Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Passive DNS has long been described as a “phonebook for the internet.” In the past, though, it has only been associated with a domain and the IP address to which it resolves. But RiskIQ’s DNS record support has a lot more to offer than just a name and phone number. Using RiskIQ’s globally distributed sensors, along with terabytes of internet crawling data and partner data feeds, PassiveTotal provides insight into the depths of DNS records and their history—insight that truly enriches investigations.
The latest release of PassiveTotal now includes more of the DNS records RiskIQ has been collecting over the years. Historically, PassiveTotal has focused on displaying “A” records, which dictate the IP address a given domain should resolve to when querying DNS. These records are immensely useful but are only one of the types of DNS record that can provide analysts with interesting leads. The most recent platform update, however, also brings support for MX (mail exchanger), NS (nameserver), TXT (text), SOA (start of authority), and CNAME (canonical name) records to PassiveTotal.
Fig-1 Example highlighting the new DNS tab and filters
Community users of PassiveTotal will now see a “DNS” tab inside of their search results when these new DNS records are available. Similar to existing tab behaviors, users can apply various filters, add indicators to their existing projects, or pivot on new leads to perform a new search.
Fig-2 Another example of different records for the DNS tab
Supporting these new record types is exciting because they are proven to open up new research leads for analysts. For example, some malicious actors will stand up specific nameservers (NS records) to segment their infrastructure or configure a mail provider (MX records) to administer their command and control channel. Seeing these new records inside of PassiveTotal means an analyst can now pivot off those values to correlate more of the actor’s infrastructure.
Fig-3 Example record where SOA reveals actor email address
More complex record types like SOA and TXT offer unique information about adversary infrastructure. For example, when registering a domain, a valid email address is needed to complete the process. Sophisticated actors may choose to privacy protect their information, but unbeknownst to them, their original email address may get placed inside an SOA record that is associated with the DNS zone. Analysts can perform a search in WHOIS data to surface more domains registered using that email.
We’ve been using this new feature inside of RiskIQ for a few weeks now and have already come to rely on it as a vital data set to check when performing pivots inside of the platform. If you have a story where you found new leads because of the DNS tab, we’d love to hear it. Send your stories or other feedback over to email@example.com!
Sign up for a free PassiveTotal account to check out the new features, and see what else is new in the platform here. If you’re already a user, click here to login and experience our improved DNS record support.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
“(...) RiskIQ has been able to track much more of the bad guy’s infrastructure used in their scam operations. We’ve identified around 400 domains so far that are all tied to these scams.” - @ydklijnsma
WHAT JUST HAPPENED? Security pros offered a range of opinions about the breach. All agreed the fault did not lie with each hacked account's owner. Some say it may have come from inside @Twitter.
@BradyDale and @benjaminopowers report
Targeted #cyberthreats are spiking during #COVID19. We provide one source for information to simplify and accelerate your investigation process #ThreatHunting https://bit.ly/3c9xKoq
RiskIQ researchers just doubled the number of IoCs in the Pastebin. Please continue to monitor it for updates as this situation evolves https://pastebin.com/h64CK3CG #twitterhack #twitterhacks #ThreatIntel #IOCs
Just in case my last tweet got lost in the thread storm, @RiskIQ's list of domains apparently tied to this scam gives us a pretty good idea of who was targeted here. https://pastebin.com/h64CK3CG
This is developing very quickly, but seems to have been staged well in advance. Take a look at some these domains set up to support this scam. H/T @RiskIQ https://twitter.com/ydklijnsma/status/1283508384335925248
Leveraging @RiskIQ's datasets we have identified more infrastructure tied to the current cryptocurrency scammers impacting @elonmusk , @billgates, etc. This is research data, validate before taking action, it might identify new targets also.
At this point we can just assume the entire platform compromised. https://twitter.com/ydklijnsma/status/1283503695796162560
And they've just crossed the cryptocurrency boundary https://twitter.com/ydklijnsma/status/1283501318917611521