Mehmet Cavdar
6 min read · Jun 11, 2021

Phishing, Phishing E-mails and Domain Squatting

In this article I will briefly describe phishing and its methods, then explain the tips for detecting phishing e-mails. Finally, I will explain one of the main tasks of a Cyber Threat Intelligence (CTI) analyst: detecting phishing domains and the precautions to be taken against them.

1. Phishing

Phishing is a cyber attack method that aims to capture an individual's or an organization's valuable or sensitive information by imitating a legitimate institution through a fake website, e-mail, phone call, text message or a similar channel.

Attackers aim to profit from this information, or from further information obtained through it. Phishing can be used by small (individual, group) and large (state) threat actors. Their main motivation is money.

Phishing is the most used cyber attack method, with a share of approximately 70%. Variants are named differently according to the size or type of the phishing itself or of the target. Phishing is very diverse and is an example of social engineering used by malicious people.

The most common phishing method is an e-mail whose link redirects the victim to a site imitating an official institution, or whose attachment saves a malicious program on the computer. The second most used method is redirecting people to a fake website through social media, browser ads and the like. With these methods, threat actors obtain personal and private information.

Figure.1: Phishing Types ( https://www.webroot.com/us/en/resources/tips-articles/what-is-phishing )

2. Phishing E-Mails

When an incoming e-mail is examined as described below, it can be easily understood whether it is for phishing purposes or not. An e-mail should not be answered immediately, and links should not be clicked or attachments downloaded without adequate examination.

Links: When the mouse hovers over a link, the address it actually leads to is displayed. If the actual link differs from the one shown in the text, there is a possibility that it is phishing. Even links in e-mails thought to come from a known address should not be clicked; the desired website should be opened from the browser instead.

From: Pay attention to who the message is coming from. Even if it seems to come from someone familiar, there is a possibility that it is phishing.

To: Consider who this e-mail is addressed to and why it was sent to us.

Text format and the request: Examine the text, including spelling errors and style, what is being demanded and for what reason.

3. Domain Squatting

Domain Squatting (also known as Cybersquatting) is registering, trafficking in, or using an Internet domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name at an inflated price.

Here, I will describe how a CTI analyst detects and monitors phishing domains created with a name similar to a customer's website, and the precautions to be taken.

But first, I should briefly describe the tricks threat actors use to evade the defenders trying to detect the phishing domains they create.

a. Threat Actor Tricks

- Redirecting: Sending a person to the phishing domain by means of malicious software.

- Misleading Content: Initially presenting the site as serving another purpose, then changing the content.

- Time: The site is kept empty at first, then content is created for malicious purposes.

- SSL/TLS Certificate: Detection may sometimes be delayed because the site has no certificate.

- Expired Domain: Re-activating and selling an unused domain.

Phase-1: Detection

At this phase, we will try to identify phishing domains among domains with similar names to our website.

We use several OSINT tool websites for this. When we enter the name of our own website, all domains with similar names are displayed along with their information. Since each tool uses a different algorithm, we should use more than one; using all of them may not always be cost effective.

We should first consider the newly created domains (Create Date) among the similar-domain results. We should not dismiss the others, but the likely threat comes from newly registered domains. Of course, attackers who know this can use methods to circumvent it (Misleading Content, Time, Expired Domain).

Similar Domain Detection Tools:

https://dnpedia.com/

https://dnslytics.com/

https://dnstwister.report/

https://blackkitetech.com/community/

Figure.2: Example of Similar Domain Search ( https://dnstwister.report/ )
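Added example, not code from the article or from any of the tools listed above: Python that generates lookalike candidates the way these similar-domain tools do (omission, transposition, repetition, homoglyph, hyphenation and TLD swap) and then triages the results by registration date, as the text recommends. The homoglyph table is a constructed subset, and the WHOIS creation dates are constructed, not real lookups.

```python
"""Lookalike-domain generation (dnstwister-style fuzzing) plus age-based triage."""
from datetime import date

# Visually confusable substitutions used by typosquatters (constructed subset).
HOMOGLYPHS = {"o": "0", "l": "1i", "i": "1l", "e": "3", "a": "4", "s": "5",
              "g": "9q", "b": "d", "d": "b", "m": "n", "n": "m"}

def split_domain(domain):
    """'example.com' -> ('example', 'com'); the last label is treated as the TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}

def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1)}

def repetitions(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}

def homoglyphs(name):
    return {name[:i] + sub + name[i + 1:]
            for i, ch in enumerate(name) for sub in HOMOGLYPHS.get(ch, "")}

def hyphenations(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}

def lookalikes(domain, extra_tlds=("net", "org", "co")):
    """Fuzzer outputs plus TLD swaps, sorted, with the original domain removed."""
    label, tld = split_domain(domain)
    found = set()
    for fuzzer in (omissions, transpositions, repetitions, homoglyphs, hyphenations):
        found |= {c + "." + tld for c in fuzzer(label)}
    found |= {label + "." + t for t in extra_tlds if t != tld}
    found.discard(domain.lower())
    return sorted(found)

def newly_registered(records, today, max_age_days=30):
    """WHOIS triage: (domain, 'YYYY-MM-DD') pairs created within max_age_days, newest first."""
    ref = date.fromisoformat(today)
    recent = [(date.fromisoformat(created), d) for d, created in records
              if 0 <= (ref - date.fromisoformat(created)).days <= max_age_days]
    return [d for _, d in sorted(recent, reverse=True)]

# Constructed WHOIS creation dates for three candidates (not real lookups).
SAMPLE_WHOIS = [("examp1e.com", "2021-06-01"), ("exmaple.com", "2019-03-10"),
                ("ex-ample.com", "2021-05-20")]
```

In practice the candidate list is fed to a WHOIS or DNS lookup to find which names are actually registered, and only those records go into newly_registered.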

Then we can examine the other similarly named domains through tool websites that fetch the site for us, without accessing it directly, so that we are not exposed to possible danger. These tools preview the site, show information about it, and can search for other sites with a similar structure or content. There may be more than one phishing domain created by the same person or group with similar structure and content. It should also be kept in mind that the site may be a legitimately operating website with a similar name.

Domain Preview Tools:

https://urlscan.io/

https://phishfinder.io/

Figure.3: Domain Preview ( https://urlscan.io/ )

There are also different tool websites where we can access domain information and examine whether there are other domains created with the information we have obtained (domain owner, email, telephone, etc.).

Figure.4: Domain Information ( https://www.whois.com/ )

Figure.5: Email Registration Check ( https://www.whoxy.com/ )

Attention should be paid to the name of the institution, whether the registrant e-mail is valid, and whether the domain has an MX record. An MX record names the mail servers that handle e-mail for the domain, meaning the site is set up to use e-mail, and having one increases the probability that it is a phishing domain. However, it should be kept in mind that there may be a legitimately operating website with a similar name.

Figure.6: MX Record Inquiry ( https://mxtoolbox.com/ )

In addition, tool websites should be used to check whether the target site is already included in a threat list for any reason.

Figure.7: Blacklist Check (https://www.virustotal.com/gui/)

Domain Investigation Tools:

https://www.whois.com/

https://www.whoxy.com/

https://mxtoolbox.com/

https://www.virustotal.com/gui/

https://hetrixtools.com/blacklist-monitor/

Phase-2: Tracking

We must stop the attack and uncover the broader threat. We should follow similar domains periodically (daily, weekly). There are tool websites with tracking and alerting features.

Tracking Tools:

https://phishfinder.io/

https://www.domainiq.com/

Phase-3: Measures

E-mail from phishing domains can be blocked by blacklist organizations, so we should report the situation to them. For example, phishing domains can be reported to https://www.netcraft.com/ to prevent them from sending e-mail.

As another precaution, we can initiate a takedown of the domain by notifying the hosting company of the situation. The following page (https://www.pixsy.com/how-to-send-a-dmca-takedown-notice/) can be consulted for the legal process regarding the takedown of a domain.
