Detecting and Preventing Malicious Domain Registrations in the .eu TLD

Explore an extensive analysis of malicious domain registrations in the .eu TLD over a 14-month period. Delve into the ecosystem and modus operandi of cybercriminal entities that repeatedly register large numbers of domains for short-lived, malicious purposes. Discover insights into 20 major campaigns accounting for over 80% of flagged domains, and learn about the partial automation of these processes. Examine the development and implementation of an automatic prediction system designed to classify domain names as malicious or benign at registration time, currently in production at EURid. Gain valuable knowledge about the domain registration ecosystem, campaign identification techniques, and the effectiveness of various prevention and detection methods in this informative conference talk from OWASP AppSec EU 2018.

Introduction
Malicious Domain Names
Research Hypothesis
Outline
Domain Registrations
Malicious Domains
Registration Data
Bootstrap IP Address
Campaign Identification
How did they operate
What did we explore
Is it obvious that the registration will be malicious
What can we do
Other organizations preventing
Manual vs automated analysis
Campaign criteria
The ecosystem of domain registrations
The insights we found
The window of opportunity
What is the reason why
Which blacklist did we use
Data summary
Campaigns with links
Relations between campaigns
Clustering
Automation
Demand and offer questions
facilitators
toxicity
good API
email
campaigns vs black lists
prevention detection
Spamhaus
Prevention and detection
Prediction models
Current operation
Domain seizures
Blacklist
Key takeaways
The facilitators
The second takeaway
Productive detection and prevention
How will the catandmouse game kill
Compliance
TLD Ecosystem
Europe
Thank you