INFERMAL (Inferential Analysis of Maliciously Registered Domains) is a research project being carried out by KOR Labs and funded by ICANN. The goal of this project is to conduct an in-depth analysis of maliciously registered domain names, aiming to uncover cyber attackers' preferences and possible measures to mitigate abusive activities within the domain name space.
Domain names serve as convenient shorthands for IP addresses, enabling easy navigation of the numerous online services we use daily. While most domain name registrations are harmless, cybercriminals frequently register new domains to launch large-scale attacks, such as phishing, malware drive-by-download, or spam campaigns. These malicious activities pose significant threats to Internet users and the security of the online ecosystem.
For years, there has been anecdotal evidence suggesting that cybercriminals tend to exploit top-level domains (TLDs) and registrars with low domain name registration prices. However, this hypothesis lacked concrete evidence and a systematic analysis of attackers' preferences. Each malicious actor may have their own criteria, with one favoring lower registration prices while another may target registrars with specific payment methods or free APIs for bulk domain registration. The INFERMAL project aims to expand the knowledge in this area.
The issue of factors influencing malicious domain registrations is of significant importance, particularly in light of the new generic Top-Level Domain (gTLD) program initiated by the Internet Corporation for Assigned Names and Numbers (ICANN). Since its launch in October 2013, hundreds of new gTLDs have been incorporated into the domain name system (DNS).
Certain gTLDs compete by offering exceptionally low registration prices, occasionally even below US $1. This presents a critical challenge: finding ways for TLD registries and registrars to attract legitimate users while simultaneously implementing robust measures to deter malicious use. Addressing this challenge requires systematically exploring strategies that strike a balance, encouraging legitimate registrations while maintaining barriers against abuse. By understanding the motivations behind malicious registrations and the factors driving them, TLD registries and registrars may develop effective approaches to safeguard the integrity of the domain name system and protect users from cyber threats.
In a nutshell, our approach involves collecting URLs blocklisted by reputable organizations and focusing on maliciously registered domain names, rather than hacked websites. We gather registration data and compile registration policies, including pricing, API access to the registration panel, bulk registration options, and payment methods (e.g., credit card or cryptocurrencies) used during domain registration. Through systematic analysis using Generalized Linear Models (GLMs), we extract the set of registration features favored by attackers and assess their significance in identifying malicious domains.
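To make the GLM step concrete, the following is an added illustration and not INFERMAL's code or data: a logistic regression (a GLM with a logit link) is fitted by damped Newton-Raphson to a small constructed sample of registration features (price, API access, cryptocurrency payment) with a malicious/benign label, and each feature's coefficient is reported with its standard error and Wald z-statistic, which is the usual way to assess a feature's significance in such a model. The feature names, the sample rows and the pure-Python fitting routine are all assumptions made for the example; the project's actual feature set, model specification and data are not described beyond the paragraph above.

```python
"""Added illustration: fit a logistic-regression GLM (logit link) to constructed
domain-registration features and report each feature's Wald z-statistic."""
import math

# Constructed toy sample, NOT INFERMAL data. Columns: registration price in USD,
# registrar offers a registration API (0/1), registrar accepts cryptocurrency
# (0/1), label (1 = blocklisted as maliciously registered, 0 = benign).
SAMPLE = [
    (0.99, 1, 1, 1), (0.99, 1, 0, 1), (1.49, 1, 1, 1), (0.99, 0, 1, 1),
    (2.99, 1, 1, 1), (0.99, 1, 1, 1), (4.99, 1, 0, 1), (1.99, 0, 0, 1),
    (12.99, 1, 1, 1), (0.99, 0, 0, 1),
    (12.99, 0, 0, 0), (9.99, 0, 0, 0), (14.99, 1, 0, 0), (9.99, 0, 1, 0),
    (0.99, 0, 0, 0), (7.99, 1, 1, 0), (11.99, 0, 0, 0), (2.99, 0, 0, 0),
    (9.99, 1, 0, 0), (12.99, 0, 1, 0),
]
FEATURES = ["intercept", "price_usd", "api_access", "crypto_payment"]

def design(rows):
    """Split rows into a design matrix X (with intercept column) and labels y."""
    X = [[1.0, float(p), float(a), float(c)] for p, a, c, _ in rows]
    y = [float(r[-1]) for r in rows]
    return X, y

def sigmoid(z):
    """Numerically stable logistic function (inverse of the logit link)."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)

def log_likelihood(X, y, beta):
    """Bernoulli log-likelihood: sum of y*eta - log(1 + exp(eta)), computed stably."""
    ll = 0.0
    for xi, yi in zip(X, y):
        eta = sum(b * x for b, x in zip(beta, xi))
        ll += yi * eta - max(eta, 0.0) - math.log1p(math.exp(-abs(eta)))
    return ll

def invert(m):
    """Gauss-Jordan inverse of a small square matrix (partial pivoting)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

def score_and_information(X, y, beta):
    """Gradient of the log-likelihood and the observed information matrix."""
    k = len(beta)
    grad = [0.0] * k
    info = [[0.0] * k for _ in range(k)]
    for xi, yi in zip(X, y):
        p = sigmoid(sum(b * x for b, x in zip(beta, xi)))
        w = p * (1.0 - p)
        for i in range(k):
            grad[i] += (yi - p) * xi[i]
            for j in range(k):
                info[i][j] += w * xi[i] * xi[j]
    return grad, info

def fit_logit(X, y, max_iter=100, tol=1e-6):
    """Maximum-likelihood fit by damped Newton-Raphson (IRLS for the logit GLM).
    Returns coefficients and standard errors from the inverse information matrix."""
    k = len(X[0])
    beta = [0.0] * k
    for _ in range(max_iter):
        grad, info = score_and_information(X, y, beta)
        cov = invert(info)
        if max(abs(g) for g in grad) < tol:
            break
        step = [sum(cov[i][j] * grad[j] for j in range(k)) for i in range(k)]
        # Step-halving keeps the log-likelihood from decreasing on a bad Newton step.
        ll_old = log_likelihood(X, y, beta)
        t = 1.0
        while t > 1e-8:
            cand = [b + t * s for b, s in zip(beta, step)]
            if log_likelihood(X, y, cand) >= ll_old:
                break
            t /= 2.0
        beta = cand
    se = [math.sqrt(cov[i][i]) for i in range(k)]
    return beta, se

def predict_prob(beta, price_usd, api_access, crypto_payment):
    """Fitted probability that a registration with these features is malicious."""
    return sigmoid(beta[0] + beta[1] * price_usd + beta[2] * api_access + beta[3] * crypto_payment)

def analyse(rows=SAMPLE):
    """Fit the GLM and return {feature: (coefficient, std_error, wald_z)}."""
    X, y = design(rows)
    beta, se = fit_logit(X, y)
    return {f: (b, s, b / s) for f, b, s in zip(FEATURES, beta, se)}

if __name__ == "__main__":
    for name, (b, s, z) in analyse().items():
        print(f"{name:15s} coef={b:8.3f}  se={s:7.3f}  z={z:7.2f}")
```

Running the module prints one row per feature; a coefficient's sign gives the direction of the association (negative on price means cheaper registrations are more likely to be malicious in this sample) and |z| above roughly 1.96 corresponds to significance at the 5% level under the usual Wald approximation. The sample assumes the separation of maliciously registered domains from compromised ones has already been done, as the paragraph above describes, and with only twenty constructed rows the numbers themselves carry no meaning; the point is the mechanics of extracting and ranking registration features.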
Dr. Maciej Korczyński will serve as the scientific consultant of the INFERMAL project. He is a co-founder of KOR Labs, a university spin-off dedicated to combating cyber threats and helping the Internet community collectively increase barriers to abuse. He is an Associate Professor of computer networks and cybersecurity at the Grenoble Institute of Technology in France. His main interests revolve around large-scale passive and active measurements and analysis of cybersecurity, with a focus on the DNS. Since 2015, he has co-authored over 30 scientific articles about domain name and DNS infrastructure abuse, DNS vulnerabilities, security metrics, Internet Protocol address spoofing, distributed denial-of-service attacks, botnets, and vulnerability notifications.
Dr. Samaneh Tajalizadehkhoob will serve as the scientific contact point of the INFERMAL project on the ICANN Org side. Samaneh is a Director of Security, Stability and Resiliency Research (SSR) within ICANN's Office of the CTO (OCTO). The SSR research team leads work on topics related to DNS security measurements, DNS vulnerabilities and DNS abuse, among others. This project is funded as a part of ICANN's Domain Name System (DNS) Security Threat Mitigation Program, which strives to make the Internet a safer place for end users by reducing the prevalence of DNS security threats across the Internet.