featured image, joined lines, blurred image
Blog Farsight Long View

Using DNS Search to Uncover Phishing Infrastructure

04/09/2020
Share this entry
DomainTools Favicon
Farsight Security

It’s been a sobering week for defenders.

This week alone, the FBI warned about the potential rise of Business Email Compromise schemes; the DHS’ Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre alerted about a rise in malicious emails impersonating trusted institutions such as the World Health Organization, and NASA reported a significant increase in malicious activity by nation-state hackers and cybercriminals targeting the U.S. space agency’s systems and personnel. Microsoft reported that every country in the world has seen a COVID-19-themed attack.

Phishing remains an evergreen attack for cybercriminals because it works. Every phishing attack begins with a DNS artifact i.e. domain name, IP address, etc.

A single suspicious domain name or IP address can be a potential clue for larger, targeted campaign against an organization. Searching historical passive DNS, most notably Farsight DNSDB, with these “clues” can help investigators uncover previously hidden malicious infrastructures from phishing and other related attacks and reduce attacker dwell time.

“To understand what happened today, we need to look at what happened in the past. Perpetrators often may reuse the same artifacts. DNSDB allows us to expand the network of a criminal, current or historical, with different datapoints i.e. SOA records more. DNSDB enables us to uncover more malicious infrastructure to help defenders to keep up with threat actors, network expansion, etc,” according to a current DNSDB customer.

Among the answers DNSDB can provide:

  • What IP addresses has a particular domain i.e. example.com used over time?
  • What hosts have used a particular IP address i.e. 12.34.56.78… What domains live in 12.34.0.0/16?
  • Tell me about FQDNs under *.example.com
  • Show me how the domain and its nameservers looked during the time period during which the incident happened…

To learn more about other types of information that DNSDB can provide, visit 8 Common DNSDB Pivots for Threat Hunting. Interested in learning for yourself how passive DNS can help your organization better defend against today’s cyberattacks? You can try our entry-level, free version, DNSDB Community Edition, apply for a trial API Key of our enterprise DNSDB, and, if you are a non-profit, researcher or a member of law enforcement, apply for a grant here. Interested in a commercial license or want to see a demo? Contact our sales department at [email protected].

Karen Burke is the Director of Corporate Communications for Farsight Security®, Inc.

Related Content

A digital landscape illustration depicting a dynamic network of interconnected lines and points, reminiscent of USPS smishing attacks. The grid-like structure features various peaks and valleys, illuminated by glowing red and white dots against a shadowy backdrop.
Blog

How Domain Intelligence and Passive DNS Create A Fuller Domain Profile

Read more
New Developments in USPS Smishing Attacks
Blog

Phishmas Comes Early: New Developments in USPS Smishing Attacks

Read more
Blog

Post Quantum Cryptography (PQC): You May Already Be Using It!

Read more
DomainTools Logo
Pricing Contact Login Support Request a Demo

© 2025 DomainTools

DomainTools® and DomainTools™ are owned by DomainTools, all rights reserved.

Privacy Policy    |    California Privacy Notice
Do Not Sell My Personal Information    |    Terms of Service    |    Sitemap