So much critical data can be obtained and operationalized just by monitoring newly registered domains, yet many security vendors just don't do it. ThreatSTOP utilizes Farsight's Newly Observed Domains (NOD) to create tiered, automated targets (blocklists), protecting users from new attacks and threat infrastructure. For a comprehensive solution, our team also analyzes new domain data to enrich the threat intelligence aggregated in our system.

Searching for typosquats and patterns in newly observed domains can be the key to uncovering new (and old, unknown) attack infrastructures. Just look at PayPal for example. Over the last week, hundreds of new, malicious domains were first seen in DNSDB's passive DNS, as subdomains to these typosquats:

  • paypal-net[.]com
  • paypal-mobiletopup[.]net
  • paypalupdate[.]biz
  • verification-paypal[.]org
  • account-paypal[.]biz
  • processing-paypal[.]net
  • pypl.com[.]tw

Just by taking a look at these domains, pretty much anyone can tell that they're bad. But to make things even more obvious - all of these domains resolve to the same IP (72.52.10[.]14), meaning they are probably being used by the same threat actor/s for a broader malicious campaign. Most commonly, domains like these will be used for phishing or as parents for DGAs.

paypal_domains

Image: VirusTotal

Interestingly enough, this IP is part of an Akamai AS meant to provide extra protection from DDOS attacks - AS 32787 (PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK). Well, based on the number of malicious files communicating with it - this IP is definitely not living up to its mission (kind of like all the maliciousness on DDoS Guard).

paypal_virustotalImage: VirusTotal

So what are you waiting for? If you aren't already, block those malicious domains (and any subdomains) ASAP. For ThreatSTOP customers it's easy - these IOCs and similar campaigns are already blocked from your network in our Core Threats bundle, incorporating NOD data with our security team's research and enrichments. Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate malware on your network?

Get a Demo