Archive for the ‘Whois’ Category

The Monday Media Wrap Up

November 28th, 2016 Comments off

Articles from November 19-24

Deliveroo Under Fire After Hungry Hackers Defraud Firm
Infosecurity Magazine | Phil Muncaster | November 23, 2016
Takeaway delivery service Deliveroo has come under criticism after an investigation revealed customers have had their accounts broken into and used to run up huge bills. BBC’s Watchdog program discovered some users of the popular service were left several hundred pounds out of pocket. “I noticed that I had a ‘thank you’ email from Deliveroo for a burger joint in Chiswick,” Judith MacFayden, from Reading, told the program. “I thought that was really odd so I went on to my account and had a look and there had been four orders that afternoon to a couple of addresses in London.” Deliveroo claimed the accounts were hacked because customers reused credentials from other accounts which were compromised in a data breach. It added that no financial data had been stolen as a result. Deliveroo claimed it didn’t want to comment on which anti-fraud measures it has in place, for obvious reasons, but said it’s always working to improve such measures.

Ransomware abusing encrypted chat app Telegram protocol cracked
ZDNet | Charlie Osborne | November 23, 2016
Ransomware which abuses the Telegram app API has been stopped in its tracks only weeks after discovery. The malware, TeleCrypt, is typical ransomware in the way that the malicious code operates. If Russian-speaking victims accidentally run and execute the software — potentially through malicious downloads or phishing attacks — TeleCrypt will encrypt a system and throw up a warning page blackmailing the user into paying a ‘ransom’ to retrieve their files. In this case, victims are faced with a demand for 5,000 roubles ($77) for the “Young Programmers Fund.” However, the malware also has unusual aspects, such as the use and abuse of Telegram Messenger’s communication protocol to send decryption keys to the threat actor, which, according to Secure List, appears to be the “first cryptor to use the Telegram protocol in an encryption malware case.” While cryptors either maintain offline encryption or don’t, this Trojan chooses to. In order to keep communication lines between the threat actor and ransomware concealed and protected, secure channels need to be created — and this often increases the cost of malware development. To circumvent these costs, TeleCrypt abuses the publicly available Telegram Bot API by operating as a bot which generates unique tokens that are inserted into the malware’s body so the Trojan can use the Telegram API.

Two-thirds of London Councils Suffered Breach in Past Four Years
Infosecurity Magazine | Phil Muncaster | November 23, 2016
Around two-thirds of London’s councils have been breached over the past four years, according to a new Freedom of Information request. Identity management firm Secure Cloudlink’s research revealed that 21 out of the capital’s 33 local authorities had suffered a data breach over the period, although Hackney and Kensington and Chelsea refused to disclose the information – ironically for security reasons. Barnet, Camden, Croydon, Greenwich, Lambeth, Lewisham, Wandsworth, Westminster and the City of London were among those affected, while Bexley, Bromley, Ealing, Enfield and Haringey were on the list of those which managed not to spill data during the period. Fortunately, there’s no evidence to suggest that any breached citizens’ data has subsequently been used in follow-up fraud or cyber attacks. However, the research confirms that data protection in local government is still far from perfect. “Designs that were once suitable have not been updated to keep pace with today’s digital economy, and because of this, hackers have been able to capitalise and steal information much more easily,” argued Secure Cloudlink chairman, Mark Leonard.

Madison Square Garden admits hackers spent a year harvesting visitor credit-card data
ZDNet | Liam Tung | November 23, 2016
The Madison Square Garden Company has revealed that for a year malware has been capturing payment-card data from a system that processes payments for several of its properties. MSG warned customers on Tuesday that the breach had exposed customer data held on the magnetic strip of credit cards, including card numbers, cardholder names, expiration dates, and internal verification codes. Card-issuing banks recently notified MSG of suspicious transaction patterns, which led to an investigation by MSG and confirmation of the infection in the last week of October, it said. It’s not clear why the company only revealed the incident now. “Findings from the investigation show external unauthorized access to MSG’s payment processing system and the installation of a program that looked for payment-card data, as that data was being routed through the system for authorization,” MSG said. Cards used to buy merchandise and food and drinks at several properties between November 9, 2015 and October 24, 2016 may have been affected.

The Black Friday Heist: Financial Phishing Increases During Holiday Season
Information Security Buzz | Kaspersky Lab | November 22, 2016
A peak season for sales is obviously also a peak hunting season for criminals. In fact, some £5 billion of transactions are predicted over that period – five times higher than in 2015. Retailers offer lots of hard-to-resist deals as people plan on spending money on gifts for family, friends and themselves. Therefore, while e-commerce customers are making wishes for the upcoming sales, retailers are preparing their stores for a massive rise in the number of visitors. Financial infrastructure owners – banks and payment systems – are similarly getting ready for a huge increase in the number and value of transactions. However, cybercriminals are preparing too, as suggested in research from previous years. As Kaspersky Lab threat statistics show, in 2014 and 2015 the proportion of phishing pages that hunt financial data (credit card details) detected by the company during Q4 (which covers the holiday period) was around nine per cent higher than the average for the year. In particular, the result for financial phishing in all of 2014 was 28.73 per cent, while the result for Q4 was 38.49 per cent. In 2015, 34.33 per cent of all phishing attacks were financial phishing, while in Q4, that type of phishing was responsible for 43.38 per cent of all attacks. Holidays influence the type of financial targets that criminals target. Both in 2014 and 2015, Kaspersky Lab researchers witnessed a significant (several per cent) increase in phishing attacks against payment systems and online stores. Attacks against banks also grew, but at a lower rate.

Catastrophic botnet to smash social media networks in 2017
ZDNet | Charlie Osborne | November 22, 2016
Social media networks and their prolific use will prompt a plague of botnets in 2017, security researchers have warned. Botnets are networks of compromised devices, such as connected home gadgets, PCs, and mobile devices, which have been infected with malware specifically designed to enslave such products. The botnet is run by an operator who utilizes a command and control (C&C) center to send commands to these devices, including what could be flooding a web domain with traffic in what is known as a distributed denial-of-service (DDoS) attack that can severely disrupt online services. These botnets can cost hosting companies a fortune to combat. For example, in September prominent security blog Krebs on Security was the target of a 620Gbps DDoS attack made possible through the Mirai botnet, a network which enslaved millions of vulnerable IoT products. The hosting provider, which offered to host the domain without a fee, was forced to withdraw its services due to the sheer cost of the ongoing attack.

Malicious images on Facebook lead to Locky Ransomware
CSO | Steve Ragan | November 21, 2016
Researchers have discovered an attack that uses Facebook Messenger to spread Locky, a family of malware that has quickly become a favorite among criminals. The ransomware is delivered via a downloader, which is able to bypass whitelisting on Facebook by pretending to be an image file. The attack was discovered on Sunday by malware researcher Bart Blaze, and confirmed later in the day by Peter Kruse, another researcher who specializes in internet-based crime and malware. The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file. The use of SVG (Scalable Vector Graphics) files is important: SVG is XML-based, meaning a criminal can embed any type of content they want – such as JavaScript. In this case, JavaScript is exactly what the attackers embedded. If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL. Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page. If the codec (presented as a Chrome extension) is installed, the attack is then spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky. The attack seems to have variations, so it isn’t clear if there is more to it than rogue extensions and downloaded ransomware.
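The defender’s first question about an “image” that arrives as a .svg file is whether it carries anything that can execute or navigate. The Python check below is an added example, not code from the article or from the researchers it names: it parses the file as XML with the standard library and reports script elements, on* event-handler attributes, javascript: and external hrefs, and foreignObject elements. The two sample files are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain icon with nothing active in it.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">
  <circle cx="16" cy="16" r="12" fill="#36c"/>
</svg>"""

# Constructed sample with the shape the article describes: an "image" that
# carries script. The script body is a placeholder comment, nothing more.
SUSPECT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder: a real sample would redirect the browser here */</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
</svg>"""


def _local(name):
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}' from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return a list of (reason, element) findings for active content in an SVG document.

    An empty list means nothing that could execute or navigate was found.
    Malformed input and non-SVG roots are reported as findings rather than raised.
    """
    try:
        root = ET.fromstring(data)          # expat: no external entity expansion
    except ET.ParseError as exc:
        return [(f"not well-formed XML ({exc})", None)]
    if _local(root.tag).lower() != "svg":
        return [(f"root element is <{_local(root.tag)}>, not <svg>", _local(root.tag))]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        low = tag.lower()
        if low == "script":
            findings.append(("script element", tag))
        elif low == "foreignobject":
            findings.append(("foreignObject can embed HTML", tag))
        for attr, value in el.attrib.items():
            name = _local(attr)
            v = value.strip().lower()
            if name.lower().startswith("on"):          # onload, onclick, ...
                findings.append((f"event handler attribute {name}", tag))
            elif name.lower() == "href" and v.startswith("javascript:"):
                findings.append(("javascript: URL", tag))
            elif name.lower() == "href" and v.startswith(("http://", "https://", "//")):
                findings.append((f"external link to {value.strip()}", tag))
    return findings


def is_inert_svg(data):
    """True when the document parses as SVG and contains no active content."""
    return scan_svg(data) == []


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, "inert" if is_inert_svg(sample) else scan_svg(sample))
```

Run as a mail- or upload-gateway check, a non-empty result is reason enough to quarantine the file: a static image has no business carrying script, event handlers or links.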

Happy Birthday Conficker: Malware hits 8
SC Magazine | Doug Olenick | November 21, 2016
As Conficker hit its eighth birthday Monday, it’s still going strong, according to researchers at ESET. Since 2008 the worm has targeted Microsoft Windows computers in 190 million with a total of 11 million devices being infected to date, according to a retrospective blog done by ESET, which estimated damage done by Conficker to be in the $9 billion range. A few of the higher profile targets it has nailed are the U.K. Ministry of Defense and the German armed forces. “Ultimately though, the worm leveraged – and indeed, continues to leverage – an old, unpatched vulnerability to crack passwords and hijack Windows computers into a botnet. These botnets would then be used to distribute spam or install scareware (again, as they are today),” ESET researchers wrote. The malware is now being used to target Internet of Things (IoT) devices, ESET said. Hacked IoT devices were recently responsible for a massive Mirai DDoS attack that knocked Twitter, Spotify, Netflix, GitHub, Amazon and Reddit offline. One reason Conficker has endured the test of time is the constant upgrades and new variants developed by cybercriminals. Over the years it has graduated from being spread via USB to, analysts now believe, moving laterally through a network to target specific devices.

Over 97 Percent of All Phishing Emails Deliver Ransomware
eSecurity Planet | Jeff Goldman | November 21, 2016
According to PhishMe Inc.’s 2016 Q3 Malware Review, the proportion of phishing emails that deliver some form of ransomware reached 97.25 percent in the third quarter of 2016. Locky ransomware executables were the most commonly-identified file type in the third quarter, PhishMe found. “Locky will be remembered alongside 2013’s CryptoLocker as a top-tier ransomware tool that fundamentally altered the way security professionals view the threat landscape,” PhishMe CTO and co-founder Aaron Higbee said in a statement. “Not only does Locky distribution dwarf all other malware from 2016, it towers above all other ransomware varieties.” And while just 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of malware samples in those emails far exceeded that of the ransomware campaigns.

Homeland Security Chief Cites Phishing as Top Hacking Threat
Fortune | Jeff John Roberts | November 20, 2016
Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest preoccupation was plain old e-mail. “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source. He has a point. The debacle over leaked emails from Hillary Clinton’s campaign chairman began when the chairman, John Podesta, fell for a fake Gmail message. And those celeb-gate hacking victims likewise got tricked by phishing. So what can we do about it? Education is one approach. Secretary Johnson says his agency sends emails to its own employees with suspicious links for goodies like “free Redskins tickets.” Those who click on the link receive instructions to show up to a spot to collect their tickets—where they instead receive a free lesson on cyber-hygiene. And of course technology is another way to fight phishing. At the security event, Manhattan District Attorney Cyrus Vance announced that the non-profit Global Cyber Alliance had created a free tool to help organizations install DMARC software, which helps authenticate email messages. “Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Vance, who added that, after terrorism, cyber-security is New York’s top priority.

Don’t be Schooled by Brexit Phishing Tactics

August 17th, 2016 Comments off

Barracuda Networks, whose early claim to fame was a spam firewall appliance, published a blog post on a phishing campaign that’s been making the rounds. The campaign capitalizes on a timely event—Brexit—by evoking the market uncertainties surrounding Britain’s move. The gist of the spam/phishing emails is that now is a great time to refinance or buy a new home; links in the emails go to phony lending site pages that are likely to do harmful things to the victim.

A screenshot on the blog post shows the sender’s email address, which includes the domain ancybo[.]com (link goes to our Whois record, not to the domain itself). I decided to dig into this domain with DomainTools Iris to see what I could learn about the spammer and any infrastructure connected to that domain. The results were interesting.

The domain is not registered under Whois privacy, which means I had a registrant email address to pivot on. This yielded 6 domains, all registered under the name Jeremy Arias. That may be the spammer’s actual identity, or it may be a stolen or made-up identity; either way, it exposes additional infrastructure related to the initial spam domain.

[Image: Mortgage_Phishing]

All of the domains have scores of 100 from the DomainTools Reputation Engine, which means they have been blacklisted. Jeremy’s consistent, at least!

Another common pivot that exposes infrastructure is to look at what else is hosted on the same IP address as a domain of interest. That pivot in this case, on 104.140.152[.]160, yields 26 additional domains, the vast majority of which are all blacklisted (shown here using the visualization tool in Iris):

[Image: Mortgage_Phishing_1 (Iris visualization)]

Pivoting on the non-privacy email addresses in this group of domains ultimately yields a total of 87 domains, all of which score 82 or higher on the DTRE (we have found that 70 and above indicates likely badness). 34 of the domains are below 100, which means that the DTRE flagged them as being closely connected to known badness without having (yet) been put on traditional blacklists. Many of these domains may be “on the shelf” awaiting later weaponization. The domains all have been registered within a 9 month period starting in October of 2015.

The additional IP addresses in this set of domains could yield additional pivots that might be instructive—indeed, if I were looking to protect an organization against threat infrastructure, or if I were law enforcement interested in taking action against the offenders, I would add those to my search. The pivots aren’t time-consuming, either; the entire investigation up to this point represents less than 10 minutes’ time in Iris. It can be informative—not to mention satisfying—to explore malicious infrastructure in this way.
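The pivots described above can be scripted against any data set that carries the same three fields. The Python below is an added example, not DomainTools code and not an Iris API call: it runs over a constructed table of domain, registrant email, hosting IP and reputation score, expands from a seed domain through shared registrant emails and shared IPs, skips privacy-proxy emails (which connect unrelated registrants) and crowded shared-hosting IPs, and then triages what it reached against the 70-point threshold the post mentions. The privacy marker words and the fan-out limit are assumptions.

```python
from collections import deque

# Constructed sample data (not real Whois records):
# domain -> (registrant email, hosting IP, reputation score 0-100).
# 100 means blacklisted; the post says 70 and above indicates likely badness.
RECORDS = {
    "seed-example.test":    ("registrant-a@example.test", "198.51.100.10", 100),
    "loans-example.test":   ("registrant-a@example.test", "198.51.100.10", 100),
    "refi-example.test":    ("registrant-a@example.test", "198.51.100.11", 100),
    "cohost-example.test":  ("registrant-b@example.test", "198.51.100.10", 85),
    "shelf-example.test":   ("registrant-b@example.test", "198.51.100.12", 82),
    "privacy-example.test": ("REDACTED FOR PRIVACY",       "198.51.100.12", 75),
    "benign-example.test":  ("webmaster@example.test",     "203.0.113.5",   5),
}

LIKELY_BAD = 70                                                     # threshold quoted in the post
PRIVACY_MARKERS = ("privacy", "redacted", "proxy", "whoisguard")    # assumed marker words


def is_privacy_email(email):
    """True for privacy/proxy addresses, which many unrelated registrants share."""
    email = email.lower()
    return any(marker in email for marker in PRIVACY_MARKERS)


def same_registrant(email, records):
    """Domains registered with the same (non-privacy) email address."""
    if is_privacy_email(email):
        return []                     # a shared proxy address is not a usable pivot
    return [d for d, (d_email, _, _) in records.items() if d_email == email]


def cohosted(ip, records):
    """Domains hosted on the same IP address."""
    return [d for d, (_, d_ip, _) in records.items() if d_ip == ip]


def pivot(seed, records=RECORDS, ip_fanout_limit=50):
    """Breadth-first expansion from seed over registrant-email and shared-IP pivots.

    Returns (reached, edges): reached maps each domain to its hop count from
    the seed; edges lists (from_domain, pivot_kind, pivot_value, to_domain)
    in discovery order, so every connection can be explained afterwards.
    """
    reached = {seed: 0}
    edges = []
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        email, ip, _ = records[domain]
        neighbours = [("email", email, d) for d in same_registrant(email, records)]
        peers = cohosted(ip, records)
        if len(peers) <= ip_fanout_limit:   # a crowded shared-hosting IP links unrelated sites
            neighbours += [("ip", ip, d) for d in peers]
        for kind, value, other in neighbours:
            if other in reached:
                continue
            reached[other] = reached[domain] + 1
            edges.append((domain, kind, value, other))
            queue.append(other)
    return reached, edges


def triage(reached, records=RECORDS, threshold=LIKELY_BAD):
    """Label every reached domain: blacklisted (100), flagged (>= threshold) or clean."""
    rows = []
    for domain in reached:
        score = records[domain][2]
        status = "blacklisted" if score == 100 else "flagged" if score >= threshold else "clean"
        rows.append((domain, score, status))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    reached, edges = pivot("seed-example.test")
    for src, kind, value, dst in edges:
        print(f"{src} --[{kind}: {value}]--> {dst}")
    for domain, score, status in triage(reached):
        print(f"{score:>3}  {status:<11}  {domain}")
```

In the sample the privacy-registered domain is still reached, but only through its hosting IP; the proxy address itself is never used as a pivot, which is the same discipline the post applies when it pivots only on non-privacy emails.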

Happy exploring,

Tim

DomainTools Membership Evolution

April 25th, 2016 Comments off

Earlier today DomainTools announced an evolution of our membership model for individual users. Going forward DomainTools will only offer one retail membership level, the Personal Membership.

I appreciate all of the feedback that we have received from many of our loyal and longtime DomainTools users. It’s clear DomainTools is a critical resource for our customers.

For 15 years DomainTools has been the leader in Whois and DNS data for a wide variety of customers: webmasters, domain professionals, attorneys, brand managers, investigators, cybersecurity professionals, journalists, researchers and many more. Over that time we have evolved the individual membership levels a number of times, but never asked any legacy customer to change either their price or package allotment.

Customers that have been watching the evolution of our website and public persona will know that in the last three years we have executed a pretty strong pivot towards building tools for enterprise-class threat intelligence enrichment within cybersecurity and incident response environments within organizations worldwide.

As the growth of our enterprise business consumed our focus and resources, we were forced to make some very difficult decisions, including how to streamline our legacy retail business in order to be able to continue to support it with the industry’s best data and toolsets. The Personal Membership level was designed to capture most of the product usage bell curve for our retail members, with only very heavy users falling outside the new boundaries. As with everything, I know we will miss the mark for some longtime users. It’s a unique irony that increasing our monthly price by $5 per year would likely have been better for our reputation than grandfathering tens of thousands of great customers until this one-time membership redesign in 2016.

DomainTools’ mission today is to continue to develop an invaluable service for cybersecurity teams worldwide who come to work every day on the right side of a very nefarious and rapidly evolving battle that affects all of us. The work we do gets built into the increasingly powerful and expansive products available to our individual users. Many of our users have told us their membership with DomainTools is worth orders of magnitude more than $99/month, but for others it is clear we have to earn that price point. And that’s what we’re going to do.

Introducing DomainTools Reverse IP Whois

March 21st, 2016 Comments off

We are excited to announce the addition of Reverse IP Whois to our DomainTools products. This powerful tool shows you all of the IPv4 address allocations for a given search term—usually an organization like a company, educational institution, or government entity. This can be very useful when trying to gain context, or situational awareness, related to an IP address or organization of interest.

[Image: Reverse_IP]

Just as domains have Whois records, IP address ranges do as well. In DomainTools products such as Iris or the Whois web page, you can enter an IP address or subnet and see the Whois record. While this can be helpful, it often tells only part of the story. That’s where Reverse IP Whois comes in. In many cases, an organization could have other allocations across different network blocks. Reverse IP Whois will show you those.

Some common use cases for this include:

  • Mapping all the IPv4 holdings of an entity
  • Monitoring or defending against the extended infrastructure tied to a suspicious IP address
  • Learning more about an entity by studying its infrastructure–for example, seeing parent, child, or peer business units of an organization, as is sometimes reflected in IP Whois records

Using Reverse IP Whois is easy. In the search box, you typically will enter either the name of the organization you’re researching, or a keyword that you know or believe will appear in the IP Whois records.

  1. When you enter the organization name, Reverse IP Whois displays the IPv4 allocations belonging to that entity.
    • You can click the IP ranges to see the IP Whois records for those ranges
    • Or you can filter the results by the organization, the Whois server, or the country
  2. You can also enter a keyword. For example, if you want to see all IPv4 allocations where the Whois record contains “percussion,” Reverse IP Whois will show them. While this specific update brings Reverse IP Whois as a Web interface, it’s also available as an API.
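To make the forward/reverse distinction concrete, here is an added Python example. It is not DomainTools code and does not call the Reverse IP Whois API; the allocation table is constructed from RFC 5737 documentation ranges. ip_whois finds the most specific allocation containing an address, reverse_ip_whois searches the records by organization name or keyword with the org, Whois server and country filters the post describes, and holdings collapses nested ranges so an entity’s IPv4 footprint is not double-counted.

```python
import ipaddress

# Constructed IPv4 allocation records (not real IP Whois data). The fields
# mirror what the post says you can filter on: organization, Whois server, country.
ALLOCATIONS = [
    {"range": "198.51.100.0/24",   "org": "Example Percussion Inc",       "country": "US", "server": "whois.arin.net"},
    {"range": "198.51.100.128/25", "org": "Example Percussion Inc - Lab", "country": "US", "server": "whois.arin.net"},
    {"range": "203.0.113.0/24",    "org": "Percussion Ltd",               "country": "GB", "server": "whois.ripe.net"},
    {"range": "192.0.2.0/24",      "org": "Unrelated Hosting LLC",        "country": "DE", "server": "whois.ripe.net"},
]


def _net(alloc):
    return ipaddress.ip_network(alloc["range"])


def ip_whois(ip, allocations=ALLOCATIONS):
    """Forward lookup: the most specific (longest-prefix) allocation containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [a for a in allocations if addr in _net(a)]
    return max(hits, key=lambda a: _net(a).prefixlen, default=None)


def reverse_ip_whois(term, allocations=ALLOCATIONS, org=None, server=None, country=None):
    """Reverse lookup: every allocation whose record text contains term
    (case-insensitive), optionally narrowed by exact org, Whois server or country."""
    needle = term.lower()
    filters = {"org": org, "server": server, "country": country}
    out = []
    for a in allocations:
        if needle not in " ".join(a.values()).lower():
            continue
        if any(want is not None and a[field] != want for field, want in filters.items()):
            continue
        out.append(a)
    return sorted(out, key=_net)


def holdings(term, allocations=ALLOCATIONS, **filters):
    """Distinct IPv4 addresses across the matching allocations. Nested or
    overlapping ranges (the /25 carved out of the /24 above) are collapsed
    first so the same address is never counted twice."""
    nets = ipaddress.collapse_addresses(_net(a) for a in reverse_ip_whois(term, allocations, **filters))
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    print("forward:", ip_whois("198.51.100.200"))
    for a in reverse_ip_whois("percussion"):
        print("reverse:", a["range"], a["org"], a["country"], a["server"])
    print("holdings:", holdings("percussion"), "addresses")
```

The keyword search deliberately matches any field, which is how a term like “percussion” surfaces allocations under differently named business units; the collapse step matters because a sub-allocation listed separately would otherwise inflate the count.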

Reverse IP Whois is another way that DomainTools shows you more about the entities that operate various parts of the Internet. We hope you’ll find it helpful in your investigations.

Thanks for reading, and happy exploring!

The Monday Media Wrap Up

January 25th, 2016 Comments off

Articles from January 16-22

Dive into this past week’s security news:

4 essentials to creating a world-class threat intelligence program
Michael Kassner | TechRepublic | Jan. 22, 2016
Businesses, large and small, are changing tactics when it comes to information security. Rather than spend hard-earned cash attempting to cover every base defensively, company officials are developing information security postures based on the outcome of risk assessments. The purpose of risk assessment, according to the 2012 Guide for Conducting Risk Assessments, is to inform decision makers and support their responses by identifying relevant threats to organizations, vulnerabilities both internal and external, likelihood that harm will occur, and impact to organizations resulting from a successful attack. Any successful threat intelligence program requires an operational and strategic component, involving expert analysis of how current and future threats will affect the business and its assets.

Got threat intelligence data? The value will vary
Fahmida Rashid | InfoWorld | Jan. 21, 2016
Former analyst Rick Holland speaks with Fahmida Rashid about the future of threat intelligence and his new role at threat intel provider Digital Shadows. Organizations are critical of threat intelligence because they don’t see how the indicators they receive are relevant to their organizations. The feeds contain details that aren’t for their geographic location, don’t match their industry, and don’t fit their threat models. They are “more indicators of exhaustion that overwhelm users,” Holland said. “The first piece of threat intelligence is getting the funnel to give better data, to enrich what you are getting,” Holland said. The second is figuring out how to use the information being provided — which is where APIs come in.

Deloitte 2016 Trends Study Finds Analytics Essential for IT Success
Chris Preimesberger | eWEEK | Jan. 22, 2016
eWEEK editor Chris Preimesberger reports on the third annual Deloitte Trends Study, which identifies several trends. The first trend involves security: Enterprises are no longer satisfied with simply “locking the doors” where cyber-security is concerned and are instead going on the offensive by employing more predictive approaches to threat intelligence and monitoring. This, along with other trends detailed in the 2016 report, is driving significant changes in the types of investments the C-suite is making to support business priorities.

FireEye to grow intelligence capabilities with iSight Partners deal
Jeremy Kirk | CSO | Jan. 21, 2016
FireEye has acquired Texas-based iSight Partners for $200 million, a deal that executives say will give FireEye stronger intelligence on cybercriminal and hacking groups before they strike. Intelligence capabilities made iSight attractive, said Travis Reese, president of FireEye’s Mandiant subsidiary. While FireEye and Mandiant study how attacks affect victims, iSight collects intelligence about the attackers.

Not the Boots I Was Looking For

December 22nd, 2015 Comments off

Guest Blogger Shawnda Potvin (a DomainTools Account Specialist) shares a personal experience with Iris 

I was recently on a mission to treat myself to a pair of boots. I went to a website which I thought was an authentic UGG® boots website, as both websites were identical. After I purchased the UGG boots and received a confirmation email, I realized the boots were shipped from outside of the U.S. with an expected delivery of 10-15 days (which was a little disconcerting). The boots were advertised at $75 with an additional shipping cost of $15 (for a grand total of $90). Although this price seemed very low, I was not overly troubled as it seemed consistent with a Black Friday deal. My shopping experience took a negative turn when I checked the balance on my card and noticed a charge from Singapore in the amount of $103, which did not reflect the advertised price.

[Image: Ugg Website]

A month later I received the boots, which looked nothing like the ones I ordered and were cheaply made. There were now too many red flags to ignore, so I made contact with a UGG representative through the official website to see if wildoxpromotions.com was a distributor of theirs, which they were not. They took note of my experience and forwarded the information to their fraud department. To protect my own credit, I was also sure to cancel my credit card.

Being the curious person that I am, I went to work the next day and started researching this Wild Ox Promotions. I used a product that DomainTools offers, called Iris, which is intuitive and can access a wealth of domain and DNS information. I was able to put wildoxpromotions.com into the search box, which then brought up two other emails associated with this domain. I then used the Whois History tool to see where this domain was registered to see if it matched the address on my billing statement. Iris allowed me to see inaccurate information in their Whois record. As an example, the registrar identified their state as the United States (which, last time I checked, is a country). They registered their origin country as AR, which is the country code for Argentina. These two examples gave me enough information to reach out to ICANN and report this particular Whois record. Finally, I continued my investigation by expanding my search to the registrant’s IPs. I was able to locate 8 other domains hosted on that IP address, providing me with even more context and the ability to monitor these data points moving forward (see the domains below):

[Image: Ugg on Iris]

  • Wildoxpromotions.com
  • Extradinarybreathbag.com
  • Chicbagdesign.com
  • Evergreenshops.com
  • Casualluggagshop.com
  • Thickwarmsnowboots.com
  • Qualityovergold.com
  • Beautifullywumart.com
  • Carriefruitbrand.com

It’s hard to believe the lengths that people go through to replicate a company’s website and deliver counterfeit products. The bottom line is that you do not have to be a cybersecurity expert to use DomainTools’ Iris Platform. With minimal time and effort, I was able to search for a single domain and locate several other domains associated with a single IP address. I was then able to pinpoint eight other websites selling counterfeit products.

Note: Since I did this research, some of these websites have been removed. And I’m apparently not the only one who has fallen victim to this UGG boots scam. An article in the UK publication This is Money describes a similar set of circumstances.

Hacktoberfest 2015

October 21st, 2015 Comments off

Hack Days has become a quarterly tradition here at DomainTools, and although the “hack days” concept is now considered as cliché as owning a ping pong table and kegerator in the tech industry (check and check), there are a few things that make our own take unique. For example, rather than solely empowering our technical teams to participate, we also encourage cross-functional collaboration. These multi-faceted projects enable both sides of the house to innovate. As a result, many hack days projects evolve into DomainTools products and in-house improvements.

To sweeten the pot, our CTO Bruce always comes up with a few quick project categories that we vote on as hack days comes to a close. Now, as serious as we are about stopping cybercrime, we also enjoy the goofier things in life. Below are the category winning projects. A big thank you to all our team members who participated in hack days; we are already looking forward to our Q4 projects!

Testament to Your Leadership Award: “Nomad” Mobile App – Kirk Leon Guerrero and Ray Henriksen

Engineers Kirk and Ray were interested in finding ways to grab DNS data on hard-to-reach domains (not included in public root zone files). Their solution was to pair Google’s Places API with our own Whois database for a powerful (and fun) mobile app. The app itself uses an algorithm that finds local businesses listed on Google’s Places and generates domain name guesses by deleting unusual characters (like dashes) from the business name and then appending the TLD (.com, .de, .bike, etc). The app compares the resulting domains with our Whois database to quickly capture the creation of new domains. This project won the “testament to your leadership award” because it was bold, challenging, and labor-intensive but not entirely without flaws.
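The guessing step of the app can be shown in a few lines. The Python below is an added example, not the Nomad code, and the KNOWN_DOMAINS set is a constructed stand-in for the Whois database: it folds a business name to ASCII, drops punctuation and a short (assumed) list of corporate suffixes, produces both a run-together and a hyphenated label, crosses them with the TLDs named in the post, and returns the guesses that appear in the known set.

```python
import re
import unicodedata

TLDS = (".com", ".de", ".bike")                       # the TLDs named in the post
SUFFIXES = {"inc", "llc", "ltd", "gmbh", "co", "corp"}  # assumed corporate suffixes to drop

# Constructed stand-in for the Whois database lookup.
KNOWN_DOMAINS = {"joesbikeshop.com", "berlin-fahrrad.de", "rollingthunder.bike", "cafemuller.de"}


def _ascii_words(business_name):
    """Lower-case ASCII words of a business name, accents stripped and a trailing
    corporate suffix removed (but never the only word)."""
    folded = unicodedata.normalize("NFKD", business_name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    words = re.findall(r"[a-z0-9]+", folded.lower())
    while len(words) > 1 and words[-1] in SUFFIXES:
        words.pop()
    return words


def candidate_domains(business_name, tlds=TLDS):
    """Domain guesses for a business name: words run together (the post's
    'delete unusual characters' rule) and, as a second try, hyphen-joined,
    each crossed with every TLD. Order is preserved, most likely first."""
    words = _ascii_words(business_name)
    if not words:
        return []
    labels = ["".join(words)]
    if len(words) > 1:
        labels.append("-".join(words))
    guesses = []
    for label in labels:
        for tld in tlds:
            domain = label + tld
            if domain not in guesses:
                guesses.append(domain)
    return guesses


def match_registered(business_name, known=KNOWN_DOMAINS, tlds=TLDS):
    """The guesses that exist in the (here constructed) Whois database."""
    return [d for d in candidate_domains(business_name, tlds) if d in known]


if __name__ == "__main__":
    for name in ("Joe's Bike-Shop Inc", "Berlin Fahrrad GmbH", "Café Müller", "Rolling Thunder"):
        print(f"{name!r}: {match_registered(name)}")
```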

[Screenshot of the Nomad app]

Illustration: Joaquim Marques Nielsen (www.jomani.dk)

Best Newbie Hack: DNS Video Game Explainer – Josh Hou and Spencer Carstens

Explaining DNS can be a daunting and sometimes impossible task depending on your audience. Front-end developers Josh and Spencer took a stab at making DNS education fun and memorable with their DNS-themed video game. The game’s hero (let’s call him Bob) is on a tireless quest to resolve domain names, seeking help from upstream counterparts in his efforts to get reliable answers. Will Irene know the answer or will Bob have to go all the way to the Root? Every game comes out differently!

Best in Show: Office Morale Booster – Greg Haas

As Greg is our expert in the sometimes-dry field of accounting, we give him a lot of credit for his creative pranks and culinary experiments (curried tuna with bacon and guacamole, anyone?). This quarter, Greg decided to present a subject that would have a noticeable and direct impact on office morale, and be a great complement to our kegerator and ping-pong table. Naturally, it is a fro-yo machine. Greg walked through a variety of financing options ranging from resource-reallocation to an employee funded option to make this dream a reality. (The real joke here is that our morale is already fantastic…not that anyone would object to a fro-yo machine, mind you.) Please feel free to reach out if you are interested in sharing this clever and refreshing presentation at your own office (team@domaintools.com).

Google Hates ICANN’s Attempt to Eliminate Whois Privacy, Calling it “Impractical & Ineffective”

July 7th, 2015 Comments off
Google filed its comment on the whois privacy issue with ICANN today. Google seems to hate the proposal of the ICANN working group to prohibit commercial domain registrants from using proxy or privacy services, calling it unfair to small businesses and individuals. Google even cites its own Charleston Road Registry as an example of how […]

Profiling malicious domains in The DomainTools Report

May 5th, 2015 Comments off

At the 2015 RSA Conference in San Francisco, we released the first edition of The DomainTools Report: A Profile of Malicious Domains.

In this report, we investigate the attributes of malicious domains connected to malware, spam, phishing, and botnets. Using an aggregation of blacklists and DomainTools’ data, we compared the bad actors’ preferences for TLDs, email domains, privacy providers, and hosting locations. We identified some key trends that should help to profile cybercriminal behavior.

Why did we create this report?

Much of the malicious activity on the Internet is classified and tracked in domain blacklists and reputation scores. But these do little to profile and predict cybercrime to proactively protect against domains that have yet to exhibit illicit behavior. Malicious actors often behave in a predictable manner, and the more thoroughly we profile that behavior, the better we can defend against them. With that purpose in mind, we analyzed domains from several popular blacklists. This report uses DomainTools’ leading Whois and DNS data to define attributes of those malicious domains and begin to create a profile of locations and privacy preferences of cybercriminals.

What did we learn?

Our comprehensive coverage of Whois records enables us to take a broad look at registration attributes of all domains. Overlaying the domain data with data on malicious activity gave us quantitative insights into where the malicious and innocuous domains “live,” logically as well as geographically.

For example, one of the attributes we analyzed was the email domain used to register domains. In particular, we compared free email domains such as gmail.com, yahoo.com, hotmail.com and their variants and international counterparts. The results were interesting, in some respects expected and in others not. Gmail.com was used for the most domain registrations, malicious or not. But measured as a percentage of registrations, some Japanese free email providers were the most malicious, primarily due to a large quantity of spam originating from those domains.
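The count-versus-percentage distinction above is the part of this analysis that is easy to get wrong, so here is an added example (not DomainTools' code, and not the report's data) that overlays a blacklist on registrant email addresses and ranks email domains both ways. The Whois records, the blacklist and the provider `freemail.example.jp` are constructed sample data; a minimum-registrations threshold keeps one-off domains from dominating the percentage ranking.

```python
"""Profile registrant email domains by absolute count and by malicious share.

Added example, not DomainTools' code. All records and the blacklist below
are constructed sample data; the provider names other than gmail.com,
yahoo.com and hotmail.com are invented.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class WhoisRecord(NamedTuple):
    domain: str
    registrant_email: str


def _records(email_dom: str, prefix: str, n: int) -> List[WhoisRecord]:
    """Build n constructed Whois records registered from one email domain."""
    return [WhoisRecord(f"{prefix}-{i}.example", f"user{i}@{email_dom}")
            for i in range(1, n + 1)]


# Constructed sample registrations: gmail.com has the most, as in the report.
SAMPLE_RECORDS: List[WhoisRecord] = (
    _records("gmail.com", "gm", 8)
    + _records("yahoo.com", "yh", 4)
    + _records("hotmail.com", "hm", 2)
    + _records("freemail.example.jp", "fm", 2)   # invented free-mail provider
    + [WhoisRecord("corp.example", "admin@corp.example")]
)

# Constructed aggregated blacklist (spam/malware/phishing feeds merged).
SAMPLE_BLACKLIST: Set[str] = {
    "gm-1.example", "gm-2.example", "gm-3.example",
    "yh-1.example",
    "fm-1.example", "fm-2.example",
}


def email_domain(address: str) -> str:
    """Normalized domain part of a registrant email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def profile_email_domains(records: Iterable[WhoisRecord],
                          blacklist: Set[str]) -> Dict[str, Tuple[int, int, float]]:
    """Map each email domain to (total, blacklisted, blacklisted share)."""
    totals: Dict[str, int] = defaultdict(int)
    bad: Dict[str, int] = defaultdict(int)
    for rec in records:
        ed = email_domain(rec.registrant_email)
        totals[ed] += 1
        if rec.domain.lower() in blacklist:
            bad[ed] += 1
    return {ed: (totals[ed], bad[ed], bad[ed] / totals[ed]) for ed in totals}


def rank_by_count(profile: Dict[str, Tuple[int, int, float]]) -> List[str]:
    """Email domains ordered by absolute number of blacklisted registrations."""
    return sorted(profile, key=lambda ed: (-profile[ed][1], ed))


def rank_by_rate(profile: Dict[str, Tuple[int, int, float]],
                 min_total: int = 2) -> List[str]:
    """Email domains ordered by blacklisted share, skipping domains with
    fewer than min_total registrations (a 1-of-1 domain would otherwise
    rank above every large provider)."""
    eligible = [ed for ed in profile if profile[ed][0] >= min_total]
    return sorted(eligible, key=lambda ed: (-profile[ed][2], ed))


if __name__ == "__main__":
    prof = profile_email_domains(SAMPLE_RECORDS, SAMPLE_BLACKLIST)
    print("by count:", rank_by_count(prof))
    print("by rate: ", rank_by_rate(prof))
```

On the constructed data gmail.com tops the count ranking (3 blacklisted registrations) while the invented free-mail provider tops the percentage ranking (2 of 2), which is the shape of the result the report describes.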

For more information and analysis, download a copy of the full report.

We will also be planning a live webinar later this quarter to discuss the report, and to answer your questions about the data and results. In the meantime, if you have any questions, please email us at team@domaintools.com.


Beyond Whois, Part 3: Two Faces of Lucy

September 3rd, 2014 Comments off

In the first two installments of this series (Beyond Whois: The Domain Profile and Beyond Whois: IP Addresses Tell Many Tales), we looked at the many datapoints in the DomainTools database that go beyond Whois and DNS records and help you find elusive answers about domain ownership and the connections among domains. In this entry, we’ll see how historical information can assist your investigations, too.

Lucy 1: The Missing Link

You’re probably familiar with AL 288-1. Or, more likely, you know this Australopithecus celebrity by the whimsical name “Lucy.” (I’m taking some metaphorical license here, because paleontologically speaking, Australopithecus is not technically considered the “missing link.”) This Lucy represents the way historical artifacts shed light on chains of connection; sometimes a “digital fossil” is the missing link that can advance an investigation.

Many attack attribution or website fraud investigations call for you to look back in time, and if you’ve explored our offerings, you’ll be aware that Whois History is just one of the ways you can do your time-traveling explorations. Hosting History provides insight into how the domain has evolved over time, based on a combination of canonical Whois datapoints (name server and registrar) and our IP address data. Screenshot History can do the same.

Earlier, we saw how Reverse IP can show connections between domains that otherwise don’t look connected–especially if the IP in question has a small number of domains on it. Even if the present hosting doesn’t show such connections, though, comparing the Hosting History entries for domains where you suspect a possible connection could help confirm or refute your hypothesis. A shared–and “small”–IP address could be your missing link.

One usage of Screenshot History that we particularly like for attribution work is to look at the threshold of when a domain went into privacy protection. If the “before” screenshots–those taken before domain privacy went into effect–closely match the “after” screenshots, then this raises confidence that the visible owner of the domain before privacy is the same individual or organization behind it after privacy was enabled.
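The two checks described in the last three paragraphs, finding a shared sparsely populated IP in overlapping Hosting History windows, and locating the date a domain went into privacy protection so screenshots can be split into “before” and “after”, are mechanical enough to script. The following is an added example, not DomainTools' code or API: the hosting entries, reverse-IP populations, Whois snapshots and screenshot dates are constructed sample data standing in for the results of those lookups, and the `max_population` threshold and the privacy-service name markers are assumptions.

```python
"""Hosting-overlap 'missing links' and the privacy-protection threshold.

Added example, not DomainTools' code or API. All data below is constructed
sample data standing in for Hosting History, Reverse IP, Whois History and
Screenshot History results.
"""
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class HostingEntry(NamedTuple):
    domain: str
    ip: str
    start: date
    end: Optional[date]       # None: the domain is still on this IP


class WhoisSnapshot(NamedTuple):
    captured: date
    registrant: str


# Constructed Hosting History for three domains under investigation.
SAMPLE_HOSTING: List[HostingEntry] = [
    HostingEntry("alpha.example", "192.0.2.10", date(2012, 1, 1), date(2013, 6, 30)),
    HostingEntry("alpha.example", "198.51.100.5", date(2013, 7, 1), None),
    HostingEntry("bravo.example", "192.0.2.10", date(2013, 3, 1), date(2014, 2, 1)),
    HostingEntry("bravo.example", "203.0.113.77", date(2014, 2, 2), None),
    HostingEntry("charlie.example", "203.0.113.77", date(2013, 1, 1), None),
]

# Constructed Reverse IP populations (domains currently hosted per IP).
SAMPLE_REVERSE_IP: Dict[str, int] = {
    "192.0.2.10": 4,          # small shared host: a strong link
    "198.51.100.5": 1,
    "203.0.113.77": 25000,    # large shared host: a weak link
}

# Constructed Whois History for alpha.example and its screenshot dates.
SAMPLE_WHOIS: List[WhoisSnapshot] = [
    WhoisSnapshot(date(2013, 5, 1), "Jane Doe (constructed)"),
    WhoisSnapshot(date(2012, 2, 1), "Jane Doe (constructed)"),
    WhoisSnapshot(date(2013, 9, 15), "Whois Privacy Service (constructed)"),
]
SAMPLE_SCREENSHOTS: List[date] = [
    date(2012, 3, 1), date(2013, 6, 1), date(2013, 10, 1), date(2014, 1, 1),
]

# Assumed substrings that identify a privacy/proxy registrant.
PRIVACY_MARKERS = ("privacy", "proxy")


def overlap(a: HostingEntry, b: HostingEntry) -> Optional[Tuple[date, date]]:
    """Window during which two different domains sat on the same IP, else None."""
    if a.ip != b.ip or a.domain == b.domain:
        return None
    start = max(a.start, b.start)
    end = min(a.end or date.max, b.end or date.max)
    return (start, end) if start <= end else None


def missing_links(entries: Iterable[HostingEntry], reverse_ip: Dict[str, int],
                  max_population: int = 50) -> List[Tuple[str, str, str, date, date]]:
    """(ip, domain_a, domain_b, overlap_start, overlap_end) for every pair of
    domains that shared an IP hosting at most max_population domains."""
    items = list(entries)
    links = []
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            window = overlap(a, b)
            if window is None or reverse_ip.get(a.ip, 0) > max_population:
                continue
            first, second = sorted((a.domain, b.domain))
            links.append((a.ip, first, second, window[0], window[1]))
    return links


def privacy_threshold(snapshots: Iterable[WhoisSnapshot]) -> Optional[date]:
    """Date of the earliest Whois snapshot whose registrant is a privacy service."""
    for snap in sorted(snapshots, key=lambda s: s.captured):
        if any(m in snap.registrant.lower() for m in PRIVACY_MARKERS):
            return snap.captured
    return None


def split_screenshots(dates: Iterable[date], threshold: date) -> Tuple[List[date], List[date]]:
    """Screenshot dates taken before privacy took effect, and on or after it."""
    before = sorted(d for d in dates if d < threshold)
    after = sorted(d for d in dates if d >= threshold)
    return before, after


if __name__ == "__main__":
    for link in missing_links(SAMPLE_HOSTING, SAMPLE_REVERSE_IP):
        print("shared small IP:", link)
    cutoff = privacy_threshold(SAMPLE_WHOIS)
    print("privacy since:", cutoff, split_screenshots(SAMPLE_SCREENSHOTS, cutoff))
```

On the constructed data only the alpha/bravo overlap on 192.0.2.10 survives, because the bravo/charlie overlap is on an IP hosting 25,000 domains and says nothing about common ownership; the before/after split then hands an analyst the two groups of screenshots to compare by eye.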


Lucy 2: Using only 10% of our brains?

The 2014 sci-fi hit Lucy trades heavily on the old canard that “we only use 10% of our brains” (which is actually discredited by most neuroscientists, but nonetheless is a common assumption). By using only Whois/DNS data to conduct a digital forensics investigation, you’re missing out on a wealth of other information that can be crucial to finding important answers. If you’re not already using the information we’ve covered in this series, carve out some time to get familiar with the various “beyond Whois” tools. They might just solve some thorny puzzles.

Happy exploring!
