Domains and domain names are fundamental to the operation of the Internet. They provide a hierarchy of unique identifiers that guide traffic across the Web and identify websites, servers and other resources. However, in the form of malicious domains, they are a basic tool in the hands of cybercriminals.

As with other aspects of computer security, there are no silver bullets for protecting against malicious domains. However, understanding domain names can help firms and individual employees guard themselves against attacks.

Domain names form a hierarchy of domains and subdomains. For example, is a subdomain of In turn, this is one of the many subdomains of the familiar top-level domain (TLD) com. It is typical to type a period in front of TLD names, as in .com, though the period is technically a separator, not part of the TLD itself.

Looking at the TLD Landscape

A recent IBM security intelligence and research report, “The .Bizness Behind Malicious Domain Names,” looks at malicious domains and their distribution across the overall domain name structure, particularly the various TLDs, such as .com, .net and .org. The report builds on research from IBM security partner CrowdStrike, which keeps track of ongoing malicious activity online.

CrowdStrike’s survey found that the largest single group of malicious domains, about one-third of the total, fall under the TLD .biz. This TLD was created specifically for business use in 2000 to alleviate overcrowding within the original .com TLD (which dates back to the 1980s).

It should be emphasized that most .biz websites are perfectly legitimate businesses. However, the difficulty of policing an entire global TLD has let cybercriminals register domain names that often mimic well-known, legitimate domains, such as the websites of major firms. Most other malicious domains fall under the long-established .org, .com and .net TLDs. Some have country-specific TLDs, often to either target victims in those countries or disguise their own origins.

Protecting Against Malicious Domains

The best protection against malicious domains is user awareness. For example, a domain name such as should trigger immediate suspicion. It is deceptively trying to masquerade as a subdomain of the .com TLD when, in fact, it is a subdomain of .biz.

Overly clever spellings, such as, should also raise a red flag. Unfortunately, all too many users have “domain blindness” and pay little or no attention to where they are actually going online. Moreover, mobile devices such as smartphones may hide address bars in order to conserve limited screen space.

Firms and other organizations can use a brute-force method to protect against some malicious domains by blocking entire TLDs. If, for example, a company has no business partners with a .biz subdomain, it can bar all connections to .biz. Individual exceptions can then be white-listed.

However, this is not practical for TLDs such as .com or .org. Along with encouraging user awareness, the best protection is provided by a security partner that can provide up-to-date listings of malicious domains to avoid.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…