This article was published on June 16, 2015

Pills, porn and LeBron James: Research finds a new way to spot malicious domains

Most of the words favored by malicious domain name owners won’t surprise you – sites found to be involved in dodgy dealing have a liking for terms related to sex, money and medication – but there are some surprises.

Breaking Bad: Detecting malicious domains using word segmentation [PDF], a new paper from AT&T’s Security Research Center, looks at how effective studying the words in primary domain names can be in detecting illicit and illegal activity.

The larcenous lexicon they developed while working on the project shows terms such as “medic, pills, loan, fee, cash, payday, pharmacy, webcams, cams, lover, sex and porno” remain popular, along with references to luxury brands.

The big surprise is that basketball players including LeBron James, Kobe Bryant and Michael Jordan are particularly popular names to drop among dodgy domain owners.

The researchers used 15,000 ‘benign’ URLs sourced from AOL’s Open Directory Project as their control group and compared them against a corpus of malicious domains.

The academics believe “the names [will] change over time as new basketball players become popular,” but it seems MJ’s popularity among the Web’s criminal classes remains strong.

They say the inclusion of numbers in a domain name is also a strong signal that a site is ‘unsafe’, though specific combinations such as 411, 365 and 123 are more likely to appear in safe domains.

The researchers suggest their word-segmentation methods could be used to power “near real time detection” of malicious domains on mobile devices, combined with Web content-based analysis and machine learning.
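As an added illustration, not code from the paper or from this article, here is a toy version of the approach the article describes: segment a domain's primary label into dictionary words and digit runs, then score it against the terms the article lists, treating digit runs other than 411, 365 and 123 as a signal. The dictionary, the filler words and the scoring rule are constructed assumptions for the demo; the paper's actual lexicon and classifier are not on the page.

```python
import re

# Constructed toy lexicon: the terms and names the article quotes from the paper,
# plus a few neutral filler words so segmentation has something to match. This is
# an assumption for the demo, not the paper's actual word lists.
SUSPICIOUS = {"medic", "pills", "loan", "fee", "cash", "payday", "pharmacy",
              "webcams", "cams", "lover", "sex", "porno",
              "lebron", "kobe", "bryant", "jordan"}
NEUTRAL = {"and", "the", "best", "news", "shop", "online", "my", "site",
           "james", "michael", "example"}
DICTIONARY = SUSPICIOUS | NEUTRAL
SAFE_NUMBERS = {"411", "365", "123"}   # digit runs the article says lean benign

def segment(label):
    """Split a lowercase label into dictionary words and digit runs.

    Dynamic programming over prefixes: minimise unmatched characters first,
    then the number of tokens. Characters no word covers become 1-char tokens."""
    n = len(label)
    best = [(0, [])] + [None] * n        # best[i] = (cost, tokens) for label[:i]
    for i in range(1, n + 1):
        cost, toks = best[i - 1]
        cands = [(cost + 1, toks + [label[i - 1]])]   # fallback: unknown char
        for j in range(i):
            piece = label[j:i]
            if piece in DICTIONARY or piece.isdigit():
                cands.append((best[j][0], best[j][1] + [piece]))
        best[i] = min(cands, key=lambda c: (c[0], len(c[1])))
    return best[n][1]

def score(domain):
    """Return (tokens, risk) for a domain's primary label.

    risk counts lexicon hits plus digit runs outside SAFE_NUMBERS, a crude stand-in
    for the paper's classifier. Takes the label left of the last dot; a real
    implementation would use the public suffix list (example.co.uk -> 'co' here)."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    label = re.sub(r"[^a-z0-9]", "", label)          # drop hyphens and stray chars
    tokens = segment(label)
    hits = [t for t in tokens if t in SUSPICIOUS]
    nums = [t for t in tokens if t.isdigit() and t not in SAFE_NUMBERS]
    return tokens, len(hits) + len(nums)

if __name__ == "__main__":
    for d in ("LeBron5678pillsandporno.net", "shop365online.com", "news123.org"):
        print(d, score(d))
```

The article's own joke domain segments into lebron / 5678 / pills / and / porno and scores 4, while shop365online.com and news123.org score 0 because their digit runs are in the benign set.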

Their ideas for combating ‘bad’ domains such as active blocking or inserting a ‘speed bump’ to warn users are good, unless you’re a legitimate site owner hit with a false alarm. But then, perhaps you shouldn’t be running a site called LeBron5678pillsandporno.net in the first place.

Breaking Bad: Detecting malicious domains using word segmentation [arXiv via The Stack]

Image credit: meunierd / Shutterstock.com