Using DNS Search to Uncover Phishing Infrastructure
By Karen Burke
It's been a sobering week for defenders.
This week alone, the FBI warned about the potential rise of Business Email Compromise schemes; the DHS's Cybersecurity and Infrastructure Security Agency and the U.K.'s National Cyber Security Centre alerted about a rise in malicious emails impersonating trusted institutions such as the World Health Organization; and NASA reported a significant increase in malicious activity by nation-state hackers and cybercriminals targeting the U.S. space agency's systems and personnel. Microsoft reported that every country in the world has seen a COVID-19-themed attack.
Phishing remains an evergreen attack for cybercriminals because it works. Every phishing attack begins with a DNS artifact, e.g. a domain name or an IP address.
A single suspicious domain name or IP address can be a potential clue to a larger, targeted campaign against an organization. Searching historical passive DNS, most notably Farsight DNSDB, with these "clues" can help investigators uncover previously hidden malicious infrastructure behind phishing and other related attacks and reduce attacker dwell time.
“To understand what happened today, we need to look at what happened in the past. Perpetrators often may reuse the same artifacts. DNSDB allows us to expand the network of a criminal, current or historical, with different datapoints, i.e. SOA records and more. DNSDB enables us to uncover more malicious infrastructure to help defenders to keep up with threat actors, network expansion, etc.,” according to a current DNSDB customer.
Among the answers DNSDB can provide:
- What IP addresses has a particular domain, e.g. example.com, used over time?
- What hosts have used a particular IP address, e.g. 18.104.22.168?
- What domains live in 22.214.171.124/16?
- Tell me about FQDNs under *.example.com
- Show me how the domain and its nameservers looked during the period in which the incident happened…
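The four pivots above map onto two kinds of passive DNS query (by owner name, and by rdata such as an IP) plus local filtering of the returned records. The following script is an added example written for this post; it is not Farsight's code. The URL layout (`/lookup/rrset/name/...`, `/lookup/rdata/ip/...`, prefix written as `addr,len`) and the record fields (`rrname`, `rrtype`, `rdata`, `time_first`, `time_last`, `count`) follow the DNSDB API v1 JSON-lines format as I understand it and should be checked against the current DNSDB documentation; a live call also needs the `X-API-Key` header, which the script does not send. The records it processes are constructed sample data, not real observations, so it runs offline.

```python
"""Passive DNS pivots over DNSDB-style JSON-lines records (added example, not Farsight's code).

Assumptions: DNSDB API v1 URL layout and record fields as described in the lead-in;
SAMPLE_JSONL below is constructed data with documentation addresses, not real observations.
"""
import json
from datetime import datetime, timezone

API_BASE = "https://api.dnsdb.info/lookup"  # assumed DNSDB API v1 base


def rrset_url(name, rrtype=""):
    """Forward pivot URL: what has this owner name (wildcards like *.example.com allowed) resolved to?"""
    url = f"{API_BASE}/rrset/name/{name}"
    return f"{url}/{rrtype}" if rrtype else url


def rdata_ip_url(ip_or_cidr):
    """Inverse pivot URL: which names have pointed at this address or prefix?
    DNSDB v1 writes a prefix length after a comma (192.0.2.0,24) because '/' is a path separator."""
    return f"{API_BASE}/rdata/ip/{ip_or_cidr.replace('/', ',')}"


# Constructed sample response: one JSON object per line, as DNSDB v1 streams them.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"count": 120, "time_first": 1546300800, "time_last": 1577750400, "rrname": "example.com.",
     "rrtype": "A", "bailiwick": "example.com.", "rdata": ["192.0.2.10"]},
    {"count": 7, "time_first": 1580515200, "time_last": 1583020800, "rrname": "example.com.",
     "rrtype": "A", "bailiwick": "example.com.", "rdata": ["198.51.100.5"]},
    {"count": 3, "time_first": 1581120000, "time_last": 1583020800, "rrname": "login.example.com.",
     "rrtype": "A", "bailiwick": "example.com.", "rdata": ["198.51.100.5"]},
    {"count": 50, "time_first": 1546300800, "time_last": 1583020800, "rrname": "mail.example.com.",
     "rrtype": "A", "bailiwick": "example.com.", "rdata": ["192.0.2.20"]},
    {"count": 200, "time_first": 1546300800, "time_last": 1583020800, "rrname": "example.com.",
     "rrtype": "NS", "bailiwick": "com.", "rdata": ["ns1.example.net.", "ns2.example.net."]},
    {"count": 2, "time_first": 1581120000, "time_last": 1583020800, "rrname": "example.com.",
     "rrtype": "NS", "bailiwick": "com.", "rdata": ["ns1.changed-ns.example."]},
])


def parse_jsonl(text):
    """Parse a JSON-lines body, skipping blank lines and any non-JSON trailer."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def _day(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def ips_over_time(records, name):
    """Pivot 1: (ip, first_seen, last_seen) for every A record of a domain, oldest first."""
    rows = [(r["time_first"], ip, _day(r["time_first"]), _day(r["time_last"]))
            for r in records if r["rrtype"] == "A" and r["rrname"] == name
            for ip in r["rdata"]]
    return [row[1:] for row in sorted(rows)]


def hosts_on_ip(records, ip):
    """Pivot 2: every owner name observed resolving to an address (the inverse lookup, done locally)."""
    return sorted({r["rrname"] for r in records if r["rrtype"] == "A" and ip in r["rdata"]})


def names_under(records, zone):
    """Pivot 3: FQDNs below a zone (*.zone), excluding the zone apex itself."""
    suffix = "." + zone.rstrip(".") + "."
    return sorted({r["rrname"] for r in records if r["rrname"].endswith(suffix)})


def seen_between(records, start, end, rrtype=None):
    """Pivot 4: records whose [time_first, time_last] window overlaps the incident window
    (ISO dates, UTC), optionally restricted to one rrtype such as NS."""
    lo = int(datetime.fromisoformat(start).replace(tzinfo=timezone.utc).timestamp())
    hi = int(datetime.fromisoformat(end).replace(tzinfo=timezone.utc).timestamp())
    return [r for r in records
            if r["time_first"] <= hi and r["time_last"] >= lo
            and (rrtype is None or r["rrtype"] == rrtype)]


if __name__ == "__main__":
    recs = parse_jsonl(SAMPLE_JSONL)
    print("query:", rrset_url("example.com", "A"), "|", rdata_ip_url("198.51.100.0/24"))
    print("example.com over time:", ips_over_time(recs, "example.com."))
    print("hosts on 198.51.100.5:", hosts_on_ip(recs, "198.51.100.5"))
    print("names under example.com:", names_under(recs, "example.com"))
    for r in seen_between(recs, "2020-02-05", "2020-02-15", "NS"):
        print("NS during incident:", _day(r["time_first"]), _day(r["time_last"]), r["rdata"])
```

In the sample data the investigation reads the way the bullets describe it: the domain moved to a new address in February, a new `login` host appeared on that same address a week later, and a second NS record set shows up in the same window, which is the kind of change a defender would want to correlate with the incident timeline. The overlap test in `seen_between` is deliberately inclusive, since `time_first`/`time_last` bound when the sensors saw a record, not when it was actually in use.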
To learn more about other types of information that DNSDB can provide, visit 8 Common DNSDB Pivots for Threat Hunting. Interested in learning for yourself how passive DNS can help your organization better defend against today's cyberattacks? You can try our entry-level, free version, DNSDB Community Edition, apply for a trial API Key of our enterprise DNSDB, and, if you are a non-profit, researcher or a member of law enforcement, apply for a grant here. Interested in a commercial license or want to see a demo? Contact our sales department at firstname.lastname@example.org.
Karen Burke is the Director of Corporate Communications for Farsight Security®, Inc.