These are the top-level domains threat actors like the most
Out of over a thousand top-level domain choices, cyber-criminals and threat actors prefer a small set of 25, which accounts for 90% of all malicious sites.
"First, we only study domains categorized by the Advanced URL Filtering service, and we only consider registered domains. Additionally, we validate whether domains existed in the past year by checking zone files and passive DNS, and by issuing active DNS queries. We do not consider domains that we categorize as parked, insufficient content or unknown for our calculations," explains the research by Palo Alto Networks Unit 42.
The most popular top-level domain is .com, which has an average ratio of malicious domains.
The researchers found phishing to be one of the most evenly distributed categories, with 99% of the domains spreading across 92 different TLDs. Grayware is being distributed through .org,.
Palo Alto compiled the following table in terms of the rate of malicious domains compared to the total registrations for a TLD. In the table below, the MAD score is the 'median of the absolute deviation,' which means that a higher score represents an unusually large number of malicious domain registrations for that TLD. Why does any of that matter?
In many cases, legitimate domains on these larger TLDs are compromised by threat actors, so they were not registered with malicious intent.
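An added example, not code from the article or from Unit 42, showing why a large TLD can lead on raw malicious-domain count while a MAD-based score flags only small TLDs with an unusual malicious ratio. The TLD names and counts are constructed, and the scoring formula `(ratio - median) / MAD` and the threshold of 3 are assumptions, since the article does not give the exact calculation.

```python
from statistics import median

# Constructed sample: TLD -> (registered domains, malicious domains).
# Placeholder names and numbers, not figures from the Unit 42 report.
SAMPLE = {
    "com-like": (1_000_000, 10_000),
    "tld-a": (50_000, 400),
    "tld-b": (20_000, 190),
    "tld-c": (8_000, 72),
    "tld-d": (5_000, 60),
    "tld-e": (3_000, 600),
    "tld-f": (1_200, 300),
}


def malicious_ratio(counts):
    """Malicious share of registrations per TLD; TLDs with no registrations are skipped."""
    return {tld: mal / total for tld, (total, mal) in counts.items() if total > 0}


def mad_scores(ratios):
    """Assumed scoring: distance from the median ratio, in units of the MAD."""
    med = median(ratios.values())
    mad = median(abs(r - med) for r in ratios.values())
    if mad == 0:
        # At least half of the TLDs share the median ratio: nothing to scale by.
        return {tld: 0.0 for tld in ratios}
    return {tld: (r - med) / mad for tld, r in ratios.items()}


def top_by_raw_count(counts):
    """TLD with the most malicious domains in absolute terms."""
    return max(counts, key=lambda tld: counts[tld][1])


def outlier_tlds(counts, threshold=3.0):
    """TLDs whose score exceeds the (assumed) threshold, highest score first."""
    scores = mad_scores(malicious_ratio(counts))
    flagged = [tld for tld, score in scores.items() if score > threshold]
    return sorted(flagged, key=lambda tld: scores[tld], reverse=True)


if __name__ == "__main__":
    scores = mad_scores(malicious_ratio(SAMPLE))
    for tld, (total, mal) in SAMPLE.items():
        print(f"{tld:10s} malicious={mal:6d} ratio={mal / total:.4f} score={scores[tld]:8.1f}")
    print("most malicious by count:", top_by_raw_count(SAMPLE))
    print("outliers by MAD score:  ", outlier_tlds(SAMPLE))
```

For blocking or alerting decisions, the score is a better signal than the raw count: the large TLD in the sample holds the most malicious domains yet sits exactly at the median ratio.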