Tag Archives: DomainTools

DomainTools 2018 Predictions Survey

DomainTools is conducting a survey among security professionals. DomainTools will use the data compiled from this survey to better understand current security trends, priorities, and concerns. This survey is closing on Tuesday, September 26 at 5 PM PT.

All responses will remain anonymous, and will be shared in the form of a survey report.

Here’s what to expect:

The 16-question survey is hosted on SurveyMonkey and should take about five minutes to complete. Participation is appreciated and survey respondents will be entered into a drawing for a $500 American Express Gift Card.

To participate, go to:

Webinar: How to Investigate Malicious Domains using DomainTools and ThreatConnect – 23 August

The more information you have about a potential threat, the better you can defend against it. In order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data. The DomainTools Spaces App for ThreatConnect arms users with access to a number of unique datasets with critical actor-centric intelligence on domain names including domain profile data, IPs, and Whois data.

Join Director of Business Development at DomainTools, Mark Kendrick and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke to better understand the key capabilities and benefits of this new integration.

The webinar will be held today, 23 August, at 10:00 United States Pacific Time, 13:00 US Eastern Time.

This webinar will cover:

  • How ThreatConnect and DomainTools work together to deliver valuable actor-centric intelligence
  • An in-depth look at DomainTools data within ThreatConnect (including domain profile data, reverse pivots, historical identities)
  • A real-world example of how DomainTools and ThreatConnect work in tandem throughout an investigation into Fancy Bear infrastructure

About the Speakers

Kyle Ehmke – Threat Intelligence Researcher, ThreatConnect

Kyle Ehmke is a threat intelligence researcher with ThreatConnect and has eight years of experience as a cyber intelligence analyst previously in the Intelligence Community and within the healthcare sector. Kyle has followed a wide range of cyber threats ranging from the Middle East and Extremists to, more recently, those specifically affecting the healthcare and pharmaceutical sector. He is also actively involved with ThreatConnect’s research into Russian election activity and targeted efforts against Bellingcat, WADA, and others.


Mark Kendrick – Director of Business Development, DomainTools

Mark has spent over eight years at DomainTools helping major brand holders, cyber security companies, large Internet organizations and leading incident responders investigate online threats with DNS and Whois data. He has held engineering and product leadership roles at the company, led business development and partner integration activities, and pioneered sales relationships with major public and private organizations. Mark now leads partnership discussions with leading cybersecurity product companies and manages relationships with DomainTools customers in the public sector.

.STUDY, .SCIENCE and .RACING Have Highest Concentrations Of Malicious Activity: DomainTools

DomainTools has released their 2017 DomainTools Report that looks at the various “hotspots” of malicious or abusive activity across the internet, analysing the generic top level domains (gTLDs) with the highest concentrations of malicious activity. Their research found that .science had the highest concentration of bad domains, followed by .study and .racing. None of the 2017 most malicious TLDs were in meaningful operation in 2015.

The report examines four domain characteristics: gTLDs, Whois privacy provider, free email provider and IP geolocation.

“We expect a lot of churn for the foreseeable future as the Top Level Domain space continues to expand, but that should not stop investigators from paying attention to the top ten from this year,” said Tim Helming, Director of Product Management at DomainTools. Helming clarified that these TLDs are not inherently malicious, as single registrants can be responsible for the vast majority of nefarious domains.

“It is worth noting that in .science, of the 230,000 domains in the TLD, over 144,000 (63%) have been blacklisted and even more noteworthy, perhaps, is that the blacklisted domains in .science are dominated by a single registrant. Similarly, the blacklisted domains in the .racing TLD are also largely the work of a single registrant entity.”


The DomainTools team was also able to identify which email providers, based on registrant contact information contained in Whois records, had the highest concentrations of malicious domains and mynet.com was at the top of the list. This list also included Microsoft mail providers live.com and outlook.com. “Mynet.com went from being completely absent in 2015 all the way to the dubious distinction of top slot this year, and live.com showed a significant increase in the rates of unsavory domains linked to it” continued Helming. “While it bears repeating that the use of any of these providers is not proof that a domain is dangerous, many of the actual concentrations are extremely high. Only one of the top ten had a lower than 10% incidence of observed bad activity among the domains connected to it.”


The full research is available on the DomainTools blog: https://blog.domaintools.com/2017/05/the-domaintools-report-spring-2017/

DomainTools Launches New Cyber Threat Solution, PhishEye, to Stop Phishing Attacks Before They Occur

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today announced the launch of PhishEye, a simple yet effective new security solution that helps to prevent phishing attacks before they happen.

Powered by DomainTools’ market-leading domain name discovery and profiling systems, PhishEye automates the process of identifying look-alike domains that spoof brand, product, or organization names. Security teams that use PhishEye can rely on DomainTools to identify potential domain-based threats and proactively defend networks against future phishing attacks.

Phishing activity is at an all-time high, causing significant financial and brand damage. In fact, fake website and phishing scams cost the average-sized organization nearly $4 million annually, as noted in a recent report by the Ponemon Institute. What’s more, the Anti-Phishing Working Group (APWG) observed 466,065 unique phishing sites in the second quarter of 2016 alone, up 61 percent over the previous quarter and almost three times the number observed in the fourth quarter of 2015. With phishing attacks showing no signs of slowing down, proactive monitoring solutions which leverage DNS data have never been more necessary for organizations of all sizes and industries.

“Phishing campaigns are fundamentally trying to trick your employees or customers, and the ‘trick’ often involves a look-alike domain and website. To build an effective phishing prevention product it helps to have a very thorough mapping of domains in DNS today as well as highly effective and timely domain discovery systems, two things DomainTools is exceedingly good at,” said Tim Chen, CEO, DomainTools. “We created PhishEye for enterprises looking for a simple and effective way to automate the process of discovering phishing threats lurking on the internet well before they are activated.”

PhishEye’s highly intelligent typo and substring matching algorithm, working in concert with DomainTools’ proprietary Domain Reputation Engine, automates the discovery and notification of potentially nefarious domains very close to their actual registration time. These domains can then be entered into spam filters, firewalls, and other security systems to protect against phishing attacks on your network, or pushed into DomainTools Iris for further investigation and attribution.
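The release above describes two detection ideas, typo variants of a protected name and substring matches, run against newly registered domains. The following is an added illustration of that technique, not PhishEye's or DomainTools' code; the brand names and the registration feed are constructed placeholders.

```python
"""Screen a feed of newly registered domains for look-alikes of protected names.

Added illustration (not DomainTools/PhishEye code). Two checks are applied to
the registrable label of each domain: a substring check (brand appears inside
the label, hyphens ignored) and a typo check (label equals a one-edit variant
of the brand: omission, repetition, adjacent transposition, or a common
digit/letter look-alike swap). Hits are candidates for analyst review.
"""

# Placeholder brand names to protect (constructed, not real brands).
BRANDS = ("examplebank", "examplepay")

# Constructed sample feed of "newly registered" domains (not real data).
NEW_REGISTRATIONS = [
    "examplebank.com",              # the brand itself
    "secure-examplebank-login.com", # brand embedded in a longer label
    "examp1ebank.com",              # l -> 1 look-alike swap
    "exampelbank.net",              # adjacent transposition (le -> el)
    "examplebnak.com",              # adjacent transposition (an -> na)
    "exampebank.com",               # omitted character
    "weather-report.org",           # unrelated registration
    "rnyexamplepay.com",            # brand embedded after an rn-for-m prefix
    "examplep4y.com",               # a -> 4 look-alike swap
    "sample-bank.com",              # unrelated, shares only a suffix
]

# Common visual substitutions seen in look-alike labels (single direction).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}


def typo_variants(name):
    """Return the set of one-edit look-alike variants of `name`."""
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])                   # omission
        variants.add(name[:i] + ch + name[i:])                  # repetition
        if i + 1 < len(name):                                   # transposition
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in HOMOGLYPHS:                                    # look-alike swap
            variants.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    variants.discard(name)
    return variants


def classify(domain, brands=BRANDS):
    """Return (reason, brand) for a look-alike domain, or None if it is clean."""
    label = domain.lower().split(".")[0]      # registrable label only
    squashed = label.replace("-", "")          # "secure-brand-login" -> "securebrandlogin"
    for brand in brands:
        if label == brand:
            return ("exact", brand)
        if brand in squashed:
            return ("substring", brand)
        if label in typo_variants(brand):
            return ("typo", brand)
    return None


def screen(feed, brands=BRANDS):
    """Return [(domain, reason, brand)] for every flagged domain in the feed."""
    hits = []
    for domain in feed:
        hit = classify(domain, brands)
        if hit:
            hits.append((domain, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for domain, reason, brand in screen(NEW_REGISTRATIONS):
        print(f"{domain:32} {reason:10} ({brand})")
```

A hit only means the label resembles a protected name; as the release says, flagged domains are candidates for filtering or further investigation, and the brand owner's own legitimate registrations will surface as "exact" hits too.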

To learn more about PhishEye and how DomainTools is protecting organizations from phishing attacks, or to request a demo, please visit: domaintools.com/products/phisheye.

About DomainTools
DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network, including domains and IPs, and connect them with nearly every active domain on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on malicious activity at domaintools.com or follow us on Twitter: @domaintools

This news release was sourced from:

DomainTools Launches Threat Hunting App and Search Add-On for Splunk

[news release] DomainTools, the leader in domain name and DNS-based cyber threat intelligence, today (29 June) announced a new app and search add-on (SA) that are available in Splunk Enterprise’s Splunkbase immediately. Without leaving the Splunk environment, security teams can now leverage DomainTools data alongside proxy and DNS logs for threat hunting, incident response, and quick in-context triage of security events. Additionally, the new app and search add-on give security team members access to DomainTools’ industry-leading threat intelligence data on domain names, the individuals who control them, and the infrastructure that supports them.

Domain names and DNS data are now getting the recognition they deserve as key sources of threat intelligence. Enriched with Whois data, these indicators provide a more effective platform for analysis and alerting than an IP address. DomainTools’ new app and search add-on help Splunk customers uncover that domain profile data faster. Once a threat is discovered, searches can be applied retroactively to find hostnames already active in the network that match a domain profile but missed previous detection, driven by data constantly sourced from the DomainTools Parsed Whois recordset.

“Almost daily, we’re getting reports of security teams who are using their SIEM, specifically Splunk, for proactive threat hunting and incident response investigations. Given this increasing demand, Splunk was an obvious choice for our first major integration,” said Mark Kendrick, Director of Solution Engineering for DomainTools. “With our new app and search add-on, Splunk’s 11,000 customers have easy access to the most comprehensive domain name investigation tools available today.”

Key features of DomainTools’ new Splunk app and search add-on include:

  • API endpoint hooks to easily add context to any Splunk list with a domain name and set up custom rules and triggers from the reversing APIs.
  • Intuitive workflow actions that link to a Domain Profile dashboard for a quick triage on a single domain name.
  • A holistic view of the threat actor, related domains by IP address or Name server, the DomainTools Domain Reputation Score, and Reverse Whois results for the registrant.
  • Easy access to the industry-leading DomainTools Whois database, comprising over 10 billion Whois records and over 300 million known domains in DNS.

DomainTools selected Hurricane Labs, a managed SIEM service provider with deep experience in security, as its app publishing partner. Hurricane Labs has previously built several other well-received apps in the Splunk ecosystem,

DomainTools Enterprise API customers can download the app on Splunkbase here. For questions about DomainTools, or to request a free API trial account to try the app, contact DomainTools here.


DomainTools Launches Iris For Cybersecurity Threat Investigations

DomainTools has launched a new product called Iris they believe is an important product for cybersecurity threat investigations.

Iris, their CEO Tim Chen writes on the company blog, “combines our industry-leading domain and IP ownership data, domain profile data, DNS data, and 15 years of historical Whois and hosting infrastructure data into an intuitive web interface designed around DNS investigation workflows.”

Iris has been developed to make “it easier for investigators to follow clues, keep track of how they found those clues and put together a clear dossier on a threat actor” according to an IDG report.

Iris came about after DomainTools decided three years ago “to focus a majority of the company’s resources on building products for the cybersecurity industry.”

DomainTools began with data. For Iris DomainTools wanted to know about more registered domains in DNS, specifically in ccTLD zones, with the goal to make their extensive datasets more current and therefore more accurate and go beyond domain name Whois into other DNS datasets.

Iris, Chen wrote, is the web-based manifestation of those years of hard work.

Dark Reading And DomainTools To Host Cybersecurity Webinar On ‘Using Threat Intelligence To Improve Enterprise Cyber Defense’

[news release] DomainTools, the leader in domain name and DNS research, today announced an upcoming webinar, ‘Using Threat Intelligence to Improve Enterprise Cyber Defense’ that will provide insight on how security teams can use DNS-based threat intelligence to assess cyber security risk and defend their businesses.

Co-hosted by Dark Reading and DomainTools, the panel will be led by Michael Osterman, principal and analyst at Osterman Research, Jon Rant, contributing editor at InformationWeek, and DomainTools’ Tim Helming, director of product management, on Wednesday, Sept. 16 at 10:00am PDT.

During this webinar, the cybersecurity experts will share the results of a new survey revealing how organizations purchase and use threat intelligence, as well as offer advice on how domain and DNS-based threat information can help organizations assess risk, assess potential indicators of compromise, and even anticipate and block future attacks.

Webinar: Using Threat Intelligence to Improve Enterprise Cyber Defense


  • Michael Osterman, principal at Osterman Research
  • Jon Rant, contributing editor at InformationWeek
  • Tim Helming, director of Product Management for DomainTools

Where: https://webinar.darkreading.com/943

When: Wednesday, Sept. 16 at 10:00am PDT


  • Best practices on the right and wrong ways to make use of threat intelligence data;
  • Results of a major survey showing how enterprises are implementing threat intelligence services and technology, including the pitfalls and payoffs of using threat intelligence;
  • How domain and DNS-based threat data can help organizations see threats coming by detecting, investigating, and acting upon threat indicators.

For more information about the webinar and to reserve your space, please visit: https://webinar.darkreading.com/943

About DomainTools
DomainTools is the leader in domain name and DNS-based cyber threat intelligence. With over 15 years of ‘cyber fingerprint’ data across the global Internet, DomainTools helps companies assess security threats, profile attackers, investigate online fraud and crimes, and map cyber activity in order to stop attacks. Fortune 1000 companies, global government agencies, and many security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work. Learn more about how to connect the dots on criminal activity at http://www.domaintools.com or follow us on Twitter: @domaintools.

Verisign Announces Strong Growth As .COM Passes 100m Registrations

Total registrations of .COM and .NET domain names increased to 113.8 million at the end of 2011, representing an eight per cent increase year-on-year, Verisign announced. The company also announced the total number of .COM and .NET registrations increased by 7.9 million registrations in the final quarter of 2011.

While Verisign does not report separate registration figures for .COM and .NET, DomainTools announced they believe there are now well over 100 million .COM registrations. In their announcement, DomainTools said:

“Verisign publishes a daily ‘zone file’ of registered .com domain names with their associated nameservers. Yesterday the zone file listed 99,837,548 .COM domain names and that number has been growing by an average of about 22,000 net new .com domain names per day so far in 2012. But there are two general categories of domain names that exist but are not listed in the zone files.”

DomainTools describes the two categories as follows:

“The first category is well known, at least to people who work in and around the domain industry: domains in the Redemption or Pending Delete periods. Each day tens of thousands of .com domain names hit their renewal date. There are currently 2.1 million .com domain names in either Redemption or Pending Delete status.”

The second category is much less well known, a category DomainTools refers to as ‘dark domains’. “Domain names that exist, but are not pointed to nameservers, are not listed in the zone file and therefore not counted by most sites that track domain registration data. An example of such a domain is Spectrum.com; it exists but has no nameservers, and does not resolve to a website. Another example is theexpertcare.com; the Whois record indicates a fraud alert on the domain name and a ‘suspended’ status. This domain is also not in the zone file and yet is certainly not available for anyone to register.”

Commenting on the Verisign results, Jim Bidzos, chairman and chief executive officer, said:

“In a year that saw strong growth in global internet adoption, increased demand on our DNS infrastructure, and a growing need for network security services, Verisign delivered security and stability. We were able to both invest in strengthening our infrastructure, and manage our business for growth. Also in 2011, we completed four years of board-directed restructuring, including divesting non-core businesses, and relocating our corporate headquarters. We returned divestiture proceeds to our shareholders. This restructuring has resulted in a more efficient, focused Verisign that we believe is better prepared for the opportunities ahead. We delivered for both the global community of Internet users that increasingly rely on us, and for our shareholders.”

100 domains related to Hurricane Gustav registered in 48 hours

Nearly 100 domains related to Hurricane Gustav have been registered in the past 48 hours, security experts said Sunday, some of which may be used by bogus charity and relief scams after the storm strikes the U.S. Gulf Coast.

According to television station KTAL in Shreveport, La., the office of Louisiana’s Attorney General Buddy Caldwell has warned residents of Gustav phishing attacks already in progress.

On Saturday, Marcus Sachs, the director of the SANS Institute’s Internet Storm Center (ISC), noted that numerous domains containing the word “gustav,” “charity,” “hurricane,” and “relief” had been recently registered.

“On the day [Hurricane] Katrina hit New Orleans [in 2005] hundreds of donation sites appeared online, many if not most were scam sites,” said Sachs in a post yesterday to the ISC research blog. “Well this time around it looks like the people who like to register domain names in anticipation of a storm’s arrival have already started registering them for Gustav.”

By Sunday, Sachs had listed almost 100 Gustav sites culled from the DomainTools Web site. “Most of these sites are parked domains and many of them are for sale,” he said. “They will be worth monitoring, particularly if ‘donate here’ messages appear.”

Several of the domains, in fact, do appear to be parked, or registered but not fleshed out with content. Others, including helpgustavictims.com and helpgustavvictions.net, were for sale on eBay as of mid-day Sunday.

A few, however, led to legitimate charities. The domain gustavcharity.com, for example, redirected users to the Web site of the evangelical Christian organization “Samaritan’s Purse,” while contributegustav.org took users to the Baton Rouge Area Foundation’s site.

Original article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=19&articleId=9113918&intsrc=hm_topic