INFERMAL: Inferential analysis of maliciously registered domains

Yevheniya Nosyk, Maciej Korczyński, Carlos Gañán, Sourena Maroofi, Jan Bayer, Zul Odgerel, Samaneh Tajalizadehkhoob, Andrzej Duda

TL;DR

The paper investigates why malicious actors register phishing domains by analyzing registrar-TLD level factors using 73 features across three latent dimensions: registration attributes, proactive verification, and reactive security. It employs a GLM Negative Binomial regression and a multilevel logistic regression to quantify how price, discounts, free services, API access, and verification practices influence abuse, finding that discounts and API access strongly boost malicious registrations while strict restrictions and proactive verification curb them. The study leverages the TLD-List dataset and blocklisted phishing domains (APWG/PhishTank/OpenPhish) plus a large benign-domain baseline to distinguish attacker preferences from legitimate behavior. Its results highlight economic incentives and automation as major enablers of abuse, and suggest actionable upstream measures for registries and registrars to deter phishing-domain registrations without harming legitimate users. These insights can inform policy and operational anti-abuse strategies in the DNS ecosystem.

Abstract

Cybercriminals have long depended on domain names for phishing, spam, malware distribution, and botnet operation. To facilitate these malicious activities, they continually register new domain names for exploitation. Previous work revealed an abnormally high concentration of malicious registrations in a handful of domain name registrars and top-level domains (TLDs). Anecdotal evidence suggests that low registration prices attract cybercriminals, implying that higher costs may discourage them. However, no existing study has systematically analyzed the factors driving abuse, leaving a critical gap in understanding how different variables influence malicious registrations. In this report, we carefully distill the inclinations and aversions of malicious actors during the registration of new phishing domain names. We compile a comprehensive list of 73 features encompassing three main latent factors: registration attributes, proactive verification, and reactive security practices. Through a GLM regression analysis, we find that each dollar reduction in registration fees corresponds to a 49% increase in malicious domains. The availability of free services, such as web hosting, drives an 88% surge in phishing activities. Conversely, stringent restrictions cut down abuse by 63%, while registrars providing API access for domain registration or account creation experience a staggering 401% rise in malicious domains. This exploration may assist intermediaries involved in domain registration in developing tailored anti-abuse practices while aligning them with their economic incentives.

Paper Structure

This paper contains 28 sections, 12 figures, and 8 tables.

Figures (12)

  • Figure 1: Distribution of registration, renewal, and transfer prices (in $) proposed by registrars regarding malicious domains.
  • Figure 2: Distribution of registration, renewal, and transfer discounts (in $) proposed by registrars regarding malicious domains.
  • Figure 3: Nine free features proposed by registrars to their clients as well as the number of registrations that could have benefited from them.
  • Figure 4: CDF of uptimes for notified and not notified registrars.
  • Figure 5: Distribution of maliciously registered domain names per registrar/TLD pair.
  • ...and 7 more figures