Security Experts:

Connect with us

Hi, what are you looking for?



Short-Lived Websites Provide Cover for Malicious Activity: Blue Coat

After analyzing hundreds of millions of hostnames, researchers have determined that many of them are live only for a 24-hour period, timeframe in which they can be used for malicious activities.

After analyzing hundreds of millions of hostnames, researchers have determined that many of them are live only for a 24-hour period, timeframe in which they can be used for malicious activities.

Over a 90-day period, Blue Coat monitored 660 million unique hostnames requested by 75 million users from all over the world. Of these hostnames, 71% (470 million) only appeared for a single day, which is why they’ve been dubbed by the company as “one-day wonders.”

Most of these “one-day wonders” are legitimate and they’re associated with content delivery networks (CDNs), which use them to provide enhanced user experience, and blogging platforms (Tumblr, Blogspot, WordPress). The list of companies that create such websites includes Google, Yahoo and Amazon. Roughly 36% of them are assigned United States IP addresses, while 8% of them have Chinese IPs, Blue Coat said.

While most of these short-lived websites are used for legitimate activities, researchers found that 22% of the top 50 parent domains that most frequently used “one-day wonders” were malicious. For example, one .info domain used as a command and control (C&C) server for a Trojan dialer had more than 1.3 million subdomains during the 90-day period in which it was observed by Blue Coat.

“Blue Coat security researchers have long observed that malnet operators love to generate large numbers of subdomains on a smaller set of evil domains. These transient sites are a critical component of mass attack support infrastructures. They both ensure additional bots can easily be added to an existing army and give cyber criminals the ability to manage their botnets for a longer period of time, increasing the return on investment for any given attack,” the company noted in its report.

According to experts, short-lived websites can be used to develop dynamic command and control (C&C) architectures that are easy to implement, but difficult to track. In the case of spam campaigns, “one-day wonders” can be used to create unique subdomains for each email to bypass spam and Web filters.

 In general, cybercriminals rely on such domains because they’re more difficult to thwart compared to static domains. Furthermore, security solutions can be overwhelmed and chances are that they’ll miss at least some of the many domains.


“By simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organizations are typically blind to the attack, impacting their ability to prevent, detect and respond,” Blue Coat said.

 While the use of “one-day wonders” might help cybercriminals, there are certain measures that organizations can take to ensure they’re protected. The recommendations include the use of real-time intelligence for blocking access to malicious short-lived domains, solutions that automate defenses and prioritize incidents, creating a baseline of transient hostnames that can later be used to detect anomalies, and granular policy controls.

 The complete report, titled “One-Day Wonders: How Malware Hides Among the Internet’s Short-Lived Websites,” is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...