Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

Kyungchan Lim, Raffaele Sommese, Mattis Jonker, Ricky Mok, kc claffy, Doowon Kim

TL;DR

This work targets phishing defenses at the DNS registration level by conducting a longitudinal analysis of 690,502 phishing domains over 39 months, revealing that 66.1% are maliciously registered and that domains often rely on low-cost new gTLDs and AWS hosting. Using a multi-source dataset, a DNS crawler, and registration data (including GDPR-aware sources), the authors identify maliciously registered domains with a COMAR-inspired four-step method and analyze their lifecycle from registration to deregistration. They find rapid detection for some brands but substantial post-detection exposure (average ~11.5 days) and wide variability across blocklists, underscoring gaps in current defenses and the potential for DNS-level interventions. The study contributes a comprehensive dataset, a robust methodology for identifying malicious registrations, and actionable insights into TLD usage, brand targeting, and DNS dynamics that can inform proactive anti-phishing strategies and registrar policies.

Abstract

Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39-month period, to examine their characteristics and behavioral patterns throughout their lifecycle, from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their domain names under alternative TLDs (e.g., .top and .tk) instead of the TLDs under which the brand domains are registered (e.g., .com and .ru). We also observe minimal improvements in detection speed for maliciously registered domains compared to compromised domains. Detection times vary widely across blocklists, and phishing domains remain accessible for an average of 11.5 days after detection, prolonging their potential impact. Our systematic investigation uncovers key patterns from registration through detection to deregistration, which could be leveraged to enhance anti-phishing active defenses at the DNS level.

Paper Structure

This paper contains 22 sections, 8 figures, 5 tables.

Figures (8)

  • Figure 1: Overview of Our DNS Analysis on Phishing Domains.
  • Figure 2: Top 10 Brands by Year. USPS increases dramatically from 2022 to 2024, specifically in maliciously registered domains. Microsoft, on the other hand, decreases across all domains, while DHL increases in maliciously registered domains but decreases in compromised domains.
  • Figure 3: Top 10 TLDs by Year. While .com is the most used, .shop and .cn increase over the years.
  • Figure 4: Days Between Registration and Detection by Top 10 Brand.
  • Figure 5: Delays (days) Between Registration and Detection. Vertical bars show average (or median) days between registration time and detection time of the top 5 most targeted brands.
  • ...and 3 more figures