In our previous article we discussed how to find malicious domains. Now that you’ve found a way to see all newly registered domains, it’s time to determine which was are malicious by doing some analysis. This way, you can try to stay ahead of domain attacks by identifying them quickly and protecting your brand before the threat actor is able to fully launch their attack. The only problem of course is that there’s probably around 180.000 domains to analyse every single day.
Finding malicious domains faster than anyone else is what we do at Bfore.Ai with our PreCrime Technology. So if you want to spare yourself the pain of finding, analysing and taking down malicious domains by yourself feel free to have a convo with us to see what we can do! But if you insist on going it alone, then let’s take a look at how to do this.
There are several methods and tools that can be used to analyse a domain to determine if it is malicious. Here are some steps that you can take:
1. Check the domain name
The domain name can tell you a lot about the purpose behind the domain and its potential target. Here are some things to look out for that are suspicious:
-
Does the domain include well-known brand names?
-
Has the brand name been misspelled?
-
Does the domain contain words such as, login, support, or account?
-
Is the Top Level Domain (TLD) uncommon? A TLD is the [.]com or [.]net part of the domain. A domain can use any TLD however some are known to be used more by malicious actors.
Source: SSL2BUY
2. Check the Domain Name System (DNS) Records
DNS is a hierarchical system that translates human-readable domain names, such as www.example.com, into machine-readable IP addresses, like 192.168.0.1. When you type a website’s domain name into your web browser, your computer sends a DNS query to a DNS resolver (usually provided by your Internet Service Provider) to look up the IP address associated with that domain name. The DNS resolver then returns the IP address to your computer, which uses it to connect to the web server hosting the website. Basically, this is the system that allows your to find a website without having to remember a string of numbers. DNS records are data files that contain information about a domain name’s associated IP addresses, mail servers, and other DNS settings. So, one of the first things you can do is check the DNS records of the domain to see if there are any red flags:
-
Internet Protocol (IP) records. Check the IP address used and determine its location, ASN, ISP and whether it’s been blacklisted or has a bad reputation. Compare the results with the legitimate domain you believe the domain is targeting to see how different the results are.
-
Take a look at the Mail Exchange (MX) records. MX records specify the mail server responsible for accepting email messages on behalf of a domain. Is the mail server used different to the targeted domain? Has the mail server been blacklisted?
Example of DNS records for legitimate Apple domain
3. Check WHOIS records
WHOIS records are publicly available databases that contain information about registered domain names and their owners. The information contained in WHOIS records includes the domain owner’s name, contact information (such as email, phone number, and physical address), and the domain’s registration and expiration dates. When analysing domains, you want to check the WHOIS records for any red flags, such as:
-
An unusual registrar? Threat actors can use any registrar they want, however, some registrars are known to statistically register more malicious domains.
-
Is it a newly registered domain (NRD)? If a domain is newly registered it may be an indicator of maliciousness as many attacks are carried out in the early days of domain registration so threat actors have the best chance of success.
-
Do the WHOIS details of site not match the WHOIS details of the legitimate site? Compare the WHOIS records of the malicious site with those of the legitimate site you believe the threat actors are impersonating or targeting. If the records are vastly different it is a clear sign that this is a domain which does not belong to the legitimate company.
Example of WHOIS records for legitimate Apple domain
If any of these indicators are true, it may be a sign that the domain is malicious. Make sure to note that some domains may be legitimate but just choose to use a domain register that is unusual. Therefore, you’re going to need multiple indicators such as both an unusual registrar, a NRD and a typo squatted domain name to reinforce one another.
4. Check the domain certificate
Domains have certificates to secure communication between a website and its users. When a user visits a website, their browser establishes a connection with the server hosting the website. SSL/TLS certificates are used to encrypt this communication and ensure that the data transmitted between the website and the user is secure. You can see whether a website has a certificate or not by checking whether there is a padlock next to the domain. If a domain does not have a certificate, it’s a red flag. However, even though a domain has a certificate, it does not necessarily mean that the domain is safe as many threat actors have started using certificates in order to avoid detection. Check for information about the certificate so you can determine whether it’s suspicious or not.
-
When was is registered and when does it expire? Malicious indicators include certificates that are only valid for three months.
-
What organisation has issued it?
-
What organisation is it issued to? Is the certificate domain or organisation validated?
Example of SSL certificate for legitimate Apple domain
5. Check the domain content
Remember that some of these domains may be malicious and visiting the site may be harmful to your computer. Make sure to use a sandbox to check the domain so you can see the content without putting yourself at risk. When you’ve done that you can check for the following:
-
Does the website host content related to another brand?
-
Is it a direct clone of the website?
-
Are there a lot of pop-ups?
-
Are there any suspicious links that don’t work or lead you to an unexpected site?
-
Does with website redirect your to another domain?
-
Is malware downloaded when you visit the site?
Sandbox example of legitimate Apple domain
So you you’ve found a malicious domain – yay congrats! … now what?
If a domain get classified as malicious we of course want to take it down so we can ensure that it doesn’t cause harm to people who may either stumble upon it or be led there in a targeted attack.
Read more about taking down a malicious domain in our next article, coming very soon! Spoiler alert: At Bfore.Ai we offer a fast takedown service of malicious domains, through our PreEmpt Active Defense technology that eliminates the threat and keeps brands protected.
Anyway, once you’ve initiated a takedown, it’s time to move on and start analysing the next one on the list. What number are we at? Oh right… 1 down… 179.999 to go. Are you sure you don’t want us to help you?