Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-
- Phishing attacks
- Malware distribution
- Scams
- Unwanted Program distribution
- Malicious Search Engine Optimization (SEO)
- Illicit content distribution
While all these domains are often kept unused initially to evade detection, and then later they are activated by the threat actors when needed to:-
- Exploit vulnerabilities
- Deceive users
Recently, the cybersecurity researchers at Palo Alto Networks’ Unit 42 hunted malicious stockpiled domains while analyzing the DNS records.
Malicious Stockpiled Domains
Attacker automation leaves several types of traces in diverse data sources, which are detectable by security defenders in locations like:-
- Certificate transparency logs
- Passive DNS (pDNS)
Researchers used info bits to create a stockpiled domain detector with benefits like wider malicious domain coverage and early detection.
Besides this, they employed more than 300 features to process terabytes of data, including:-
- Billions of pDNS
- Billions of certificate records
A vast knowledge base on malicious and benign domains helped in the following key things:-
- Reputation calculation
- Training a Random Forest ML algorithm
To detect the stockpiled domain names, researchers collect the following six categories of features:-
- Certificate Features
- Domain Name Lexical Features
- Certificate Domain Aggregation Features
- Certificate Reputation and Aggregation Features
- pDNS and Certificate Aggregation Features
- pDNS Reputation and Aggregation Features
More than 9,000 malicious domains were detected by Unit 42’s detector in a redirection campaign.
This detection rate shows the advanced capabilities of the detector that outperformed VirusTotal’s 31.7% detection rate. Unit 42 detected them 32.3 days earlier on average.
Despite Cloudflare use complicating pDNS ID, researchers traced random domain generation with shared characteristics.
Victims in the campaign faced redirection to adware or scam pages featuring:-
- Fake notifications
- Clickbait ads
According to a report by Palo Alto, a phishing campaign was discovered that targeted users in Italy and Germany. The detector found related domains in this campaign. Additionally, there was another campaign that impersonated USPS. In this case, over 30 domains were used on the same day between June 17 and August 28, 2023. The report notes that these domains were registered and certified under four certificates.
The aggregation of domains and synchronized creation suggest automated threat actor involvement. One campaign with more than 17 domains was focused on high-yield investment scams, using commonalities like-
- Certificate length
- IP address
However, all the victims were lured with promises of easy money, redirecting through pages and checkboxes to confirm phishing.
Threat actors actively automate their setups in domain wars, but, the bulk registration leaves several detectable traces. However, the success relies on defenders merging datasets to unveil malicious campaigns.
IOCs
Puppy Scam Example Domain
- Baronessabernesemountaindogpuppies[.]com
Malicious Redirection Campaign Domains
- Whdytdof[.]tk
- Pbyiyyht[.]gq
- Rthgjwci[.]cf
- Cgptvfjz[.]ml
- Thewinjackpot[.]life
Postal Phishing Campaign Domains
- Abschlussschritte-info[.]com
- Aksunnatechnologies[.]com
- 222camo[.]com
- Rothost[.]best
A Sample of USPS Phishing Campaign Domains
- Delivery-usps[.]vip
- Delivery-usps[.]wiki
- Delivery-usps[.]ren
- Usps-redelivery[.]art
- Usps-redelivery[.]live
USPS Phishing Campaign Certificate SHA-1 Fingerprints
- 18:FF:07:F3:05:A7:6A:C2:7A:38:89:C5:06:FD:D7:B8:D9:06:88:AB
- 89:29:97:5E:E9:F7:14:D9:95:16:9B:B3:74:33:0C:7B:D0:8F:98:30
- B6:74:45:84:0C:FF:81:05:C2:28:0F:EF:91:23:D8:A0:E8:ED:3A:2E
- 6A:21:31:8B:F4:0A:04:40:FA:37:46:15:A3:CE:1F:0A:C5:0A:93:C3
High Yield Investment Scam Campaign Domains
- Erinemailbiz[.]com
- Makemoneygeorge[.]com
- Natashafitts[.]com
- Julieyeoman[.]com
- Checkout.mytraffic[.]biz