Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Scammer Emails and Instant Domain Whois record Disappearance - SANS Internet Storm Center SANS ISC InfoSec Forums


Scammer Emails and Instant Domain Whois record Disappearance
I don't have any answers to your first 3 questions, but for question 4, I would say YES definitely! I remember attending a presentation at DefCon or BlackHat this year, where the presenter had done research in the very same area: he registered domain names that were 1 character off of some well-known domains & then he was able to perform some malicious activities. Of course, he had let them know ahead of time and unregistered them after he was done. I'll see if I can find a link to it & share it here for more in-depth information.
AAInfoSec

46 Posts
1. Yes, as an example (not an endorsement or recommendation), I know domaintools.com archives records. They require a subscription, though there's a 7-day free trial (probably with CC# and account creation, I do not know). I'm sure there are others with historical records, too; I just know they have that service.

2. I don't know a ton about SMTP, but I think your theory is correct; I'm not sure on the bad or hacked idea really, sorry.

3. I would report it to your local FBI office; they will eventually maybe look into that account and get it shut down or start monitoring it. Since you didn't actually fall victim to a crime here, there's no legal recourse that I'm aware of. The suspects are probably out of country anyway. However, it could be valuable intelligence for them on a case they're working.

4. I would not bother with that, just block it on your email filters. Again as an example and not a recommendation, I also know DigiCert has a certificate monitoring service that is in beta and free (for now). One of the features of that service is visually similar domain name registration alerts. Just add your domains and it will alert you if anything similar gets registered. You can then look at it and evaluate if it's probably malicious or just a legitimately similar domain.
xencon

5 Posts
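Both replies above touch on lookalike domains: AAInfoSec's "1-character off" registrations and xencon's suggestion to filter sender domains and watch for visually similar registrations. The following is an added example (not code from either poster or from DigiCert's service) of how a mail filter or monitoring script can classify a sender's domain as your own, a lookalike, or unrelated. The confusable-character table and the sample domains are constructed for illustration, and the second-level-label extraction assumes a single-label public suffix.

```python
import unicodedata

# Visually confusable substitutions often seen in lookalike registrations.
# Constructed, illustrative list; extend it for your own domains and TLDs.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d", "5": "s"}

def normalize(label: str) -> str:
    """Collapse a domain label to a canonical ASCII form so that homoglyph
    and digit/letter swaps compare equal. Non-ASCII (e.g. Cyrillic) letters
    are dropped, which turns an IDN homograph into a near-miss spelling."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = label.encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' from 'mail.example.com'.
    Assumption: single-label public suffix; use a PSL library in production."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify_sender(sender_domain: str, own_domains, max_distance: int = 1) -> str:
    """Return 'own', 'lookalike' or 'unrelated' for the domain in a sender
    address, given the list of domains the organisation actually controls."""
    lowered = sender_domain.lower()
    if any(lowered == d.lower() or lowered.endswith("." + d.lower()) for d in own_domains):
        return "own"
    s = normalize(registrable_label(lowered))
    for d in own_domains:
        o = normalize(registrable_label(d))
        if s == o or edit_distance(s, o) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Feed it the domain from the envelope sender or From: header of inbound mail, or the domains from a newly-registered-domain feed, and quarantine or alert on "lookalike" results.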
