How to use name server records to locate malicious domains en masse
Malicious domains often take the form of phishing sites that impersonate a well-known brand in order to steal usernames, passwords and other sensitive information. Mitigating phishing threats requires constant attention from information security teams. In this post we'll show how DNS records, specifically name server (NS) records, can be used to locate phishing and other malicious sites en masse.
Before we jump in, let's review what an NS record is. The NS records of a zone list the name servers that are authoritative for it. When you register a new domain, the registrar typically provides those name servers for you; for example, a domain registered with GoDaddy and left on the registrar's DNS will have NS records of the form ns**.domaincontrol.com. The zone also carries a Start of Authority (SOA) record, whose MNAME field names the primary name server for the zone and should normally match one of the NS records. A name server is authoritative because it hosts all the DNS records for the zone, which means every domain parked on a given provider's name servers shares the same NS values. That shared value is what we pivot on below.
Phishing sites are a common tool of cybercriminals intent on stealing credentials and other sensitive data for financial gain. Cryptocurrency wallet services are frequently targeted because a successful attack puts money directly in the pocket of the attacker behind the campaign.
A relatively new method used by phishing domains is to register internationalized domain names (IDN), which appear in DNS as Punycode labels beginning with xn--, in order to impersonate the target domain. This is best illustrated by the example domain xn--myethrrwallet-m0b[.]net

This is a homograph phishing attack against MyEtherWallet: the browser renders the Unicode characters, which are visually similar to the characters in the real domain name. The phishing page attempts to steal the private key to the user's wallet. If the key is stolen, the wallet can be emptied with no recourse.
Digging deeper into this example, we can query the SecurityTrails API to obtain the NS records for the domain. This is done with a GET request to /v1/history/xn--myethrrwallet-m0b.net/dns/ns. The response contains the NS records configured for the domain.

Now that we have the NS records for the domain, we can list every domain that shares this name server. This is done by POSTing the following query to the /v1/search/list API endpoint:
```json
{
  "filter": {
    "ns": "ns1.hostbubbledns.com"
  }
}
```
The response returned yields 82 domains. At first glance, many appear to be phishing related.
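The two steps above, pivoting from one phishing domain's name server to its siblings and then picking out the IDN homographs among them, can be automated. The script below is an added example and is not code from the original post or from SecurityTrails. It runs offline: SEARCH_RESPONSE is a constructed stand-in for the /v1/search/list reply (the shape, a "records" list of {"hostname": ...}, is assumed), containing the two hostnames named in this post plus a made-up benign sibling for contrast. Each hostname's registrable label is decoded from Punycode, stripped of diacritics, and compared by edit distance against a short list of brand labels. Taking the second-to-last label as the registrable label is a simplification that ignores multi-part public suffixes.

```python
"""Pivot from a shared name server to sibling domains and flag IDN homographs.

Added example, not code from the original post.  The search response below is
constructed; the SecurityTrails response shape is assumed, not confirmed.
"""
import unicodedata

# Constructed stand-in for the 82-record /v1/search/list reply returned for
# {"filter": {"ns": "ns1.hostbubbledns.com"}}.  Only the first two hostnames
# appear in the post; example-shop.info is made up as a benign sibling.
SEARCH_RESPONSE = {
    "records": [
        {"hostname": "xn--myethrrwallet-m0b.net"},
        {"hostname": "www.mining24.info"},
        {"hostname": "example-shop.info"},
    ],
}

# Brand labels (registrable label only) whose users the post shows being targeted.
BRANDS = ("myetherwallet", "idex")


def decode_label(label):
    """Return (unicode_label, is_idn).  Labels starting with xn-- are Punycode
    (RFC 3492); anything else is returned unchanged.  The punycode codec is used
    directly so a malformed A-label is reported rather than raising."""
    if not label.lower().startswith("xn--"):
        return label, False
    try:
        return label[4:].encode("ascii").decode("punycode"), True
    except UnicodeError:
        return label, True  # keep the raw form so it still shows up in output


def skeleton(label):
    """Crude confusable skeleton: NFKD-decompose, drop combining marks, lowercase.
    This maps Latin letters with diacritics back to their base letter.  It is not
    the full UTS #39 confusables table, so Cyrillic or Greek homoglyphs are kept
    as-is and only matched if they fall within the edit-distance budget."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn").lower()


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(response, brands=BRANDS, max_distance=2):
    """For every hostname in the search response, decode its registrable label
    and report the closest brand within max_distance edits (None if no brand is
    that close).  The registrable label is taken as the second-to-last label,
    which is a simplification that ignores suffixes such as co.uk."""
    findings = []
    for rec in response["records"]:
        host = rec["hostname"]
        labels = host.rstrip(".").split(".")
        raw = labels[-2] if len(labels) >= 2 else labels[0]
        uni, is_idn = decode_label(raw)
        sk = skeleton(uni)
        best, best_d = None, None
        for brand in brands:
            d = levenshtein(sk, brand)
            if d <= max_distance and (best_d is None or d < best_d):
                best, best_d = brand, d
        findings.append({"hostname": host, "label": uni, "is_idn": is_idn,
                         "brand": best, "distance": best_d})
    return findings


if __name__ == "__main__":
    for f in triage(SEARCH_RESPONSE):
        flag = "IDN " if f["is_idn"] else "    "
        target = f"-> {f['brand']} (d={f['distance']})" if f["brand"] else ""
        print(f"{flag}{f['hostname']:32} {f['label']} {target}")
```

In practice the hostnames would come from the real search response rather than the constructed one, and the brand list would be your own brands. The edit-distance budget is what turns the skeleton into a useful signal: the decoded MyEtherWallet lookalike lands within one or two edits of the genuine label, while the unrelated siblings do not.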

Further analysis can be done by scanning and archiving the domains via the bulk submit feature of URLscan.io. This saves a copy of each website's source code and allows for safe analysis without visiting the site from your own machine. A screenshot is also taken showing how the site renders in a browser. These features make investigating malicious sites quick and easy.
The IDN domains impersonating MyEtherWallet are easy to spot by their xn-- Punycode labels.

Of the eight domains that currently resolve, each hosts a phishing kit that appears to be served from www.mining24[.]info, and an open directory is found for each active domain.

The URLscan results show www.mining24[.]info also engages in cryptojacking as Coinhive is embedded on the site.

The theme of cryptocurrency-related phishing sites continues with another domain targeting users of the IDEX exchange. As in the MyEtherWallet case, the attack attempts to steal the private keys of the user's wallet.

A domain pushing an ETH scam, likely used to target Twitter users, also shares the hostbubbledns.com NS records. A recently published case study found at least 15,000 Twitter bots engaging in this type of malicious activity, and additional reports found that Twitter's recommendation algorithm was encouraging users to follow bots pushing these scams.

Another domain hosts a phishing kit targeting Deutsche Telekom users. Fortunately, this one is already well known, with 16 detections on VirusTotal.

Domains sharing these NS records aren't limited to phishing sites. One site claims to be selling exploits for Microsoft Office products. It's clear that numerous domains behind the hostbubbledns.com name servers have malicious intent and/or engage in illegal activity.

Using the NS records provided by SecurityTrails, you can quickly perform reverse lookups to locate malicious domains en masse. Bear in mind that a shared name server ties domains to a hosting or DNS provider, not to a single actor: a small provider whose customers are largely malicious, as here, is a productive pivot, while the same filter on a large registrar's name servers would return millions of benign domains, so treat the results as leads for triage rather than as a blocklist. Proactively monitoring NS records for domains that impersonate your brand can help you mitigate the impact of phishing attacks.
SecurityTrails API provides current and historical IP, domain, and other network data. Contact us for a customized solution for your app to enrich your existing data sets.
