ThreatSTOP Blog

Duck DNS imposters spotted phishing for trouble

Written by Ofir Ashman | December 7, 2021

If you work in security research, you probably know Duck DNS. The free dynamic DNS hosting provider lets anyone point traffic from one of their subdomains to an IP of choice. At ThreatSTOP, we see these subdomains on a daily basis headlining various threat intelligence blacklists. In other words - they're everywhere, and they're bad.

Image: Duck DNS

During a completely different project, one of our threat researchers noticed a bunch of newly registered domains that look like Duck DNS subdomains under the legitimate duckdns[.]org. Only they're not. Threat actors are squatting the free DDNS provider's domain in every way possible, and are constantly registering new domains under them (like ebpmmurscs.ducksdns[.]org). These typosquats include:

  • ducksdns[.]org
  • duckddns[.]org
  • ducknds[.]org
  • duck-dns[.]org
  • ducksns[.]org
  • duckcns[.]org
  • dockdns[.]org
  • dukdns[.]org
  • ducdns[.]org
  • duc.kdns[.]org
  • duckns[.]org
  • duck.dns[.]org

While some of these are easier to recognize as strange (dockdns for example), a concerning Alexa statistic shows that many of the domains such as ducksdns[.]org and duckns[.]org are in the top 1 Million domains worldwide. A simple Google search though, shows that there is no legitimate website to visit on the domain.

Taking a closer look at the domains' infrastructure revealed that a bunch of the typosquats are hosted on three distinct IPs (170.178.168[.]203, 103.224.182[.]242, 70.32.1[.]32), and use name servers by above[.]com. While the latter is a legitimate service for domain registering and parking, we have seen quite a few instances of their infrastructure being abused for malicious activity.

Image: VirusTotal

In addition to these three super malicious IPs, four others receive honorable mention:

  • 81.171.22[.]7 - hosts duckns[.]org
  • 23.82.12[.]31 - hosts ducksdns[.]org
  • 192.185.167[.]252 - hosts duck.dns[.]org
  • 199.59.242[.]153 - hosts ducksns[.]org

 

Monitoring newly registered domains is overlooked more often than not, yet it is one of the most effective ways to immediately protect yourself from new malware and attacks. ThreatSTOP utilizes Farsight's Newly Observed Domains (NOD) to create tiered, automated targets (blocklists), protecting users from new attacks and threat infrastructure. For a comprehensive solution, our team also analyzes new domain data to enrich the threat intelligence aggregated in our system.

 

Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?