This post is authored by Tazz.



At the end of February, one of the researchers on the team received a solicitation email from a domain reseller, which she reviewed the first week of March.  The email was from Namecheap offering deeply discounted domains for .88 cents. The timing of the email couldn’t have been more ironic as it overlapped with some current research into determining if there is a relationship between domain pricing and an aggregation of domains related to malware/phishing/spamming. This article will discuss the relationship between deeply discounting domains and nefarious activities.  For the purpose of discussion in this article, the word malicious will include malware, phishing, and spam activities.


Talos has previously investigated the magnetic relationship between bad guys and cheap/free services.  When it comes to the Internet, undoubtedly you get what you pay for, and when it’s cheap/free it’s bound to be infested with bad guys.  We saw this philosophy ring true with dynamic DNS, and saw bad guys leveraging cheap services when actors migrated to dynamic DNS which you can read more on https://blogs.cisco.com/security/dynamic-detection-of-malicious-ddns.

Any businessman, good or bad, seeks to make money, fast.  To do this, one must maximize return on investment and/or find a market with a low cost of entry.  If it costs $5,000 to get started, that might not be feasible for many, especially a criminal, but if it only costs $50 or even $5, well there’s obviously a greater chance that many people will seek out that market.  These rules are no different when it comes to bad guys doing bad things on the Internet.  So, given this email offering deeply discounted TLDs, the team formed a hypothesis and we began digging.

Hypothesis:  When domain prices are <= $1 there will be an increase in registrations and a corresponding increase in malicious activities associated with the TLDs.



Talos Group

Talos Security Intelligence & Research Group