Hackers Use Large Numbers of Transient Domains to Hide Attacks

Almost three-quarters of the hostnames on the internet last for less than one day with a large plurality used for malicious purposes, according to new research from Blue Coat Systems.

The security firm analyzed over 660 million unique hostnames requested by 75 million users worldwide over a 90-day period.

It found that 71% of those hostnames (470 million) appeared for just one day or less.

More worryingly, 22% of the top 50 parent domains used by these so-called 'one-day wonders' were malicious.

The vast majority of short-lived sites are operated by legitimate web giants like Google, Amazon and Yahoo, as well as online optimizations companies, Blue Coat said.

But a significant proportion are being used by cybercriminals to manage botnets, launch attacks and facilitate spam runs.

This is because their dynamic, short-lived nature makes it hard for traditional security products to keep up.

By the time a typical reactive tool has analyzed and blocked a particular bad site or spam email, it has disappeared and moved to a new hostname or spam email sub-domain, for example.

Blue Coat said that generating a high volume of such domains also increases the chances that a certain number will be missed by security controls.

“While most 'One-Day Wonders' are essential to legitimate internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity,” said senior threat researcher, Tim van der Horst, in a prepared statement.

“The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”

A best practice, policy-based approach to security needs real-time intelligence about good and bad sites in order to enforce controls.

To facilitate this, firms need automated security tools which can identify bad domains on-the-fly and assign risk levels to them to better protect corporate assets.

Those top 50 'parent domains' outlined in the research seem like a good place to start.

Hackers Use Large Numbers of Transient Domains to Hide Attacks

You may also like

Symantec Name President and COO

Blue Coat to be Acquired by Symantec for $4.65BN

Blue Coat Swaps Private Investors For $2.4bn

2015: Ransomware, Malvertising, Espionage, Oh My!

Cyber Fraudsters Tweet Malicious MH17 URLs Hours After Incident

What’s hot on Infosecurity Magazine?

Fraudsters Exploit Telegram’s Popularity For Toncoin Scam

Vulnerability Exploitation on the Rise as Attackers Ditch Phishing

Security Leaders Braced for Daily AI-Driven Attacks by Year-End

DragonForce Ransomware Group Uses LockBit's Leaked Builder

Fifth of CISOs Admit Staff Leaked Data Via GenAI

North Korean Hackers Target Dozens of Defense Companies

North Korean Group Kimsuky Exploits DMARC and Web Beacons

Russian Sandworm Group Hit 20 Ukrainian Energy and Water Sites

Dependency Confusion Vulnerability Found in Apache Project

NSA Launches Guidance for Secure AI Deployment

Banning Ransomware Payments Will Do More Harm Than Good

Security Leaders Braced for Daily AI-Driven Attacks by Year-End

Incident Response: Four Key Cybersecurity Measures to Protect Your Business

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Disinformation Defense: Protecting Businesses from the New Wave of AI-Powered Cyber Threats

Securing APIs in the Cloud Frontier

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024