Hosting and domains: detecting abuse and protecting infrastructure

Hosting providers and their clients often face domain abuse, ranging from phishing sites to botnet infrastructure. Domain data analytics enable both hosting companies and their customers to respond swiftly to potential threats and mitigate risks. Cybercriminals use domains for fraudulent schemes, attacks on users, and malware distribution. For instance, in 2023, a large-scale phishing campaign was uncovered where duplicate domains mimicking well-known banks were used to collect customer credentials. Another case involved a botnet network managed through registered domains that frequently changed DNS records to avoid detection. These cases highlight the importance of domain activity monitoring within hosting infrastructure. Without control over the domains hosted on their servers, hosting companies risk becoming sources of threats and damaging their reputations.


Main types of threats

  • Phishing domains – Created to steal personal data, often using names similar to well-known brands.
  • DGA domains – Attackers use Domain Generation Algorithms (DGA) to generate random-looking domain names and evade blocking.
  • Botnet networks – Infected devices receive commands through specially registered domains.
  • Malicious sites – Domains distributing viruses or exploiting browser vulnerabilities.


How domain data analysis helps identify abuse

Historical domain data collected by DomainCrawler since 2008, along with monitoring changes, enables hosting companies to quickly detect suspicious resources. DomainCrawler provides the data, while companies decide how to use it to protect their infrastructure and customers. For example, one provider noticed an unusual spike in activity on a domain previously used for legitimate purposes, which, after a change in ownership, started sending large volumes of phishing emails. By analyzing historical data and tracking DNS changes, the company swiftly blocked the suspicious activity, preventing a large-scale attack. Key tools assisting in this process include:

  • Domain history analysis – Reviewing registration changes to determine whether a domain has been previously used for fraudulent activities. DomainCrawler provides detailed ownership history and DNS record changes, helping to uncover manipulative domain activities.
  • DNS record monitoring – Tracking changes in NS, MX, and other records to detect suspicious activity. For example, a domain previously used for legitimate purposes may suddenly switch to DNS servers associated with malware distribution, signaling possible compromise. DomainCrawler offers real-time analysis of such changes.
  • Automated detection of DGA domains – Identifying domains generated algorithmically. DomainCrawler processes large volumes of data to detect patterns atypical for human domain registrations, allowing proactive blocking of potential threats.
  • Cross-referencing with blacklists – Checking domains against known phishing and malware databases. Using DomainCrawler, hosting companies can automatically compare new registrations with established blacklists to quickly identify potentially dangerous resources.
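
A sketch of the DNS record monitoring and blacklist cross-referencing described above, as an added example that is not DomainCrawler's code or API. The snapshot layout (a dict of record type to values), the domains, the nameserver blocklist and the severity labels are all constructed assumptions.

```python
# Constructed sample data: two snapshots of one domain and a nameserver blocklist.
OLD = {"NS": ["ns1.goodhost.example.", "ns2.goodhost.example."],
       "MX": ["mail.shop.example."], "A": ["192.0.2.10"]}
NEW = {"NS": ["NS1.bad-dns.test.", "ns2.bad-dns.test."],
       "MX": ["mx.bulkmail.test."], "A": ["192.0.2.10"]}
NS_BLOCKLIST = ["bad-dns.test"]
WATCHED_TYPES = ("NS", "MX", "A")

def norm(host):
    """Lower-case and drop the trailing dot so 'NS1.Example.' equals 'ns1.example'."""
    return host.strip().lower().rstrip(".")

def base_domain(host):
    """Naive last-two-labels base; production code should use the Public Suffix List."""
    return ".".join(norm(host).split(".")[-2:])

def diff_snapshots(old, new):
    """Return {rtype: (removed, added)} for every watched record type that changed."""
    changes = {}
    for rtype in WATCHED_TYPES:
        before = {norm(v) for v in old.get(rtype, [])}
        after = {norm(v) for v in new.get(rtype, [])}
        if before != after:
            changes[rtype] = (sorted(before - after), sorted(after - before))
    return changes

def assess(old, new, ns_blocklist):
    """Turn a snapshot diff into (severity, message) findings for an analyst queue."""
    blocked = {norm(b) for b in ns_blocklist}
    changes = diff_snapshots(old, new)
    findings = []
    for rtype, (removed, added) in changes.items():
        hits = [h for h in added if rtype == "NS" and base_domain(h) in blocked]
        old_bases = {base_domain(h) for h in removed}
        new_bases = {base_domain(h) for h in added}
        if hits:
            findings.append(("high", f"NS now at blocklisted provider: {hits}"))
        elif rtype in ("NS", "MX") and removed and added and old_bases.isdisjoint(new_bases):
            findings.append(("medium", f"{rtype} provider replaced: {removed} -> {added}"))
    if "NS" in changes and "MX" in changes:
        findings.append(("medium", "NS and MX changed in the same interval"))
    return findings

if __name__ == "__main__":
    for severity, message in assess(OLD, NEW, NS_BLOCKLIST):
        print(severity, message)
```

Normalising case and trailing dots before diffing keeps cosmetic differences between snapshots from raising false alerts.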


How hosting companies and their clients can protect their infrastructure using DomainCrawler data

  • Automated registration analysis – Implementing risk assessment systems for newly registered domains using hosting services. DomainCrawler allows automatic checks of new registrations by analyzing domain history, ownership changes, and DNS records to identify potential threats before they become active.
  • Restricting suspicious domain registrations – Blocking domains based on naming patterns or links to known fraudulent schemes. DomainCrawler assists in identifying such domains by comparing new registrations against historical fraud data and detecting connections between domains previously used for malicious purposes.
  • Reactive monitoring – Automated detection of domains that suddenly become active in attacks. With DomainCrawler, hosting companies can track domains that abruptly change DNS or experience spikes in activity, which may indicate use in phishing or botnet operations.
  • Collaboration with registrars – Sharing information on abuse helps in the swift blocking of malicious domains. DomainCrawler provides analytical reports on suspicious domains, facilitating the identification and mitigation of threats in cooperation with registrars.
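
One way to screen new registrations by naming pattern, covering both algorithmically generated names and names similar to well-known brands; this is an added example, not DomainCrawler's detection logic. The brand list, homoglyph table and thresholds (length 12, entropy 3.5 bits, edit distance 1) are constructed assumptions to tune against your own data.

```python
import math
from collections import Counter

# Constructed sample data: protected brand labels and a small homoglyph folding table.
BRANDS = ["examplebank", "paynow"]
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})

def label_of(domain):
    """Registrable label, naively the second-to-last label (no Public Suffix List)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(domain):
    """Return the reasons, if any, to hold a new registration for manual review."""
    label = label_of(domain)
    reasons = []
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    # Long, high-entropy labels with few vowels or many digits look machine-generated.
    if len(label) >= 12 and entropy(label) >= 3.5 and (vowels / len(label) < 0.25 or digits >= 3):
        reasons.append("dga-like")
    # Fold digit-for-letter swaps and hyphens before comparing against brand names.
    folded = label.translate(HOMOGLYPHS).replace("-", "")
    for brand in BRANDS:
        if label == brand:
            continue  # the brand's own label; ownership is verified elsewhere
        if brand in folded or edit_distance(folded, brand) <= 1:
            reasons.append(f"lookalike:{brand}")
    return reasons
```

A non-empty result is a reason to queue the registration for review, not proof of abuse; entropy heuristics in particular misfire on legitimate random-looking names.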


Conclusion: DomainCrawler data as a basis for decision-making

Hosting companies and their clients need to proactively monitor which domains operate on their servers and utilize their infrastructure. Leveraging historical domain data, automated monitoring, and collaboration with registrars significantly reduces risks. This approach not only helps protect hosting providers’ customers but also allows clients to manage their online assets with confidence, enhancing trust in their digital operations. DomainCrawler data provides companies with a comprehensive view of domain activity, enabling them to identify threats and determine appropriate actions based on their security strategies. Hosting providers can integrate DomainCrawler data into their monitoring systems to gain up-to-date insights on domain changes and assess risks according to their specific needs.



Olena Kuzmenko

Equip brand experts with tools to spot brand misuse and trademark violations.

2 weeks

The data is here, and we are here to support your business.
