The banking platform where you save your earnings. The employee portal where your team logs their hours. Your own company’s website. What have they all got in common? Cybercriminals spoof them to scam you online. It only takes one lapse in defenses for a convincing fake site to wreak havoc. Studies show that the largest 10% of attacks create over 89% of victims. Modern phishing scams combine decades of expertise with cutting-edge AI to host fake pages and launch email campaigns towards your inbox, and these convincing dupes appear indistinguishable to the human eye.
Consumers and businesses need strategies to beat these attacks that go beyond the eye-test. Data-led risk protection solutions use sources like a DNS lookup to strengthen security postures and deliver the tools you need to tackle scams. The tactics we’ll explore today help you combat phishing campaigns and protect your organization online.
How are phishing attacks evolving to trick their targets?
Phishing attacks typically involve whole webs of fake assets. Scammers pose as legitimate service providers to trick visitors into filling out forms and leaking passwords and financial data. In fact, EBRAND CTO Anouar Adlani recently highlighted ten different types of domain spoofing, from doppelgänger attacks to sound squatting, as criminals leverage new technologies to diversify their scams.
Recent studies also reveals what scammers do after monetizing stolen data. A University of Arizona research paper, supported by Google, PayPal, and an APWG Board Member, shows that “credentials of 63.61% of these compromised victims would additionally appear in a public dump”. Businesses and consumers therefore require a data-led anti-phishing strategy, empowered by insightful sources like DNS data.
What is a DNS lookup, and how is it relevant to phishing attacks?
DNS stands for Domain Name System. A DNS translates human-readable information, like website names, back and forth between machine-readable information, like IP addresses and other back-end website infrastructure. During a DNS lookup, we query a domain name system to find out specific back-end information, typically including an IP address.
With DNS lookups, anti-phishing solutions use IP and related information to learn more about threats online. This information reveals some clues about a website, which we can use to detect dangerous fakes and validate legitimate pages.
What tactics can the data from a DNS lookup support?
Digital Risk Protection experts protect businesses from phishing attacks and other threats by comparing DNS information with key data sources. These sources include insights from scam databases, and any information you’ve gathered yourself.
The phrase “know your enemy” holds true for anti-phishing strategies, and the kinds of data that DNS searches reveal support the following strategies:
Data Enrichment: Businesses use DNS search results to spark more insights for well-rounded threat intelligence. DNS records, Passive DNS logs, and WHOIS registration data provide detailed metadata about a domain, including when it was created, where it’s hosted, the services it uses and the IP addresses with which it historically interacts. This information often serves as a threat indicator for phishing attacks. For example, recently domains are often more suspicious than established ones.
Pattern Recognition: DNS data reveals patterns that phishing sites typically display, such as frequent IP address changes or the use of certain domain registrars known for hosting malicious sites.
Chain Analysis: A single DNS lookup can unveil associated domains or subdomains, uncovering possible phishing sites, and larger networks of cybercriminal infrastructure used to target business and consumers.
Geolocation Filtering: Knowing the geolocation of the IP address helps businesses identify high-risk zones that frequently launching phishing attacks, boosting threat intelligence.
Reputation Scoring: Several databases score domain reputations based on DNS and other network signals. When cross-referenced with these resources, DNS lookups deliver useful reputation insights that anti-phishing experts incorporate into their phishing detection algorithms.
How DNS data supports augmented threat intelligence
EBRAND informs its threat intelligence with DNS data from sources like the eCrime eXchange reports delivered by APWG, The Anti-Phishing Working Group. These reports provide records of maliciously registered domain names from APWG’s members’ personnel, along with other data assets such as known dangerous IP addresses. APWG, an organization with decades of anti-phishing excellence, forms an international coalition of peer-expert data correspondents dedicated to tackling cybercrime.
Through the curated exchange of cybercrime report records marked for reliability and strictly curated for data fidelity, APWG organizes effective anti-phishing action alongside their potential with EBRAND. The group also makes their data reports programmatically recruitable by security professionals and security applications developers. Their phishing Webpage tool, pictured below, lets individuals and organizations report suspicious websites. APWG members and personnel then review the reports, writing to APWG’s Phishing URL API endpoint (/phish). Adding confidence factors (CF) also helps indicate record reliability.
The group’s members, including EBRAND, write reports directly to /phish with CFs. These CFs immediately create usable records, beyond the capabilities of third-party or volunteer-assessed data pools.
Digital Risk Protection platforms like EBRAND’s X-RAY also incorporate DNS searches into its anti-phishing and threat detection tools. Whenever the solution detects suspicious activity online, EBRAND conducts a DNS search to learn more about the threat. EBRAND’s X-RAY then enriches DNS data with cross-channel sources to unmask phishing attackers. The solution reports any identified attackers to threat intelligence groups, including the globally recognized APWG eCX.
As a champion of round-table OSINT (Open Source Intelligence) APWG works as a formal data correspondent with EBRAND. Together, the organizations protect brands and tackling cybercriminals. EBRAND, a founding APWG.EU corporate collaborator, signed the APWG’s Data Sharing Agreement in January 2022. With APWG, EBRAND uses eCX and contributes to the global cybercrime data clearinghouse.
Conclusions: Proactive anti-phishing with DNS tools
Cybercriminals continuously diversify their phishing tactics, surpassing the eye-test and threatening brands, employees, and consumer-bases alike. Fortunately, for each new phishing trick, a data-led solution helps businesses boost their threat intelligence and outsmart criminal campaigns. DNS data delivers a vital source for anti-phishing strategies, whether you’re part of a team, or browsing solo. Anticipating DNS threat indicators with a risk protection solution, and collaborating with informed groups like APWG, helps make the internet a safer place.
