November 24, 2016
Sending emails containing links that redirect to malware sites is, unfortunately, a common practice among cybercriminals, and it targets many people and companies.
Regularly updated blacklists allow email service providers to filter malicious content. However, many malware networks are designed to register new domain names on a regular basis and abandon them quickly, which lets cybercriminals stay ahead of the blacklists.
It is in this context that a patent application filed by the American company BOEING has been published by the USPTO (Pub. No. 2016/0337394, available here). The patent application, entitled "Newborn Domain Screening of Electronic mail messages", proposes a solution against the constant use of new domain names by cybercriminals.
The aforementioned patent application describes an apparatus that operates in several steps, summarized below:
- The tool detects the domain name used by a URL displayed in the subject, body or attachments of a received email;
- The tool launches a WHOIS request on the detected domain name and determines its registration date;
- If the domain name is considered "too recent", the tool may, for example, deactivate the link, send a warning to the recipient or quarantine the email.
Without making any assumption about the patentability of this invention, the described apparatus appears to provide a simple but potentially effective solution to the problem mentioned above. It could be argued that the WHOIS services of some Top Level Domains are known for not displaying the domains' registration dates. However, it should be recalled that in most cases, cybercriminals favor domain names that are inexpensive and easy to register and abandon: gTLDs in most cases, whose creation dates are available in the WHOIS database.
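The three steps summarized above, together with the case where the WHOIS record shows no registration date, can be sketched as follows. This is an added example, not code from the patent application or from BOEING; the 30-day threshold, the "warn" fallback for a missing date, the two-label domain extraction, the injected `whois_lookup` callable and all sample data are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>()\[\],]+", re.I)
CREATED_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M)
MAX_AGE = timedelta(days=30)  # assumed threshold; the page only says "too recent"

# Constructed sample data (reserved .example names), not real WHOIS records.
SAMPLE_EMAIL = ("Subject: Invoice\nPay at http://pay.newborn-shop.example/inv?id=7 "
                "or see https://www.oldsite.example/help\nMirror: http://cdn.nodate.example/x")
SAMPLE_WHOIS = {
    "newborn-shop.example": "Domain Name: NEWBORN-SHOP.EXAMPLE\nCreation Date: 2016-11-20T09:15:00Z\n",
    "oldsite.example": "Domain Name: OLDSITE.EXAMPLE\nCreation Date: 2009-03-02T00:00:00Z\n",
    "nodate.example": "Domain Name: NODATE.EXAMPLE\nStatus: active\n",  # registry hides the date
}
NOW = datetime(2016, 11, 24, tzinfo=timezone.utc)  # constructed evaluation time

def domains_in(text):
    """Step 1: collect the domain of every http(s) URL in the message text."""
    found = set()
    for url in URL_RE.findall(text):
        labels = (urlsplit(url).hostname or "").rstrip(".").split(".")
        if len(labels) >= 2:
            # Simplification: keep the last two labels. Real code needs the Public Suffix List.
            found.add(".".join(labels[-2:]))
    return sorted(found)

def creation_date(whois_text):
    """Step 2: read the 'Creation Date' field; None if absent or unparseable."""
    m = CREATED_RE.search(whois_text or "")
    if not m:
        return None
    try:
        dt = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def screen(text, whois_lookup, now):
    """Step 3: map each domain to 'quarantine', 'warn' or 'deliver'."""
    verdicts = {}
    for domain in domains_in(text):
        created = creation_date(whois_lookup(domain))
        if created is None:
            verdicts[domain] = "warn"  # assumed policy when the date is unknown
        else:
            verdicts[domain] = "quarantine" if now - created < MAX_AGE else "deliver"
    return verdicts
```

Calling `screen(SAMPLE_EMAIL, SAMPLE_WHOIS.get, NOW)` runs the whole flow offline; in a mail gateway the lookup callable would wrap a real WHOIS client and the message parser would also cover attachments.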
We can only hope that this solution will be implemented and commercialized in the near future.