
Blog

Phishing attacks: newly registered domains still a prominent threat


For this month's Exploring DAP article, we take a look at what the DAP data sources and capabilities can tell us about the relationships between various milestone dates in the lifetime of domain names used in phishing attacks. What we found is that while domain names used in phishing attacks have an average lifetime of 21 days and are “active” (i.e. we can observe DNS activity associated with them) for an average of 16 days, the majority of domains used in phishing are still blocked within 4 days of being registered. This tells us that newly registered domain names used in phishing attacks are still the biggest threat to internet users.

Newly Registered vs. Aged Domain Names

The Anti-Phishing Working Group's (APWG) Phishing Activity Trends Report for the 3rd Quarter of 2022 reported 1,270,883 total phishing attacks, a new record and the worst quarter for phishing that APWG has ever observed. The number of reported phishing attacks has more than quintupled since the first quarter of 2020, when the APWG observed 230,554 attacks. In the phishing research community much time has been spent on understanding how the “age” of domain names used in phishing attacks influences the effectiveness of phishing campaigns. In the past, blocking newly registered domain names was an effective way to shield users from attacks, but over time attackers have evolved to use “aged” domain names to get around the blocks imposed on newly registered domain names. Given that, what does the DAP data tell us?

Using the DAP to Analyze Domain Name Age

The DAP makes available three key data sources needed to answer this question. The OpenPhish data source contains a list of domain names that have appeared on the OpenPhish list, including the date when they were added. The WHOISXML data source contains the registration date for a domain name, amongst other WHOIS data. And finally the Farsight DNSDB (Passive DNS) data source can tell us when the domain name became active, i.e. when DNS queries for the domain name were first observed.

Running a daily snapshot of domain names that had been placed on the OpenPhish list, and using the domain name as the key to “join” in the associated registration date and passive DNS data for those names, we were quickly and easily able to calculate the elapsed time between three key dates.

Domain Created to added to OpenPhish list

Figure 1: fastest, average and longest time between domain creation and addition to the OpenPhish list.

Figure 1 summarizes the findings for the time between when the domain name was registered and when it was ultimately placed on the OpenPhish block list. This represents the age of the domain name when it was first blocked. While the fastest “take down” time is 27 minutes, the average takedown time of 21 days is concerning, as that represents quite a lot of time during which harm can be done to users.

Domain Created to pDNS First Seen

Figure 2: fastest, average and longest time between domain creation and the first passive DNS observation.

Figure 2 summarizes the findings for the time between when the domain name was registered and the first time DNS activity was observed in the Farsight Passive DNS database. The fastest time observed was 35 seconds and the data shows that most domain names used in phishing are responding to DNS queries within the first day of registration. We suspect this is due to the use of domain name registration and hosting services that automate DNS Name Server (NS) configuration once the domain name has been purchased.  

pDNS First Seen to Added to OpenPhish List

Figure 3: fastest, average and longest time between the first passive DNS observation and addition to the OpenPhish list.

Figure 3 summarizes the findings for the time between when DNS activity was first observed and when the domain name was ultimately placed on the OpenPhish block list. This range represents the period when the domain name was active. As with Figure 1 above, while a 2-minute time range is good, the average time of 16 days is quite concerning in terms of the amount of harm that can be done to users.

Time to Panic? Are Phishers Using Aged Domains?

Does this data show that phishers are moving quickly to the use of “aged” domain names? No, it doesn’t. While the above data is interesting, and in some aspects quite concerning, it turns out that our use of the fastest, longest and even average date range values obscures what is really happening under the covers. In order to get a better understanding of what the data is actually telling us, we used DAP to visualize the distribution of the number of days for the three ranges referenced above.

Number of days between Domain Created and added to OpenPhish List

Figure 4: Distribution of the count of days between Domain Created and added to OpenPhish List.

In Figure 4, we can see that of all the domain names in our data set, 39% were blocked in less than 1 day and 63% were blocked within 4 days. The rest, 37%, representing the long tail of this data, were blocked somewhere between 5 and 179 days. This indicates that blocking newly registered domain names is still an effective way to mitigate phishing attacks. Having said that, if you look closely at the chart you can see small “spikes” at about 35 and 110 days, indicating that a small amount of “aged” domain names are being used.

Number of days between Domain Created and pDNS First Seen

Figure 5: Distribution of the count of days between Domain Created and pDNS First Seen.

Figure 5 reinforces the analysis for Figure 2 above, showing that 85% of domain names are actively resolving via the DNS within 24 hours or less of registration.

Number of days between pDNS First Seen and added to OpenPhish list

Figure 6: Distribution of the count of days between pDNS First Seen and added to OpenPhish list.

Finally, in Figure 6 we see data analogous to Figure 4, where 49% of domains are blocked within 24 hours of passive DNS activity first being observed and 69% were blocked within 4 days.

Conclusion

While the data in the DAP does indicate that phishers are using “aged” domains for a small number of attacks, the underlying details show us that the majority of domain names used (63%) were less than 4 days old when blocked. This indicates that blocking newly registered domain names is still an effective way to mitigate phishing attacks.

We note that the Interisle Phishing Landscape 2022 study reported similar findings in the more complete data set and rigorous methodology they used. On page 12 of the report, the authors state “that during the current study period, 41% of domains reported for phishing were used within 14 days following registration and that the majority of these were reported within 48 hours.”  

Finally, this simple DAP experiment highlighted several basic but useful DAP features. 

  1. The ability to join different, but related data sets into a single query, allowing greater insight and analysis. 
  2. The ability to run DAP queries periodically, using the DAP snapshot feature. This is key for longitudinal analysis of issues related to the DNS.
  3. The ability to use formulas to convert DAP data into more user friendly forms.  In this experiment we used formulas extensively to calculate the time differences (in seconds) between the various date ranges and also to convert seconds into days, hours and minutes.  

Notes on methodology

A few details about the methodology used to prepare this blog.  

1. In order to simplify the sample data set, we removed domain names that were "re-registered". We determined that a domain name was re-registered if the registration date for the domain was later than the passive DNS time values in the dataset. The result is that this blog focused only on newly registered domains.

2. We did not distinguish between malicious domains, compromised domains or sub-domains of existing services. These domain names would be older (by definition) and end up in the long tail of the data.  

3. Currently the DAP only has Phishing data from the OpenPhish data set, so our sample is only complete based on the findings of OpenPhish.  In the future we will augment our Phishing data with feeds from additional phishing block list providers.
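The join-and-diff procedure described under “Using the DAP to Analyze Domain Name Age” and the re-registration filter from methodology note 1 can be reproduced outside the DAP on any export of the three dates. The following is an added example, not DAP code or output: it uses a constructed sample of five domains (none real) with hypothetical WHOIS creation, passive DNS first-seen and OpenPhish list-addition timestamps, drops the re-registered name, computes the three intervals in seconds, reports fastest/average/longest as days, hours and minutes, and builds the per-day distribution and “blocked within N days” shares that Figures 4 to 6 visualise.

```python
"""Join three per-domain timestamps and compute the lifetime intervals the post describes."""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean

# Constructed sample rows (not DAP, OpenPhish, WHOISXML or Farsight data).
# Each row joins, on the domain name, the WHOIS creation date, the passive DNS
# first-seen timestamp and the time the name was added to the OpenPhish list.
SAMPLE_ROWS = [
    # (domain, whois_created, pdns_first_seen, openphish_added), all UTC
    ("login-alert-1.example", "2022-10-01T10:00:00Z", "2022-10-01T10:00:35Z", "2022-10-01T10:27:00Z"),
    ("secure-update-2.example", "2022-10-02T00:00:00Z", "2022-10-02T06:00:00Z", "2022-10-03T12:00:00Z"),
    ("account-verify-3.example", "2022-09-01T00:00:00Z", "2022-09-01T01:00:00Z", "2022-10-06T00:00:00Z"),
    ("invoice-portal-4.example", "2022-10-05T00:00:00Z", "2022-10-05T00:10:00Z", "2022-10-08T00:00:00Z"),
    # Re-registered name: passive DNS saw it long before the current registration.
    ("old-brand-5.example", "2022-10-10T00:00:00Z", "2020-03-01T00:00:00Z", "2022-10-11T00:00:00Z"),
]

SECONDS_PER_DAY = 86400


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def drop_reregistered(rows):
    """Methodology note 1: drop names whose registration date is later than the
    earliest passive DNS observation, since that means the name was re-registered."""
    return [r for r in rows if parse_ts(r[1]) <= parse_ts(r[2])]


def intervals(rows):
    """Return the three intervals from the post, in whole seconds, per domain."""
    out = {"created_to_blocked": [], "created_to_pdns": [], "pdns_to_blocked": []}
    for _domain, created, first_seen, blocked in rows:
        c, f, b = parse_ts(created), parse_ts(first_seen), parse_ts(blocked)
        out["created_to_blocked"].append(int((b - c).total_seconds()))
        out["created_to_pdns"].append(int((f - c).total_seconds()))
        out["pdns_to_blocked"].append(int((b - f).total_seconds()))
    return out


def summarize(seconds):
    """Fastest, average and longest interval (the three numbers in Figures 1 to 3)."""
    return min(seconds), mean(seconds), max(seconds)


def format_duration(seconds):
    """Convert seconds to days/hours/minutes/seconds, dropping leading zero units."""
    days, rem = divmod(int(seconds), SECONDS_PER_DAY)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")]
    while len(parts) > 1 and parts[0][0] == 0:
        parts.pop(0)
    return " ".join(f"{n}{unit}" for n, unit in parts)


def day_histogram(seconds):
    """Count of domains per whole day of interval length (Figures 4 to 6)."""
    return dict(Counter(s // SECONDS_PER_DAY for s in seconds))


def share_within(seconds, max_days):
    """Fraction of intervals no longer than max_days (e.g. 'blocked within 4 days')."""
    limit = max_days * SECONDS_PER_DAY
    return sum(1 for s in seconds if s <= limit) / len(seconds)


if __name__ == "__main__":
    rows = drop_reregistered(SAMPLE_ROWS)
    iv = intervals(rows)
    for name, values in iv.items():
        fastest, average, longest = summarize(values)
        print(f"{name}: fastest={format_duration(fastest)} "
              f"average={format_duration(average)} longest={format_duration(longest)}")
    print("days histogram:", day_histogram(iv["created_to_blocked"]))
    print("blocked within 1 day:", share_within(iv["created_to_blocked"], 1))
    print("blocked within 4 days:", share_within(iv["created_to_blocked"], 4))
```

The averages are deliberately kept alongside the histogram and the within-N-days shares: on the constructed sample a single 35-day domain pulls the average creation-to-block time to over 9 days even though three of the four names were blocked within 4 days, which is the same distortion the post describes for the real data in Figures 1 and 4.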

#phishing #domainabuse #openphish