September 29, 2022

Every month, about 13 million malicious domains were detected according to Akamai. The company claimed it flagged nearly 79 million newly observed domains (NODs) as malicious in the first half of 2022.

Akamai classifies a NOD as a domain that has been queried for the first time in the last 60 days. A domain is classified as malicious when it resolves to a destination that is intended to phish, spread, control malware or cause some other online harm.

Akamai uses various methods to analyze which domains are malicious. Approaches include looking at a list of known domain generation algorithms (DGAs) that help the company create a predictive list that can be used to identify DGA-registered domains. Cybercriminals use DGA domains to exchange malware, host phishing sites and other malicious activities, as they are suitable for short-lived campaigns.

The company also uses “more than 190 NOD-specific detection rules” to address NOD-based detection. Akamai’s NOD-specific rules allow the company to detect most of the malicious domains, and it had a false-positive rate of 0.00042 percent among the 79 million malicious NODs detected in the first half of the year.

There is a contradiction between the malicious NODs marked by Akamai and the domain names on the queried aggregator. The company claimed that it had not found 91.4 percent of its detections in the aggregator.

Although the contradiction raises questions, Akamai said that the differences, coupled with the proclaimed low rate of false positives, show that a variety of detection methods are needed to build a complete picture of cybersecurity risks.

The sources for this piece include an article in TheRegister.