
"I've Found Some Bad Domains—Now What?"

Introduction

When we talk about investigating bad domains, our focus is often on identifying starting clues or amplifying those starting clues by finding productive pivots in Iris Investigate, DNSDB or related tools. What often goes undiscussed is what happens after you’ve actually identified a set of bad domains. Often there is simply silence once that point in the process has been reached. But why?

  • Perhaps “everyone” assumes that “everybody else” must simply intuitively “know” what happens next?
  • Or perhaps there’s a belief that what happens next is a sort of hard-won “secret sauce” that must be kept within the “cone-of-silence?” 
  • Or maybe — simply as a consequence of increasing specialization and the partitioning of responsibilities — people who discover bad domains may never get told what happens to the results they’ve found.

Whatever the reason, this blog is going to say a little about “what often happens next.”

In general, there are three main approaches to handling bad domains, one technical, one involving attorneys, and one involving sworn LEOs (law enforcement officers).

Technical Approaches: Blocking Unwanted Network Traffic

Technical people tend to prefer to employ technical responses to online security issues, and in truth, many times technical approaches to technical security problems may be your only practical option. Generally speaking, technical responses to network security issues often involve blocking unwanted traffic.

Example A) Imagine you’re doing log analysis on an Internet-exposed server. That server has logged repeated login failures on port 22/TCP, the SSH (secure shell) port. We know that when an Internet-exposed SSH daemon gets found by a scanner, the attacker will routinely follow up with brute-force password-guessing attacks against that box. That’s likely what’s going on in this case. But how should you respond? This sort of behavior has become so common that many analysts simply encourage the target of those attacks to:

  • Automatically squelch the sources of those brute force login attempts with Fail2Ban or a similar tool, or
  • Move from a “default permit” model (blocklisting observed attack sources), to a “default deny” model, blocking everything (except for a small number of specially-exempted static IPs believed to be safe).

Note that DNSDB (or another passive DNS product) is not required for this example — the response process is all IP-address driven. Passive DNS may NOT “always be the answer.”
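As an added illustration of Example A (example code written for this post, not DomainTools’ code and not part of Fail2Ban), the following Python script runs Fail2Ban-style logic over a handful of constructed sshd log lines: it counts failed password attempts per source IP inside a sliding time window, exempts a static allowlist the way a “default deny” model would, and returns the sources that crossed the threshold. The log lines, IP addresses, thresholds and the `render_drop_rules` helper are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines in the traditional syslog layout (sample data, not real traffic).
# 203.0.113.7  : five failures in eight seconds (classic brute force)
# 198.51.100.20: one typo followed by a successful key login (a legitimate user)
# 192.0.2.9    : six rapid failures, but from a range we will allowlist
# 198.51.100.77: five failures spread over an hour ("low and slow")
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 bastion sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:04 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 10:00:06 bastion sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:09 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51271 ssh2
Mar  3 10:01:00 bastion sshd[2210]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:01:30 bastion sshd[2211]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
Mar  3 10:02:00 bastion sshd[2220]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 10:02:01 bastion sshd[2221]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 10:02:02 bastion sshd[2222]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 10:02:03 bastion sshd[2223]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  3 10:02:04 bastion sshd[2224]: Failed password for root from 192.0.2.9 port 33005 ssh2
Mar  3 10:02:05 bastion sshd[2225]: Failed password for root from 192.0.2.9 port 33006 ssh2
Mar  3 10:30:00 bastion sshd[2230]: Failed password for root from 198.51.100.77 port 41001 ssh2
Mar  3 10:45:00 bastion sshd[2231]: Failed password for root from 198.51.100.77 port 41002 ssh2
Mar  3 11:00:00 bastion sshd[2232]: Failed password for root from 198.51.100.77 port 41003 ssh2
Mar  3 11:15:00 bastion sshd[2233]: Failed password for root from 198.51.100.77 port 41004 ssh2
Mar  3 11:30:00 bastion sshd[2234]: Failed password for root from 198.51.100.77 port 41005 ssh2
"""

# Matches the two common "Failed password" shapes sshd logs (known user / "invalid user").
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Map each source IP to the (sorted) timestamps of its failed password attempts."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not evidence of guessing
        # syslog timestamps carry no year; strptime's default year is fine for relative windows
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    for stamps in failures.values():
        stamps.sort()
    return failures


def ban_decisions(log_text, maxretry=5, findtime_seconds=600, allowlist=()):
    """Fail2Ban-style rule: ban a source with >= maxretry failures inside any findtime window.

    Sources inside an allowlisted network are never banned (the "specially-exempted static IPs").
    Returns {ip: most failures seen in one window} for every source that crossed the threshold.
    """
    window = timedelta(seconds=findtime_seconds)
    exempt = [ip_network(n) for n in allowlist]
    banned = {}
    for ip, stamps in parse_failures(log_text).items():
        if any(ip_address(ip) in net for net in exempt):
            continue
        best, j = 0, 0
        for i in range(len(stamps)):
            # advance j to the first failure that falls outside the window opened by stamps[i]
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)  # number of failures in the window starting at stamps[i]
        if best >= maxretry:
            banned[ip] = best
    return banned


def render_drop_rules(banned):
    """Render one iptables DROP rule per banned source (strings only; nothing is executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    decisions = ban_decisions(SAMPLE_AUTH_LOG, allowlist=("192.0.2.0/24",))
    for ip, count in decisions.items():
        print(f"{ip}: {count} failures inside the window")
    print("\n".join(render_drop_rules(decisions)))
```

With the defaults (5 tries in 10 minutes) only 203.0.113.7 is banned: the allowlisted 192.0.2.9 is skipped, the legitimate user never reaches the threshold, and the “low and slow” source at 198.51.100.77 stays under the window. Widening `findtime_seconds` to two hours catches that last source too, which is the tuning trade-off behind the blog’s second bullet: a default-deny posture does not depend on guessing the right window.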

Example B) Another common problem? Volumetric distributed denial of service (DDoS) attacks. In that case, attackers attempt to saturate a site’s connection to the Internet by flooding those “pipes” with unsolicited junk traffic.

If you encounter a volumetric DDoS, that unwanted traffic needs to be “scrubbed” (filtered) by your upstream network provider(s) before it can swamp your transit links. By the time that unwanted traffic touches a network you control (or that traffic gets blocked by your perimeter firewall), it will be “too late” for any action you can directly take — that flood of traffic will already have consumed your transit bandwidth capacity. So again, DNSDB (or some other passive DNS solution) isn’t the “answer” for blocking DDoS attack traffic, either.

Example C) Other times, however, there are DNS-based options that can help technically filter unwanted traffic. For example, some sites use Response Policy Zones to create a “DNS firewall.” For those who may not be familiar with Response Policy Zones (RPZs), they work by telling a site’s local recursive resolver to “lie” about specified sites, claiming they can’t be resolved, thereby keeping users from accidentally going to a site they can’t safely visit. RPZ files may come pre-built from commercial cyber security companies, from collaborative community information sharing efforts, or may be constructed in-house from directly observed data (and/or additional data found by leveraging DNSDB).
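To make the RPZ idea concrete, here is an added Python example (written for this post; it is not DomainTools’ code and not part of BIND): it turns a constructed list of domains into an RPZ zone file that tells a BIND-style resolver to answer NXDOMAIN for each domain and its subdomains (`CNAME .`), carves out an exact-name exemption with `rpz-passthru.`, and includes a small `policy()` function that simulates the resolver’s decision for a queried name. The domain names, the `rpz.local` zone name and the exact-beats-wildcard ordering used by `policy()` are this example’s own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed list of domains an analyst decided to block (sample data, not real findings).
BAD_DOMAINS = [
    "knockoff-shoes.example",
    "Knockoff-Shoes.example.",   # mixed case and trailing dot: normalised to a duplicate
    "phish-login.example",
    "not a domain!",             # rejected by validation rather than written into the zone
]

# Constructed names that must keep resolving even though a block above would cover them.
PASSTHRU = ["support.knockoff-shoes.example"]

# One DNS label: 1-63 chars of letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name):
    """Lower-case, strip the trailing dot, and return None for anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def build_rpz(bad, passthru=(), serial=None):
    """Return (zone_text, rules) for a zone to be loaded as, say, "rpz.local" (assumed name).

    rules maps each owner name (relative to the zone origin) to its RPZ action target:
      "."              -> the resolver answers NXDOMAIN (the "lie" described in the blog)
      "rpz-passthru."  -> the resolver resolves the name normally
    """
    rules = {}
    for d in bad:
        n = normalise(d)
        if n is None:
            continue              # a malformed owner name would stop the whole zone from loading
        rules[n] = "."            # the domain itself
        rules["*." + n] = "."     # and every subdomain of it
    for d in passthru:
        n = normalise(d)
        if n is not None:
            rules[n] = "rpz-passthru."
    if serial is None:
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d%H"))
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for owner in sorted(rules):
        lines.append(f"{owner} CNAME {rules[owner]}")
    return "\n".join(lines) + "\n", rules


def policy(rules, qname):
    """Simulate the resolver's QNAME-trigger decision: 'nxdomain', 'passthru' or 'resolve'."""
    q = normalise(qname)
    if q is None:
        return "resolve"
    # Simplification used by this example: an exact-name rule beats a wildcard rule.
    if q in rules:
        return "passthru" if rules[q] == "rpz-passthru." else "nxdomain"
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in rules:
            return "passthru" if rules[wild] == "rpz-passthru." else "nxdomain"
    return "resolve"


if __name__ == "__main__":
    zone_text, rules = build_rpz(BAD_DOMAINS, PASSTHRU)
    print(zone_text)
    for q in ["KNOCKOFF-SHOES.example.", "shop.cdn.knockoff-shoes.example",
              "support.knockoff-shoes.example", "example.com"]:
        print(f"{q:40} -> {policy(rules, q)}")
```

The resulting file is loaded like any other zone and enabled with `response-policy { zone "rpz.local"; };` in BIND’s `options`. Two details matter in practice: the validation step keeps a garbled entry from the source data (a DNSDB pivot, a shared list) from breaking the whole zone, and the passthru record shows how to exempt a name (here a hypothetical support host) when a block is broader than the evidence justifies.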

Technical Responses Beyond Just Blocking Traffic

Simply “putting your shields up” and blocking unwanted network traffic may feel like a very defensive cyber security posture — and it is.

Should I “Hack Back?”

When we begin to look at going beyond “strictly-defensive responses,” some people may begin to fantasize about “hacking back,” or “counter attacking” those who’ve attacked them. We strongly urge you to NOT adopt that approach for several reasons, including:

  • At a minimum, you may end up summarily kicked off your own network provider for violating the provider’s terms of service.
  • Attribution online is always imperfect. You may THINK you know who’s “really behind an attack against you,” but you just might be wrong. Deception and misdirection are integral parts of online attacks.
  • Collateral damage to innocent third parties may be effectively inescapable. Even if the party who “did you wrong” freely admits to what they did to you and where they did it from, perpetrating a “counterstrike” against them would likely unavoidably involve damage to innocent third parties who just happen to share common infrastructure with the actual target. You might even end up impacting life-safety systems at hospitals or at other critical infrastructure sites.
  • “Hacking back” is illegal in most locales. If you do choose to do it, you may be investigated, prosecuted, convicted and punished. Don’t do it!

What CAN I Do in Response?

So, what, if anything, MIGHT end up being done as an acceptable “technical” response to something like an infringing “knock-off merchandise” site? One commonly mentioned objective is to get the infringing site taken down. Infringing sites actually require a surprisingly large number of resources/services, including:

  • A source for the knock-off product itself (often these are overseas manufacturers)
  • Domain name registration services
  • Web hosting services
  • Authoritative DNS services (often provided by the DNS provider or web hosting provider)
  • SSL/TLS certificates for the web site
  • Web development services (these knock-off merchandise sites are often surprisingly-complex database-driven sites)
  • Redirector services
  • SEO services to influence the knock-off site’s placement in search engines
  • Affiliate programs to drive purchases of the knock-off products
  • Payment processing for credit card purchases of the knock-off products
  • Drop shipping services to pack and ship any tangible merchandise (such as knock-off sneakers or knock-off handbags).

In an ideal world, suppliers of those services would prevent them from being used for infringing purposes. If that happened, an infringing site would never be able to be created and brought online in the first place.

Unfortunately, there ARE providers who are completely uninterested in what their customers do “as long as the check clears” (and law enforcement officers aren’t at the door ready to seize business records and equipment). These providers are all too often participants in a “race-to-the-bottom” on price, and lack the revenue for even know-your-customer (“KYC”) onboarding programs, much less an abuse department to handle complaints received from 3rd parties after the customer has gone live.

The bad folks talk amongst themselves about which providers enforce strict terms of service and which don’t, sharing data about what any given provider will let customers get away with.

There are even providers who knowingly SPECIALIZE in servicing the needs of cyber criminals, ignoring any resulting complaints as long as that customer is willing to pay a premium price for “covered ears and closed eyes.”

What does this mean to a defender trying to get an infringing site taken offline? Convincing service providers to voluntarily terminate service to a paying customer may be difficult. Some providers will do so in order to avoid being blocklisted by Spamhaus or other block list operators. Others will only do so if forced to do so by a court order — and by that point the offender may have achieved their objectives and moved on to a new provider, using new domain names, etc., what some people succinctly describe as “lather, rinse and repeat.”

But let’s assume you’re tenacious, and you have a legal team that repeatedly gets infringing sites taken down. What then?

  • The bad guys may try moving to the “darkweb:” Denied the ability to use a “regular” website, some cyber criminals may try replacing their oft-taken-offline conventional websites with “dot onion” sites accessible only from the Tor Browser or a Tor-enabled web browser. While Tor may help a bad guy resist efforts to have his or her site taken offline:
    • Most regular users don’t have the Tor Browser installed and don’t routinely use Tor, and
    • Most search engines don’t index dot onion websites in their results.

This means that, fortunately, the darkweb will only work as a viable alternative for a narrow slice of “highly motivated” sellers and buyers.

  • The bad guys may try using cryptocurrencies instead of credit cards: Credit cards represent both a potential control point and a source of potential de-anonymizing leads. If a credit card company receives complaints about a site selling infringing products and revokes the site’s ability to accept credit cards, that can really hurt. Credit cards also typically can be traced to real parties in “meatspace.” Using cryptocurrencies instead of credit cards minimizes both of these “shortcomings” — except that many potential customers may not be ready to buy and sell using cryptocurrencies at this point, and many cryptocurrencies may not be as anonymous as users might expect (an example of this: Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site).
  • The bad guys may diversify into online schemes that don’t require fulfilling tangible goods. For example, instead of selling illegal narcotics or fake watches, cyber criminals may move to high-yield investment program (HYIP) scams, pump-and-dump stock spams, cryptomining on compromised servers, ransomware attacks, etc.

Most cybercriminals, however, find their lowest-cost/easiest-to-implement/most successful options continue to involve selling actual retail consumer products via conventional domain name registrations, leveraging conventional authoritative DNS services, conventional web hosting, conventional payment channels, etc. The bad guys will continue to use the simplest and cheapest technology that they can “get away with” using.

The good news is that as long as this is true, defenders will continue to be able to at least theoretically take advantage of:

The biggest problem with these and similar processes is their inherent “asymmetry:”

  • Cyber criminals can easily slip from one domain name to another, much as a snake sheds its skin, while on the other hand,
  • There may be significant costs and overhead hindering defenders from successfully fighting those malicious actors.

Referral to A 3rd-Party Specialty Service Provider

If the above seems exhausting (and more than you want to have to figure out and fight with yourself!), there’s a convenient option that many may find attractive: outsource handling of potentially-problematic domains you’ve discovered to third party specialty service providers.

“Here. We’ve found the site. It looks bad to us. Please investigate and handle it appropriately. Bill our account. Thanks.”

Why is this an attractive option? Well, most companies prefer to focus on their core competency, while outsourcing miscellaneous functions to those who’ve chosen to specialize in those areas. For example, a manufacturer of luxury consumer products may be excellent at making and marketing those luxury goods, but may not have the in-house expertise needed to effectively tackle cyber criminals. They may prefer to outsource that work to a 3rd-party specializing in brand protection or trademark enforcement, instead.

This “buy rather than build” decision is often ultimately the result of multiple factors:

  • The capabilities and specialization(s) of the 3rd-party service provider
  • The volume of incidents that need to be worked (lots of incidents? More likely to be handled in-house. Fewer incidents? More likely to be outsourced)
  • Time-to-mitigate for the 3rd-party service provider vs. an in-house alternative
  • The cost of having an incident handled by a 3rd-party service provider vs. the cost of building and maintaining that capability in-house
  • The quality of outcomes—does the 3rd-party service provider obtain better outcomes than the company could itself?
  • Specialized techniques and unique relationships that the service provider may be able to leverage
  • Publicity, liability, and indemnification considerations.

Referral to Law Enforcement for Cases Involving Criminal Activity

Some categories of online content are the exclusive responsibility of sworn law enforcement officers or other entities designated by statute. For example, incidents involving online child sexual abuse materials (“CSAM”) are the responsibility of:

Anyone encountering CSAM online should immediately report that discovery to appropriate authorities. NEVER attempt to investigate CSAM yourself!

Another example of an area where the authorities may be interested and active is online drug sales. Depending on the drug involved and how it is being moved, the relevant agencies include:

  • The Drug Enforcement Agency (DEA) and/or the FBI (most commonly if it involves Federally-scheduled narcotics and similar dangerous drugs; see https://www.dea.gov/drug-information/drug-scheduling)
  • State Police (or a specialized state drug enforcement agency) if a particular drug is scheduled more stringently at the state level than at the Federal level
  • The Food and Drug Administration (FDA), if the site you found involves non-scheduled prescription drugs (or medical devices) that the FDA is responsible for regulating, particularly in the case of drugs with so-called “boxed warnings” that carry serious or life-threatening risks.
  • U.S. Customs and Border Protection (CBP), U.S. Immigration and Customs Enforcement Homeland Security Investigations (HSI), and/or the Postal Inspection Service, depending on how the drugs are being moved from their source to their purchaser.

Generally, you shouldn’t need to worry about getting your reporting to the right agency. Appropriate referrals (and deconfliction with already-ongoing operations, if any) will be handled cooperatively by the relevant agencies once you’ve made your initial report.

Not sure who to report fraud cases and other miscellaneous Internet crimes to? One excellent option is the FBI’s Internet Crime Complaint Center (IC3).

Sometimes It May Seem As If Nothing May Be Happening

Just like conventional “bricks-and-mortar” crimes, which all-too-often go unreported and unsolved, nothing may appear to be happening when suspected-to-be-bad domains are uncovered and reported to the authorities. This may be the result of:

  • Everyone already being very busy, perhaps even already working overtime, with literally no time to take on anything more
  • Some incidents may be dauntingly complex to understand and investigate — cyber criminals may intentionally obfuscate what’s happening to the point where non-technical users (and even some technical users!) may find themselves hitting what appear to be investigative “dead ends”
  • Some incidents may seem inconsequential, with investigators failing to recognize that what they’ve uncovered may just be PART of something FAR larger (then again, some incidents may truly not meet minimum thresholds which often need to be surmounted before further investigation can be approved)
  • The offending site may be located in an area rife with corruption, where it may be difficult to obtain official cooperation and enforce “rule of law”

Other times it may appear that nothing is happening while progress actually is being made; it just may be happening “slowly and steadily,” with no visibility or transparency into that progress for you.

To understand why this occurs, you need to know that investigators may be forbidden from sharing the status of their investigations with any outsiders, even if the “outsider” happens to be a victim or an initial reporting party.

Investigations may also take months or even years of work to conclude as tedious processes play out.

In the face of that lack of visibility, patience — and sometimes even faith — may be required.

One other possibility to be aware of (most commonly in terrorism-related cases and organized crime-related cases) is that badness that’s been reported may INTENTIONALLY be “left up” so it can be monitored by the authorities for additional intelligence.

Leaving a known-bad site up might seem to be a counterintuitive thing to do, but remember that taking a bad site down might not stop what a bad group is doing (or planning to do). It may actually interfere with an ongoing investigation.

In fact, tearing down a bad site might force investigators to “start over from scratch.” Where did the bad guys go now? Can we discover their new location? Can we get new court orders to surveil that new site? Can we technically arrange to gain access to that new system or network? Or are we now effectively totally “blind?”

Sometimes you may just need to trust that your report is being handled in an appropriate way.

Conclusion

We hope you now have at least a somewhat better idea of what may happen after a suspicious domain name or IP address is discovered.

If you’d like to talk more about how DomainTools resources can help with your investigations, contact us today: