
Hackers Use Fake Domains to Target Global Sports Logins


Cybercriminals capitalize on high-profile events to exploit public interest by registering deceptive domains mimicking official websites to sell counterfeit goods, offer fraudulent services, and spread malware. 

During the COVID-19 pandemic and the rise of ChatGPT, attackers launched phishing campaigns, distributed malware, and promoted fake tools to steal credentials and infect systems. 

To identify and mitigate cyberthreats associated with high-profile events, security analysts monitor domain registration trends, textual patterns in domain names, and DNS traffic anomalies. 

By analyzing newly registered domains (NRDs) containing event-specific keywords, they can detect suspicious activity like phishing, malware, and C2 operations. 

Investigating textual patterns in domain names, including keywords, structure, and TLDs, helps uncover deceptive domains, while monitoring DNS traffic for unusual patterns can reveal potential attacks. 

The analysis of DNS and URL traffic trends reveals insights into user behavior and potential malicious activities. Significant increases, spikes, and changes in the ratio of suspicious DNS and URL traffic can indicate unusual activity, such as C2 communications or phishing attempts. 

By examining these trends, particularly around significant events or time periods, analysts can identify the attack strategies that threat actors are employing.

Palo Alto Networks analyzes the top 10 most visited domains to identify shifts in user interest and potential threats, and also monitors change requests for domain recategorization in its URL testing system.

Sudden spikes in these requests can indicate significant incidents or an evolving threat landscape. By analyzing these trends, security teams can proactively adapt their security measures to mitigate risks and maintain network protection.

Gambling website hosted on allolympic[.]com.

The 2024 Paris Olympics saw a significant surge in malicious cyber activity. Threat actors registered numerous suspicious domains, particularly during the event, at up to triple the average daily rate; these domains often used keywords such as “Olympic” and “aoyunhui” and were hosted on popular TLDs such as .com and .shop.

Malicious activity peaked around significant events such as the opening ceremony, when suspicious domains accounted for twenty percent of all new registrations on that day.
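The NRD monitoring described above (event keywords in domain labels, TLD distribution, and daily registration spikes measured against the average rate) can be reduced to a small script. The example below is added here and is not code from the article or from Palo Alto Networks; the domain list and dates are constructed, and the 3x-average spike threshold is an assumption taken from the tripling the article reports.

```python
from collections import Counter
from datetime import date

# Constructed sample of newly registered domains (NRDs) grouped by registration day.
# Illustrative values only; none are real registrations from the article.
SAMPLE_NRDS = {
    date(2024, 7, 22): ["weather-report.net", "bakery-lyon.fr", "olympic-tix.shop"],
    date(2024, 7, 23): ["cloud-notes.io", "olympicstream24.com", "gardening-tips.org"],
    date(2024, 7, 24): ["aoyunhui-live.com", "travel-blog.net", "photo-share.app"],
    date(2024, 7, 25): ["crypto-news.org", "fitness-plan.com", "paris-olympic-2024.com"],
    date(2024, 7, 26): ["olympic-tickets.shop", "aoyunhui2024.com", "ticketsolympic.com",
                        "Olympics-Betting.shop", "aoyunhui-bet.shop", "olympic-giveaway.com",
                        "news-daily.com", "startup-hub.io"],
}

# Event-specific keywords named in the article; matching is case-insensitive.
EVENT_KEYWORDS = ("olympic", "aoyunhui")


def is_event_keyword_domain(domain: str) -> bool:
    """True if the registrable label (TLD stripped) contains an event keyword."""
    label = domain.lower().rsplit(".", 1)[0]
    return any(kw in label for kw in EVENT_KEYWORDS)


def daily_stats(nrds: dict) -> dict:
    """Per day: (total registrations, keyword matches, share of matches)."""
    stats = {}
    for day in sorted(nrds):
        total = len(nrds[day])
        hits = sum(is_event_keyword_domain(d) for d in nrds[day])
        stats[day] = (total, hits, hits / total if total else 0.0)
    return stats


def spike_days(nrds: dict, factor: float = 3.0) -> list:
    """Days whose keyword-match count reaches factor x the average daily match count."""
    stats = daily_stats(nrds)
    avg = sum(h for _, h, _ in stats.values()) / len(stats)
    return [day for day, (_, h, _) in stats.items() if h > 0 and h >= factor * avg]


def tld_breakdown(nrds: dict) -> Counter:
    """Which TLDs the keyword-matching domains land on (.com and .shop in this sample)."""
    return Counter(d.lower().rsplit(".", 1)[1]
                   for domains in nrds.values() for d in domains if is_event_keyword_domain(d))


if __name__ == "__main__":
    for day, (total, hits, share) in daily_stats(SAMPLE_NRDS).items():
        print(f"{day}: {hits}/{total} keyword domains ({share:.0%})")
    print("spike days:", spike_days(SAMPLE_NRDS))
    print("TLDs:", tld_breakdown(SAMPLE_NRDS))
```

On real NRD feeds the keyword list and threshold would be tuned per event, and a flagged domain is a candidate for review or blocking, not proof of malice on its own.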

The landing page of the fake cryptocurrency scheme leveraging the Olympics.

DNS and URL traffic analysis revealed increased malicious activity leading up to and during the Games, as a persistent threat actor targeted both the 2021 Tokyo and 2024 Paris Olympics, using similar tactics and infrastructure. 

Scams involving fake data giveaways, fraudulent cryptocurrency investments, and malicious gambling sites further exploited the Olympic hype. Threat actors exploit high-profile events by leveraging deceptive domains, phishing, and malicious traffic to capitalize on public interest. 

Security teams can proactively mitigate these threats by monitoring critical metrics such as domain registrations, textual patterns, DNS anomalies, and change request trends. 

By analyzing these trends, security teams can identify and block malicious domains, thereby preventing opportunistic scams and safeguarding organizations from potential cyberattacks.
