Domains and domain names are fundamental to the operation of the Internet. They provide a hierarchy of unique identifiers that guide traffic across the Web and identify websites, servers and other resources. However, in the form of malicious domains, they are a basic tool in the hands of cybercriminals.

As with other aspects of computer security, there are no silver bullets for protecting against malicious domains. However, understanding domain names can help firms and individual employees guard themselves against attacks.

Domain names form a hierarchy of domains and subdomains. For example, is a subdomain of In turn, this is one of the many subdomains of the familiar top-level domain (TLD) com. It is typical to type a period in front of TLD names, as in .com, though the period is technically a separator, not part of the TLD itself.

Looking at the TLD Landscape

A recent IBM security intelligence and research report, “The .Bizness Behind Malicious Domain Names,” looks at malicious domains and their distribution across the overall domain name structure, particularly the various TLDs, such as .com, .net and .org. The report builds on research from IBM security partner CrowdStrike, which keeps track of ongoing malicious activity online.

CrowdStrike’s survey found that the largest single group of malicious domains, about one-third of the total, fall under the TLD .biz. This TLD was created specifically for business use in 2000 to alleviate overcrowding within the original .com TLD (which dates back to the 1980s).

It should be emphasized that most .biz websites are perfectly legitimate businesses. However, the difficulty of policing an entire global TLD has let cybercriminals register domain names that often mimic well-known, legitimate domains, such as the websites of major firms. Most other malicious domains fall under the long-established .org, .com and .net TLDs. Some have country-specific TLDs, often to either target victims in those countries or disguise their own origins.

Protecting Against Malicious Domains

The best protection against malicious domains is user awareness. For example, a domain name such as should trigger immediate suspicion. It is deceptively trying to masquerade as a subdomain of the .com TLD when, in fact, it is a subdomain of .biz.

Overly clever spellings, such as, should also raise a red flag. Unfortunately, all too many users have “domain blindness” and pay little or no attention to where they are actually going online. Moreover, mobile devices such as smartphones may hide address bars in order to conserve limited screen space.

Firms and other organizations can use a brute-force method to protect against some malicious domains by blocking entire TLDs. If, for example, a company has no business partners with a .biz subdomain, it can bar all connections to .biz. Individual exceptions can then be white-listed.

However, this is not practical for TLDs such as .com or .org. Along with encouraging user awareness, the best protection is provided by a security partner that can provide up-to-date listings of malicious domains to avoid.

more from Intelligence & Analytics

CISA Certification: What You Need to Know

The globally-recognized Certified Information Systems Auditor (CISA) certification shows knowledge of IT and auditing, security, governance, control and assurance to assess potential threats. As you can imagine, it’s very much in demand. It can also be confusing.  Is CISA Certification Related to the Cybersecurity and Infrastructure Security Agency? CISA, the certification, is related to CISA, the federal agency, right?  Wrong.…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…