Don't just defend - go after attacker infrastructure


Our SOC investigates hundreds of phish emails, malicious URLs clicked and AiTM attacks every day. Many of them adopt a “spray and pray” approach, sending poorly worded emails containing obviously dodgy links, but then there are the attacks that get escalated because of their targeted nature or high level of deception. These very clever mails will continue an internal email conversation, contain links to legitimate services and company-branded pages that will actually authenticate against the company's real directory to steal passwords and tokens that bypass MFA. Another very clever attack is to poison search results or even to sponsor paid results on Google that are clicked by users thinking that these are legitimate sites. Our response is quick and goes out across our customer base to protect them against the discovered indicators - blacklisting typosquatted domains and IP addresses, feeding content into the latest user awareness campaign, resetting stolen credentials and clearing their sessions. For most cybersecurity people we speak to, that’s normally where the story ends…

Raising costs on the attacker

Those clever attacks - words carefully chosen, domain names purchased, web sites hosted and kits configured - all take some serious investment of time and maybe even a little money. Sure, our SOC thwarted the attempts on our customers, but succeeding as a bad guy is a numbers game - volume and scale - because although a defender has to stop every attack, a bad guy only needs to get lucky once. That investment of time and money in infrastructure will get used by the attacker again and again and again. So why leave it there to eventually succeed? Why leave it there to eventually hit your kids' school, your local council or perhaps even your bank?

Well firstly, it’s frustratingly hard to get things taken down. Some of the hosting services are happy to profit from being service providers to bad guys and are based in parts of the world where that is alright. We see the same names over and over again, to the point where we know that a domain is likely malicious based on its registrar alone. They all, of course, advertise their Terms and Conditions and abuse contact information - as any seemingly legitimate business should - but are not compelled to do anything about complaints received.

Secondly, there is just no direct incentive for defenders. Of course customers are interested in whether the infrastructure remains a risk to themselves and ask us to do all we can to mitigate it but when the discovered material threatens others… We know that if we offered takedowns as a standalone service to go after known bad infrastructure that the reporting customer had already protected themselves against - nobody would buy it. 

Whose responsibility is it? The government’s? Well, we can tell you that they are already flat out doing exactly this, but they only have so many resources, which we would rather have them prioritise on doing things that we do not have the capability or legal right to do ourselves. So the attacker continues unfazed, and perhaps even emboldened, to continue their crime spree. The “Broken Window Theory” could explain why cyber crime is rising: the number of perpetrators increases under the assumption that they are untouchable, and as defenders we’ll eventually be faced with an untenable situation.

What can you do?

Although the process is frustrating, it is not impossible and just imagine how frustrated the clever bad guys will be when their campaigns, painstakingly configured, have been taken offline - all their investment in poisoning SEO, setting up phishing kits, crafting journeys to do their best to deceive users. It won’t stop them all but it will slow them down, cost them some money and time. Maybe even deter some of them.

1. Start with WHOIS

The domain name or IP addresses will come through in an incident ticket (related to a phishing mail or dodgy link clicked) or through pre-emptive attack intelligence from your dark web monitoring provider. Create a list of all the IPs and domains involved and check them out in a sandbox - this will likely expose more domains and IPs, so add them to the list. Screenshot everything. If there are phishing kits involved, you can then also usually fingerprint them - which is useful in other ways.

Start researching the domains and IP addresses in WHOIS - you'll be looking for a number of interesting things:

  1. The registrar - who the domain was likely purchased from. Most times the registrant's contact details have been hidden, but the registrar will have listed their own contact details (for reporting abuse). The registration date will also be useful.
  2. The host of the DNS records - sometimes still with the registrar, but sometimes they have been moved to Cloudflare (or similar) to hide the real infrastructure IPs.
  3. Mailservers - Most typosquatting domains involved in phishing campaigns will have a mail server that can receive mails.
  4. TXT Records - Any other services that needed DNS authentication will require TXT records so you'll find DocuSign, Mimecast, Zoom accounts etc.
  5. CNAME and A Records - a bit tougher to discover all of them... maybe names and IPs will be revealed through the links and phishing mails themselves or you can use a fuzzing service to discover common names. Follow all those IPs to identify where that infrastructure might be hosted.

Screenshot everything.
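To make the WHOIS and DNS research above repeatable across a long list of domains, the following added example (not code from the original post) parses the key/value WHOIS output you get back for a domain, pulls out the registrar, its abuse contact, the creation date, the name servers and whether the registrant is redacted, and then turns those facts plus a captured set of DNS answers into a list of parties to notify and evidence to keep. The domain, IPs, provider names and record values are all constructed for the example; the TXT-record prefixes used to spot third-party services are assumptions about common verification formats, not a definitive list.

```python
from dataclasses import dataclass, field

# Constructed sample WHOIS output for the hypothetical domain
# "examp1e-corp.com"; every value below is made up for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMP1E-CORP.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2024-03-02T10:15:00Z
Creation Date: 2024-03-01T09:00:00Z
Registrar Registration Expiration Date: 2025-03-01T09:00:00Z
Registrar: Hypothetical Registrar Ltd
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Name Server: ALICE.NS.CLOUDFLARE.COM
Name Server: BOB.NS.CLOUDFLARE.COM
DNSSEC: unsigned
"""

# Constructed DNS answers for the same hypothetical domain, as a sandbox
# run or a few dig queries might have returned them.
SAMPLE_DNS = {
    "A": ["203.0.113.45"],
    "MX": ["10 mail.examp1e-corp.com."],
    "TXT": [
        "v=spf1 include:spf.protection.outlook.com -all",
        "docusign=abcdef12-0000-4000-8000-000000000000",
        "mimecast-verification=deadbeef",
    ],
    "CNAME": {"login.examp1e-corp.com": "proxy.hosting.example."},
}

# Assumed TXT-record prefixes that reveal a third-party service tied to the
# domain (each such service has its own abuse route).
SERVICE_TXT_MARKERS = {
    "docusign=": "DocuSign",
    "mimecast-verification=": "Mimecast",
    "zoom-domain-verification=": "Zoom",
    "google-site-verification=": "Google",
}


@dataclass
class WhoisSummary:
    domain: str = ""
    registrar: str = ""
    abuse_email: str = ""
    abuse_phone: str = ""
    created: str = ""
    name_servers: list = field(default_factory=list)
    registrant_redacted: bool = False


# WHOIS keys (lower-cased) mapped onto the summary fields we care about.
_KEY_TO_ATTR = {
    "domain name": "domain",
    "registrar": "registrar",
    "registrar abuse contact email": "abuse_email",
    "registrar abuse contact phone": "abuse_phone",
    "creation date": "created",
}


def parse_whois(text: str) -> WhoisSummary:
    """Extract the step-1 fields from 'Key: Value' style WHOIS output."""
    summary = WhoisSummary()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            summary.name_servers.append(value.lower().rstrip("."))
        elif key.startswith("registrant") and "redacted" in value.lower():
            summary.registrant_redacted = True
        elif key in _KEY_TO_ATTR:
            if key == "domain name":
                value = value.lower()
            setattr(summary, _KEY_TO_ATTR[key], value)
    return summary


def triage(whois: WhoisSummary, dns: dict) -> dict:
    """Turn WHOIS and DNS facts into who to notify and what evidence to record."""
    notify, evidence = [], []
    if whois.abuse_email:
        notify.append(("registrar", whois.registrar, whois.abuse_email))
    if whois.registrant_redacted:
        evidence.append("registrant redacted; the registrar abuse contact is the route")
    if whois.created:
        evidence.append(f"domain created {whois.created}")
    if any(ns.endswith(".ns.cloudflare.com") for ns in whois.name_servers):
        evidence.append("DNS hosted at Cloudflare; origin IPs are likely hidden")
        notify.append(("dns", "Cloudflare", "report via the provider's abuse page"))
    for mx in dns.get("MX", []):
        evidence.append(f"mail server: {mx}")
        notify.append(("mail", mx.split()[-1].rstrip("."), "look up its hosting provider"))
    for txt in dns.get("TXT", []):
        for marker, service in SERVICE_TXT_MARKERS.items():
            if txt.lower().startswith(marker):
                notify.append(("service", service, txt))
    for ip in dns.get("A", []):
        evidence.append(f"A record -> {ip}; look up the hosting provider for its abuse contact")
    for name, target in dns.get("CNAME", {}).items():
        evidence.append(f"CNAME {name} -> {target}")
    return {"notify": notify, "evidence": evidence}


if __name__ == "__main__":
    result = triage(parse_whois(SAMPLE_WHOIS), SAMPLE_DNS)
    for kind, who, how in result["notify"]:
        print(f"notify {kind:9} {who}: {how}")
    for item in result["evidence"]:
        print(f"evidence: {item}")
```

Run it against real WHOIS text by piping the output of `whois <domain>` into `parse_whois`; the DNS dictionary is whatever your sandbox or resolver returned. The point of keeping the output as structured data rather than screenshots alone is that the same record then feeds the abuse emails in step 2 and the follow-up tracking in step 3.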

2. Follow the documented processes and report it

If you've got clear evidence of abuse, this is much easier to do. Make sure you have all the original emails (with their headers intact), usually exported as attachments by your end users. The WHOIS research will give you the abuse contact emails of all the hosting providers, registrars etc., but it's also a good idea to read the Terms and Conditions of the various providers (normally hosted on their website) so that you can refer to the specific clauses that the bad guy has contravened. Sometimes there are also different routes to take based on the type of abuse. An example of this is:


Fill out the online forms, write the emails and be sure to include all the required information and evidence. If you don't have evidence, then this is a little trickier and requires that your customer has previously registered a trademark (text and/or logo). If you're lucky and they have, you can grab the link to their trademark registration to include as evidence in a Copyright/DMCA report. Search the UK trademark register here:

https://www.gov.uk/search-for-trademark

Follow this process for every IP and domain discovered during research to take down the mail servers, hosting services, cloud services and DNS providers, but start with the registrar first.

3. Follow up and escalate

Don't expect a reply and most times, you don't even get an automated one. The Terms and Conditions may have SLAs on responses - normally 48 hours - but even then, we have rarely received a formal response. Keep tracking the domains and IPs and check them daily.

We normally follow up on the original mail, stating the number of hours that have passed since the incident was originally raised without feedback, and report that the domain or IP is still up and contravening the Terms and Conditions of the provider. At this point, most mail server, hosting and cloud services will respond positively, thanking you for bringing the abuse to their attention. Registrars, on the other hand, are always sticky.

You can escalate registrar complaints. When seven (7) days have passed without a response (and no change on the domain or DNS hosting), your next step is to file a complaint against the provider with ICANN. You can normally file that using this link:

https://www.icann.org/compliance/complaint

We have found that process quite effective, but you do have to demonstrate that you have given the provider enough time to respond before escalating to ICANN. It once happened that the sub-links stopped working, which meant the online forms couldn't be completed, so we mailed ICANN directly (also reporting the links down):

compliance-cases@icann.org and compliance@icann.org

ICANN will send you some automated responses with case numbers which you can use to follow up on. Every ICANN report we have filed has been successful, having carefully followed the process and included as much information and evidence as possible.
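The follow-up and escalation rules in step 3 (chase after the usual 48-hour window, file with ICANN once seven days have passed with no registrar response and no change, keep checking daily) are easy to lose track of across dozens of reports. The following added example, which is not code from the original post, keeps one record per report and decides each day whether to wait, follow up, escalate, monitor or close. The targets, timestamps and check results are constructed; the two thresholds are taken from the text above, and the tracker assumes you record whether a non-automated reply arrived and the result of your daily liveness check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from the post: providers commonly quote 48 hours, and an ICANN
# complaint about a registrar should wait until seven days have passed.
FOLLOW_UP_AFTER = timedelta(hours=48)
ESCALATE_AFTER = timedelta(days=7)


@dataclass
class TakedownReport:
    target: str                 # domain or IP address reported
    provider_kind: str          # "registrar", "dns", "hosting", "mail" or "cloud"
    reported_at: datetime       # when the abuse report went out
    replied: bool = False       # a non-automated response has been received
    still_live: bool = True     # result of the most recent daily check
    escalated: bool = False     # ICANN complaint already filed


def next_action(report: TakedownReport, now: datetime) -> tuple:
    """Decide what to do today for one report; returns (action, hours since report)."""
    elapsed = now - report.reported_at
    hours = int(elapsed.total_seconds() // 3600)
    if not report.still_live:
        return ("close: infrastructure is down, keep the evidence on file", hours)
    if report.escalated:
        return ("monitor: ICANN case open, keep checking daily", hours)
    if report.replied:
        return ("monitor: provider acknowledged, keep checking daily", hours)
    if report.provider_kind == "registrar" and elapsed >= ESCALATE_AFTER:
        return ("escalate: file an ICANN compliance complaint, citing the hours without response", hours)
    if elapsed >= FOLLOW_UP_AFTER:
        return ("follow up: reply to the original mail, state the hours elapsed and that the target is still live", hours)
    return ("wait: still inside the provider's response window", hours)


def apply_checks(reports: list, checks: list) -> list:
    """Fold today's (target, is_live) check results into the matching reports."""
    latest = dict(checks)  # the last result recorded for a target wins
    for r in reports:
        if r.target in latest:
            r.still_live = latest[r.target]
    return reports


def plan(reports: list, now: datetime) -> dict:
    """Map 'target/provider' to today's action for every open report."""
    return {f"{r.target}/{r.provider_kind}": next_action(r, now) for r in reports}


# Constructed reports for the hypothetical examp1e-corp.com campaign.
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
REPORTS = [
    TakedownReport("examp1e-corp.com", "registrar", datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)),
    TakedownReport("examp1e-corp.com", "dns", datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc), replied=True),
    TakedownReport("mail.examp1e-corp.com", "mail", datetime(2024, 3, 7, 9, 0, tzinfo=timezone.utc)),
    TakedownReport("203.0.113.45", "hosting", datetime(2024, 3, 8, 12, 0, tzinfo=timezone.utc)),
    TakedownReport("login.examp1e-corp.com", "cloud", datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc)),
]
# Constructed results of today's daily check; the cloud-hosted login page is gone.
TODAYS_CHECKS = [
    ("examp1e-corp.com", True),
    ("mail.examp1e-corp.com", True),
    ("203.0.113.45", True),
    ("login.examp1e-corp.com", False),
]


if __name__ == "__main__":
    for key, (action, hours) in plan(apply_checks(REPORTS, TODAYS_CHECKS), NOW).items():
        print(f"{key:40} {hours:4}h  {action}")
```

Re-run `plan` each day after recording the check results; the hours value is the figure to quote in the follow-up mail, and the order of the checks in `next_action` means a target that has gone down is closed before any chasing or escalation is suggested.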

Job done

Well, not exactly the job - it's more than just a job and we truly believe that defenders who care about cybersecurity should put in the effort to close down attacker infrastructure they discover. 

The UK NCSC also has some additional guidance on reporting which can be found here:

https://www.ncsc.gov.uk/collection/phishing-scams

Don’t do it for your customers, for money or for recognition - do it because you actually care about the community you live in and it’s the right thing to do.