# BadDomains: Early Detection of Phishing Domains Registration

**Authors:** Karolina Seweryn, Piotr Białczak, Tomasz Chytry-Trzeciak

PMC · DOI: 10.3390/s26031041 · Sensors (Basel, Switzerland) · 2026-02-05

## TL;DR

BadDomains is a system that detects phishing domains early by analyzing domain registration data and phishing trends.

## Contribution

BadDomains introduces a novel system for early phishing domain detection using registry data and phishing insights.

## Key findings

- BadDomains outperformed Premadoma with higher F1 scores in phishing domain detection.
- Operational deployment revealed timely detection of previously unknown phishing domains.

## Abstract

Phishing attacks often rely on impersonating a legitimate entity, such as a well-known company or a bank, with the intent to deceive individuals. A common tactic used by cybercriminals to conduct such an attack is to register a specific domain to host a phishing website on it. In this paper, we propose BadDomains, a system for the early detection of phishing domains’ registration. BadDomains utilizes domain registry data about newly registered domains combined with knowledge about the current phishing situation, such as information about the most frequent impersonation targets or suspicious domain contact information. An analysis of .pl phishing domain registry data, combined with the authors’ CSIRT operational experience, helped in the design of new features. It also facilitated the extension of features already used in other solutions. The system’s evaluation has been performed using information from the .pl Top Level Domain (TLD) registry combined with CERT Polska’s (Polish national CSIRT) public list of phishing domains, used as ground truth. BadDomains has been compared to a similar detection system designed for the .eu TLD called Premadoma, which was adapted for this work. The results showed that BadDomains achieved higher F1 scores than Premadoma. After operational deployment, the system proved to provide timely detections, uncovering unknown phishing domains.

## Figures

11 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12900114/full.md

## References

37 references — full list in the complete paper: https://tomesphere.com/paper/PMC12900114/full.md

---
Source: https://tomesphere.com/paper/PMC12900114