INFERMAL

This project systematically analyzes the preferences and behaviors of cyberattackers in registering malicious domain names to uncover factors influencing abusive registrations and develop strategies to mitigate DNS abuse.

Overview

For years, anecdotal evidence has suggested that cybercriminals tend to exploit top-level domains (TLDs) and registrars with low domain name registration prices. However, this hypothesis lacked concrete evidence and a systematic analysis of attackers' preferences. Each malicious actor may have their own criteria: one may favor lower registration prices, while another may target registrars with specific payment methods or free APIs for bulk domain registration. The goal of this project is to conduct an in-depth analysis of maliciously registered domain names, aiming to uncover cyberattackers' preferences and possible measures to mitigate abusive activities within the domain name space.

KOR Labs contribution

As a project coordinator, KOR Labs gathers registration data and compiles registration policies, including pricing, API access to the registration panel, bulk registration options, and payment methods (e.g., credit card or cryptocurrencies) used during malicious domain registration. Through systematic analysis using Generalized Linear Models (GLMs), we extract the set of registration features favored by attackers and assess their significance in identifying malicious domains.

Partners