Introducing iQ Risk Alert Reports: Highlighting potentially malicious domain name patterns

As part of our ongoing commitment to keeping our audience, community and partners informed and protected, we are excited to announce the launch of our  risk alert reports.

We believe that by pooling our collective resources and expertise, we can create a safer and more secure online environment for everyone. To achieve this, we will be releasing regular updates that highlight suspicious domain patterns identified by iQ Risk Score, so that you can stay informed and take action to protect yourself and your customers.

iQ Risk Alert is a feed that we have been working on for some time. It is an AI-powered risk assessment feed that uses Large Language Models to provide a confidence score on whether domain names are likely to be malicious, both during and after registration.

It has been in closed beta for the past few months and the results are very encouraging to say the least.

What kind of results?
Well, rather than go into a lot of buzzwordy, techno-babble, here are some actual examples. Which ones would you have marked as benign or potentially malicious?

Understanding of linked or adjacent categories. In this case it identified multiple domains using the "medical" keywords but then expanded the results to include adjacent keywords (nursing, dental) but also other services (plumbing, cleaning, etc.)

  • medical-insurance03
  • mechanic-jobs-398505
  • warehouse-cleaning-1
  • nursing-home-771269
  • plumberservice-1-110
  • dental-implants-jp-ja-9833
  • dental-implants-258268
  • cleaning-jobs-44086

Understanding context

  • mothersagainstfentanyl - Benign - The domain suggests advocacy against the drug fentanyl, aligning with legitimate social campaigns and having clear readability.
  • getcheapfentanyl - Malicious

Understanding the use of brands for malicious purposes

  • mounjaro-lilly - Malicious  - The domain name appears to impersonate the pharmaceutical company 'Eli Lilly and Company' by including 'lilly' and presenting a pharmaceutical product 'Mounjaro'.

Understanding that "weird" domains are not always malicious

  • pnjakpusapp - Benign - Although the readability is low, and the combination of letters seems arbitrary, it might represent an acronym or a specific, niche application. Lacks explicit evidence of malicious intent, but low readability can be a minor concern.
    • "pn" is an abbreviation for "Pengadilan Negeri" which means "District Court".
    • "jakpus" an abbreviation for "Jakarta Pusat" which means "Central Jakarta".
    • "app" is likely referring to an application or mobile app.
    • This level of interpretation would be beyond the reach of most humans not versed in Indonesian.

And these are just small snippets of the results we have seen across 10s of thousands of registrations.

One other incredible result is that iQ Risk Score is detecting these potentially malicious domains way in advance of other traditional feeds. iQ Risk Score's Time to Identification can be as much as 6 days faster than feeds we compared it against.

We feel that the results are too important not to share, so starting immediately, we will be publishing regular snippets that highlight common patterns and characteristics of malicious domain names that have been identified in our analysis.

These alerts will be designed to provide you with valuable insights and information that can help you protect yourself and your business from potential threats.

What will be in the alert reports ?

  • Pattern Details: A detailed breakdown of the identified malicious domain name pattern, including the specific characters and combinations that were found to be suspicious.
  • Domains: A snippet of the list of the actual domains that matched this pattern.
  • Reason why iQ Risk Score feels they may (or may not) be malicious
  • Multi-TLD: We will highlight if it is present across multiple TLDs
  • TLD Count: If present across across multiple TLDs, how many

What won't be in the alert reports ?

  • TLD name
  • Registrar Name

Benefits of the Risk Alert Messages:

  • Early detection of potentially malicious domain names
  • Increased awareness of the latest patterns and trends in malicious domain names
  • Ability to take proactive measures to protect yourself and your business
  • Reduced risk of a successful attack
  • Time and resource savings

Stay tuned for our first risk alert, coming soon!

If you'd like to be informed as soon as they are published, please join our newsletter and we'll let you know.