Hackers Use Large Numbers of Transient Domains to Hide Attacks

Almost three-quarters of the hostnames on the internet last for less than one day with a large plurality used for malicious purposes, according to new research from Blue Coat Systems.

The security firm analyzed over 660 million unique hostnames requested by 75 million users worldwide over a 90-day period.

It found that 71% of those hostnames (470 million) appeared for just one day or less.

More worryingly, 22% of the top 50 parent domains used by these so-called 'one-day wonders' were malicious.

The vast majority of short-lived sites are operated by legitimate web giants like Google, Amazon and Yahoo, as well as online optimizations companies, Blue Coat said.

But a significant proportion are being used by cybercriminals to manage botnets, launch attacks and facilitate spam runs.

This is because their dynamic, short-lived nature makes it hard for traditional security products to keep up.

By the time a typical reactive tool has analyzed and blocked a particular bad site or spam email, it has disappeared and moved to a new hostname or spam email sub-domain, for example.

Blue Coat said that generating a high volume of such domains also increases the chances that a certain number will be missed by security controls.

“While most 'One-Day Wonders' are essential to legitimate internet practices and aren’t malicious, the sheer volume of them creates the perfect environment for malicious activity,” said senior threat researcher, Tim van der Horst, in a prepared statement.

“The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture.”

A best practice, policy-based approach to security needs real-time intelligence about good and bad sites in order to enforce controls.

To facilitate this, firms need automated security tools which can identify bad domains on-the-fly and assign risk levels to them to better protect corporate assets.

Those top 50 'parent domains' outlined in the research seem like a good place to start.

What’s Hot on Infosecurity Magazine?