If you’ve never heard of malvertising or need a better understanding, then you should read the article on malvertising first. If you’re familiar with malvertising and have run into issues with blocking advertisements, then I might have a solution for you. I recently ran into problems with blocking ads because non-ad images weren’t loading due to being served from an ad network which is ideal from a content delivery aspect, but terrible from a security aspect.
Every network is different and what works for me might not work for you so take the time to monitor your network DNS and IPS/IDS traffic to find which top-level domains (TLDs) are blocked based on suspiciousness or called too frequently that aren’t a [,]org, [.]net, or [.]com.
I use a combination of top 10 or 20 (depending on the vendor) of the most abused TLD’s for spam and malicious activity such as malware distribution and command and control activity.
Top lists:
- Trend Micro
- Symantec (1Q 2018, recompiled quarterly)
- Spamhaus
- Malware Domain List
- Malware Domains
- Quttera
I look for TLD’s that are a minimum of 40% malicious, or there isn’t a business need to visit. I’ve gone back several years in these lists and found that there is a semi-regular pattern where new TLD’s are released and quickly abused then the usual crop are used in rotation.
Blocked TLD’s with their regular expression:
- [.]gq – ^https?://([A-Za-z0-9.-]*\.)?.gq/
- [.]cf – ^https?://([A-Za-z0-9.-]*\.)?.cf/
- [.]men – ^https?://([A-Za-z0-9.-]*\.)?.men/
- [.]loan – ^https?://([A-Za-z0-9.-]*\.)?.loan/
- [.]ml – ^https?://([A-Za-z0-9.-]*\.)?.ml/
- [.]top – ^https?://([A-Za-z0-9.-]*\.)?.top/
- [.]work – ^https?://([A-Za-z0-9.-]*\.)?.work/
- [.]click – ^https?://([A-Za-z0-9.-]*\.)?.click/
- [.]tk – ^https?://([A-Za-z0-9.-]*\.)?.tk/
- [.]country – ^https?://([A-Za-z0-9.-]*\.)?.country/
- [.]pw – ^https?://([A-Za-z0-9.-]*\.)?.pw/
- [.]party – ^https?://([A-Za-z0-9.-]*\.)?.party/
- [.]trade – ^https?://([A-Za-z0-9.-]*\.)?.trade/
- [.]review – ^https?://([A-Za-z0-9.-]*\.)?.review/
- [.]club – ^https?://([A-Za-z0-9.-]*\.)?.club/
- [.]bid – ^https?://([A-Za-z0-9.-]*\.)?.bid/
I realize that blocking TLD’s isn’t ideal, but it’s better than blocking by country IP blocks and even though there is fluctuation in the percent of maliciousness there usually isn’t any reason that most businesses should be going to domains with the TLD’s list above.