"We caught these things well back," Hay said.
In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they'll often visit it once to make sure it's accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.
If a fraudster is connected to an ISP that uses OpenDNS's service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.
"As soon as we see that little bump on the wire, we can block it and monitor to see what's going on," Hay said. "It's almost an early warning system for fraudulent activity."
Sign up for CIO Asia eNewsletters.