Tag Archives: DomainTools

Webinar: 5 Ways to Get an “A” in Cybersecurity – DomainTools Cybersecurity Report Card

The cybersecurity landscape is evolving at a rapid pace. As a result, security teams are working hard to stay on top of the learning curve and maintain a mature security posture. With this state of flux in mind, we conducted a global survey with more than 500 security professionals to better understand the current state of maturity of security teams.

October 3, 2018 at 10 AM PT/1 PM ET

Join DomainTools Sr. Product Marketing Manager, Corin Imai, to discuss key takeaways from the DomainTools second annual Cybersecurity Report Card Survey. More than 500 security professionals from companies ranging in size, industry and geography were surveyed about their security posture and asked to grade the overall health of their programs. Their responses, particularly when compared to the results of the 2017 Report Card, shed light on how cybersecurity practices are evolving, and what the most successful organizations are doing to ensure they stay ahead of the ever-growing and changing threat landscape.

In this webinar, you will learn:

  • Key trends over the past two years in Cybersecurity
  • How the use of automation technology plays a significant role among highly-rated programs
  • Where there is room for improvement: Even with top marks, there is always opportunity for growth
  • Actionable best practices you can implement in your organization

To register for this DomainTools webinar, see:

.NZ Wins Preliminary Injunction Against DomainTools to Keep Registrant Data Private

New Zealand’s Domain Name Commission this week won a motion for preliminary injunction in a US court [pdf] to prevent DomainTools from accessing .nz’s Whois details and downloading the information into their own database.

The DNC, which describes its role as developing and monitoring a competitive registrar market and creating a fair environment for the registration and management of New Zealand’s country code top level domain, comes under the InternetNZ umbrella. It viewed the victory as important for the .nz domain name space and for domain name holders wanting to keep some of their personal details from public view. It also sets a precedent for other registries wanting to keep registrant data private.

The DNC notes that managers of other ccTLDs will want to pay attention to the judgment, which may give them the confidence to bring their own cases should DomainTools be breaching their terms of use.

The preliminary injunction prevents DomainTools from “sending ‘high volume’ queries”, “accessing the .nz Register ‘in bulk’”, “storing or compiling register data”, “publishing historical or non-current versions of the register data; and publishing register data in bulk.”

In the lead-up to the decision, in November 2017 the DNC allowed individual registrants who are not in trade to choose to withhold their phone number and contact address from public display in the domain registrant search (Whois). Earlier this year, this became mandatory. More than 20,000 domain names have already taken up the privacy option.

DomainTools is a digital intelligence-gathering company in the US and has been scraping registration data from New Zealand’s Domain Name Commission for many years. This mass collection of data breaches the Commission’s terms of use and exposes details of domain name holders who choose to have their details kept private. This is because DomainTools makes available historic records which show the now withheld information.

Domain Name Commissioner, Brent Carey, says winning this lawsuit is good news for .nz domain name holders and their privacy.

“The ruling allows the Commission to continue balancing online accountability with respect for individual privacy. The ruling temporarily puts to an end DomainTools’ bulk harvesting of .nz domain holders’ personal information and selling that data for a profit.

“This is a step in the right direction to ensure that any person or company looking to build a business on domain name data, in violation of our Terms of Use, can’t do so,” says Carey.

DomainTools argued that this lawsuit may cause an avalanche of litigation as other registries attempt to protect the privacy of their registrants – and Judge Lasnik stated they may be correct.

“We look forward to presenting our full case to the Court, as we seek to permanently prevent DomainTools from ever building a secondary .nz database offshore and outside the control of the Domain Name Commission,” says Carey.

In court, DomainTools requested $3.5 million (over NZ$5m) in bond to compensate for reworking database files to ensure that .nz data is not provided to its customers. However, the judge ruled that a nominal bond of only $1,000 (NZ$1,500) is required.

DomainTools: Lack of Whois Data ‘Severely Impairs’ Democracy

Whois data is “more important than ever before” as malicious actors seek to undermine democracy, according to a post on the DomainTools blog.

“2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of today’s privacy-centric global policy regimes.”

The introduction of the EU’s General Data Protection Regulation (GDPR) has made it much more difficult to obtain Whois data that was previously freely available for all but those domain names that utilised privacy protection, although that data was not always accurate. DomainTools note that fewer than 25% of domain name registrants utilised privacy protection.

In their post DomainTools note that the “proponents of the anonymization of the internet are saying that ‘see, the sky is not falling, Whois didn’t really matter after all’. Except that it does matter. It matters a great deal to the very same people GDPR is designed to protect.”

DomainTools give a couple of examples of where they believe “security investigations or processes [have been] impaired by the current global inability to identify the people or organizations that register and use domain names on the internet.”

“Election meddling is a hot-button issue, it gets to a very closely held civil right in most democratic countries. So last week’s announcements by Microsoft, cybersecurity company FireEye, Facebook, and Google regarding US midterm election influence campaigns being run on social media and also via state-sponsored phishing attacks, was widely distributed, read and referenced.”

In one example, DomainTools note “FireEye’s confidence to name Iranian actors as the responsible party stems from ‘a combination of indicators, including site registration data’ as well as ‘Registrant emails from the sites ‘Liberty Front Press’ and ‘Instituto Manquehue’”.

“Facebook builds on the FireEye research and through investigation of Facebook Accounts and Pages is ‘able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP Addresses and Facebook Pages sharing the same admins.’”

“Google’s blog post implicates the Islamic Republic of Iran Broadcasting (IRIB) by noting ‘Technical data associated to these actors is strongly linked to the official IRIB address space…domain ownership information about these actors is strongly linked to IRIB account information…(and) Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB’”.

DomainTools concludes that “Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.”

DomainTools Sees 1 Billionth Domain Name

There are currently around 335 million domain names registered around the world, but many domain names are deleted or expire, and some are re-registered. DomainTools has announced that it has seen its 1 billionth unique domain name in the 17 years the company has existed. How many domain names have come and gone in total, nobody knows.

DomainTools Webinar on 22 May: Introducing Iris 3.0

As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats. With this in mind, DomainTools recently added three new features to Iris to help analysts and hunters: Guided Pivots, SSL Certificate Profiles, and historical reverse Whois support.

Join Director of Product Management, Tim Helming, to learn how these new features will help you better profile adversaries, map their infrastructure, and characterize suspicious domains. Additionally, in light of the upcoming GDPR-related changes to Whois, discover new data sets that will help you go “beyond Whois”.

May 22, 2018 at 10 AM PT/1 PM ET OR 14:00 BST

In this webinar, you will learn:

  • How to conduct an effective investigation using guided pivots and historical Reverse Whois
  • How SSL certificates can help you determine whether you’re looking at a suspicious domain
  • How information from Iris can help immediately secure your organization, discover more about known or suspected incursions, and defend against future moves by threat actors

To register for the webinar, go to the DomainTools announcement at:

DomainTools Find Cybercriminals Using Typos to Spoof Top UK charities

Cybercriminals are using fraudulent domains to lure unsuspecting members of the public towards spoofs of well-known UK charities, for malicious purposes, according to the results of a DomainTools investigation.

Following on from the National Cyber Security Centre’s warning that cybersecurity poses the most serious threat to UK charities, DomainTools selected ten well-known and popular charitable organizations in the UK to analyse, and found that every charity selected was being spoofed online by cybercriminals, who often used typos in order to dupe unsuspecting Internet users. The team analysed domains associated with Cancer Research, The National Trust, NSPCC, Oxfam, The Red Cross, Salvation Army, Wateraid, Save The Children and Unicef. In total, over 170 domains were deemed high-risk for phishing, malware and other forms of cybercrime. Some examples of fraudulent domains with risk scores of 100 – the highest possible score – include:

  • fundraisecancerresearch[.]org
  • nationltrust[.]org
  • nspcv[.]org
  • oxfamsol-mail[.]be
  • redcroas[.]com
  • salvationarmycapitalregion[.]org
  • svaethechildren[.]org
  • sheltern[.]com
  • unicefpro[.]org
  • vistwateraid[.]org

“It remains incredibly easy for anyone to purchase an available domain,” said Tim Helming, director of product management at DomainTools. “This is part of what helps keep the Internet open and democratic, but it also helps cybercriminals exploit users. In this case the spoofing of charity websites has the added benefit of exploiting people’s wish to donate to these charities, making them a particularly lucrative target.”

Explaining how these websites reach Internet users, Helming said: “these domains will often be directed towards people via email or SMS phishing campaigns, which hope to encourage users to click on seemingly legitimate looking links such as those included above, which in turn begins another cycle of cybercrime. Phishing can be used by criminals simply to gain credit card or banking information, or as a gateway to install malware on a device or network, which leads to even more serious crimes such as data breaches and/or identity fraud.”

DomainTools offers top tips for consumers to avoid falling foul of a spoof website:

  • Watch out for domains that have the pattern com-[text] in them. We’re so accustomed to seeing .com that we can easily overlook the extra text that’s appended to it with a dash.
  • Look for typos on the website, coupon, or link that is directing you – for example, check for extra added letters in the domain, such as Yahooo[.]com.
  • Look out for ‘rn’ disguised as an ‘m’, such as modem[.]com versus modern[.]com.
  • Watch all website redirects by hovering over URLs to see where the link will take you.
  • Realise that if something is too good to be true, it likely is.
  • Get into the habit of hovering your mouse over links, and then looking for a pop-up that shows what domain the link points to. Typo domains can often be exposed using this method. Chrome and Firefox both have this feature.

DomainTools Launches Innovative Predictive Domain Risk Scoring Model

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today [21 Feb] announced its Domain Risk Score, a new method of predicting the level of danger or risk associated with internet domains. Providing unparalleled accuracy and breadth over newly registered domains, this model is the first to enable proactive evaluation and risk scoring of a domain based purely on the domain’s intrinsic characteristics. Leveraging machine learning and predictive insights, DomainTools’ Risk Score identifies factors inherent in high-risk domains from their inception, even if they have not been previously observed in malicious activity. It also predicts which type of threat the domain is most likely to represent, whether phishing, malware, or spam.

While the case for identifying and blocking dangerous domains is universally understood, a recent report from Enterprise Management Associates revealed that 79 percent of security teams are overwhelmed by the volume of alerts triggered on their network. This illustrates the need for accurate, automated identification of dangerous infrastructure. Risk Score was developed to increase efficiency among these resource-strapped security teams, many of which are looking for ways to reduce the number of false-positive notifications they receive. Machine learning and predictive analysis can intelligently automate and streamline certain security functions, and are inherently optimal for enabling risk scoring.

DomainTools has scored all of the more than 310 million currently-registered domains and continues to score tens of thousands of newly registered domains every day. Using the most complete current and historical records in the industry, DomainTools data scientists developed machine learning classifiers to identify domains that have a likelihood of being used for phishing, malware, or spam. The “F Score” data (a means of evaluating detection and false positive rates) for multiple test runs confirm that the classifiers render the correct verdicts over 99 percent of the time. Risk Score can be leveraged to:

  • Surface domains that pose a significant risk to a specific organization or environment;
  • Compare high-risk domains to others in the DomainTools database to identify related sites that may also pose a risk;
  • Search for domains with high-risk scores in archived logs to determine if an attacker has gained entry into the network;
  • Establish DomainTools monitors for alerts on future domains that are registered to the same threat actor or campaign as other known blacklisted sites.

“Our goal is to help security professionals detect, investigate, and prevent malicious activity online. Domain Risk Score further enables us to deliver on that commitment,” said Tim Chen, CEO, DomainTools. “Applying the expertise of our data science team to DomainTools’ detailed data sets on nearly every active domain on the internet has delivered a unique predictive model that truly helps security teams stay ahead of emerging threat infrastructure.”

Domain Risk Score can be utilized by a variety of security professionals, from network defenders who block the domains that are part of phishing, malware, or spam campaigns, to incident responders and threat hunters who determine the level and type of risk associated with various domains. With Risk Score, these teams can streamline their processes from the outset, starting with a point of relevance based on domains observed touching their network. This reduces false positives and allows security teams to focus their efforts.

Domain Risk Score is available as an optional add-on to DomainTools Iris, an enterprise-grade threat investigation platform, and the scores are also available as API queries. Learn more about Iris and how DomainTools is turning threat data into threat intelligence, or to request a demo of Domain Risk Score.

About DomainTools

DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at http://www.domaintools.com or follow us on Twitter: @domaintools

This Domain Tools news release was sourced from:

DomainTools Webinar: How DomainTools & MISP Enable an Effective Threat Intelligence Program

The Malware Information Sharing Platform, or MISP, is an open-source threat intelligence platform deployed across major organizations to consume, catalogue, and share IOCs (indicators of compromise). In this session, we’ll hear from Beth Young, a Network Security Engineer at Jack Henry & Associates, about their MISP deployment and how it fits in their broader security ecosystem.

Then, Mark Kendrick, Director of Product Integrations at DomainTools, will demonstrate three custom-built modules for MISP that bring historical Whois data, risk scoring, and threat actor infrastructure mapping to any investigation in MISP. Mark will also show how the unique correlation capabilities in MISP can link otherwise disconnected pieces of intelligence, especially when an analyst discovers connected infrastructure with DomainTools’ APIs.

February 22 at 10 AM PT/1 PM ET

In this webinar, you will learn:

  • Strategies Jack Henry uses to protect its employees and its customers with a custom MISP deployment.
  • Tips and techniques for integrating MISP with other security technologies, including a SIEM, an orchestration platform, and web / email filtering tools.
  • Capabilities of DomainTools modules for MISP, and how to implement them in your security practice.

To register for the webinar, go to:

Webinar: Mapping Connected Infrastructure with ThreatConnect and DomainTools

The more information you have about a potential threat, the better you can defend against it. In order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data. The combination of the DomainTools Spaces App for ThreatConnect and the DomainTools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Join Mark Kendrick, Director of Product Integrations at DomainTools, and Kyle Ehmke, Threat Intelligence Researcher at ThreatConnect, to learn how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain, actor and IP investigations.

January 23 at 10 AM PT / 1 PM ET

Learn how DomainTools and ThreatConnect work together to:

  • Investigate domain names
  • Map connected infrastructure
  • Uncover hidden threats

About the Speakers

Kyle Ehmke – Threat Intelligence Researcher, ThreatConnect

Kyle Ehmke is a threat intelligence researcher with ThreatConnect and has eight years of experience as a cyber intelligence analyst previously in the Intelligence Community and within the healthcare sector. Kyle has followed a wide range of cyber threats ranging from the Middle East and Extremists to, more recently, those specifically affecting the healthcare and pharmaceutical sector. He is also actively involved with ThreatConnect’s research into Russian election activity and targeted efforts against Bellingcat, WADA, and others.


Mark Kendrick – Director of Product Integrations, DomainTools

Mark has spent over eight years at DomainTools helping major brand holders, cyber security companies, large Internet organizations and leading incident responders investigate online threats with DNS and Whois data. He has held engineering and product leadership roles at the company, led business development and partner integration activities, and pioneered sales relationships with major public and private organizations. Mark now leads partnership discussions with leading cybersecurity product companies and manages relationships with DomainTools customers in the public sector.

DomainTools: Majority of Consumers Aware of Online Publishing Scams, Yet Still May Fall Victim This Cyber Monday

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today [8 Nov] released the findings of its 2017 Cyber Monday Phishing Survey. The survey results highlighted that two in five U.S. consumers have fallen victim to an online phishing attack, despite the fact that 91 percent are aware of the existence of these spoofed websites or emails of trusted brands. As the holiday shopping season approaches, 92 percent of all consumers shop online and about half are planning to shop online on Cyber Monday, exposing an opportunity for malicious hackers to strike. DomainTools has illustrated its key findings in an infographic.

“Cyber Monday has grown in popularity year over year, and unfortunately, so has phishing and online counterfeiting. A range of techniques are used to trick shoppers into visiting a fake website or clicking on a malicious link. This can result in a shopper unintentionally sharing financial and personal information with these criminals or even downloading ransomware,” said Tim Chen, CEO of DomainTools. “As shoppers search for Cyber Monday deals, it’s important that they remember to look closely at links and email addresses before clicking. If something seems too good to be true, it may instead be very fake and very bad.”

According to the Anti-Phishing Working Group (APWG), nearly 119,000 unique phishing sites were detected during November 2016, with over 300 individual brands targeted that month. The brands most likely to be spoofed this November likely correspond with the most popular online retailers, which according to the survey include Amazon (82%), Walmart (36%), and Target (20%). Using DomainTools PhishEye, threat hunters identified some of the most recent brand abusing domains created by attackers in an attempt to trick unassuming online shoppers, including the following:

[Image: Cyber Monday brand-abusing domains identified by DomainTools; the list is not reproduced in the text.]

Consumer education remains the number one way to prevent compromises via phishing. Online shoppers should heed these tactics to safely navigate links to Cyber Monday sales that are shared via email and social media:

  • Be paranoid. Assume links are dangerous until decided otherwise.
  • Navigate directly to a company’s website instead of clicking on links in emails or social media.
  • Closely examine URLs and email senders for typos. Examples could include:
      • extra added letters in the domain, such as Yahooo[.]com
      • ‘rn’ disguised as an ‘m’, such as modem[.]com versus modern[.]com
      • 1’s disguised as l’s, such as wa1mart[.]com
      • added affixes, such as starbucks[.]com-latte[.]us
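The typo patterns listed in the charity story above (com-[text] affixes, ‘rn’ for ‘m’, extra letters) and in this Cyber Monday list (plus 1 for l) can be turned into a triage check for domains seen in mail or proxy logs. The following is an added example written for this page, not DomainTools code or any PhishEye logic; the brand watch list, the homoglyph table and the sample domains are constructed, and “modem” stands in for a brand whose “m” can be faked with “rn”. It generalizes the listed tricks slightly by using edit distance 1 to catch any single extra, missing or swapped letter.

```python
"""Heuristic lookalike-domain checks for the typo tricks described above.

Constructed example: BRANDS and the sample domains are illustrative. Findings
are hints for an analyst to triage, not verdicts on a domain.
"""

# Brand names to protect (constructed watch list). "modem" stands in for a
# brand whose "m" an attacker can mimic with the two letters "rn".
BRANDS = ["amazon", "walmart", "target", "yahoo", "starbucks", "modem"]

# Character sequences that read as another character at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def refang(domain: str) -> str:
    """Turn a defanged name such as 'wa1mart[.]com' into a plain lowercase host."""
    return domain.lower().replace("[.]", ".").strip(". ")


def registrable_label(host: str) -> str:
    """Label left of the public suffix; naive, assumes a one-label suffix like .com."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize_homoglyphs(label: str) -> str:
    """Collapse look-alike sequences so 'rnicrosoft' becomes 'microsoft'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 is one extra, missing or substituted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str) -> list:
    """Return human-readable findings for one domain; an empty list means no hit."""
    host = refang(domain)
    label = registrable_label(host)
    findings = []

    # "brand.com-text.tld": the ".com-" sits inside a label, so the domain the
    # browser actually visits is the one at the end, not brand.com.
    if ".com-" in host:
        findings.append(f"com-affix: '.com-' inside '{host}'; registrable label is '{label}'")

    for brand in BRANDS:
        if label == brand:
            return []  # the brand's own registrable domain, nothing to flag
        if normalize_homoglyphs(label) == brand:
            findings.append(f"homoglyph: '{label}' reads as '{brand}'")
        elif levenshtein(label, brand) == 1:
            findings.append(f"typo: '{label}' is one edit from '{brand}'")
        elif brand in host:
            findings.append(f"embedded brand: '{brand}' appears in '{host}'")
    return findings


if __name__ == "__main__":
    # Constructed samples, defanged the way the article prints them.
    samples = ["walmart.com", "Yahooo[.]com", "modern[.]com",
               "wa1mart[.]com", "starbucks[.]com-latte[.]us", "example.org"]
    for sample in samples:
        print(sample, "->", check_domain(sample) or "clean")
```

Run against a column of hostnames from mail or proxy logs, the check surfaces candidates for a human to look at; the brand list and the naive public-suffix handling are the two parts a production version would replace with an organization-specific watch list and a real public suffix list.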

The DomainTools Cyber Monday Survey was conducted online between October 5-7, 2017. Survey data is available by request.

For more information on DomainTools PhishEye, please visit www.domaintools.com/products/phisheye.


This DomainTools news release was sourced from: