Date post: 28-Sep-2020

DOMAINS AND SURFACE WEB THREATS PLAYBOOK

APRIL 30, 2020

Defending Against an Ever-Evolving Threat


PHISHLABS IS INTELLIGENCE ACTIONED

Proprietary and Confidential | Copyright 2020 PhishLabs

Extensive Collection: comprehensive across digital channels

Expert Curation: automated and expert analysis

Effective Mitigation: best in the world threat mitigation

• 5 of the world's largest companies

• 10 of the 13 largest financials in North America

• 10 of the most valuable global brands

• PhishLabs founded 2008


JOIN THE CONVERSATION

Have questions or feedback? Use the questions box.


ANNOUNCEMENTS


1. New COVID-19 Threat Intelligence resource: www.phishlabs.com/covid-19-threat-intelligence/

2. Upcoming webinar: Social Media Intelligence: Real World Threats, Real World Impact, May 28 at 2 PM ET


AGENDA: DOMAINS AND SURFACE WEB THREATS

1. Domain Threats

2. Surface Web Threats

3. Mitigating Surface Web + Domain Threats

4. Q&A


POLL: HOW OFTEN ARE YOUR BRANDS TARGETED WITH MALICIOUS DOMAINS?

1. Rarely

2. Sometimes

3. Often

4. Unsure

INTRODUCTIONS

Elyse Neumann, Director of Client Operations

Andrew Robinson, Client Threat Manager, Team Lead


DOMAIN THREATS


INTELLIGENCE ACTIONED


DOMAINS 101


The Internet maintains two principal namespaces: the domain name hierarchy and the Internet Protocol (IP) address spaces.

• ICANN administers the DNS root

• TLDs are delegated to Registries

• Registrants control subdomains

[Figure: Domain Name System (DNS) Hierarchy. DNS Root (.) → Top Level Domains (TLDs): com, edu, net, org → Second Level Domains: youtube, amazon, stanford, speedtest, wikipedia, redcross → Subdomains: uk.amazon.com, en.wikipedia.org]


DOMAIN LIFECYCLE


[Figure: Life Cycle of a Typical generic Top-Level Domain (gTLD) Name]

• Available: the name can be registered.

• Registered (1 to 10-year term): domain is in the zone file; renewal and transfer possible. A 5-day Add-Grace Period follows registration; names deleted during Add-Grace become available for re-registration (domain tasting activity).

• EXPIRED, then Auto-Renew Grace Period (0-45 days): domain may be in the zone file.

• Redemption Grace Period, aka "Pending Delete - Restorable" (30 days): domain no longer in zone (website and email no longer function); redemption possible.

• Pending Delete (5 days): pre-drop alternatives.

• Released (Available): name is available for re-registration; drop catch activity.


HOW DOMAINS ARE ABUSED


• Host malicious content or phishing sites

• Redirect schemes

• Typo-squatting

• Look-alike or spoofing

• Parked domains

• Unauthorized brand use

• Newly registered domains

• Abuse of free domains

• Abuse of TLDs, gTLDs, and ccTLDs


MONITORING FOR DOMAIN THREATS


• Monitoring for newly registered domains

• Typically an automated tool

• Searches for brand names, keywords, and fuzzy-matched terms

• Identifies illicit, malicious, or unauthorized use (collectively, spoofed domains)

• Spoofed domains frequently used as part of sophisticated phishing attacks

Mature solutions follow a multi-pronged approach:

1. Detection

2. Analysis

3. Monitoring

4. Mitigation

Spoofed URL: amazonn.com


DOMAIN MONITORING - EXAMPLES


netflixgiftcode.com

cineplex.network


COLLECTING DOMAIN INTELLIGENCE


1. Use zone files and third-party domain services to review newly registered generic TLD and country code TLD names

• gTLDs include:

o .com, .org, .info

o Sponsored TLDs: .gov, .edu, .tel

o Brand TLDs: .bmw, .barclays, .abc

• ccTLDs include: .ca, .us, .uk

2. Use SSL certificate transparency logs to find new SSL certificate registrations that contain key terms

• Close to 70% of phishing attacks are hosted on SSL pages

• Identify concerning subdomains

3. Automated tools tend to produce a high volume of white noise made up of false positives

[Figure: DNS zone file excerpt]


ANALYZING DOMAIN INTELLIGENCE


1. Review domain feeds and score

2. Review each result

3. Categorize the domain
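The collect-then-score steps of the last two slides (zone-file and certificate feeds, brand and fuzzy-matched terms, scoring to cut the false-positive noise), as an added example that is not part of the PhishLabs deck: a small Python scorer that runs a constructed feed of newly observed domains (reusing the spoofed domains shown on the slides, plus benign controls) against a constructed brand watch list using exact, substring and edit-distance matching, with an owned-domain allow-list and the free Freenom TLDs from the surface-web slide as a score bump. The brand list, allow-list, weights, thresholds and feed are all assumptions.

```python
BRANDS = {"amazon", "netflix", "kitchenaid", "cineplex"}                 # constructed watch list
OWNED = {"amazon.com", "netflix.com", "kitchenaid.com", "cineplex.com"}  # constructed: our own registrations
RISKY_TLDS = {"tk", "ga", "ml", "cf", "gq"}                              # free TLDs the deck names as abused

def labels(domain: str) -> tuple:
    """Return (second-level label, TLD). No public-suffix handling, so 'x.co.uk' yields ('co', 'uk')."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2] if len(parts) > 1 else parts[0], parts[-1])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, the fuzzy match behind typo-squat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(domain: str) -> dict:
    """Score one observed domain; 0 means no brand reference, or a domain we own."""
    sld, tld = labels(domain)
    best = {"domain": domain.lower().strip("."), "brand": None, "reason": "no match", "score": 0}
    if f"{sld}.{tld}" in OWNED:                     # allow-list first: removes the obvious false positives
        best.update(brand=sld, reason="owned")
        return best
    for brand in BRANDS:
        max_dist = 1 if len(brand) < 9 else 2      # one typo allowed, two on long brand names
        if sld == brand:
            cand = (70, "brand on unowned tld")      # e.g. cineplex.network
        elif levenshtein(sld, brand) <= max_dist:
            cand = (80, "typo variant")              # e.g. amazonn.com
        elif brand in sld:
            cand = (60, "brand embedded in label")   # e.g. netflixgiftcode.com
        else:
            continue
        if cand[0] > best["score"]:
            best.update(brand=brand, reason=cand[1], score=cand[0])
    if best["score"] and tld in RISKY_TLDS:          # a free registration is a risk signal on its own
        best["score"] = min(100, best["score"] + 15)
        best["reason"] += " + free tld"
    return best

def triage(feed, threshold: int = 50) -> list:  # keep only hits at or above threshold, highest first
    hits = [score(d) for d in feed]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])

FEED = ["amazonn.com", "www.amazon.com", "netflixgiftcode.com", "cineplex.network",  # constructed feed
        "www.kitchenaid220.com", "amazon.tk", "speedtest.net"]
```

Running `triage(FEED)` ranks amazon.tk (85) and amazonn.com (80) above the brand-embedded names (60) and drops www.amazon.com and speedtest.net entirely; in production the reviewed results feed the categorization step rather than being acted on automatically.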


MONITORING INCIDENTS


Once an incident has been created, it should be monitored for:

• Content changes

• MX record changes

[Screenshot: domain monitoring status updates at 2020/04/15 08:09 AM, 2020/04/16 02:10 PM and 2020/04/17 02:12 PM]


SURFACE WEB THREATS



SURFACE WEB 101


Surface Web: any readily accessible content on the web

• Can be accessed by search engines

• Isn’t hidden behind forms or logins

• Occasionally referred to as the Open Web

• Consists of over a billion websites


SURFACE WEB THREATS


Surface web threats steal hard-earned credibility from organizations using:

• Unauthorized associations

• Traffic diversion schemes

• Counterfeit goods

• Other misrepresentations

Common surface web threats abuse:

• Logos

• Domains

• Brands

• Trademarks


SURFACE WEB THREATS


• Attackers take advantage of free domain names: Freenom offers free registrations for several TLDs (.tk, .ga, .ml, .cf, .gq)

• Beyond this, cheap, low-requirement TLDs are the most popular for abuse: .com, .co, .ru

• Free web hosting is leveraged by attackers, e.g. 000webhost.com

• Other paid options are popular for longer-term attacks, such as Cloudflare


SURFACE WEB THREAT INTELLIGENCE


1. Continuously review content indexed by search engines containing key terms

2. Score each flagged item

3. Detection of brand references on third-party websites:

• Illicit activity using your brand (pornography/gambling)

• Abuses of Intellectual Property

• Unauthorized association by 3rd parties

• Prohibited channel activity

• Lost revenues due to traffic diversion using your brand name

[Figure: risk scale, Low / Medium / High]


SURFACE WEB MONITORING AND ANALYSIS


1. Review each scored result to assess the threat

2. Categorize the result and create an incident if it’s a threat

• Unauthorized association

• Counterfeit activity

• Traffic diversion

• Channel compliance


INTELLIGENCE COLLECTION AND ANALYSIS


[Figure: intelligence collection and analysis pipeline. 1 Collected Data (target references) → 2 Automated Analysis (relevancy algorithms) → Machine-Filtered Results → 3 Expert Analysis → Curated Incidents → 4 Monitoring & Mitigation]


SURFACE WEB THREAT EXAMPLES


Domain: www.kitchenaid220.com

Domain: livingstoninc.com


SURFACE WEB THREAT EXAMPLES


Domain: coffee.hownd.com, with an iframe around the content


MITIGATING SURFACE WEB + DOMAIN THREATS



DOMAIN ABUSE MITIGATION


• Registries are given broad anti-abuse authority by ICANN

• However, they do not generally host content – simply point a name to an IP

• Therefore they tend not to act on content complaints

Types of abuse that qualify for a registry takedown:

• Spam

• Phishing

• Malware hosting

• Fraudulent actions (requires a court ruling)

• Botnet C&C

• CSAM distribution


DISPUTE RESOLUTION AND MITIGATION OPTIONS


ACPA - Anticybersquatting Consumer Protection Act

• Designed to act against cybersquatters

• Extension of the Federal Trademark Dilution Act

• Range of potential remedies

UDRP – Uniform Domain-Name Dispute-Resolution Policy

Binding arbitration: registrants agree to this when they register a name. Two remedies are available:

1. Cancel the domain registration

2. Move the domain to an account of the plaintiff's choice

ccTLDs do not fall under this process; some have alternate resolution policies.

Most Domain/Surface Web abuse does not fall into these 2 categories:

• IP/Trademark issues

• It is not always feasible to dispute every typosquat with UDRP

• Costs are lower than legal action but don't scale well


MITIGATION WORKFLOW EXAMPLE – RU-CENTER


Threat: Malicious Domain


MITIGATION WORKFLOW EXAMPLE – RU-CENTER


Registrar response


MITIGATION WORKFLOW EXAMPLE – RU-CENTER


Domain taken down; site removed


KEY TAKEAWAYS


1. Collect data for relevant references to your brand, flag results, score, and review each scored result to assess the threat.

2. Continual monitoring allows for visibility into domains or content that may have been dormant and action when activity is detected.

3. Monitor suspicious domains rather than relying on defensive registrations.

4. Keep in mind that takedowns require a range of evidence and tactics.


QUESTIONS?

For additional questions, reach out to our team

[email protected]

