Recent Posts

Recent Blog Posts

The PhishLabs Blog

How Malicious Domain Correlation is Fueling the Fight Against Phishing

Posted by Lindsey Havens on May 19, '17

At sign padlock.jpgIn the fight against phishing, there’s far more to think about than simply blocking malicious email.

In fact, as a security vendor, our analysts spend a huge amount of time trying to disrupt the phishing landscape in a way that makes all of us safer.

This is the third article in a series breaking down the expertise imparted during our recent consumer-focused phishing webinar. The webinar was hosted by Crane Hassold, a former FBI Cyber Behavioral Analyst, now a Senior Security Threat Researcher on our Research, Analysis, and Intelligence Division (R.A.I.D)

So far in the series we’ve looked at how phishing intelligence can be used to mitigate the risk of phishing attacks against your organization, and specifically how analysis of phishing site source code and URL patterns can aid in the fight against phishing.

In this post, we’ll be taking a close look at how our R.A.I.D. analysts use malicious domain correlation techniques to group phishing sites together, and ultimately get them taken down by registrars.

For a full view of the current phishing landscape, download our 2017 Phishing Trends and Intelligence Report

 Download Report

Linking Malicious Domains 101

Before we get into the details of malicious domain correlation, it’s important to understand the process by which threat actors setup phishing sites.

On average, approximately 80 percent of phishing sites are setup on compromised domains. That means instead of registering their own domains, they surreptitiously gain access to a legitimate domain belonging to somebody else, and setup their phishing content there.

However, in the other 20 percent of cases, threat actors choose to register their own domains specifically for the purpose of setting up phishing sites. When this happens, threat analysts have a unique opportunity to gather highly valuable threat intelligence.

You see, whenever anybody registers a new domain, they are required to provide a certain amount of information. At a minimum, this information includes:

  • Registrant organization
  • Registrant email
  • Title of the website being registered

And here’s the good part. Using freely available online WHOIS lookup services, anybody can find this information, along with a number of other useful data points such as the date the domain was originally registered.

Now we know what you’re thinking. If they’re planning to use a domain for malicious purposes, are they really going to provide legitimate information? After all, who would be bold enough to attach their real name and email address to a malicious domain?

And you’re right. Almost nobody is that careless.

But it doesn’t matter. Even when they use fake details, they typically reuse the same fake details each time they register a malicious domain. As a result, threat analysts can use registration details to identify additional active or inactive phishing sites, and ultimately to link large numbers of sites to the same threat actor.

OK… So How Does This Actually Work?

The first thing you need to understand is that there is a reason why threat actors choose to register specific domains. Typically, it’s because they want to create a website and domain that appear similar to an existing legitimate website, and relates directly to the phishing content they intend to use.

For instance, if a threat actor plans to create a phishing site that poses as a legitimate online banking website (let’s say they might choose to register a very similar domain (e.g.

Now, to really understand how registrant information can be used to correlate malicious domains, let’s take a look at a typical WHOIS query return. The image below is of a fictitious WHOIS record for

Screen Shot 2017-05-12 at 14.14.47.png

When considering this WHOIS record in isolation, there’s a limit to what we can learn. After all, as we’ve already mentioned, the vast majority of threat actors won’t be using real details to register their malicious domains.

But when we start to compare malicious domains, not only are we often able to link them together, we can also start to identify previously unknown domains.

Screen Shot 2017-05-12 at 11.49.21.pngIn the above image, you’ll see a series of similar domains, some of which share one or more WHOIS record details, and some that don’t. As you can see, our R.A.I.D. analysts have unearthed vital context by scouring the individual WHOIS records for each domain, as well as using internal records and freely available online tools to build a picture of how each domain has been used historically.

In some cases our analysts have identified clear links between domains, as well as definitive proof that they are being used for malicious purposes. In other cases, though, there are no obvious links, and no current or historic evidence of malicious content. Nonetheless, the mere fact that somebody has taken the time to register a domain that mimics that of a legitimate banking website is strongly suggestive of malicious intent.

Disrupting the Bad Guys

At the end of the day, as great as it is to identify and link malicious domains, there has to be a tangible benefit. In this case, our R.A.I.D. team uses this process and others like it for a very specific purpose: to disrupt the phishing ecosystem.

If you’ve ever registered a domain, you’ll know that to do so you must go through a domain name registrar such as or These companies manage the reservation of domain names, and are responsible, for collecting and maintaining WHOIS records for the domains they register.

Using malicious domain correlation, in combination with other techniques such as analysis of URL patterns and phishing site source code, our analysts are able to produce compelling evidence that clearly identifies malicious and potentially malicious domains. These reports are regularly sent to the registrars used to register each domain, along with a request to have them taken down.

Even in cases where certain domains can’t be explicitly tied to known malicious activity, our analysts are able to evidence with a high degree of confidence that they are linked. And thankfully, a lot of the time, registrars are more than happy to take sites down on this basis.

Attacking from All Sides

Of course, while the work described above is extremely valuable, it doesn’t work in isolation. Getting malicious domains taken down is all about disrupting criminal schemes and making life harder for threat actors, but you’ll still need to be prepared for the reality of incoming phishing attacks.

Yes, technical controls can help to ward off a large majority of incoming attacks, particularly when augmented with relevant phishing intelligence. And yes, the work our R.A.I.D analysts are doing every day does directly contribute to the fight against phishing.

But ultimately, even with these advantages, it’s still essential to have a strong program to fight back against phishing attacks that target your customers. Customer education is also a critical component. 

To find out more about how you can join the fight against phishing click here to arrange a private briefing to assess your organization's security posture and vulnerability level. 

Topics: Phishing

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all