Saved in:
Bibliographic Details
Main Authors: Lim, Kyungchan, Sommese, Raffaele, Jonker, Mattis, Mok, Ricky, claffy, kc, Kim, Doowon
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.09549
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866913797883559936
author Lim, Kyungchan
Sommese, Raffaele
Jonker, Mattis
Mok, Ricky
claffy, kc
Kim, Doowon
author_facet Lim, Kyungchan
Sommese, Raffaele
Jonker, Mattis
Mok, Ricky
claffy, kc
Kim, Doowon
contents Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39 month period, to examine their characteristics and behavioral patterns throughout their lifecycle-from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their domain names under alternative TLDs (e.g., .top and .tk) instead of the TLDs under which the brand domains are registered (e.g., .com and .ru). We also observe minimal improvements in detection speed for maliciously registered domains compared to compromised domains. Detection times vary widely across blocklists, and phishing domains remain accessible for an average of 11.5 days after detection, prolonging their potential impact. Our systematic investigation uncovers key patterns from registration through detection to deregistration, which could be leveraged to enhance anti-phishing active defenses at the DNS level.
format Preprint
id arxiv_https___arxiv_org_abs_2502_09549
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks
Lim, Kyungchan
Sommese, Raffaele
Jonker, Mattis
Mok, Ricky
claffy, kc
Kim, Doowon
Cryptography and Security
Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39 month period, to examine their characteristics and behavioral patterns throughout their lifecycle-from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their domain names under alternative TLDs (e.g., .top and .tk) instead of the TLDs under which the brand domains are registered (e.g., .com and .ru). We also observe minimal improvements in detection speed for maliciously registered domains compared to compromised domains. Detection times vary widely across blocklists, and phishing domains remain accessible for an average of 11.5 days after detection, prolonging their potential impact. Our systematic investigation uncovers key patterns from registration through detection to deregistration, which could be leveraged to enhance anti-phishing active defenses at the DNS level.
title Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks
topic Cryptography and Security
url https://arxiv.org/abs/2502.09549