Research from Palo Alto Networks shows that almost a quarter of aged domains are dangerous. According to the research, 3.8 percent of the aged domains are outright malicious, 19 percent fall on the "suspicious" side, and 2 percent are not safe for work. Palo Alto Networks gathered this data by checking tens of thousands of domains every day since September.
Stays in a dormant state until an attack
There are some interesting notes in the research. According to Palo Alto Networks, threat actors are strategically aging domains in a dormant state. They do this because security measures are stricter for newly registered domains: as a domain ages without any suspicious activity, scrutiny relaxes because the domain appears to be trusted.
When the threat actors decide to launch an attack, they use those old domains mostly for fake or cloned versions of legitimate websites. The domains are also filled with questionable or incomplete content. Lastly, their WHOIS details are missing.
Purposefully aged domains are also being used for domain generation algorithms. With this method, threat actors generate unique domain names and IP addresses to create new C2 communication points, which lets them evade blocklists and detection.
The last purpose of aged domains that Palo Alto Networks found is SEO cheating. The domains are filled with websites generated from random templates and containing random strings. Those websites link to each other to trick search engine bots into treating them as if they provided valuable information. All of the subdomains then point to one single IP address, a form of wildcard DNS abuse.
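The three indicators the article lists (a long dormant period after registration, missing WHOIS details, and many subdomains resolving to one IP address) can be turned into a simple defender-side triage score. The following script is an added example and is not Palo Alto Networks' code or method; the domain names, dates, WHOIS fields and IP addresses are constructed sample data, and the point weights and thresholds are assumptions chosen for illustration.

```python
"""Heuristic triage for strategically aged domains (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# WHOIS fields we expect a legitimately operated domain to expose (assumption).
REQUIRED_WHOIS = ("registrant", "email")


@dataclass
class DomainRecord:
    name: str
    registered: date               # WHOIS creation date
    first_seen_active: date        # first day passive DNS / proxy logs saw lookups
    whois: Dict[str, str]          # registrant fields returned by WHOIS
    subdomain_ips: Dict[str, str]  # subdomain -> resolved A record


def dormant_days(rec: DomainRecord) -> int:
    """Days the domain sat idle between registration and its first observed activity."""
    return (rec.first_seen_active - rec.registered).days


def whois_missing(rec: DomainRecord) -> List[str]:
    """Required WHOIS fields that are absent or empty."""
    return [f for f in REQUIRED_WHOIS if not rec.whois.get(f)]


def looks_like_wildcard(rec: DomainRecord, min_subdomains: int = 5) -> bool:
    """True when many subdomains all resolve to a single IP (wildcard DNS pattern)."""
    ips = set(rec.subdomain_ips.values())
    return len(rec.subdomain_ips) >= min_subdomains and len(ips) == 1


def score(rec: DomainRecord, today: date) -> Tuple[int, List[str]]:
    """Return (points, reasons). Weights are illustrative assumptions."""
    points, reasons = 0, []
    age = (today - rec.registered).days
    idle = dormant_days(rec)
    # Aged domain that showed no activity for a year or more before waking up.
    if age >= 365 and idle >= 365:
        points += 2
        reasons.append(f"aged {age} days, dormant {idle} days before first activity")
    missing = whois_missing(rec)
    if missing:
        points += 1
        reasons.append("WHOIS missing: " + ", ".join(missing))
    if looks_like_wildcard(rec):
        points += 2
        reasons.append(f"{len(rec.subdomain_ips)} subdomains resolve to one IP")
    return points, reasons


def triage(records: List[DomainRecord], today: date, threshold: int = 3) -> List[str]:
    """Names of records whose score reaches the review threshold."""
    return [r.name for r in records if score(r, today)[0] >= threshold]


# Constructed sample records (reserved .test TLD and documentation IP ranges).
TODAY = date(2022, 1, 1)
SAMPLES = [
    DomainRecord(
        "aged-lookalike.test", date(2017, 3, 2), date(2021, 12, 20), {},
        {f"s{i}.aged-lookalike.test": "203.0.113.7" for i in range(8)},
    ),
    DomainRecord(
        "legit-shop.test", date(2015, 6, 1), date(2015, 6, 3),
        {"registrant": "Legit Shop Ltd", "email": "admin@legit-shop.test"},
        {"www.legit-shop.test": "198.51.100.10", "mail.legit-shop.test": "198.51.100.11"},
    ),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        pts, why = score(rec, TODAY)
        print(f"{rec.name}: {pts} point(s); " + ("; ".join(why) or "no indicators"))
    print("review:", triage(SAMPLES, TODAY))
```

In practice the records would be populated from a passive DNS feed and WHOIS lookups; the score is a prioritisation aid for analysts, not a verdict, since legitimate parked or reactivated domains can trip the dormancy check on their own.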