SANS ISC: Scammer Emails and Instant Domain Whois record Disappearance - Internet Security | DShield SANS ISC InfoSec Forums
Scammer Emails and Instant Domain Whois record Disappearance
One of my clients was targeted by scammers with an email apparently coming from the CFO to the accounts payable team, instructing them to wire transfer an amount to an account in the USA.

The team had an internal process of verification that detected the email as a fraud, and they were protected against it. My client's domain is "example.com" and the email came from "exanple.com" (notice the spelling).

The webpage for the domain showed a default page from the hosting provider, and DNS resolution queries produced valid "A" and MX records. Within a couple of hours of it getting noticed and us visiting the webpage, the domain had disappeared from the internet and a whois lookup was showing this domain available for registration.

My questions:
1. Is there any history (the Wayback Machine does not have any record of it) or archiving that can give us the previous whois record (I am sure it will be forged, but I still want to get it)? It was there a couple of hours ago but now it is all gone.

2. I see lots of private IP addresses in the scam email headers, in this order: public IP ---> public IP ---> some private IP addresses ---> public IP ---> public IP ---> destination domain. How did these private IP addresses come in the middle? Are they routing and re-routing through public proxies and then their (or some hacked) private LAN, which then sent it via a public IP in the sequence?

3. What are the legal options we have here?

4. Should I ask my client to buy this domain now, while it is available, to prevent any future attacks from this same domain?

Thanks!
Anonymous
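The hop sequence in question 2 can be reconstructed mechanically from the Received headers. The script below is an added example, not part of this post and not an ISC tool: it parses a constructed message (every host name, address and timestamp is invented; `hosting.invalid` stands in for the lookalike domain's mail provider), lists the hops in sender-to-recipient order, and labels each relay address as RFC 1918 private or public. A run of private addresses between public ones is what a sending provider's internal filters and outbound relays look like from the outside; the first public address in travel order is the one worth checking reputation on and quoting in an abuse report.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# "Private" here means RFC 1918 plus loopback. ipaddress's is_private is not used
# because it also flags the documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24) that the constructed sample below uses as stand-ins for public hops.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# The "from <host> (<reverse-dns> [<ip>])" clause that MTAs write into Received.
FROM_CLAUSE = re.compile(r"from\s+(\S+)[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (assumption, not the post's real headers): the chain
# reads public -> public -> private -> private -> public -> public from sender
# to recipient, matching the shape the poster describes.
SAMPLE_EMAIL = """\
Received: from mx-in.example.com (mx-in.example.com [198.51.100.20])
\tby mail.example.com with ESMTP; Tue, 6 Oct 2015 09:14:05 -0400
Received: from relay.hosting.invalid (relay.hosting.invalid [198.51.100.7])
\tby mx-in.example.com with ESMTPS; Tue, 6 Oct 2015 09:14:04 -0400
Received: from outbound-02.hosting.invalid (outbound-02.hosting.invalid [10.0.0.22])
\tby relay.hosting.invalid with ESMTP; Tue, 6 Oct 2015 09:14:03 -0400
Received: from filter-01.hosting.invalid (filter-01.hosting.invalid [10.0.0.15])
\tby outbound-02.hosting.invalid with ESMTP; Tue, 6 Oct 2015 09:14:02 -0400
Received: from smtp.exanple.com (smtp.exanple.com [203.0.113.7])
\tby filter-01.hosting.invalid with ESMTP; Tue, 6 Oct 2015 09:14:01 -0400
Received: from client.isp.invalid (client.isp.invalid [192.0.2.55])
\tby smtp.exanple.com with ESMTPA; Tue, 6 Oct 2015 09:14:00 -0400
From: "CFO" <cfo@exanple.com>
To: ap@example.com
Subject: Urgent wire transfer

Please process the wire today.
"""


def classify(ip):
    """Label an IPv4 address as 'private' (RFC 1918/loopback) or 'public'."""
    addr = ip_address(ip)
    return "private" if any(addr in net for net in INTERNAL_NETS) else "public"


def hop_chain(raw_message):
    """Return hops oldest-first as (claimed_host, ip, classification).

    Each MTA prepends its own Received line, so the order in the message is
    newest-first; reversing it gives the sender-to-recipient travel order."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        unfolded = " ".join(header.split())   # join folded continuation lines
        m = FROM_CLAUSE.search(unfolded)
        if m:
            host, ip = m.group(1), m.group(2)
            hops.append((host, ip, classify(ip)))
    return hops


def chain_pattern(hops):
    """Compact public/private summary of the chain, e.g. 'public -> private -> public'."""
    return " -> ".join(c for _, _, c in hops)


def first_public_hop(hops):
    """First public address in travel order: the one to check reputation on
    and quote in an abuse report. Private hops sandwiched between public
    ones are normally the sending provider's own relays and filters."""
    for host, ip, c in hops:
        if c == "public":
            return host, ip
    return None


if __name__ == "__main__":
    hops = hop_chain(SAMPLE_EMAIL)
    for host, ip, c in hops:
        print(f"{c:8} {ip:16} {host}")
    print(chain_pattern(hops))
    print(first_public_hop(hops))
```

Run it against a real message by reading the raw `.eml` into `hop_chain` instead of `SAMPLE_EMAIL`; only the `from ... [ip]` clauses are trusted, and even those can be forged by any MTA earlier in the chain than the ones you operate.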

I don't have any answers to your first 3 questions, but for question 4, I would say YES, definitely! I remember attending a presentation at DefCon or BlackHat this year, where the presenter had done research in the very same area: he registered domain names that were 1 character off from some well-known domains and then he was able to perform some malicious activities. Of course, he had let them know ahead of time and unregistered them after he was done. I'll see if I can find a link to it and share it here for more in-depth information.
AAInfoSec

40 Posts
1. Yes, as an example (not an endorsement or recommendation), I know domaintools.com archives records. They require a subscription, though, but there's a 7-day free trial (probably with CC# and account creation, I do not know). I'm sure there are others with the historical records, too; I just know they have that service.

2. I don't know a ton about SMTP, but I think your theory is correct; I'm not sure on the bad or hacked idea really, sorry.

3. I would report it to your local FBI office; they will eventually maybe look into that account and get it shut down or start monitoring it. Since you didn't actually fall victim to a crime here, there's no legal recourse that I'm aware of. The suspects are probably out of the country anyway. However, it could be valuable intelligence for them on a case they're working.

4. I would not bother with that; just block it on your email filters. Again, as an example and not a recommendation, I also know DigiCert has a certificate monitoring service that is in beta and free (for now). One of the features of that service is visually similar domain name registration alerts. Just add your domains and it will alert you if anything similar gets registered. You can then look at it and evaluate whether it's probably malicious or just a legitimately similar domain.
xencon

5 Posts
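Both replies to question 4 come down to the same defensive control: recognise the lookalike domain when it shows up, whether at registration time (the monitoring service xencon mentions) or at the mail filter. The script below is an added example, not part of this thread and not code from any product named in it. It generates the common typo variants of a protected domain (dropped, swapped, doubled and visually confusable characters; the confusables table is a small hand-picked assumption, not a complete homoglyph list), scores an inbound sender domain against them with an edit-distance fallback for variants the generator misses, and pulls the sender domain out of a From header so the check can sit in front of a mail filter. The `exanple.com` case from the post is the one the confusable `m`/`n` rule catches.

```python
from email.utils import parseaddr

# Hand-picked confusable sequences (assumption): characters or pairs that read
# alike in common fonts. A production list would be much longer and cover
# Unicode homoglyphs as well.
CONFUSABLES = {
    "m": ("n", "rn"), "n": ("m",), "rn": ("m",),
    "l": ("1", "i"), "i": ("l", "1"), "1": ("l", "i"),
    "o": ("0",), "0": ("o",), "e": ("3",), "a": ("4",), "s": ("5",),
    "w": ("vv",), "vv": ("w",), "d": ("cl",), "cl": ("d",),
}


def lookalikes(domain):
    """Typo-style variants of the domain's first label, returned as full domains."""
    label, _, rest = domain.lower().partition(".")
    out = set()
    n = len(label)
    for i in range(n):                       # one character dropped
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                   # two adjacent characters swapped
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                       # one character doubled
        out.add(label[:i] + label[i] + label[i:])
    for seq, subs in CONFUSABLES.items():    # confusable substitution at every position
        start = label.find(seq)
        while start != -1:
            for sub in subs:
                out.add(label[:start] + sub + label[start + len(seq):])
            start = label.find(seq, start + 1)
    out.discard(label)
    return {v + "." + rest for v in out if v}


def levenshtein(a, b):
    """Edit distance with the usual single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_of(from_header):
    """Domain part of a From header such as '"CFO" <cfo@exanple.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def assess_sender(sender_domain, protected_domain, max_distance=2):
    """Classify an inbound sender domain against a domain you protect.

    Returns "exact", "lookalike" (a generated typo variant), "near" (within
    max_distance edits but not generated) or "unrelated". A mail filter would
    normally tag or quarantine "lookalike" and "near", and treat "exact" as
    suspect too unless the message passed the domain's own SPF/DKIM checks."""
    s = sender_domain.lower().strip(".")
    p = protected_domain.lower().strip(".")
    if s == p:
        return "exact"
    if s in lookalikes(p):
        return "lookalike"
    if levenshtein(s, p) <= max_distance:
        return "near"
    return "unrelated"


if __name__ == "__main__":
    protected = "example.com"
    print(sorted(lookalikes(protected)))
    for hdr in ('"CFO" <cfo@exanple.com>', 'ap@example.com', 'x@examp1e.com',
                'x@ezample.com', 'news@unrelated.org'):
        dom = sender_domain_of(hdr)
        print(f"{dom:20} {assess_sender(dom, protected)}")
```

The generated set is also the list you would feed to a registration-monitoring service or a blocklist, which is why it is kept separate from the edit-distance check: exact variants can be blocked outright, while "near" matches are better routed to a human because legitimately similar domains land there too.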
