It might surprise you to learn that a very large percentage of websites have the lifespan of a typical mayfly—24 hours or less. Blue Coat dubbed such sites “One Day Wonders”, and has released a research study on the risks of these fly-by-night sites.
There are a select few Web domains that account for the vast majority of Web traffic—household names like Google, Amazon, and Netflix. There are probably fewer than 100—possibly even fewer than 25—that an average user visits with any regularity. The reality, though, is that there are hundreds of millions of domains in existence, and that many exist for very brief periods of time.
Blue Coat researchers were curious about these short-lived sites, so they analyzed more than 660 million unique hostnames, requested by 75 million users around the world over a 90-day period. What they found is that more than 70 percent of the requested hostnames were “One Day Wonders” that appeared and disappeared from the Internet within a single day.
According to the Blue Coat study, of the top 50 parent domains that frequently use these “One Day Wonders” domains, 22 percent were deemed malicious. The 70 percent figure, meanwhile, means that roughly 470 million of the 660 million domains Blue Coat analyzed existed for barely more than the blink of an eye in online terms.
There are a variety of reasons why legitimate companies might employ short-lived, One Day Wonders domains. There are also some very good reasons why cyber criminals would do so.
One Day Wonders are employed by cyber criminals to manage botnets, or host malware. By creating new, unique domains in sufficiently high volume, cyber criminals can overwhelm security solutions designed to analyze and assess the relative security of websites. Once a website is identified as malicious, security tools begin to detect and avoid it, so the avalanche of One Day Wonders helps the attackers stay one step ahead of your defenses.
The research from Blue Coat is an important step in defending against these threats, though. Those 11 domains (22 percent of the top 50 domains that most frequently use One Day Wonders) account for a huge percentage of the total malicious One Day Wonders sites. The unique domains themselves might be new, and capable of evading detection, but the shady reputation of the parent domain is all we need to assume that any subdomains are a greater-than-average risk.
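The parent-domain approach described above, as an added example (not code from Blue Coat or its report): it finds hostnames seen on only one day in a constructed request log, groups them by parent domain, and marks those under a parent on a hypothetical reputation list as high risk. The log entries, domain names, `BAD_PARENTS` list and the last-two-labels parent rule are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample request log: (ISO date, hostname). Not real traffic.
SAMPLE_LOG = [
    ("2014-08-01", "www.example.com"),
    ("2014-08-02", "www.example.com"),
    ("2014-08-01", "a1b2.cdn.example.net"),
    ("2014-08-02", "x9k3.badparent.test"),
    ("2014-08-03", "q7z1.badparent.test"),
    ("2014-08-03", "p4m8.badparent.test"),
    ("2014-08-03", "mail.example.org"),
    ("2014-08-05", "mail.example.org"),
]
# Hypothetical reputation list of parent domains already judged malicious.
BAD_PARENTS = {"badparent.test"}

def parent_domain(hostname):
    """Naive parent: last two labels (assumption; real code needs the Public Suffix List)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def one_day_wonders(log):
    """Hostnames whose first and last sighting fall on the same day."""
    days_seen = defaultdict(set)
    for day, host in log:
        days_seen[host.lower()].add(date.fromisoformat(day))
    return {h for h, days in days_seen.items() if len(days) == 1}

def is_high_risk(hostname, bad_parents):
    """A hostname inherits its parent's reputation, even if never seen before."""
    return parent_domain(hostname) in bad_parents

def triage(log, bad_parents):
    """Group one-day hostnames by parent domain and flag bad parents."""
    report = {}
    for host in sorted(one_day_wonders(log)):
        parent = parent_domain(host)
        entry = report.setdefault(parent, {"hosts": [], "high_risk": parent in bad_parents})
        entry["hosts"].append(host)
    return report

if __name__ == "__main__":
    for parent, entry in triage(SAMPLE_LOG, BAD_PARENTS).items():
        print(parent, entry)
```

Hostnames first seen on the final day of the log window look like One Day Wonders until more data arrives, so a real pipeline would hold back the most recent day before classifying.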
The Blue Coat study illustrates why some of the traditional security tools offer little protection. Antimalware and firewall tools are generally reactive, and depend on a threat being identified before the security tool is able to detect and avoid it. Guarding against these flash-in-the-pan threats requires a different approach that relies on real-time threat intelligence rather than yesterday’s malicious code signatures.
To learn more, check out the complete report from Blue Coat.