Which internet domains your browser is actually visiting

February 18, 2018


Do you know which internet domains you are actually visiting when you are browsing your favorite websites?

In this blog we are attempting to answer this question by filtering all domain visit attempts while browsing the Majestic top 10.000 most popular internet domains.

While browsing these domains, the browser actually made 460.717 attempts to contact a total of 86.645 unique domains.

Analysis shows that a total of 38% of all attempted domain visits could be categorized as Online Marketing and Tracking, Malware Distributing, Phishing, Telemetry, Social Media, or Crypto-jacking services.

Setup


We have a cleanly installed test system with Microsoft Windows 10 Pro and Mozilla Firefox as the default browser. A simple script automates the consecutive browsing of all 10.000 domains. Finally, we installed Barriqade on the system to log all domains visited during our experiment. Also, we configured Barriqade to detect and filter domains listed in any of the following categories of domains:

  • Online Marketing and Tracking Domains
    • Websites and domains related to internet marketing, advertisement and in-browser user / visitor tracking services. These include services showing ads on different websites, but also services your browser connects to in order to record your actions – such tracking services are used to allow for (amongst other things) targeted advertisements through detailed profiling of you as a visitor to a broad range of websites.
  • Malware Distributing Domains
    • Websites and domains known for either distributing malicious applications and plugins, or being used in ransomware activities, like command and control systems.
  • Phishing Domains
    • Domains that are known or suspected of being used to mislead a visitor in thinking the domain and its websites are hosted and operated by a legitimate party. The visitor of such domains may be tricked into revealing personal information, like passwords or credit cards.
  • Software Telemetry and User Tracking Domains
    • Software telemetry services usually disclose some degree of information about the use of software or online solution – it tells the author of the software how it is used. Some telemetry services may actually capture sensitive information about you. Blocking such domains known for collecting user tracking / telemetry information stops the software or service in question ‘calling home’.
  • Social Media Domains
    • Social media services, like Twitter, Facebook and many more. Some users like to block these kinds of domains as well.
  • Crypto-jacking Domains
    • Also known as domains related to web crypto-mining services. It involves the secret use of your computing device to mine cryptocurrency, making money for someone else. When your browser performs such mining operations, it significantly increases your browser’s CPU load, which may result in a noticeable increase in your electricity bill.

Our lab environment continuously browses the web and detects domains meeting any of the above categorizations, based on our own automated detection methods, manual inspection, reporting by Barriqade users, and the categorizations made by independent third parties.

Barriqade allows the user to determine for each of these categorizations individually what Barriqade should do when a visit to any of them is detected: block, allow, or show a notification. The user can also add any number of custom rules.

Results


Highlights


Two domain visit attempts were filtered as a result of a Phishing Domain classification by Barriqade. While browsing all of the Majestic top 10.000 domains, two references were made to third party domains known for phishing activity. Similarly, 112 references were made to domains known for hosting malware / ransomware.

A total of 57 attempted visits to Crypto-jacking, or web mining domains were filtered. Most of these were references to coinhive.com and jsecoin.com. Other research shows that this number is on the rise.

Filtering Software Telemetry and User Tracking Domains resulting in 738 domain visit attempts being blocked. These are mostly the result of Microsoft Windows 10 on the test system trying to contact telemetry and/or user tracking domains during the 20 hour-test.

The number of filtered Social Media domain visits can mostly be attributed to Twitter and Facebook widgets. Such widgets usually refer to images and other content hosted on servers of Twitter, Facebook, or others.

Finally, the large number of filtered domain visits related to Online Marketing and Tracking can be explaining by the fact that most websites show advertisements, which are usually served by known third party ad and tracking services. Filtering those domains means that the browser is unable to connect with them, which stops the browser downloading ads, or sending your behavior characteristics during your visit of a website as analytics information to such a third party service.

Interested in filtering domains on your device?


Try Barriqade yourself and stop your browser and device contacting unwanted domains!

For this blog we configured Barriqade to filter everything Barriqade can without using custom rules, but you don’t have to do the same. Simply enable the filters for the categories of domains you don’t want your device to visit, not just your browsers.

Try Barriqade