Newly registered domains, or “NRDs” for short, are domains that were created, or whose Domain Name System (DNS) records changed, within the past few weeks. Modifications such as a change in domain ownership or in any data point (contact details, for instance) of a domain’s WHOIS record also make even the oldest domains “new” again.
You can determine if a domain is newly registered by looking at its WHOIS record, specifically its creation or last update date.
While the age of a domain doesn’t matter in most cases, it does in cybersecurity. Why? Because cybercriminals and other threat actors often use newly registered domains as malware hosts in their campaigns.
Are There Particular Kinds of Newly Registered Domains You Should Avoid?
While cybersecurity experts would warn individuals and organizations to avoid accessing all newly registered domains, that may be too restrictive, because it could keep you from visiting even legitimate and reputable sites. Therefore, we recommend steering clear of the following particular types of newly registered domains instead.
Punycode Newly Registered Domains
Punycode was created to allow non-native English speakers to use internationalized domain names (IDNs) for their websites. IDNs are domain names written in languages other than English or that use non-Latin characters. An example would be “点击网站.” In Punycode, that translates to “xn--89q526eh4gzse.” In English, that means “click[.]com.”
Punycode thus translates IDNs into domain names comprising only English letters (A–Z) and Arabic numerals (0–9) because those are the only ones the DNS recognizes.
Computer-Generated Newly Registered Domains
NRDs created using domain generation algorithms (DGAs) fall under this category. Simply put, a DGA is a program that generates a fresh batch of domain names at a set interval (say, every five minutes).
Cyber attackers often use computer-generated newly registered domains to redirect users to malicious websites instead of those they wish to visit. These web properties comprise random alphanumeric characters. An example would be gd6hwkd[.]xyz.
Newly Registered Domains Inspired by Current Events
Threat actors are known for riding on special occasions, holidays, and newsworthy events to successfully bait victims into visiting their specially crafted malicious sites. This tactic is especially prevalent in phishing campaigns that aim to steal targets’ login credentials.
Typosquatting Newly Registered Domains
Cyber attackers also widely use typosquatting domains that look very similar to those that belong to the world’s biggest brands. This technique allows them to trick more people into entering their login credentials into fake login sites. An example would be paypaI-security[.]com, where the supposed lowercase “L” is actually a capital “i.”
How Can You Avoid Becoming the Victim of a Threat That Uses NRDs?
Here are some best practices to prevent becoming a victim:
- Configure your systems to block access going to and coming from NRDs by downloading and integrating a newly registered domain database into your security solutions. You’ll need to update the database regularly, so make sure to download a fresh copy periodically, say, once a month.
- Set up a rule so your security solutions will automatically block access to DGA-created domains.
- Block all access to Punycode domains if your employees don’t need to visit internationalized websites for work or if you don’t do business with companies that use IDNs.
- Integrate a typosquatting data feed into your security solutions to prevent interactions with potentially harmful sites. Like the newly registered domain database, however, you’ll need to update the feed regularly.
- If you don’t want to miss out on potential business opportunities with newly registered domain owners, white-list the legitimate ones, so even if your network automatically blocks access to NRDs, you can still access those on your list of exceptions.
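To make the checks behind the categories and best practices above concrete, here is an added example (not the page’s own code) that triages a domain for Punycode labels, DGA-like names, typosquats of a watched brand, and WHOIS creation age. The brand watch-list, the vowel-ratio threshold and the 30-day NRD window are assumptions chosen for the illustration; the inputs are constructed from the page’s own examples.

```python
# Added illustration (not the page's code): defender-side triage for the NRD
# categories above. Brand list, vowel-ratio threshold and 30-day window are assumed.
from datetime import datetime

BRANDS = {"paypal", "microsoft", "google"}  # assumed watch-list of brands to protect

def is_punycode(domain: str) -> bool:
    """Any label beginning with xn-- is an IDN encoded in Punycode."""
    return any(lab.lower().startswith("xn--") for lab in domain.split("."))

def unicode_form(domain: str) -> str:
    """Decode xn-- labels to what a user would see; undecodable labels stay as-is."""
    out = []
    for label in domain.split("."):
        try:
            out.append(label.encode("ascii").decode("idna"))
        except UnicodeError:  # not valid Punycode, or not ASCII at all
            out.append(label)
    return ".".join(out)

def looks_dga(domain: str) -> bool:
    """Coarse heuristic: a long leftmost label with almost no vowels (e.g. gd6hwkd)."""
    label = domain.lower().split(".")[0]
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return len(label) >= 6 and (not letters or vowels / len(letters) <= 0.2)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalikes of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_target(domain: str):
    """Brand imitated within one edit, or None. DNS is case-insensitive, so paypaI becomes paypai."""
    label = domain.lower().split(".")[0]
    for token in label.split("-"):
        for brand in BRANDS:
            if label != brand and edit_distance(token, brand) <= 1:
                return brand
    return None

def is_nrd(created: str, today: str, max_age_days: int = 30) -> bool:
    """True if the WHOIS creation date (YYYY-MM-DD) falls within the assumed NRD window."""
    age = (datetime.strptime(today, "%Y-%m-%d") - datetime.strptime(created, "%Y-%m-%d")).days
    return 0 <= age <= max_age_days
```

Each function returns a verdict rather than blocking anything, so the results can feed the allow-list exception step above before a block rule fires.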
—
We’ve seen how destructive malicious newly registered domains can be with threats like Kraken, which incidentally was the first malware to use DGA-generated domains. Now, you know there’s a way to avoid accessing them.