Skip to main content
SpringerLink
Log in

Exploring the Ecosystem of Malicious Domain Registrations in the .eu TLD

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10453))

Abstract

This study extensively scrutinizes 14 months of registration data to identify large-scale malicious campaigns present in the .eu TLD. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large amounts of domains for one-shot, malicious use. Although these malicious domains are short-lived, by incorporating registrant information, we establish that at least 80.04% of them can be framed in to 20 larger campaigns with varying duration and intensity. We further report on insights in the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated. Finally, we apply a post-factum clustering process to validate the campaign identification process and to automate the ecosystem analysis of malicious registrations in a TLD zone.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We use the term malicious domain name whenever we refer to a domain name that is registered to be bound to a malicious service or activity.

  2. 2.

    http://pwoah7foa6au2pul.onion/forum/index.php?threads/%E2%96%84-%E2%96%88-%E2%98%85-paperghost-%E2%98%85-%E2%96%88-%E2%96%84-fresh-non-hacked-private-email-logins-lower-your-fraud-detection-score-2.71566.

  3. 3.

    Note that some campaigns might be running even longer than 372 days, as they might have been active before the starting date of our dataset (campaigns c_01 - c_05) or they may still be active past the time span that is covered in our dataset.

  4. 4.

    For instances without campaign labels, the registrant’s phone numbers are set as their label.

References

  1. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: Proceedings of the 19th USENIX Conference on Security, p. 18 (2010)

    Google Scholar 

  2. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II., N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: Proceedings of the 20th USENIX Conference on Security, p. 27

    Google Scholar 

  3. Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 14 (2014)

    Article  Google Scholar 

  4. Cova, M., Leita, C., Thonnard, O., Keromytis, A.D., Dacier, M.: An analysis of rogue AV campaigns. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 442–463. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15512-3_23

    Chapter  Google Scholar 

  5. Felegyhazi, M., Kreibich, C., Paxson, V.: On the potential of proactive domain blacklisting. In: Proceedings of the 3rd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, p. 6 (2010)

    Google Scholar 

  6. FortiGuard Center: Antispam - IP & Signature Lookup (2017). https://www.fortiguard.com/more/antispam

  7. Google: Google Safe Browsing (2016). https://developers.google.com/safe-browsing/

  8. Google: Unwanted Software Policy (2016). https://www.google.com/about/company/unwanted-software-policy.html

  9. Hao, S., Feamster, N., Pandrangi, R.: Monitoring the initial DNS behavior of malicious domains. In: Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement Conference, pp. 269–278. ACM (2011)

    Google Scholar 

  10. Hao, S., Kantchelian, A., Miller, B., Paxson, V., Feamster, N.: Predator: Proactive recognition and elimination of domain abuse at time-of-registration

    Google Scholar 

  11. Hao, S., Thomas, M., Paxson, V., Feamster, N., Kreibich, C., Grier, C., Hollenbeck, S.: Understanding the domain registration behavior of spammers. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 63–76 (2013)

    Google Scholar 

  12. Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning. Springer Series in Statistics. Springer, New York (2001)

    Book  MATH  Google Scholar 

  13. Levchenko, K., Pitsillidis, A., Chachra, N., Enright, B., Félegyházi, M., Grier, C., Halvorson, T., Kanich, C., Kreibich, C., Liu, H., McCoy, D., Weaver, N., Paxson, V., Voelker, G.M., Savage, S.: Click trajectories: end-to-end analysis of the spam value chain. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP 2011, pp. 431–446. IEEE Computer Society, Washington, DC (2011). http://dx.doi.org/10.1109/SP.2011.24

  14. Moura, G.C., Müller, M., Wullink, M., Hesselman, C.: nDEWS: a new domains early warning system for TLDs. In: NOMS 2016–2016 IEEE/IFIP Network Operations and Management Symposium, pp. 1061–1066. IEEE (2016)

    Google Scholar 

  15. Myles, P.: DomainWire Global TLD Report 2016/2. https://www.centr.org/library/statistics-report/domainwire-global-tld-report-2016-2.html

  16. Pattanai: Faker is a PHP library that generates fake data for you. https://github.com/teepluss/laravel-faker

  17. Plohmann, D., Yakdan, K., Klatt, M., Bader, J., Gerhards-Padilla, E.: A comprehensive measurement study of domain generating malware. In: 25th USENIX Security Symposium, pp. 263–278 (2016)

    Google Scholar 

  18. Scikit-learn developers: Encoding categorical features (2017). http://scikit-learn.org/stable/modules/preprocessing.html

  19. Scikit-learn developers: Homogeneity, completeness and V-measure (2017). http://scikit-learn.org/stable/modules/clustering.html

  20. SURBL: SURBL - URI Reputation Data (2016). http://www.surbl.org

  21. The Spamhaus Project Ltd: The Domain Block List (2016). https://www.spamhaus.org/dbl/

  22. Twilio: Lookup (2017). https://www.twilio.com/lookup

  23. URL Void: Website Reputation Checker Tool (2016). http://www.urlvoid.com/

  24. Vixie, P.: Domain name abuse: how cheap new domain names fuel the eCrime economy. Presentation at RSA Conference 2015 (2015)

    Google Scholar 

Download references

Acknowledgements

We thank the reviewers for their valuable feedback. We would also like to express our gratitude to the PC chairs and in particular our shepherd, for supporting us in improving the paper.

Author information

Authors and Affiliations

  1. Imec-DistriNet, KU Leuven, Leuven, Belgium

    Thomas Vissers, Jan Spooren, Pieter Agten, Frank Piessens, Wouter Joosen & Lieven Desmet

  2. EURid VZW, Brussels, Belgium

    Dirk Jumpertz, Peter Janssen & Marc Van Wesemael

Authors
  1. Thomas Vissers
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jan Spooren
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Pieter Agten
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dirk Jumpertz
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Peter Janssen
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Marc Van Wesemael
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Frank Piessens
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Wouter Joosen
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Lieven Desmet
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thomas Vissers .

Editor information

Editors and Affiliations

  1. Qatar Computing Research Institute, Doha, Qatar

    Marc Dacier

  2. University of Illinois at Urbana Champaign, Champaign, Illinois, USA

    Michael Bailey

  3. Stony Brook University, Stony Brook, New York, USA

    Michalis Polychronakis

  4. Georgia Institute of Technology, Georgia, USA

    Manos Antonakakis

1 Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (txt 1 KB)

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Vissers, T. et al. (2017). Exploring the Ecosystem of Malicious Domain Registrations in the .eu TLD. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation