May 11, 2017, Forrest Gueterman
Newly registered domains are an effective tool for threat actors.
Threat actors often create new infrastructure quickly, engaging in their attack campaigns and then ducking and running in a matter of hours or even minutes. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent there via a URL from a malicious campaign.
Here at RiskIQ, we analyze quite a bit of the internet on a daily basis, and one insight that comes from this is that newly registered domains deserve quite a bit more suspicion than established ones. With the large quantity of cheap and free domain registrations available, threat actors use newly registered domains to prop up disposable websites that support their activities quickly and efficiently.
As an example, here’s an adult website from a recent RiskIQ blacklist incident that showcases the trouble with newly registered domains through one of its dependent requests. An iframe on the page has a source of hxxp://procese[.]info/banners/uaps?, which, at the time of the crawl, had only been registered for fourteen days, an indicator that it may be part of malicious infrastructure:
Fig-1 PDNS data inside RiskIQ PassiveTotal showing when this domain began resolving
This specific URL does a couple of different things. The first is that it runs a function called “getBrowser”, which does exactly what you would expect: it grabs the browser user agent and some other information to try to determine whether the potential victim is a bot.
Fig-2 Part of the getBrowser function
If the victim’s information did not match certain criteria, a variable would be set to true. This variable is later checked, and if set to true, the page would be changed to look like a 404 message from an Apache Debian Server. However, RiskIQ’s crawlers were created to mimic real users and could easily bypass this page’s fingerprinting attempts. Because of this unique capability, the crawler reached the second part of the page. Once it was decided that there was no bot, the “victim” was sent elsewhere:
The next page the crawlers were sent to was a URL on hxxp://ssd.onlinedisabilityinsurancesanantonio[.]com. A look at the raw page XML showed the following:
Fig-4 Part of the raw page XML
This chunk of code is part of the base64-encoded RIG exploit kit, which is waiting for the victims redirected to the malicious landing page. RIG is a common exploit kit that uses several layers of obfuscation to attempt to deliver its various payloads, with the end goal of downloading malware onto the victim’s computer.
Find Newly Registered Domains with RiskIQ Data
New or recently created domains may help confirm suspicions about malicious activity, as many domains are registered shortly before staging an attack. This may indicate dedicated attacker domain ownership and can strengthen an observation’s value as an indicator of compromise. On the other hand, domains with older registration dates may indicate the use of compromised hosts, hijacked domains, or purchase of older domains from a reseller service.
WHOIS is a protocol that lets anyone query for ownership information about a domain, IP address, or subnet. RiskIQ has a vast database of WHOIS data, which is available to query for registrant information. WHOIS records include not only the name, email address, street address, and phone number of the individual who registered the domain, but also the date it was registered.
Organizations can also use the RiskIQ Newly Observed Domains data set to systematically block new domains (via a web filter or firewall) for a set amount of time after they’re first observed. This can act as an added layer of protection against quick attack campaigns.
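The domain-age check described above, as an added example that is not RiskIQ's own code: it pulls the creation date out of WHOIS-style text and applies a quarantine window to decide whether a domain is still too young to trust. The domains, records and crawl time are constructed for the example, and the field names assume the common "Creation Date:" / "Created On:" WHOIS layout.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS-style records; the domains and dates are invented for
# this example and are not real registrations.
SAMPLE_WHOIS = {
    "fresh-banner.example": "Domain Name: fresh-banner.example\nCreation Date: 2017-04-27T09:30:00Z\nRegistrar: Example Registrar\n",
    "established-cdn.example": "Domain Name: established-cdn.example\nCreation Date: 2009-06-15T00:00:00Z\nRegistrar: Example Registrar\n",
    "redacted.example": "Domain Name: redacted.example\nRegistrar: Example Registrar\n",
}
# Constructed crawl time used for the worked example (the post's date).
CRAWL_TIME = datetime(2017, 5, 11, 12, 0, tzinfo=timezone.utc)

# Registrars label the field "Creation Date:" or "Created On:" and may or may
# not include a time and trailing 'Z', so the pattern is deliberately loose.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On):\s*(\d{4}-\d{2}-\d{2})(?:T(\d{2}:\d{2}:\d{2}))?Z?",
    re.IGNORECASE | re.MULTILINE,
)

def parse_creation_date(whois_text):
    """Return the registration time (UTC) or None if the record has no date."""
    m = CREATION_RE.search(whois_text)
    if not m:
        return None
    stamp = f"{m.group(1)}T{m.group(2) or '00:00:00'}"
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def domain_age_days(whois_text, now):
    """Whole days since registration, or None when the record carries no date."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days

def quarantine_decision(whois_text, now, quarantine_days=30):
    """'block' while the domain is inside the quarantine window, 'allow' once it
    has aged out, 'review' when no date is available (redacted or unusual
    record) or the date lies in the future, since the age rule cannot apply."""
    age = domain_age_days(whois_text, now)
    if age is None or age < 0:
        return "review"
    return "block" if age <= quarantine_days else "allow"

def triage(now=CRAWL_TIME, quarantine_days=30):
    """Apply the window to every sample record; returns {domain: decision}."""
    return {d: quarantine_decision(t, now, quarantine_days) for d, t in SAMPLE_WHOIS.items()}
```

The fourteen-day-old record lands in "block" with the default 30-day window but in "allow" with a 7-day one, which is the trade-off the quarantine length controls.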
RiskIQ data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers. Register for RiskIQ Community for free to begin using data sets such as newly observed domains and start surfacing threats against your organization.