NetBeacon MAP focuses on the use of the Domain Name System (DNS) for phishing and malware.

Phishing is an attempt to trick people into sharing important or sensitive information, for example logins, passwords, credit card numbers, or banking information in either a personal or business context.

Malware is malicious software designed to compromise a device on which it is installed.

Our methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month.

The information collected by KOR Labs includes the content of the malicious URL and the home page of the registered domain name, DNS, and RDAP/WHOIS records. KOR Labs extract features used to determine whether the maliciously registered domain has been removed from the zone and/or hosting service has been suspended and/or abusive content has been removed from the website. After the initial measurement, performed at the time of acquiring the malicious URL, KOR Labs repeat the measurements for one month: 5 minutes after blocklisting, 15m, 30m, 1 hour, 2h, 3h, 4h, 5h, 6h, 12h and then once every 12 hours. 

Typically, malware delivery and phishing attacks are mitigated within the first day after blocklisting. Therefore, KOR Labs perform more granular scans at the beginning of the measurements and less frequent measurements later. See our Methodology for more information.

We cannot definitively know which party took mitigating actions.This data could include mitigation taken by the registry, the host, or any other relevant party. The reference to a registrar is indicative that the domain is under their management.

We have published a transparent and comprehensive Methodology.

We define a special domain as a domain name that provides subdomains or a redirection that can be abused by attackers, but the original purpose of the registered domain name is legitimate. Those domain names are generally registered by operators of URL shorteners (e.g., bitly.com) or subdomain providers, for example, dynamic DNS providers (e.g., duckdns.org), free subdomain providers (e.g., 000webhost.com), or file

sharing services (e.g., docs.google.com). KOR Labs maintains and manually updates a list of special domains which is available to the research community. KOR Labs NetBeacon MAP methodology keeps only domain names likely to have been registered by end users and excludes special domain names, to avoid, for example, google.com being flagged as abusive. See our Methodology for more information.

Yes. See our Monthly Reports. Registrars and registries can also view their own data in their MAP Dashboard.

MAP is a collaboration between The NetBeacon Institute and KOR Labs, led by Dr. Maciej Korczynski, a professor at Grenoble Alpes University in France. This data is then provided to the Institute. The Institute works with PIR’s Data Analytics team to create the interactive charts and for the purposes of writing this report.

The four labels used to measure mitigation are Mitigated, Not Mitigated, Uncategorized, or Unprocessed. 

Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.

Not Mitigated: We did not detect any indication of mitigation.

Uncategorized: We were unable to determine whether or not mitigation occurred.

Unprocessed: The domains were not processed due to network connectivity or server problems.

Our methodology includes three labels:

Malicious: a domain registered for malicious purposes (i.e., to carry out DNS Abuse).

Compromised: A benign domain name that has been compromised at the website, hosting, or DNS level. 

Uncategorized: A domain that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to categorize domain names accurately.