Publications
RegCheck: A Real-Time Approach for Flagging Potentially Malicious Domain Name Registrations
Thomas Daniels, Maarten Bosteels, Pieter Robberechts, Jesse Davis.
ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.2 (KDD '25).
Read on ACM Digital Library
Miscreants use domain names for malicious purposes such as phishing websites or fake webshops.
Reactive approaches such as blocklists play an important role in fighting such abuse but have limitations,
namely that the domains are typically only included in such a list after abuse has been reported (e.g., there may already be some victims).
We propose RegCheck, a system designed to proactively flag suspicious domains at registration time. The core of RegCheck is a machine learning
classifier that assesses the risk that the domain name will be used for malicious purposes based on characteristics known at the time of registration.
Based on this assessment, it flags some registrations and requires them to undergo additional verification prior to the domain name being activated.
The system has been developed collaboratively between SIDN (.nl) and DNS Belgium (.be) and has been deployed as a real-time system at the .be registry
since March 2024. Since its deployment, the registry has witnessed a decrease in the number of .be domain name registrations that have been revoked
for breaching the terms and conditions, indicating a decline in the number of active malicious registrations.
Characterizing and Mitigating Phishing Attacks at ccTLD Scale
Giovane C. M. Moura, Thomas Daniels, Maarten Bosteels, Sebastian Castro, Moritz Müller, Thymen Wabeke, Thijs van den Hout, Maciej Korczynski, and Georgios Smaragdakis.
ACM SIGSAC Conference on Computer and Communications Security (CCS '24).
Read on ACM Digital Library
Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals
and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal of effectively identifying and
mitigating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three
country-code top-level domain (ccTLD) registries that manage more than 8 million active domains -- namely the Netherlands' .nl, Ireland's .ie,
and Belgium's .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains.
Our results show two major attack strategies: national companies and organizations are far more often impersonated using maliciously registered domains
under their country's own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated
using any domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. Although most research works focus
on detecting new domain names, we show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We find banks, financial
institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLDs' registration and abuse
handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different
intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving
mitigation procedures.