Domains: A phishing chokepoint
Carel Bitter | ICANN IDS 2019
Are these bad? (Spoiler alert: Yes)
Many are not marked as bad
No messages seen...
No significant traffic...
No website to crawl...
...yet!
The goal
A simple, straightforward system that can expand, using readily or easily available data, on nothing more than the second-level domain string, with the goal of making a phish / not-phish judgement without having the actual phishing message available.
Why target domains?
The domain is a chokepoint: break the chain and the phishing fails.
Domains are also well supported as a unit for filtering decisions. Browsers, email and DNS all support filtering at the domain level.
Why target domains?
There is a big opportunity for registries and registrars to proactively contribute towards fighting abuse.
1) Domain (string)
Lots can be learned by just looking at the base (2nd level) domain, i.e. the registrable domain; for TLDs with public second-level suffixes such as co.uk that is the label directly below the suffix.
Advantages: Readily available (zone files, pDNS, registrations).
Brands, context, actions
icloud.com-id-confirm.com
login.icloud.com.igsx.ga
help.lnstagram-copyrightsupport.ml
paypallimitedsec-confirm.com
accounts.google.com.support-centre.site
paypallimitionmanage.com
Infrastructure
nwolb.verification-ref4322.com
operator-security-config4.info
fls-na.amazon.com.ssl-us.cf
secure.runescape.com-sdk.top
secure2.appleid.apple.com-app-ids299192.com
internet-security-0p3nei.ml
Obfuscation
help.lnstagram-copyrightsupport.ml
appleld-flnd.cn
paypallimitionmanage.com
accountsumaryverfyapplyca.com
lcloud-fmi-appleid.com
https-pay-netf1ix.icu
Obfuscation detection (1)
Edit distance: the minimum number of single-character operations (insertions, deletions, substitutions) required to change one string into another.
lnstagrarn > instagram = 3
Obfuscation detection (2)
N-gram analysis, in this case using trigrams (overlapping three-character windows).
security > sec ecu cur uri rit ity
securty > sec ecu cur urt rty
The two strings share three of their eight distinct trigrams.
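The two string measures above, applied to the kind of domains shown on the earlier "Brands, context, actions" and "Obfuscation" slides. This is an added example, not code from the deck or from ICANN: the keyword lists, the thresholds and the sample domains are constructed for illustration (the domains echo the slides). It tokenises a domain on dots and hyphens, flags tokens that contain a brand or action word outright, and uses Levenshtein distance combined with trigram similarity to catch misspellings such as lnstagram and netf1ix without matching every short unrelated word.

```python
"""Brand and action-word scoring on the domain string alone.

Added example, not from the deck. Keyword lists, thresholds and the sample
domains are constructed for illustration.
"""
from __future__ import annotations

# Constructed lists; a production system would use a far larger brand set.
BRANDS = ["instagram", "paypal", "apple", "icloud", "google", "netflix", "amazon"]
ACTIONS = ["login", "confirm", "secure", "support", "verify", "account",
           "manage", "limited", "verification"]
KEYWORDS = BRANDS + ACTIONS


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions and
    substitutions that turn a into b (classic row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def trigrams(s: str) -> set[str]:
    """Overlapping three-character windows of s."""
    return {s[i:i + 3] for i in range(len(s) - 2)}


def trigram_similarity(a: str, b: str) -> float:
    """Jaccard index of the two trigram sets (1.0 = identical sets)."""
    ta, tb = trigrams(a), trigrams(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def tokens(domain: str) -> list[str]:
    """Split a domain into the pieces an eye reads: labels and hyphen parts."""
    return [t for t in domain.lower().replace("-", ".").split(".") if t]


def keyword_hits(domain: str) -> list[tuple[str, str, int]]:
    """(token, keyword, distance) for every token that contains a keyword
    outright (distance 0) or is a close misspelling of one."""
    hits = []
    for tok in tokens(domain):
        for kw in KEYWORDS:
            if kw in tok:
                hits.append((tok, kw, 0))
            elif len(tok) >= 4:
                d = levenshtein(tok, kw)
                # One edit away, or a few edits with most trigrams still shared:
                # catches lnstagram, netf1ix and lnstagrarn, but not short
                # unrelated words like "help" or "site".
                if d <= 1 or (d <= 3 and trigram_similarity(tok, kw) >= 0.4):
                    hits.append((tok, kw, d))
    return hits


def score(domain: str) -> int:
    """Crude score: 2 per brand hit, 1 per action-word hit."""
    return sum(2 if kw in BRANDS else 1 for _, kw, _ in keyword_hits(domain))


if __name__ == "__main__":
    for d in ["help.lnstagram-copyrightsupport.ml", "paypallimitedsec-confirm.com",
              "https-pay-netf1ix.icu", "accounts.google.com.support-centre.site",
              "github.com"]:
        print(f"{score(d):2d}  {d}  {keyword_hits(d)}")
```

The thresholds are deliberately loose on long tokens and strict on short ones; tune them against your own false-positive budget, and remember that a score like this only orders the queue, it does not by itself justify a takedown.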
Homοglyphs
Homoglyphs provide an excellent obfuscation method.
github.xn--aetwork-4x2zag.com
github.aꜱꜱetworkꜱ.com
2) Domain metadata
Domain metadata can be of great help in amplifying other measurements.
Advantages: Mostly available (although sometimes difficult to get at scale).
Domain age
Reputation is gained over time. Old means a long-standing and continuous investment. New can be suspicious.
Domain expiry
New, and registered for <1 year
New, and registered for >1 year
Old, and registered for <1 year
Old, and registered for >1 year
Domain TLD
Free vs. paid-for
ccTLD / gTLD / new gTLD / free TLD / pseudo TLD
Open vs. restricted registration
Operationally hard: pricing and promotions
3) DNS
DNS information gives us anchors for attaching history and reputation.
Advantages: Cheap to get at scale, history exists, reputation exists.
NS records
These can be found without touching miscreant infrastructure: the delegation is served by the parent (TLD) zone.
Age, self-NS vs. external, NS IP addresses, reputation of those IP addresses, volatility, pDNS history ...
A/MX/TXT/etc. records
Caveat: a record lookup that needs an answer from the domain's authoritative servers may reveal you to whoever operates them.
Augment and expand as you would for NS.
4) SSL certificates
Newly issued SSL/TLS certificates are public, thanks to the Certificate Transparency project.
Advantages: Free and open, near real-time.
Certificate issuer
Who issued the certificate?
Paid vs. free
Certificate calendar mapping
Compare the certificate's issue date to the domain's registration date.
The same considerations apply as to domain age.
Common Name (CN)
A certificate is usually given out for a specific name on a domain. In practice the names to examine are the Subject Alternative Names; the CN is at most one of them.
appleid.apple.com-id-login.us
facebook.com.copyright-10000739255.info
pay.naver.com-cafe.joonggonara-613901.cf
Common Name (CN)
Sometimes the entire domain is new: certificates can be an input by themselves.
The CT stream itself is a valuable source of domains (but: good and bad).
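What a consumer of the CT stream does with names like the ones on the CN slides above (and the "Infrastructure" examples earlier): find the registrable domain, which is the unit you can actually filter or report, and flag names that embed a real hostname such as apple.com as a prefix while being registered somewhere else. This is an added example, not code from the deck or from ICANN. PUBLIC_SUFFIXES is a constructed subset standing in for the Public Suffix List, and KNOWN_HOSTS and the sample names are constructed too (several echo the slides). The same registrable-domain helper also answers the self-NS vs. external question from the NS records slide.

```python
"""Certificate-name triage: registrable domain behind a CT log name, and
names that embed a real hostname as a look-alike prefix.

Added example, not from the deck. PUBLIC_SUFFIXES stands in for the Public
Suffix List; KNOWN_HOSTS and the sample names are constructed.
"""
from __future__ import annotations

PUBLIC_SUFFIXES = {"com", "net", "org", "info", "us", "cf", "ga", "ml", "top",
                   "site", "icu", "co.uk", "com.au"}
KNOWN_HOSTS = ["apple.com", "icloud.com", "amazon.com", "google.com",
               "paypal.com", "facebook.com", "naver.com"]


def registrable_domain(fqdn: str) -> str | None:
    """Label directly below the longest matching public suffix, e.g.
    'login.icloud.com.igsx.ga' -> 'igsx.ga'; None if the suffix is unknown."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def embedded_hosts(fqdn: str) -> list[str]:
    """Known hostnames that appear inside fqdn at a '.' or '-' boundary while
    the registrable domain is something else, e.g. 'apple.com' inside
    'appleid.apple.com-id-login.us'. A name genuinely under apple.com is skipped."""
    fqdn = fqdn.lower()
    owner = registrable_domain(fqdn)
    found = []
    for host in KNOWN_HOSTS:
        if owner == host:
            continue
        start = fqdn.find(host)
        while start != -1:
            end = start + len(host)
            at_boundary = ((start == 0 or fqdn[start - 1] in ".-") and
                           (end == len(fqdn) or fqdn[end] in ".-"))
            if at_boundary:
                found.append(host)
                break
            start = fqdn.find(host, start + 1)
    return found


def triage(san_names: list[str]) -> dict[str, list[str]]:
    """Group the names on one certificate by registrable domain, keeping only
    those that impersonate a known host. The registrable domain is the thing
    to act on (block, report, or watch), not the individual hostname."""
    result: dict[str, list[str]] = {}
    for name in san_names:
        if embedded_hosts(name):
            result.setdefault(registrable_domain(name) or name, []).append(name)
    return result


def self_hosted_ns(domain: str, ns_hosts: list[str]) -> bool:
    """True when every NS host lives under the domain itself (self-NS)."""
    return all(registrable_domain(ns) == registrable_domain(domain) for ns in ns_hosts)


if __name__ == "__main__":
    # Constructed SAN list, as one certificate seen in a CT log might carry it.
    sans = ["appleid.apple.com-id-login.us", "login.apple.com",
            "fls-na.amazon.com.ssl-us.cf", "pay.naver.com-cafe.joonggonara-613901.cf"]
    for name in sans:
        print(f"{name:45s} owner={registrable_domain(name)} embeds={embedded_hosts(name)}")
    print(triage(sans))
    print(self_hosted_ns("igsx.ga", ["ns1.igsx.ga", "ns2.igsx.ga"]))
```

Two cautions a practitioner will want: use the real Public Suffix List rather than a hand-written set, or multi-level suffixes and private suffixes (hosting providers) will be mis-split; and treat a None owner as "unknown suffix", not as safe.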
Inputs so far: domain string, domain metadata, DNS, certificates.
Conclusion
Finding suspect phishing domains without having the phishing message is certainly possible. There is plenty of low-hanging fruit and plenty of places to pick it. Depending on your appetite for risk, various mitigation strategies are possible.
Thank you!
For domain reputation discussions, metadata tales and my famous salmon recipe: