Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks
Kyungchan Lim, Raffaele Sommese, Mattijs Jonker, Ricky Mok, kc claffy, and Doowon Kim

TL;DR
This study analyzes the lifecycle of over 690,000 phishing domains over 39 months, revealing patterns in registration, detection delays, and deregistration, to improve DNS-level anti-phishing defenses.
Contribution
It provides a comprehensive longitudinal analysis of phishing domains, highlighting registration behaviors, detection delays, and potential intervention points for enhanced defenses.
Findings
66.1% of domains are maliciously registered using cost-effective TLDs
Phishing domains remain accessible for an average of 11.5 days after detection
Detection speed improvements are minimal across different blocklists
Abstract
Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39-month period, to examine their characteristics and behavioral patterns throughout their lifecycle, from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their…
Taxonomy
Topics: Spam and Phishing Detection · Internet Traffic Analysis and Secure E-voting · Web Application Security Vulnerabilities
