INFERMAL: Investigating Cyber Attackers' Preferences in Domain Registrations for Enhanced Online Security

Oct 2, 2023 · Maciej Korczyński and Samaneh Tajalizadehkhoob

INFERMAL (Inferential Analysis of Maliciously Registered Domains) is a research project being carried out by KOR Labs and funded by ICANN. The goal of this project is to conduct an in-depth analysis of maliciously registered domain names, aiming to uncover cyber attackers' preferences and possible measures to mitigate abusive activities within the domain name space.

Domain name abuse

Domain names serve as convenient shorthands for IP addresses, enabling easy navigation of the numerous online services we use daily. While most domain name registrations are harmless, cybercriminals frequently register new domains to launch large-scale attacks, such as phishing, malware drive-by-download, or spam campaigns. These malicious activities pose significant threats to Internet users and the security of the online ecosystem.

Understanding attackers' preferences

While there has been long-standing anecdotal evidence suggesting that cybercriminals exploit top-level domains (TLDs) and registrars with low domain registration prices, no study has conclusively proven this hypothesis or conducted a systematic analysis of their preferences. Different malicious actors may exhibit varying preferences.

Some may prioritize lower registration prices, while others exploit registrars offering specific payment methods or a free API for bulk domain registration. In our previous study1, we discovered that AlpNames Limited supported bulk registration, enabling the generation and registration of up to 2,000 domains across 27 new gTLDs using diverse patterns such as letters, time, cities, or zip codes. Our analysis revealed that AlpNames faced a high volume of reported abusive domains by both Spamhaus and SURBL2.

Conversely, TLD operators or registrars may offer inexpensive domains but implement additional checks to prevent domain name abuse. These checks may involve verifying the accuracy of registration information or requiring registrants to provide a national ID card. By doing so, they may discourage criminals from registering domain names with those operators.

Importance and challenges

The issue of factors influencing malicious domain registrations is of significant importance, particularly in light of the new generic Top-Level Domain (gTLD) program initiated by the Internet Corporation for Assigned Names and Numbers (ICANN). Since its launch in October 2013, hundreds of new gTLDs have been incorporated into the domain name system (DNS). Notably, our previous research has revealed a shift in attackers' behavior as they transitioned from exploiting legacy gTLD domains to targeting the new gTLD domain name space1.

Certain new gTLDs compete by offering exceptionally low registration prices, occasionally even below US $1. This presents a critical challenge: finding ways for TLD registries and registrars to attract legitimate users while simultaneously implementing robust measures to deter malicious use.


Addressing this challenge requires exploring strategies that strike a balance, encouraging legitimate registrations while maintaining strong barriers against abuse.

The objective of this project is to conduct a comprehensive analysis aiming to identify the preferences of attackers and devise effective measures to proactively mitigate abusive and malicious activities within the domain name space.

Our focus is to understand the specific attributes that malicious actors find particularly enticing and the underlying reasons for their selection. By thoroughly investigating these aspects, we aim to shed light on the factors that attract attackers to certain registration practices. This knowledge will serve as a foundation for devising preemptive strategies and implementing robust security measures to help mitigate the risks associated with malicious activities involving domain names.


In this study, we propose to collect and analyze a comprehensive list of registration features and policies that we consider relevant to attackers. We categorize them into three groups: registration features (e.g., access to the registration panel via API, ability to register in bulk, payment methods such as credit card, Bitcoin, or WebMoney, but also retail pricing), proactive security (e.g., verification of contact information provided by the registrant), and reactive security (response to domain name abuse notifications).

For this study, we have been collecting several registration features offered by several dozen domain registrars such as retail pricing (including promotions), available payment methods, additional free features such as a DNS service, email forwarding, number of email accounts, or TLS certificates. Most of the registration information is collected daily. We will associate each maliciously registered domain with the registration features at the time of domain registration. Other properties that do not change often (e.g., access to the registration panel via API, ability to register in bulk, etc.) are collected manually or semi-manually.

Proactive security features require empirical verification. For example, we will register the sample domain names with random characters, containing special keywords, or misspelled versions of brand names. To measure reactive security, we will design a set of experiments and evaluate how registrars react to notifications of abusive domain names, i.e., whether they suspend domains promptly. We suspect that uptimes (i.e., time between the notification and takedown) might be one of the factors that malicious actors consider when selecting a registrar and TLD to abuse.

In our previous work1, we analyzed the relationship between the limited number of security indicators and the structural properties of TLDs, and abuse at the level of gTLDs, whereas the here-proposed approach will allow a fine-grained analysis at the domain name level.

First, we will collect URLs blacklisted by reputable organizations such as the Anti-Phishing Working Group (APWG). In this study, we will focus on domains that were maliciously registered rather than hacked websites. Then, we assemble the registration policies of the registrars (i.e., registration features, proactive and reactive security policies) at the time the malicious domain name was registered. We will systematically distill the set of registration features preferred by attackers, using generalized linear models (GLMs), and will assess their importance.


Phase 1: Mapping abusive domains to registration policies

By the end of November 2023, for chosen domain abuse blacklists such as APWG, we will extract malicious domains and map them to their corresponding registration information at the time of their registration.

Phase 2: Analysis of proactive and reactive security measures

By July 2024, we will perform the analysis of preselected proactive security measures, including domain registrant data validation, strategies for blocking domain names containing, for example, keywords of the most abused services, and other proactive security measures. We will also summarize a study of uptimes, that is, how quickly abusive domain names are suspended after the notification.

Phase 3: Fine-grained inferential analysis of maliciously registered domains

Finally, by September 2024 we will publish a final report in the form of a research paper providing a fine-grained inferential analysis of maliciously registered domains using GLM modeling to determine driving factors of domain abuse. The project will also propose best practices to effectively mitigate abuse.

1 "SADAG: Statistical Analysis of DNS Abuse in generic Top-Level Domains", Maciej Korczyński, Maarten Wullink, Samaneh Tajalizadehkhoob, Giovane C.M. Moura, Cristian Hesselman, report, 2017

2 "Cybercrime After the Sunrise: A Statistical Analysis of DNS Abuse in New gTLDs", Maciej Korczynski, Maarten Wullink, Samaneh Tajalizadehkhoob, Giovane C.M. Moura, Arman Noroozian, Drew Bagley, Cristian Hesselman, ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2018