One in Five Aged Domains Is Malicious or Suspicious
The number of dormant malicious domains is rising: 22.3% of strategically aged domains, those registered long before they are put to use, pose some form of threat. These findings come from Palo Alto Networks researchers, who monitored tens of thousands of such domains every day in September. The research was prompted by the SolarWinds attack, in which the attackers were found to have relied on domains registered several years before any malicious activity began. Registering a domain early builds a clean history, so that by the time it is used, reputation-based security systems have no reason to flag it. Newly registered domains are far more likely to be malicious, and security products routinely treat them as suspicious; a domain that has sat quietly for years passes those checks.
During the SolarWinds attack, for example, the attackers' domains remained inactive for two years; once the operation began, their DNS traffic jumped 165-fold. After monitoring the aged domains closely, the Palo Alto Networks researchers concluded that about 3.8% were clearly malicious, 19% were suspicious, and 2% were not safe for work environments.
Signs of a Malicious Domain
A sudden spike in traffic is the most obvious sign of a malicious aged domain. Legitimate companies also register domains in advance and launch services months or years later, but their traffic typically grows gradually rather than jumping from near zero to a flood. In addition, domains not intended for regular use often carry incomplete, cloned, or questionable content, and their WHOIS records lack owner information (on its own a weak signal, since registrar privacy services hide registrant data for many legitimate domains as well).
Suspicious Domains and DGA
Another clear sign of a malicious aged domain is a burst of subdomains produced by a domain generation algorithm (DGA). On this indicator alone, the analysts flagged about two suspicious domains per day, each generating hundreds of thousands of subdomains after activation.
One notable case in the report was the Pegasus spyware campaign, which used two command-and-control (C&C) domains registered back in 2019 that "woke up" in July 2021. DGA subdomains played a key role in that campaign: on the day of activation they accounted for 23.22% of the domains' traffic, 56 times the normal share of DGA traffic, and within a few days the share reached 42.04%.
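The two signals described in this section and the previous one (a long-registered domain whose query volume suddenly jumps far above its baseline, and a domain whose traffic is dominated by algorithmically generated subdomains) can be turned into a simple detector over passive-DNS daily aggregates. The block below is an added example, not code from Palo Alto Networks or the report; the passive-DNS lines, the registration dates, the domain names (`example-legit.com`, `aged-c2.example`, `fresh.example`) and the thresholds (`min_age_days`, `spike_factor`, `dga_share_min`) are all constructed for illustration, and the DGA heuristic is a generic entropy check rather than the researchers' own classifier.

```python
"""Added example: flag strategically aged domains that wake up with a traffic
spike and/or a burst of DGA-style subdomains. All input data is constructed."""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed passive-DNS export (not real traffic): "YYYY-MM-DD qname queries".
SAMPLE_PDNS = """\
2021-07-01 www.example-legit.com 40
2021-07-02 www.example-legit.com 44
2021-07-03 www.example-legit.com 48
2021-07-04 www.example-legit.com 52
2021-07-05 www.example-legit.com 56
2021-07-06 www.example-legit.com 50
2021-07-06 download.example-legit.com 10
2021-07-01 www.aged-c2.example 1
2021-07-02 www.aged-c2.example 2
2021-07-03 www.aged-c2.example 2
2021-07-04 www.aged-c2.example 2
2021-07-05 www.aged-c2.example 2
2021-07-06 www.aged-c2.example 2
2021-07-06 q7x2mzk9vh.aged-c2.example 50
2021-07-06 j4wpl0rtqe.aged-c2.example 50
2021-07-06 b8ncy3sdxa.aged-c2.example 50
2021-07-06 v5gkh2zmrq.aged-c2.example 50
2021-07-06 t9pzs6lwjb.aged-c2.example 50
2021-07-06 h3rfx8dnvk.aged-c2.example 50
2021-07-05 www.fresh.example 5
2021-07-06 www.fresh.example 9
"""
# Constructed registration dates; in practice these come from WHOIS/RDAP.
REGISTERED = {
    "example-legit.com": date(2019, 3, 2),
    "aged-c2.example": date(2019, 5, 14),
    "fresh.example": date(2021, 6, 28),
}
OBSERVED_ON = date(2021, 7, 6)  # last day of the constructed window


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; 0.0 for one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str) -> bool:
    """Heuristic for DGA-style labels: long, high-entropy, and either
    digit-laden or vowel-poor. Thresholds are assumptions; tune on your own data."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (has_digit or vowel_ratio < 0.25)


def split_qname(qname: str):
    """Naive split into (registrable domain, leftmost label). Assumes a two-label
    registrable domain; production code should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), (labels[0] if len(labels) > 2 else "")


def parse_pdns(text: str):
    """Yield (day, qname, count) from 'YYYY-MM-DD qname count' lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            day, qname, count = line.split()
            yield date.fromisoformat(day), qname, int(count)


def spike_ratio(day_totals: dict) -> float:
    """Peak-day volume over the mean of the other days: a growing service stays
    near 1, a dormant domain that wakes up jumps by orders of magnitude."""
    if len(day_totals) < 2:
        return 1.0
    values = sorted(day_totals.values())
    peak, rest = values[-1], values[:-1]
    baseline = sum(rest) / len(rest)
    return float("inf") if baseline == 0 else peak / baseline


def assess(pdns_text, registered, observed_on, min_age_days=365,
           spike_factor=10.0, dga_share_min=0.2):
    totals = defaultdict(lambda: defaultdict(int))     # domain -> day -> queries
    generated = defaultdict(lambda: defaultdict(int))  # domain -> day -> DGA-looking queries
    subs = defaultdict(lambda: defaultdict(set))       # domain -> day -> distinct subdomains
    for day, qname, count in parse_pdns(pdns_text):
        domain, sub = split_qname(qname)
        totals[domain][day] += count
        if sub:
            subs[domain][day].add(sub)
            if looks_generated(sub):
                generated[domain][day] += count
    report = {}
    for domain, by_day in totals.items():
        peak_day = max(by_day, key=by_day.get)
        ratio = spike_ratio(by_day)
        share = generated[domain][peak_day] / by_day[peak_day]
        reg = registered.get(domain)
        age = (observed_on - reg).days if reg else None  # None: no registration data
        flags = []
        if age is not None and age < min_age_days:
            flags.append("newly_registered")          # the signal security tools already use
        if age is not None and age >= min_age_days and ratio >= spike_factor:
            flags.append("dormant_spike")             # aged domain that suddenly woke up
        if share >= dga_share_min:
            flags.append("dga_subdomains")            # activation dominated by generated labels
        report[domain] = {"age_days": age, "peak_day": peak_day.isoformat(),
                          "spike_ratio": round(ratio, 1), "dga_share_peak_day": round(share, 3),
                          "subdomains_peak_day": len(subs[domain][peak_day]), "flags": flags}
    return report


def run_sample():
    return assess(SAMPLE_PDNS, REGISTERED, OBSERVED_ON)


if __name__ == "__main__":
    for domain, info in run_sample().items():
        print(domain, info)
```

On the constructed data, `example-legit.com` grows steadily and gets no flags, `fresh.example` is flagged only as newly registered, and `aged-c2.example` (registered over two years earlier) is flagged for both the dormant spike and the burst of generated subdomains on its activation day. The spike ratio compares the peak day with the mean of the rest of the window, so a legitimately growing service stays close to 1 while a domain that was nearly silent for the whole window scores in the hundreds.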
Other Examples and Conclusions
The researchers also described other cases, including phishing campaigns in which DGA subdomains served as layers of obfuscation that steered search engines and scanners to legitimate sites while sending victims to phishing pages. They conclude that aged domains are typically used by well-resourced attackers with long-term plans. Such attackers often use DGA subdomains to exfiltrate data over DNS, as proxy layers in front of their infrastructure, or to imitate well-known brand domains (cybersquatting).