Registration, Detection, and Deregistration: Analyzing DNS

Abuse for Phishing Attacks

Kyungchan Lim Kiho Lee Raffaele Sommese
University of Tennessee University of Tennessee University of Twente
Knoxville, USA Knoxville, USA Enschede, The Netherlands
klim7@utk.edu klee120@utk.edu r.sommese@utwente.nl

Mattijs Jonker Ricky Mok kc claffy

University of Twente CAIDA/UC San Diego CAIDA/UC San Diego
arXiv:2502.09549v1 [cs.CR] 13 Feb 2025

Enschede, The Netherlands San Diego, USA San Diego, USA

m.jonker@utwente.nl cskpmok@caida.org kc@caida.org

Doowon Kim
University of Tennessee
Knoxville, USA
doowon@utk.edu
Abstract The blocklisting mechanisms (e.g., Google Safe Browsing [24])
Phishing continues to pose a significant cybersecurity threat. While currently serve as the primary defense against phishing attacks.
blocklists currently serve as a primary defense, due to their reactive, Google Safe Browsing is integrated into Google Chrome browsers
passive nature, these delayed responses leave phishing websites and by default enabled for end-users. These systems aim to protect
operational long enough to harm potential victims. It is essential users by preventing access to known (i.e., blocklisted) phishing web-
to address this fundamental challenge at the root, particularly in sites. However, their reactive (i.e., passive) nature introduces critical
phishing domains. Domain registration presents a crucial interven- security gaps in phishing protection. The fundamental limitation
tion point, as domains serve as the primary gateway between users of blocklists lies in their update latency—the time gap between
and websites. when attackers register domains and deploy a new phishing site
We conduct a comprehensive longitudinal analysis of 690,502 and when security crawlers detect, verify, and add it to the blocklist.
unique phishing domains, spanning a 39-month period, to exam- This delay creates a vulnerability window during which new phish-
ine their characteristics and behavioral patterns throughout their ing sites remain accessible to potential victims, allowing attackers
lifecycle—from initial registration to detection and eventual dereg- to freely operate their campaigns. Notably, a previous work [51]
istration. We find that 66.1% of the domains in our dataset are indicated that 75% of victims may encounter the malicious site
maliciously registered, leveraging cost-effective TLDs and target- before blocklist updates take effect.
ing brands by mimicking their domain names under alternative To effectively combat phishing attacks, it is essential to address
TLDs (e.g., .top and .tk) instead of the TLDs under which the brand the fundamental problem at the root, particularly phishing domains.
domains are registered (e.g., .com and .ru). We also observe min- Domains play a pivotal role in connecting users to websites, in-
imal improvements in detection speed for maliciously registered cluding malicious ones. This critical position makes domains an
domains compared to compromised domains. Detection times vary ideal intervention point for detecting and preventing phishing at-
widely across blocklists, and phishing domains remain accessible tacks before they can reach potential victims. Particularly, phishing
for an average of 11.5 days after detection, prolonging their po- attackers can choose between two strategies for utilizing domain
tential impact. Our systematic investigation uncovers key patterns names: 1) registering a new domain specifically for malicious pur-
from registration through detection to deregistration, which could poses; or 2) compromising an existing, legitimate website with an
be leveraged to enhance anti-phishing active defenses at the DNS already established domain. Maliciously registered domains present
level. a unique opportunity for mitigation at the domain level, as these
domains are intentionally created to facilitate malicious activities.
Prior studies [28, 44, 46, 48, 49, 51] have explored various aspects
1 Introduction of phishing websites, such as ccTLD, URL patterns and visual
Phishing attacks continue to pose one of the most pervasive cyberse- content. Specifically, Moura et al. [46] analyzed phishing domains
curity threats, with attackers deploying increasingly sophisticated mimicking target brand webpages but focused solely on three Euro-
impersonation tactics. The attackers create convincing replicas of le- pean ccTLDs: .nl, .ie, and .be. While Maroofi et al. [44] introduced
gitimate websites (e.g., facebook.com or USPS.com), to deceive users the methods to define maliciously registered domains, the char-
into divulging their login credentials and sensitive information. acteristics of maliciously registered domains for phishing attacks
Such attacks have substantial consequences, leading to financial have been unexplored. Despite the importance of understanding
losses for victims [1], reputational harm for impersonated organi- the dynamic behaviors and lifecycle of maliciously registered
zations [8], and compromised business infrastructures [46]. domains, these aspects remain largely unexamined to date.
 Kyungchan Lim et al.

To address this gap, our study undertakes a systematic, longitu- phishing domains remain accessible for an average of 11.5 days,
dinal analysis of phishing attacks using phishing domains, with a prolonging the risk to potential victims.
focus on those that are maliciously registered domains. By exam- • We present a comprehensive longitudinal analysis of phishing
ining these phishing domains from registration to detection and domains (39 months). We publicly share our collected phishing
eventual deregistration, we aim to better understand the phishing dataset (i.e., phishing domains) to facilitate future phishing
attack ecosystem at the domain level. To further understand ma- research upon acceptance.
liciously registered domains, we raise the two following research
questions. RQ1: What are the characteristics of maliciously registered 2 Background
domains and how can we find maliciously registered domains? RQ2:
What is the lifecycle of a maliciously registered domain? We provide a brief overview of domain registration and DNS records,
Our analysis shows that 66.1% of all names in our phishing with an emphasis on phishing attacks.
domains dataset are specifically registered for malicious purposes.
To better understand these malicious domains, we examine their 2.1 Domain Registration and DNS Record
characteristics, focusing on TLD usage and targeted brands. We
Domain Registration. Domain registration is the foundational
observe that new gTLDs (e.g., .top, .shop) are widely utilized due
process through which a unique domain name is acquired and asso-
to their low cost (as little as $1 per domain). Following the cessation
ciated with an individual or organization. This process involves se-
of Freenom, the use of the .cn TLD increased significantly. Notably,
lecting a domain name and choosing a top-level domain (TLD), such
the USPS brand experienced a sharp rise in domain registrations,
as .com, .org, or country-specific TLDs, such as .us or .cn. Once a
frequently under cost-effective TLDs. The latter holds true for Ozon
domain is registered through a registrar, critical DNS records—such
as well. Our observations align with prior research [32].
as A records, which link the domain to an IP address, and NS records,
To gain deeper insights into phishing domains with malicious
which designate authoritative name servers—are established to fa-
registration activity, we analyze their DNS records, dynamic be-
cilitate the Web services. The registry maintains the TLD’s zone
havior, and lifespan, spanning from registration to detection and
file, which includes delegation details for domains under that TLD.
eventual deregistration. Our analysis reveals that phishing domains
These zone files are updated in real-time or periodically by the reg-
often exhibit dynamic DNS behavior, frequently updating their DNS
istry as domain registrations and configurations change. Separately,
records with short TTLs, indicative of fast-flux DNS techniques.
organizations like ICANN collect published snapshots of these zone
Regarding lifespan, maliciously registered domains are detected
files at regular intervals (e.g., every 24 hours for gTLDs [31]), though
slightly faster than compromised domains with a median detec-
the exact frequency depends on the TLD administrator’s policies.
tion time of 16.3 days for malicious domains compared to 86 days
It’s important to note that the frequency of published zone file
for compromised domains. On average, deregistration occurs ap-
snapshots is distinct from the registry’s internal updates to the
proximately 11.5 days after detection. However, detection delays
zone file.
vary significantly across blocklists, with some domains listed in
Phishing.Database showing an average detection delay of up to
WHOIS. Registration data is typically accessed through WHOIS
388.5 days. or the Registration Data Access Protocol (RDAP). WHOIS has been
Our contributions are as follows: the standard for retrieving domain registration information since
• Building on previous methods, we enhance the approach to the 1970s. However, due to its inconsistencies and limitations,
identify maliciously registered domains. Our analysis reveals RDAP was introduced in 2015 as its successor. RDAP improves
that 66.1% of the domains in our dataset are maliciously upon WHOIS by offering structured, machine-readable registration
registered, with the remainder being compromised domains. data along with advanced features such as differentiated access,
• From our analysis of maliciously registered domains in our internationalization, and extensibility. By examining the domain
dataset, we identify three key characteristics: 1) New gTLDs: registration choices of phishing sites, including their TLD
Domains frequently use low-cost new gTLDs (e.g., .top, .xyz, preferences, registrar selection, and DNS configuration, researchers
and .online), with .cn usage rising after Freenom ceased free can uncover patterns that may inform more effective, proactive
registrations [38], aligning with previous reports [32]. 2) TLD detection methods against these evolving threats.
Variation in Brand Targeting: Phishing domains targeting brands Top-level Domain (TLD). As described in prior work [30],
(e.g., USPS, OZON) often use alternative TLDs (e.g., .top, .tk) gTLDs can be categorized into legacy gTLDs and new gTLDs. New
instead of the brand’s original TLDs (e.g., .com, .ru). 3) DNS Fast gTLDs refer to TLDs introduced as part of ICANN’s expansion
Flux: 64.3% of domains show frequent DNS updates, with 25.8% program in 2012. Initially, there were only 8 gTLDs, and another
using TTLs below 3600 seconds to possibly enable DNS fast flux. 8 in 2004. In 2012, ICANN launched the new gTLD program, which
• We find that maliciously registered domains are detected by aimed to provide greater flexibility for registrants to create unique
blocklists (e.g., APWG) faster than compromised domains, with and innovative website names. This initiative also alleviated the
a median detection time of 16.3 days for malicious domains overcrowding in the legacy gTLD market, offering more options
compared to 86 days for compromised domains. Additionally, for domain registration. Since the program’s introduction, over
detection times vary significantly across blocklists, with a thousand new gTLDs have been delegated to the root zone,
USPS and Ozon being the quickest with 1.4 and 1.3 days significantly expanding the domain name landscape.
respectively. Even after detection by blocklists (e.g., APWG), DNS Record. DNS records are fundamental components of the
Domain Name System (DNS), serving as mappings that enable
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

domain names to link to specific internet resources, such as IP Table 1: Overview of Our Collected Dataset from July 2021 to
addresses, email servers, and authoritative name servers. Each DNS October 2024 (39 months). We collect a total of 2.3M phishing
record type provides unique information and functionality essential URLs and 765K domains.
for domain operation. For instance, A records (Address records) Type # URLs # Domains # TLD
link a domain to an IPv4 address, directing users to the correct
APWG [6] 2,184,835 697,237 1,203
server when they access a website. NS records (Name Server records)
phishunt.io [56] 262,755 66,743 598
specify which servers are authoritative for a domain, manage DNS
PhishStats [54] 221,331 57,299 541
queries, and ensure accurate routing. OpenPhish [52] 115,804 26,127 480
DNS records may differ depending on the geographic or network Malware-filter [14] 76,465 24,300 470
location, known as the vantage points, from which the DNS query PhishTank [55] 5,579 1,695 195
is made. This variation occurs because DNS configurations can be Phishing.Database [45] 393 236 51
adapted to present different responses based on the requester’s
Total (Distinct) 2,294,267 765,910 1,258
location, such as content delivery optimization or load balancing.
– APWG: collected from Jul. 15, 2021 to Oct. 31, 2024.
– Others: collected from May 31, 2024 to Oct. 31, 2024.
2.2 Phishing Attack and Tactic
Phishing attacks are a type of advanced social engineering where
cybercriminals deceive victims into divulging sensitive informa- there is limited understanding of how attackers exploit DNS regis-
tion. Phishing attackers craft fake websites that closely resemble tration strategies for phishing attacks. To this end, our work aims
legitimate ones (e.g., Facebook or PayPal), deceiving victims into to bridge this knowledge gap by focusing on maliciously registered
entering their credentials. domains for phishing attacks and their abuse of DNS systems. Par-
ticularly, we seek to answer our research questions through our
Phishing Tactics for Domain Registration. The choice of the
analysis using our dataset of phishing domains: RQ1: What are the
registrar and TLD can significantly impact a domain’s visibility,
characteristics of maliciously registered domains, and how can we
cost, and accessibility, with certain TLDs (e.g., .tk or .xyz) often
find maliciously registered domains? and RQ2: What is the lifecycle
being cheaper or subject to less stringent registration requirements.
of a maliciously registered domain?.
Phishing attackers frequently take advantage of this aspect of do-
main registration, choosing low-cost or lenient TLDs to host their
malicious sites in large numbers while minimizing expenses [46]. 4 Dataset Collection
Additionally, some registrars (e.g., Alibaba Cloud [12]) have mini- To address our research questions, we collect a dataset compris-
mal verification protocols, making it easier for attackers to quickly ing phishing URLs (Section 4.1), DNS records using a custom-built
register multiple domains in bulk under anonymous or fabricated crawler (Section 4.2), and registration timestamps of phishing do-
identities [5]. This practice allows attackers to operate on a large mains to analyze their characteristics and lifespans (Section 4.3).
scale, using each domain temporarily until it is flagged or blocked by
detection systems, then transitioning to newly registered domains. 4.1 Phishing URL and Domain Collection
Phishing Tactics for Domain Name. When conducting phishing As shown in Table 1, we first collect 2.3M phishing URLs and
attacks, attackers employ various domain registration strategies to their associated 765K distinct domains (1,258 TLDs) across a 39-
deceive users. They commonly use typosquatting, registering do- month period spanning July 2021 to October 2024 from multiple
mains with subtle misspellings, such as paypaI.com (using a capital prominent phishing blocklists including APWG (Anti-Phishing
I instead of L) or missing letters such as goole.com. Another tactic Working Group) [6], Malware-filter [14], OpenPhish [52], Phishing-
involves creating domain variations by adding words or modifying Database [45], phishunt.io [56], PhishStats [54], and PhishTank [55].
the structure, resulting in domains like paypal-secure-login.com or These sources have been used to better understand the phishing
login-paypal.net. Attackers also abuse different top-level domains ecosystem [36, 39, 48–51]. Particularly, APWG is a global industry
(TLDs), using alternatives like .co or country-specific codes instead association of anti-phishing entities, including banks and financial
of the legitimate .com. services companies, Internet service providers, law enforcement
3 Problem Statement agencies, and security vendors. APWG maintains an extensive data-
base of phishing URLs gathered from multiple sources.
Phishing remains a major security threat, with traditional blocklist-
based defenses (e.g., Google Safe Browsing—Google Chrome default
anti-phishing system) suffering from significant detection delays. 4.2 DNS Record Collection
These systems often take hours or days to update after new phishing To answer our research question (RQ1: What are the characteristics
domains are registered, creating a critical window of vulnerability of maliciously registered domains, and how can we find maliciously
during which attackers can successfully target victims [40–43, 48, registered domains?), we develop a comprehensive DNS data collec-
49]. tion system to monitor and analyze how phishing attackers con-
Addressing phishing at the DNS level—when domains are first figure and modify their DNS settings across different geographic
registered—is crucial, as domains are the primary gateway to phish- locations. Our system periodically collects DNS records types of
ing websites. However, while previous studies [28, 44, 46, 48, 49, 51] our collected phishing domains (i.e., A, AAAA, NS, MX, TXT) to provide
have focused on URL patterns, visual content, and blocklist data, detailed insights into their behavior.
 Kyungchan Lim et al.

Data Collection Domain Classification

Timestamp Lifespan Analysis
Zone Files Brand Names Features
Squatted Attributes Registration
WHOIS TLD Usage
/RDAP Random-looking
Ownership
Bulk Registered Brand Targets Deregistration
Phishing Blocklist Feeds DNS
DNS Config
765K Domains Records Server Analysis
(July 2021 – Oct. 2024) Detection
Blocklists
Monitoring (Detection Timestamps)

Figure 1: Overview of Our DNS Analysis on Phishing Domains.

DNS Crawler Design. Figure 1 illustrates our data collection pro- number) can be unavailable to the public. To this end, we leverage
cess. We implement a multi-threaded crawler designed for scalabil- the methodology of COMAR [44] to obtain registration timestamps
ity and reliability, using concurrent processing to efficiently handle of the domains whose information is hidden. Furthermore, we also
thousands of domain queries. The crawler maintains a connection utilize DNS Zone files from DNS Coffee [66] and DZDB [10] for
pool for database access and implements file-locking mechanisms more comprehensive registration timing analysis. These services
to prevent data corruption during parallel operations. The crawler daily collect and archive TLD Zone files from ICANN [29]. The
collects detailed DNS information using the dig command with Zone file data provides first-appearance and last-seen timestamps
comprehensive parameters. This approach enables the recursive of domains; the last-seen timestamp indicates when a domain has
collection of DNS records, capturing all possible types. For reliabil- been deregistered and is no longer active. We also utilize passive
ity, our system implements a retry mechanism with exponential DNS (pDNS) data through DomainTools’ Farsight DNSDB [17].
backoff, attempting each query up to 5 times before marking it as This dataset includes a first-seen timestamp, indicating the earliest
failed. recorded observation of a domain in the passive DNS.
Our crawler operates at 30-minute intervals, enabling us to cap- Our Collected Registration Data. Our dataset includes domain
ture both gradual changes and modifications in DNS configurations. registration timestamps collected from various sources: WHOIS
This high-frequency polling is crucial for detecting dynamic DNS (25,987 domains), RDAP (436,176 domains), CT logs (71,156 do-
behaviors that phishing attackers might employ to evade detection, mains), DomainTools (27,929 domains), and DNS Coffee (526,867
such as fast-flux DNS or rapid record updates. The system stores domains, inclusive of DZDB data). In total, we have 526,954 reg-
DNS responses in a structured JSON format, organized by domain, istration timestamps for unique domains. In sum, our approach
timestamp, and vantage point. enables us to achieve 76.3% (526,954 out of 690,502) coverage of our
Our data collection period spanned from June 6, 2024, to October collected domains. While relying solely on registration timestamps
31, 2024. We gathered URLs from blocklist feeds and extracted from WHOIS and RDAP provides 62.4% (431,011 domains) cover-
their domains and subdomains to perform DNS queries during this age, incorporating additional data sources such as zone files, pDNS
period. Using our crawler, we collected a total of 94,798 domains, data, and CT logs significantly improves the completeness of our
including subdomains, with 11,932 being unique domains. timestamp data.
Vantage Points. Moreover, to detect location-based DNS config-
urations, we query DNS records from 10 geographically diverse
DNS resolvers. These include global providers (Google, Cloudflare,
5 Identifying Maliciously Registered Domains
Quad9, OpenDNS) and regional servers across six continents (Brazil, We first define maliciously-registered domains and then devise a
South Africa, UK, Australia, South Korea, US). This distributed ap- method to identify the ones for phishing attacks. We further analyze
proach reveals if phishing domains serve different DNS responses the bulk registrations of phishing domains.
based on geographic location—a technique attackers might use to Def. of Maliciously-registered Domains. Phishing domains
evade detection or target specific regions. can be classified into two categories: maliciously registered do-
mains and compromised domains. A maliciously registered domain
4.3 Domain Registration Collection is intentionally purchased by an attacker for malicious purposes.
To investigate the lifecycle of maliciously registered domains (RQ2: In contrast, a compromised domain is a legitimate domain origi-
“What is the lifecycle of a maliciously registered domain?”), we collect nally used for benign purposes, but attackers exploit vulnerabilities
registration information (including timestamps and registrars) of of web servers and inject malicious content (e.g., phishing pages)
our collected phishing domains. We first utilize WHOIS and the into the benign servers. Detecting maliciously registered domains
Registration Data Access Protocol (RDAP) [57] from registrars and at an early stage is a critical step in preventing phishing attacks
registries as WHOIS and RDAP provides basic information, such as effectively.
registrar names and domain registration/expiration dates. Identification of Maliciously-registered Domains. We
GDPR Restriction. However, due to the European General Data utilize Tranco 1M domains [64] as a reference to filter out both
Protection Regulation (GDPR), the registration timestamp and the legitimate domains and web hosting (or website builder) service
registrant’s information (such as their name, address, and phone domains from our collected phishing domains. For example, while
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

Table 2: Maliciously-registered Domain. Each steps are taken Table 3: Top 10 Registrar in Bulk Registered Domains. Alibaba
after removing the Tranco Top 1M [64] list of domains (total stands out as the registrar associated with the highest number
of 689,492). of bulk-registered domains.
Type # of URLs # of Domains∗ Rank Registrar # of Domains Country
(1) Brand Name in Domain 709,694 247,699 (35.9%) 1 ALIBABA SGP.∗ [12] 4,180 (7.6%) CN
(2) Squatted Domain 472,320 180,468 (26.2%) 2 Alibaba (Wanwang)† [5] 2,599 (4.7%) CN
(3) Random-looking Domain 283,366 194,099 (28.2%) 3 SAV.COM [59] 2,093 (3.8%) US
(4) Bulk-registered Domain 69,599 54,787 (7.9%) 4 GoDaddy.com [23] 1,845 (3.4%) US
5 Gname.com Pte. [22] 1,560 (2.8%) SGP
Mal. Total† 1,406,525 455,525 (66.1%) 6 Alibaba Cloud‡ [12] 1,352 (2.5%) CN
∗: Due to the overlap, total domains are over 100% 7 NameSilo [47] 1,285 (2.3%) US
8 Network Solutions [62] 623 (1.1%) US
‘blogspot.com’ is a legitimate blogging service, attackers may 9 Dynadot Inc [18] 618 (1.1%) US
create subdomains, such as ‘usps-tracking-service.blogspot.com’ 10 Aceville Pte. [2] 604 (1.1%) SGP
for phishing purposes. After removing the platform-based phishing Total 54,787 (100%) -
domains, our list remains 689,492 domains. ∗: ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE
Furthermore, we leverage the previous approaches [11, 16, 27, †: Alibaba Cloud Computing Co., Ltd. (Wanwang)
32, 44] on finding maliciously registered domains. Especially, CO- ‡ : Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
MAR [63] demonstrated a 95% accuracy using lexical features and
registration timestamps in domains. The method from COMAR
includes nine lexical features (i.e., presence of a brand name in the domain name (e.g., faaebook.com), replacing characters with visu-
domain name, path part of URL, and misspelled target brand name ally similar alternatives (e.g., faceb0ok.com, where o is replaced
in the domain name). By merging those features and additional with the number, 0), and adding hyphens or extra prefixes (e.g.,
features we discovered, we design our method to detect maliciously face-book.com or dfacebook.com). Our analysis shows that 26.2% of
registered domains by using the following four steps: (1) brand domains in our dataset are squatted domains.
name in domains, (2) squatted domains, (3) random-looking al- (3) Random-looking Algorithmic Domain. The random ap-
gorithmic domains, and (4) bulk registered domains. As shown pearance of algorithmically generated domains makes them hard to
in Table 2, each steps are taken after removing the Tranco 1M [64] detect [20, 58]. Attackers exploit this trend by capitalizing on users’
domains from the total list of domains. tendencies not to scrutinize domain names closely before clicking
(1) Brand Name in Domain. The first approach to identifying on links, even when the domain looks suspicious. To find random-
maliciously registered domains involves detecting brand names looking algorithmic domains, we follow the approach in [58] by
within the domain or subdomain (e.g., usps-security.example.com, matching domains with English word lists. We use [60], a word
or www.usps-security-login.com). To establish a comprehensive list containing 108,687 words, to identify domains that include any
baseline, we curate a list of the top 1,000 most targeted brands English words. We apply this process after removing the brand
in our collected datasets (i.e., APWG), covering 97% of the domains in the domain and squatted domains, leaving a total of 194,099
in our dataset. Domains or subdomains containing any of these domains.
brand names are flagged as part of this category. Our analysis re- As shown in Table 2, a significant portion of domains (28.2%) are
veals that 33.9% of domains in the dataset incorporate brand names random-looking algorithmic domains. While such domains may
in their domain or subdomain, highlighting the prevalence of this appear suspicious to a human [58], automated detection tools often
tactic among phishing attackers. Detailed results for maliciously struggle to classify them as malicious due to their lack of clear
registered domains across all categories are summarized in Table 2. patterns or recognizable features.
(2) Squatted Domain. The second category is one of the most (4) Bulk Registration of Domain. Attackers often register many
common tactics used by phishing attackers: exploiting squatted malicious domains simultaneously through bulk registration to
domains. These domains incorporate a modified version of a brand maximize profits with minimal effort [28]. A phishing campaign
name in the domain or subdomain, closely mimicking legitimate can involve registering multiple domains at the same time and
brand domains to deceive users. For example, a phishing website deploying multiple webpages with different domains. Even if one
targeting facebook.com might use a squatted domain such as domain is blocklisted, an attacker can rely on others to continue
faceb{o}ook.com to trick victims into believing they are accessing the attack. Our method to find bulk registered domains includes
an authentic website. three conditions that must all be met: registered at the same time,
To identify potential squatted domains, we employ the dnstwist registered through the same registrar, and domain names are similar
tool [19], which generates domain name variations using various (using Levenshtein distance [37]).
squatting techniques and widely used in previous works [25, 35, Bulk-registered domains, often created simultaneously through
61, 63]. We apply this tool to the top 200 most targeted brand the same registrar, account for 7.9% of the domains in our dataset,
names, which account for 90% of the domains in our dataset. This as shown in Table 3. While this percentage represents a smaller
process generates 765,444 possible squatted domains based on tech- subset of the dataset, it carries significant implications.
niques such as adding extra characters to the domain name (e.g., Notably, Alibaba Cloud[12] frequently serves as a registrar for
facebook0.com from facebook.com), modifying a single bit in the these domains, offering bulk registration services[4]. Furthermore,
 Kyungchan Lim et al.

Table 4: Top 10 Targeted Brands. Popular brands (e.g., USPS, OZON, Instagram) predominantly utilize .top, .tk, .ml than the
origin of its brand (e.g., .com, .ru).

Malicious Compromised Malicious Domains Compromised Domains

Brand Country Total
Domains Domains
TLD∗ TLD Count Unique§ TLD∗ TLD Count Unique§
Facebook US 66,700 38,817 (58.2%) 27,227 (40.8%) .com 11,485 (29.6%) 439 .com 10,764 (39.5%) 324
USPS US 41,691 37,533 (90.0%) 4,109 (9.9%) .top 15,489 (41.3%) 259 .top 1,835 (44.7%) 153
Microsoft US 26,717 13,681 (51.2%) 12,438 (46.6%) .com 5,759 (42.1%) 449 .com 6,358 (51.1%) 371
DHL GER† 23,539 15,784 (67.1%) 7,277 (30.9%) .com 5,741 (36.4%) 451 .com 3,612 (49.6%) 322
OZON RUS† 18,513 10,248 (55.4%) 8,465 (45.7%) .tk 4,549 (44.4%) 34 .tk 4,600 (54.3%) 17
WhatsApp US 11,521 8,264 (71.7%) 3,163 (27.5%) .com 2,363 (28.6%) 162 .com 1,198 (37.9%) 104
Apple US 11,253 8,942 (79.5%) 2,056 (18.3%) .com 3,385 (37.9%) 234 .com 918 (44.6%) 138
Instagram US 11,181 7,337 (65.6%) 3,681 (32.9%) .ml 1,482 (20.2%) 212 .com 982 (26.7%) 165
Naver KOR† 11,030 7,207 (65.3%) 3,725 (33.8%) .com 2,506 (34.8%) 269 .com 1,549 (41.6%) 195
Amazon US 9,473 7,390 (78.0%) 2,000 (21.1%) .com 2,086 (28.2%) 192 .com 996 (49.8%) 110
∗: Most common TLD in brands. § : # of unique TLD in brand. † : GER: Germany, RUS: Russia, KOR: Korea.

Facebook USPS Microsoft DHL OZON WhatsApp Apple Instagram Naver Amazon
100% 100%
100%
80% 80%
80%
% of Domains

60% 60%
60%

40% 40%
40%

20% 20% 20%

0% 0% 0%
2021 2022 2023 2024 2021 2022 2023 2024 2021 2022 2023 2024

(a) Top 10 Brand by Year All. (b) Top 10 Brand by Year (Malicious). (c) Top 10 Brand by Year (Comp.).
Figure 2: Top 10 Brand by Year. USPS increases dramatically from 2022 to 2024, specifically in maliciously registered domains.
On the other hand, Microsoft decreases in all domains, DHL increases in maliciously registered domains but decreases in the
compromised domains.

it actively promotes bulk registrations through discounted pric- Takeaway: We combined the existing method with our new
ing [5], as illustrated in Appendix A.This combination of bulk reg- method of identifying maliciously registered domains. Mali-
istration functionality and discounted pricing likely lowers the ciously registered domains are over half of phishing domains
barrier for registering multiple domains, making it an attractive (66.1%). Phishing attackers often exploit bulk registration ser-
option for attackers. This practice enables attackers to sustain their vices, such as those offered by Alibaba Cloud. Notably, among
operations by registering multiple domains in bulk, ensuring that registrars that provide bulk registration, Alibaba emerges as the
some remain active even after others are detected. Some registrars most frequently abused platform for registering domains in bulk.
adopt proactive measures, such as stricter verification or limits on
bulk purchases, which significantly reduce the malicious use of
bulk-registered domains.
6 Characteristics of Maliciously registered
Manual Validation. We randomly select 1,000 domains from
Domains
our identified maliciously registered domains. Then, we manually
validate our method of identifying maliciously registered domains We analyze DNS components of maliciously registered domains,
by examining the contents of the phishing domains. Specifically, including their targeted brands, TLDs, and DNS records, to gain
we utilize historical data from the Wayback Machine [7] to identify insights into their characteristics.
domains that either lack historical snapshots or display content
designed to mimic legitimate webpages.
6.1 Targeted Brand
Our analysis reveals that 72.3% of the examined domains do
not have any historical data in the Wayback Machine. Among the We utilize target brand information from the APWG dataset. In
remaining 27.7%, 14.8% domains redirect to error pages, while the our analysis, we identify a diverse range of targeted brands, with
remaining 12.9% of domains host malicious content pages. Facebook standing out as the most targeted brand, followed by
USPS as shown in Table 4. These two brands alone account for a
significant portion with 15.5% (108,391 out of 697,237) of phishing
domains, reflecting their widespread recognition and trust among
users.
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

Table 5: Top 10 TLDs by Year. New-gTLD with lower registration costs is widely used in maliciously registered (.top, .xyz, .shop,
.online) than compromised domains (.net, .info). Freenom usage decreases and (e.g., .cn increased in 2024 where .tk and .ml
decreased)
Maliciously Registered Domains Compromised Domains Price
TLD Total Types† Freenom
2021 2022 2023 2024 Total 2021 2022 2023 2024 Total (USD)∗

.com 218,267 19,359 53,795 42,376 26,949 142,479 10,837 30,051 20,813 14,087 75,788 $6 gTLD No
.top 84,686 2,735 12,792 19,519 18,968 54,014 3,005 10,612 13,721 3,334 30,672 $1 new gTLD No
.xyz 37,698 3,545 10,520 5,396 3,624 23,085 2,985 8,310 2,732 586 14,613 $1 new gTLD No
.shop 30,065 764 2,790 5,905 11,081 20,540 628 1,532 2,550 4,815 9,525 $1 new gTLD No
.cn 24,708 1,639 9,234 2,045 7,060 19,978 471 798 1,582 1,879 4,730 $5 ccTLD No
.tk 22,453 779 10,931 1,802 52 13,564 213 7,001 1,623 52 8,889 $7 ccTLD Yes
.online 14,409 679 3,609 3,084 1,271 8,643 254 3,123 1,741 648 5,766 $1 new gTLD No
.ml 14,154 726 8,868 526 5 10,125 251 3,388 390 0 4,029 $12 ccTLD Yes
.net 12,672 1,302 3,217 2,309 1,260 8,088 691 1,987 1,233 673 4,584 $10 gTLD No
.info 10,619 974 2,891 2,182 2,076 8,123 266 934 843 453 2,496 $2 gTLD No
∗: Cost to register a domain in each TLD [63]. † : gTLD vs. ccTLD. Note that years 2021 and 2024 are not 12 months.

.com .top .xyz .shop .cn .tk .online .ml .net .info
100% 100%
100%
80% 80%
80%
% of Domains

60% 60%
60%

40% 40%
40%

20% 20% 20%

0% 0% 0%
2021 2022 2023 2024 2021 2022 2023 2024 2021 2022 2023 2024

(a) Top 10 TLD by Year All. (b) Top 10 TLD by Year (Malicious). (c) Top 10 TLD by Year (Comp.).
Figure 3: Top 10 TLD by Year. While .com is the most used, .shop, .cn increase over the years.

As shown in Figure 2, a clear trend emerges among popular a subsequent report by Interisle [32] noted a shift, with phishing
targeted brands. Notably, USPS is the second most targeted brand, domains in ccTLDs increasing after Freenom’s policy change. To ex-
accounting for 6.0% of phishing domains. Interestingly, while USPS- amine whether our findings align with this trend, we analyze TLD
targeted domains were minimal in 2021 and 2022, there has been a usage in phishing domains, focusing specifically on maliciously
dramatic increase since 2023. This finding aligns with previous re- registered domains to uncover patterns and their implications.
ports on phishing domain trends [32]. Conversely, Microsoft shows Result: Trend of TLD. Table 5 highlights significant trends in
an overall decline in targeting, with a more pronounced decrease TLD usage across phishing domains, illustrating attackers’ prefer-
observed in compromised domains, as illustrated in Figure 2(c). Ad- ences and the influence of policy changes. The .com TLD dominates
ditionally, DHL-targeted domains demonstrate an increasing trend the landscape with 218,267 (31.3% out of 697,237) total phishing do-
in maliciously registered domains over the years, while showing a mains, likely due to its credibility and widespread familiarity, which
decline in compromised domains. enhance its effectiveness for deception. Low-cost new gTLDs, such
as .top and .shop, become prominent in our result, with 84,686
6.2 Top-level domain (TLD) (12.1%) and 37,698 (5.4%) domains, respectively, reflecting attackers’
We investigate the use of TLDs in phishing domains and assess preference for inexpensive and lenient TLDs. As shown in Table 5,
whether certain TLDs are disproportionately abused. Our analysis the lower registration costs of new gTLDs (with prices as low as $1
considers the varying registration costs across TLDs, which may in our dataset) may contribute to their increased exploitation by
influence attackers’ choices and strategies. phishing domains.
Freenom TLDs (e.g., .tk) are heavily exploited in earlier years,
Motivation. TLD choice plays a significant role in domain regis-
but seen a dramatic decline, dropping from 10,931 domains in
tration for phishing attacks. Attackers may opt for cheaper TLDs
2022 to merely 52 domains in 2024, after Freenom discontinued
to minimize costs or strategically use the same TLD as the targeted
free registrations in 2023. This finding aligns with a previous
brand to enhance impersonation (e.g., using .com for brands that
report [32]. Additionally, as shown in Figure 3, the growing
also use .com). According to a phishing report [32], Freenom TLDs
presence of .cn, from 764 in 2021 to 7,060 in 2024 domains, signals
were among the most commonly exploited by phishing attackers, as
a strategic adaptation by attackers to target TLDs with potentially
they offered free registrations. However, after reports revealed wide-
weaker enforcement mechanisms [32].
spread abuse of this functionality for malicious domain registration,
Freenom ceased offering free registrations in early 2023. Moreover,
 Kyungchan Lim et al.

100%
CDF

50%
Facebook USPS Microsoft DHL Ozon
Instagram Naver Apple WhatsApp Amazon
0%
0 50 100 150 200 250 300 350 400 450 500 550 800 1000 1500 3500 5500
Days
Figure 4: Days Between Registration and Detection by Top 10 Brand.

As illustrated in Figure 3, there is a notable increasing trend in Maliciously-registered Vs. Compromised. The comparison be-
the use of new gTLDs, particularly .top and .shop. Interestingly, tween maliciously registered and compromised domains reveals
the use of .top in maliciously registered domains has steadily in- notable differences in their TLD preferences. Among a total of
creased over the years, while its usage in compromised domains 218,267 .com domains, 142,479 (65.3%) were maliciously registered,
shows a decline in 2024. In contrast, .shop demonstrates a con- while 75,788 (34.7%) were compromised, indicating that attackers
sistent increase in usage across both maliciously registered and leveraging .com domains often register them intentionally for mali-
compromised domains. cious purposes. Conversely, new gTLDs such as .top and .xyz also
show a strong preference for malicious registrations, with 54,014
Takeaway: Phishing domains often exploit new gTLDs due to (63.8%) and 23,085 (61.2%) domains, respectively, highlighting at-
their lower registration costs. Notably, when Freenom discontin- tackers’ exploitation of low-cost TLDs for scalability. In contrast,
ued offering free domain registrations, the usage of .cn domains Freenom TLDs like .tk saw relatively balanced usage between mali-
increased concurrently. Certain new gTLDs, such as .shop, ex- ciously registered and compromised domains before policy changes
hibit distinct trends between maliciously registered domains and restricted their availability. These patterns suggest that maliciously
compromised domains, highlighting different attack strategies. registered domains favor low-cost or lenient TLDs, while compro-
mised domains may be distributed across a broader range of TLDs,
Using Different TLD than Original Brand Domain. Phishing
reflecting their opportunistic use of existing infrastructures. This
domains do not always use the same TLD as their original domains.
distinction underscores the importance of targeted monitoring and
For instance, phishing attackers often register Facebook-targeted
stricter enforcement in TLDs that are disproportionately used for
domains using alternative TLDs such as .top, rather than .com
malicious registrations.
that used by Facebook. Similarly, USPS, the second popular targeted
We analyze the targeted brands between maliciously registered
brand in our analysis, is frequently targeted using .top domains in-
domains and compromised domains. Facebook is the most used
stead of the brand’s original .com. Another example is OZON, ranked
targeted brand, with 66,700 phishing domains, of which 58.20% are
as the 5th most targeted brand, with 49.42% of its phishing domains
maliciously registered. USPS and Microsoft follow, with 41,691 and
registered under the .tk instead of its original .ru. Both .top and
26,717 domains, respectively. USPS exhibits an exceptionally high
.tk are significantly cheaper than .com for registration, with .tk
proportion of maliciously registered domains (90.03%), indicating
previously offered for free by Freenom until January 2023. Inter-
that attackers targeting this brand prefer creating new domains
estingly, both targeted brands USPS and OZON have the quickest
rather than compromising existing ones. Microsoft demonstrates a
detected time by blocklists as shown in Figure 4. We will discuss
more balanced split, with 51.21% malicious registrations and 46.55%
detection time across different brands in Section 7.1.
compromised domains, suggesting a dual approach in leveraging
Another noteworthy observation from Table 4 is that 44.39%
both new and existing infrastructures.
of OZON-targeted domains are registered under .tk, which is sig-
nificantly more popular than any other brand. Additionally, OZON- Takeaway: New gTLDs (e.g., .top, .xyz) are more prevalent in
targeted domains exhibit the smallest number of unique TLDs (34) maliciously registered domains, while compromised domains
among the top 10 brands. Furthermore, as shown in Figure 2, OZON favor legacy gTLDs (e.g., .net, .info). Freenom TLDs like .tk
demonstrates a decline in phishing activity over time. These find- and .ml have declined, while .cn has increased in 2024.
ings suggest that attackers targeting OZON often prefer low-cost
TLDs, such as those offered by Freenom, to minimize costs and
maximize the scalability of their phishing campaigns. 6.3 DNS Records
Takeaway: Phishing attackers prefer low-cost TLDs like .top We characterize the DNS records of maliciously registered domains
and .tk to target brands such as USPS and OZON, with OZON re- collected by our DNS crawler.
lying on .tk for 44.39% of its phishing domains. These brands DNS Records. We study the values of commonly used DNS record
also show the fastest detection times by blocklists, highlighting types (e.g., A, AAAA, CNAME, NS, MX, and TXT). Phishing attackers often
the importance of monitoring cost-effective TLDs to combat configure DNS records to evade detection, frequently altering them
phishing campaigns. using techniques such as fast-flux DNS. Our analysis reveals that
21.4% of domains exhibit record changes, with an average frequency
of 79.4 days and a median of 125.2 days.
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

All Brand Squatted All Brand Squatted

Random Malicious Compromised Random Malicious Compromised
100% 100% USPS (1.4)
USPS (59.2) Med. Lifetime
Microsoft Ozon (11.7) Microsoft
Avg. Lifetime
CDF

CDF
(719.3) (1.3) (440.4)
50% Facebook (286.7) 50%
(275.9) Facebook
DHL
Ozon (440.4) DHL (52.5)
(43) (44.2)
0% 0%
0 100 200 300 400 500 600 700 8001000 5500 0 10 20 30 40 50 60 100 600 900 5500
Average Days Median Days
(a) Average Delays (days) Between Registration and Detection. (b) Median Delays (days) Between Registration and Detection.

Figure 5: Delays (days) Between Registration and Detection. Vertical bars show average (or median) days between registration
time and detection time of the top 5 most targeted brands.

We study the types of DNS records configured in phishing vantage point of the queried DNS servers. Instead, further investiga-
domains. NS records were the most common, with a total of 51,459, tion reveals that these domains implement language customization
followed by A records (13,218), SOA records (8,960), and TXT records through client-side code rather than DNS configuration.
(5,573). Focusing specifically on maliciously registered domains, TTL in DNS Records. In DNS records, the time-to-live (TTL)
we specifically examined those that exhibited DNS record changes. specifies how long DNS settings are cached before they are
Our analysis shows that only 4.6% of these domains (117 out of automatically refreshed. Typical TTL values are 12 or 24 hours,
2,550) demonstrated record changes over time. This suggests that with recommended minimum and maximum values of 1 hour (3600
modifying DNS records is not a commonly used tactic among seconds) and 24 hours (86400 seconds), respectively [33]. 2.1% of the
maliciously registered phishing domains. domains use TTL values less than 60 seconds, and 25.8% use values
To understand the scenarios behind DNS record changes, we shorter than 1 hour (3600 seconds) from our dataset. Only 2.9% of
manually reviewed domains that exhibited such changes over time. the domains set TTLs longer than 12 hours, and among those, 31
One common case involved NS record changes, where domains domains set values between 12 and 24 hours. The median TTL value
shifted from one DNS provider to another (e.g., from Cloudflare to across domains is 3,994 seconds, while the average is significantly
Google). Such changes are often motivated by the desire to leverage higher at 60,827 seconds. The use of short-lived TTLs can facilitate
specific services offered by different DNS providers. For instance, fast-flux DNS, a technique that frequently changes IP addresses
attackers may switch to providers like Cloudflare to utilize fea- to evade detection [9, 21] and often employ by attackers [15].
tures, such as free SSL certificates, which are available for a limited
duration [13]. Takeaway: Our analysis finds that 21.4% of domains change
Our analysis reveals that phishing domains show a strong pref- their DNS records frequently. 2.1% of phishing domains configure
erence for hosting on Amazon Web Services (AWS) infrastructure. their DNS TTL values to less than 60 seconds, a configuration
Specifically, we extract all IP addresses associated with A records commonly associated with fast-flux DNS techniques.
and utilize the Summarize IP feature provided by IPinfo [34] to gain
insights into their hosting characteristics. Among the Autonomous
System Numbers (ASNs) analyzed, AS16509 (Amazon.com, Inc.), a
primary ASN for AWS, hosts 81.2% of the phishing domains, while 7 Lifespan of Phishing Domains
an additional 15.4% are hosted on AS14618 (Amazon.com, Inc.), This section examines the lifecycle of phishing domains, focusing
another AWS-associated ASN. Combined, these two ASNs account on two critical phases: (1) the time from registration to detection,
for 96.6% of all analyzed phishing domains, indicating a significant (2) the time from detection to deactivation, and (3) the comparison
reliance on AWS services. This preference may be attributed to of detection time between blocklists. These phases provide insights
AWS’s scalability, cost-effectiveness, and global reach, which make into how phishing attackers sustain their domains to maximize mon-
it an attractive option for attackers to host phishing domains. In etization and evade timely countermeasures. By analyzing detection
comparison, other hosting providers, such as Google LLC (1.5%), delays and post-detection persistence across different domain types,
JSC Selectel (0.2%), and DigitalOcean, LLC (0.1%), host far fewer brands, and registration strategies, we uncover characteristics in
phishing domains. the lifespan of phishing domains (i.e., maliciously registered). Our
Vantage Point of DNS Server. Phishing attackers can configure findings highlight the need for improved detection mechanisms
location-aware DNS responses. This allows attackers to deliver to reduce delays and more robust enforcement measures to en-
localized phishing content (e.g., Spanish-language phishing pages sure rapid domain takedown, thereby limiting attackers’ ability to
for victims in South America) or to evade detection by serving exploit these domains.
benign pages when accessed from certain locations commonly used
by detection systems.
Our preliminary analysis shows that some phishing domains 7.1 Time Taken between Registration to
adapt their content to different languages based on the location of Detection (Detection Delay)
the user accessing them. However, we do not find any evidence In this section, we analyze how phishing domains are detected by
that these phishing domains alter their DNS records based on the blocklist after registration.
 Kyungchan Lim et al.

Phishunt PhishTank OpenPhish Malware-filter Phishing-db PhishStats

100%
CDF

50%

0%
0 5 10 15 20 25 30 35 500 1000
Days
Figure 6: Days Between APWG Detection and Other Blocklists. Other than Phishunt, all 5 blocklists show similar median
delays (2.3 to 4.4 days except the Phishunt).

Motivation. Maliciously registered domains can be blocked in have a median detection time of 86 days and an average of 332.1
advance when compared to compromised domains. Phishing do- days. This indicates that current detection methods do not perform
mains exhibit significant variation in the time it takes to be detected significantly better at identifying maliciously registered domains
after registration, influenced by the type of domain and the tar- compared to compromised domains. We will discuss potential future
geted brand. As shown in Figure 5, these differences highlight both directions in Section 8.
quicker detection for some brands and prolonged delays for others.
Takeaway: Detection delays for phishing domains vary, with
Result: Overview of Detection Delay. Across all domains, the maliciously registered domains detected faster (median 16.3
overall median detection time is 42.4 days, with an average of 286.2 days) than compromised ones (median 86 days). Brands like
days. For the top 10 most targeted brands, the detection times have a USPS and OZON see rapid detection (medians of 1.4 and 1.3 days),
slight improvement over these values, with an average of 286.2 days while others, like Microsoft, face significant delays (median
and a significantly shorter median of 11.7 days. This suggests that 440.4 days and 52.5 days, respectively).
well-known brands tend to benefit from quicker median detection
times compared to less prominent brands, likely due to more active
monitoring and stronger anti-phishing measures.
Detection Time between Targeted Brands. USPS (United States
Postal Service) [65], a U.S. federal agency providing postal services,
7.2 Time Taken between Registration and
and OZON [53], a Russian e-commerce platform founded in 1998,
stand out with the fastest average detection times among targeted Deregistration (Takedown Delay)
brands. USPS has a median of 1.4 days (average of 59 days), and Figure 7 highlights the significant variation in the time it takes
OZON has a median of 1.3 days (average of 42.9 days). These quicker for phishing domains to be deregistered after detection. Across all
detections may result from more active monitoring systems or phishing domains, the average time between detection and dereg-
simpler phishing tactics that are easier to identify. istration is 11.5 days on average, reflecting a relatively short-lived
Both brands are targeted using non-original TLDs (Section 6.2), post-detection activity. However, specific domain categories reveal
which are often cheaper to register. Also, the detection as shown notable discrepancies. Squatted domains persist significantly longer,
in Figure 4, detection time of USPS and OZON is quickest with a me- with an average lifespan of 23 days post-detection. Random-looking
dian of 1.4 days and 1.3 days respectively. Some registrars, such domains and impersonating specific branded domains exhibit aver-
as Freenom, provide APIs for the immediate takedown of phish- age post-detection duration of 14.8 days and 19.9 days, respectively.
ing domains upon detecting signs of abuse [3]. This suggests that This prolonged availability of squatted and brand-targeted do-
attackers’ choice of cost-effective TLDs may have inadvertently mains underscores their continued risk in phishing campaigns, as
backfired, as these domains could be removed quickly. these domains remain accessible to victims even after being block-
Domains targeting Microsoft take the longest to be detected, listed. The observed differences in deregistration times between
with an average detection time of 719 days (median of 440.4 maliciously registered domain categories, such as brand-targeted
days). Facebook, despite being the most impersonated brand, has (19.9 days), random-looking (14.8 days), and squatted domains (23
a moderate detection time of 275 days (median of 52.5 days). These days), may reflect variations in the policies or practices of registrars
findings highlight significant disparities in detection efficiency and hosting providers. These differences could also indicate that at-
across brands and TLDs, emphasizing the impact of attackers’ TLD tackers exploit specific domain types for their perceived resilience
choices on detection timelines. or due to differences in enforcement or takedown mechanisms.
Maliciously-registered Vs. Compromised. As shown in Figure 5, These findings reveal critical gaps in enforcement mechanisms,
the detection times vary across different categories of maliciously particularly for squatted domains, which outlast other categories
registered domains. Overall, compromised domains consistently by a wide margin.
have slower detection times compared to maliciously registered Takeaway: Maliciously registered domains, especially squatted
domains, though the difference is not substantial. Specifically, the domains, are key in phishing domains but are deregistered more
median detection time for maliciously registered domains is 16.3 slowly, averaging 23 days compared to 11.5 days for all phishing
days, with an average of 206.4 days, while compromised domains domains.
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

100%
Brand Squatted
All (19.9) (23)
(11.5)
CDF

50%
Random
(14.8) All Brand Squatted Random
0%
0 5 10 15 20 25 30 35 50 500 1000 1500 2500 4000 5500
Days
Figure 7: Days Between Detection and Last Seen. Vertical bars show the last seen timestamp from the zone file by each type of
maliciously registered domain.

7.3 Comparison Between Blocklists systems and policies to register malicious domains. Previous re-
As shown in Figure 6, detection times vary significantly between search has proposed multiple strategies to address this issue, but
APWG and other blocklists, illustrating how quickly each blocklist the persistence of maliciously registered domains indicates that
identifies phishing domains after they have already been detected by existing efforts remain insufficient. Several approaches have been
APWG. APWG plays a critical role in identifying phishing domains, discussed in prior work to prevent attackers from registering mali-
with domains on its blocklist having an average detection time of cious domains:
277.3 days and a median detection time of 42.4 days. • Stricter Verification Processes: Implementing enhanced regis-
In contrast, other blocklists show considerable delays in detect- trant verification during domain registration, such as requiring
ing these same domains. For instance, Phishunt.io has an average government-issued identification or multi-factor authentication,
detection delay of 676.1 days and a median of 930.8 days after to ensure the legitimacy of registrants.
APWG’s detection, indicating significant lag. Conversely, blocklists • Monitoring and Reporting Systems: Developing real-time
like PhishTank and OpenPhish demonstrate faster detection times, monitoring tools to detect suspicious registration patterns, such
with PhishTank averaging 167.7 days and a median of 4.4 days, as bulk registrations or domains containing high-risk keywords,
while OpenPhish averages 257.9 days and a median of 4.1 days after and establishing automated reporting mechanisms to notify reg-
APWG detection. Malware-filter and PhishStats also detect istrars and relevant authorities.
domains relatively quickly, with median delays of 3.7 and 2.3 days, • Registrar Accountability: Encouraging or mandating reg-
respectively, despite higher average delays of 255.6 and 141.9 days. istrars to adopt anti-abuse policies, e.g., proactive detection
Phishing.Database shows mixed results, with an average detec- measures and swift suspension of flagged domains.
tion delay of 388.5 days but a stronger median delay of 64.4 days. • Global Collaboration: Promoting coordinated efforts between
These findings demonstrate that APWG consistently detects phish- registries, registrars, security organizations, and governments
ing domains earlier than all other blocklists in our dataset. However, to standardize policies and share intelligence on malicious
the variability in detection delays across blocklists highlights the registration practices.
need for improved synchronization and data sharing to reduce de- • Policy Enforcement for Low-Cost TLDs: Strengthening
tection gaps and enhance phishing defense coverage. APWG’s early oversight for TLDs with low registration costs, which are often
detection could be further leveraged to accelerate response times exploited by attackers.
across the ecosystem. However, due to the decentralized nature of domain registration sys-
tems and varying policies among registries and registrars, it is chal-
Takeaway: APWG consistently detects phishing domains ear- lenging to implement a generalized defense mechanism. Our anal-
lier than other blocklists, but significant variability in detec- ysis aims to reiterate these recommendations and emphasize the
tion delays across blocklists underscores the need for improved urgent need for domain registries and registrars to defend against
synchronization and data sharing to enhance timely phishing malicious domains proactively. By adopting these measures, stake-
defense and reduce attacker impact. holders can significantly reduce phishing attackers’ exploitation of
domain registration systems.
Ethics. Our methods emphasize ethical responsibility while up-
8 Discussion holding scientific rigor in analyzing real-world phishing domains.
Based on our analysis, we outline limitations and provide recom- The data collection process including crawling DNS data and reg-
mendations to guide future research efforts. istration data (e.g., RDAP), strictly adheres to established ethical
guidelines, utilizing phishing URLs sourced from blocklist feeds
Limitation. During our verification step, a small number of do-
explicitly made available for research purposes.
mains may fall outside our defined malicious domain classification
categories. While we conducted manual verification to ensure the
accuracy of our results, it is still possible that a few domains can 9 Related Work
exhibit characteristics that do not align with our predefined criteria. The number of reports showed the trend of phishing domains and
Recommendation. There have been various approaches to un- examined phishing websites. However, the characteristics of DNS
derstanding how phishing attackers exploit domain registration settings of phishing domains are not well studied.
 Kyungchan Lim et al.

Coverage of TLDs in Phishing Domains. Previous work [46] References

has a narrow focus on three specific ccTLDs, while our work broad- [1] FBI’s IC3 Report. https://www.proofpoint.com/us/blog/email- and- cloud-
ens the analysis to include all TLDs (gTLDs and ccTLDs), offering threats/fbis- ic3- report- losses- cybercrime- surpass- 125- billion- new- record,
March 2024. (Accessed on 11/20/2024).
a more comprehensive understanding of phishing trends across a [2] Aceville. Dnspod. https://www.dnspod.com/, 11 2024. (Accessed on 11/19/2024).
diverse range of domain spaces. While the prior study [46] focused [3] Antonia Affinito, Raffaele Sommese, Gautam Akiwate, Stefan Savage, kc claffy,
Geoffrey M Voelker, Alessio Botta, and Mattijs Jonker. Domain name lifetimes:
on identifying impersonated domains, our work delves into how Baseline and threats. In TMA, 2022.
long these phishing domains remain active post-registration, com- [4] Alibaba. Domain name bulk registration-basic edition. https://check.aliyun.com/
paring this lifespan to detection delays on blocklists (e.g., APWG). domain/bulk-search/basic.htm, 11 2024. (Accessed on 11/16/2024).
[5] Alibaba. New user discount! only $0.5 - alibaba cloud. https :
Furthermore, our work enhances the analysis by examining the / / www.alibabacloud.com / ko / domain / 1dollar?_p_lc = 1&spm =
characteristics of specific targeted brands in phishing domains. Our a3c0i.145322.1761468070.2.522a4635pLdxUS, 11 2024. (Accessed on 11/16/2024).
work also goes beyond registration trends by exploring the influ- [6] APWG. Apwg | the apwg ecrime exchange (ecx). https://apwg.org/ecx/, 11 2024.
(Accessed on 11/17/2024).
ence of economic factors, such as whether cheaper TLDs contribute [7] Archive. Wayback machine. https://web.archive.org/, 11 2024. (Accessed on
to the trend of phishing domains. 11/20/2024).
[8] Greg Belding. Phishing: Reputational damages | infosec. https : / /
Lifecycle and Classification of Phishing Domains. The www.infosecinstitute.com/resources/phishing/reputational- damages/, 2020.
previous study [44] introduced a classification method that distin- (Accessed on 11/20/2024).
[9] Leyla Bilge, Engin Kirda, Christopher Kruegel, and Marco Balduzzi. EXPOSURE:
guishes between compromised and maliciously registered domains Finding Malicious Domains Using Passive DNS Analysis. In Proc. of the Network
using 32 extracted features. However, their analysis is restricted and Distributed System Security (NDSS), 2011.
to identifying malicious domains, leaving a gap in understanding [10] CAIDA. home - dzdb. https://dzdb.caida.org/, 11 2024. (Accessed on 11/15/2024).
[11] Davide Canali, Davide Balzarotti, and Aurélien Francillon. The role of web
domain behaviors beyond real-world phishing datasets. Our work hosting providers in detecting compromised websites. In Proceedings of the 22nd
builds upon COMAR [44] by applying its method more broadly international conference on World Wide Web, pages 177–188, 2013.
to understand maliciously registered domains with real-world [12] Alibaba Cloud. Alibaba cloud. https://www.alibabacloud.com/, 11 2024. (Ac-
cessed on 11/19/2024).
phishing datasets. Similarly, while prior work [28] examined bulk [13] Cloudflare. Cloudflare free ssl/tls. https://www.cloudflare.com/application-
registrations, it was limited to five months of .com TLD data. Our services/products/ssl/, 11 2024. (Accessed on 11/20/2024).
[14] curbengh. curbengh/malware-filter: Mirror of https://gitlab.com/malware-
work builds upon these studies by analyzing multiple gTLDs and filter/malware-filter. https://github.com/curbengh/malware- filter, 11 2024.
ccTLDs, providing comprehensive insights into how maliciously (Accessed on 11/05/2024).
registered domains behave differently from compromised domains [15] David Dagon, Niels Provos, Christopher P Lee, and Wenke Lee. Corrupted DNS
Resolution Paths: The Rise of a Malicious Resolution Authority. In Proc. of the
across various TLDs and targeted brands. Annual Network and Distributed System Security Symposium (NDSS), 2008.
Registration Patterns and Longevity of Phishing Domains. [16] Ravindu De Silva, Mohamed Nabeel, Charith Elvitigala, Issa Khalil, Ting Yu, and
Chamath Keppitiyagama. Compromised or { Attacker-Owned } : A large scale
Previous research [51] reveals that 75% of victims access phishing classification and study of hosting domains of malicious { URLs } . In 30th USENIX
webpages before they are detected. Building on this, our work security symposium (USENIX security 21), pages 3721–3738, 2021.
examines the lifespan of phishing domains, compares the lifespans [17] DomainTools. Introducing dnsdb 2.0 | passive dns | domaintools. https:
//www.domaintools.com/products/farsight- dnsdb/, 11 2024. (Accessed on
across different targeted brands, and analyzes various types of 11/15/2024).
maliciously registered domains to uncover patterns and strategies [18] Dynabot. Buy a domain name - register, manage, and save more | dynadot.
https://www.dynadot.com/, 11 2024. (Accessed on 11/19/2024).
used by attackers. [19] elceef. elceef/dnstwist: Domain name permutation engine for detecting ho-
DNS Behavior and Phishing Detection Delays. Previous mograph phishing attacks, typo squatting, and brand impersonation. https:
//github.com/elceef/dnstwist, 09 2024. (Accessed on 11/16/2024).
work [26] found that 55% of malicious domains are first detected [20] Fox-IT. Using anomaly detection to find malicious domains – fox-it international
in spam campaigns over a day after registration. Building on this, blog. https://blog.fox- it.com/2019/06/11/using- anomaly- detection- to- find-
our study provides a more comprehensive analysis of phishing malicious-domains/, 06 2019. (Accessed on 11/16/2024).
[21] Tillson Galloway, Kleanthis Karakolios, Zane Ma, Roberto Perdisci, Angelos
domains’ lifecycles, spanning from registration to detection and Keromytis, and Manos Antonakakis. Practical Attacks Against DNS Reputation
deregistration. By examining the delay between domain registration Systems. In Proc. of the IEEE Symposium on Security and Privacy (SP). IEEE
and blocklist detection, we offer a clearer understanding of detec- Computer Society, 2024.
[22] Gname. Gname | buy domain names, websites, hosting, cloud products. https:
tion timelines for both maliciously registered and compromised //www.gname.com/, 11 2024. (Accessed on 11/19/2024).
domains, highlighting gaps in current detection mechanisms. [23] GoDaddy. Godaddy. https://www.godaddy.com, 11 2024. (Accessed on
11/19/2024).
[24] Google. Safe browsing – google safe browsing. https://safebrowsing.google.com/,
10 Conclusion 11 2024. (Accessed on 11/19/2024).
[25] Anders Gorboe. Detection of fake domain names in e-mails. Master’s thesis,
This study provides a comprehensive analysis of phishing domains, OsloMet-storbyuniversitetet, 2022.
focusing on maliciously registered domains, DNS behaviors, and [26] Shuang Hao, Nick Feamster, and Ramakant Pandrangi. Monitoring the initial
dns behavior of malicious domains. In Proceedings of the 2011 ACM SIGCOMM
detection timelines. We find that 66.1% of domains are maliciously conference on Internet measurement conference, pages 269–278, 2011.
registered, with attackers favoring low-cost TLDs like .top and [27] Shuang Hao, Alex Kantchelian, Brad Miller, Vern Paxson, and Nick Feamster.
.tk, and frequently using hosting services like AWS. Maliciously Predator: proactive recognition and elimination of domain abuse at time-of-
registration. In Proceedings of the 2016 ACM SIGSAC conference on computer and
registered domains are detected faster than compromised ones (me- communications security, pages 1568–1579, 2016.
dian 16.3 vs. 86 days), yet significant delays persist across blocklists. [28] Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich,
Chris Grier, and Scott Hollenbeck. Understanding the domain registration behav-
Some domains could take over a year to be listed. Our findings high- ior of spammers. In Proceedings of the 2013 conference on Internet measurement
light the need for improved blocklist synchronization and monitor- conference, pages 63–76, 2013.
ing of widely abused TLDs to mitigate phishing threats effectively. [29] ICANN. About zone file access - icann. https://www.icann.org/resources/pages/
zfa-2013-06-28-en, 06 2013. (Accessed on 11/15/2024).
Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

[30] ICANN. At-large - topic: New gtlds. https://atlarge.icann.org/topics/new-gtlds, [52] openphish. Openphish - phishing intelligence. https://openphish.com/, 11 2024.
11 2024. (Accessed on 11/17/2024). (Accessed on 11/05/2024).
[31] ICANN. Help | centralized zone data service. https://czds.icann.org/help, 11 [53] OZON. OZON Marketplace. https://www.ozon.ru/, 11 2024. (Accessed on
2024. (Accessed on 11/15/2024). 11/19/2024).
[32] Interisle. Phishing landscape 2024: An annual study of the scope and distribution [54] phishstats. Phishstats. https://phishstats.info/, 11 2024. (Accessed on 11/05/2024).
of phishing — interisle consulting group. https://interisle.net/insights/phishing- [55] phishtank. Phishtank | join the fight against phishing. https://phishtank.org/, 11
landscape-2024-an-annual-study-of-the-scope-and-distribution-of-phishing, 2024. (Accessed on 11/05/2024).
07 2024. (Accessed on 11/17/2024). [56] phishunt. phishunt - free phishings and scams feed. https://phishunt.io/, 11
[33] ionos. Dns ttl best practices: Understanding and configuring dns ttl - ionos. 2024. (Accessed on 11/05/2024).
https://www.ionos.com/digitalguide/server/configuration/understanding-and- [57] RDAP. Rdap.org. https://about.rdap.org/, 11 2024. (Accessed on 11/15/2024).
configuring-dns-ttl/, 11 2024. (Accessed on 11/19/2024). [58] Joe St Sauver. Automating detection of "random-looking" algorithmic domain
[34] IPinfo. Ip summarization & data visualization - ipinfo.io. https://ipinfo.io/tools/ names - domaintools | start here. know now. https://www.domaintools.com/
summarize-ips, 11 2024. (Accessed on 11/22/2024). resources / blog / automating - detection - of - random - looking - algorithmic -
[35] Keshav Kaushik, Sahajpreet Singh, Saksham Garg, Sarthak Singhal, and Shamb- domain-names/, 05 2019. (Accessed on 11/12/2024).
havi Pandey. Exploring the mechanisms of phishing. Computer Fraud & Security, [59] Sav. Sav. https://www.sav.com/, 11 2024. (Accessed on 11/19/2024).
2021(11):14–19, 2021. [60] SCOWL. Scowl custom list/dictionary creator. http://app.aspell.net/create, 11
[36] Doowon Kim, Haehyun Cho, Yonghwi Kwon, Adam Doupé, Sooel Son, Gail-Joon 2024. (Accessed on 11/20/2024).
Ahn, and Tudor Dumitras. Security analysis on practices of certificate authorities [61] Ruchi Sharma, Bhag Dei Thakur, Neelam Kaushik, and Purnima Chauhan. Se-
in the https phishing ecosystem. In Proc. of the ACM Asia Conference on Computer curing the web: A study on look-alike domain detection using open-source
and Communications Security, 2021. intelligence tools. Journal of Information Security and Cybercrimes Research,
[37] Maciej Korczynski, Maarten Wullink, Samaneh Tajalizadehkhoob, Giovane CM 7(1):05–28, 2024.
Moura, Arman Noroozian, Drew Bagley, and Cristian Hesselman. Cybercrime [62] Network Solutions. Domain name | network solutions. https : / /
after the sunrise: A statistical analysis of dns abuse in new gtlds. In Proceedings www.networksolutions.com, 11 2024. (Accessed on 11/19/2024).
of the 2018 on Asia Conference on Computer and Communications Security, pages [63] tldlist. Compare prices of all top-level domains | tld-list. https://tld-list.com/, 11
609–623, 2018. 2024. (Accessed on 11/15/2024).
[38] Kreb. Sued by meta, freenom halts domain registrations – krebs on security. [64] Tranco. A research-oriented top sites ranking hardened against manipulation -
https://krebsonsecurity.com/2023/03/sued-by-meta-freenom-halts-domain- tranco. https://tranco-list.eu/, 11 2024. (Accessed on 11/20/2024).
registrations/, 03 2023. (Accessed on 11/20/2024). [65] USPS. Welcome | usps. https://www.usps.com/, 11 2024. (Accessed on
[39] Kyungchan Lim, Jaehwan Park, and Doowon Kim. Phishing Vs. Legit: Compara- 11/19/2024).
tive Analysis of Client-Side Resources of Phishing and Target Brand Websites. [66] Vorsk. home - dns coffee. https://dns.coffee/, 11 2024. (Accessed on 11/15/2024).
In Proc. of the international World Wide Web conference (WWW), 2024.
[40] Yun Lin, Ruofan Liu, Dinil Mon Divakaran, Jun Yang Ng, Qing Zhou Chan,
Yiwen Lu, Yuxuan Si, Fan Zhang, and Jin Song Dong. Phishpedia: A hybrid deep
learning based approach to visually identify phishing webpages. In 30th USENIX
Security Symposium (USENIX Security 21), pages 3793–3810, 2021.
[41] Ruofan Liu, Yun Lin, Xiwen Teoh, Gongshen Liu, Zhiyong Huang, and Jin Song
Dong. Less defined knowledge and more true alarms: Reference-based phishing
detection without a pre-defined reference list. In 33rd USENIX Security Symposium
(USENIX Security 24), pages 523–540, 2024.
[42] Ruofan Liu, Yun Lin, Xianglin Yang, Siang Hwee Ng, Dinil Mon Divakaran,
and Jin Song Dong. Inferring phishing intention via webpage appearance and
dynamics: A deep vision based approach. In 31st USENIX Security Symposium
(USENIX Security 22), pages 1633–1650, 2022.
[43] Ruofan Liu, Yun Lin, Yifan Zhang, Penn Han Lee, and Jin Song Dong. Knowledge
expansion and counterfactual interaction for { Reference-Based } phishing detec-
tion. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4139–4156,
2023.
[44] Sourena Maroofi, Maciej Korczyński, Cristian Hesselman, Benoit Ampeau, and
Andrzej Duda. Comar: classification of compromised versus maliciously reg-
istered domains. In 2020 IEEE European Symposium on Security and Privacy
(EuroS&P), pages 607–623. IEEE, 2020.
[45] mitchellkrogza. mitchellkrogza/phishing.database: Phishing domains, urls web-
sites and threats database. we use the pyfunceble testing tool to validate the status
of all known phishing domains and provide stats to reveal how many unique
domains used for phishing are still active. https://github.com/mitchellkrogza/
Phishing.Database, 11 2024. (Accessed on 11/05/2024).
[46] Giovane CM Moura, Thomas Daniels, Maarten Bosteels, Sebastian Castro, Moritz
Müller, Thymen Wabeke, Thijs van den Hout, Maciej Korczyński, and Georgios
Smaragdakis. Characterizing and mitigating phishing attacks at cctld scale
(extended). 2024.
[47] Namesilo. Low-cost domain names & hosting from $0.99 | namesilo. https:
//www.namesilo.com/, 11 2024. (Accessed on 11/19/2024).
[48] Adam Oest, Yeganeh Safaei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and
Kevin Tyers. Phishfarm: A scalable framework for measuring the effectiveness
of evasion techniques against browser phishing blacklists. In Proc. of the IEEE
Symposium on Security and Privacy, 2019.
[49] Adam Oest, Yeganeh Safaei, Penghui Zhang, Brad Wardman, Kevin Tyers, Yan
Shoshitaishvili, and Adam Doupé. { PhishTime } : Continuous longitudinal mea-
surement of the effectiveness of anti-phishing blacklists. In Proc. of the USENIX
Security Symposium, 2020.
[50] Adam Oest, Yeganeh Safei, Adam Doupé, Gail-Joon Ahn, Brad Wardman, and
Gary Warner. Inside a phisher’s mind: Understanding the anti-phishing ecosys-
tem through phishing kit analysis. In Proc. of the APWG Symposium on Electronic
Crime Research, 2018.
[51] Adam Oest, Penghui Zhang, Brad Wardman, Eric Nunes, Jakub Burgis, Ali Zand,
Kurt Thomas, Adam Doupé, and Gail-Joon Ahn. Sunrise to sunset: Analyzing
the end-to-end life cycle and effectiveness of phishing attacks at scale. In 29th
{ USENIX } Security Symposium ( { USENIX } Security 20), 2020.
 Kyungchan Lim et al.

A Example of Bulk Registration.

As shown in Figure 8, AlibabaCloud provides extensive features

that facilitate bulk domain registration while offering promotional
pricing for new users. The platform advertises and combines several
capabilities that make bulk registration highly accessible: deeply
discounted pricing for new users (domains for as low as $0.5), ex-
plicit bulk management tools allowing simultaneous registration
of multiple domains, and automation tools for managing multiple
domains. While these features serve legitimate business purposes,
they can be exploited by attackers to register multiple phishing
domains efficiently at minimal cost. The combination of bulk regis-
tration capabilities, automation tools, and aggressive pricing pro-
motions makes the platform particularly attractive for malicious
actors orchestrating large-scale phishing campaigns.

Figure 8: Alibaba Cloud offers promotion and allows bulk

registration.