Whois Alerts

Utilising Whois Transparency Logs to trigger alerts on brand abuse and phishing campaigns.

Phishing & Brand Abuse

One of the biggest security concerns from our customers is web-based phishing campaigns and brand abuse.

Attackers create fake domains and attempt to legitimise them by obtaining freely available SSL certificates. A cheaper alternative is usually to attack the brand through subdomains, cheaper top-level domains (e.g. *.dk, *.vip, *.online), or typo-squatted domains.

Instead of going after gmail.com, it is easier for attackers to combine the brand with other names or keywords and register those domains, e.g.

  • wwwexample.com
  • examplebanking.com
  • secure-example.com

We cannot use Certificate Transparency alerts (ct-alerts) unless the attackers have registered SSL certificates, and some attackers choose not to deploy SSL precisely so that they do not trigger ct-alerts. Our trusted customers asked us (Netscylla) whether we could improve detection and response times by triggering on the registration of the domain names themselves, or rather on specific keywords (e.g. their brands, their corporation names, etc.).

How Domain Registration & Whois Works

Registries are organizations that manage top-level domains (TLDs) such as domains ending in ‘.com’ and ‘.net’. These registries are managed by the Internet Assigned Numbers Authority (IANA), a department of the Internet Corporation for Assigned Names and Numbers (ICANN). Registries delegate the commercial sales of domain name registrations to registrars. For example, VeriSign is the registry for ‘.com’ domains. When a registrar sells a ‘.com’ domain registration to a user, the registrar must notify VeriSign in order to properly reserve the domain. The registrar must also pay VeriSign a fee, which is factored into the price that the registrar charges the end user.

image of registrar-flow

Although people will often speak of buying and owning domain names, the truth is that registries own all of their domain names and registrars simply offer customers the opportunity to reserve those domain names for a limited amount of time. The maximum reservation period for a domain name is ten years. Users can hold onto domain names for longer than ten years, as registrars let them keep renewing reservations indefinitely, but users never truly own the domains; they are just leasing them.

Resellers

In addition to registrars, there are also resellers who sell domain name registrations. These resellers sell domain names on behalf of a registrar in return for a finder’s fee. While these resellers are legitimate, they are usually something of a side business, and they can lack dedicated customer support. Resellers’ websites rarely explicitly state that they are resellers, and it can be tricky to tell them apart from registrars. Fortunately there’s an easy way to know if a company is a legitimate registrar: ICANN has a published list of every accredited and active domain name registrar on their website.

How do domain name registrars protect user privacy?

Everyone who reserves a top-level domain name must fill out WHOIS information for that domain. This is information about the person who registered the domain (the registrant), including their name, email address, physical address, and phone number. Many registrars provide the option of a private registration; in this arrangement, the registrar’s information is provided in the WHOIS listing for that domain, and the registrar acts as a proxy for the registrant. This private registration is only as secure as the registrar, since the actual registrant’s information is held in the registrar’s database.

Why we use Whois/Registrar Logs

If all domain registrations are public, then every website should have a record. Whois Transparency brings accountability to the web. It puts all registrar registrations into a list and makes that list available to anyone. That sounds easy, but given the decentralised nature of the internet, there are many challenges in making this a reliable bedrock for accountability.

ICANN Whois Query Online

image of whois record

A monitor is a service that helps alert corporations to brand abuse and potential phishing websites. It crawls registration logs for new registrations and alerts website owners if a new website is found that matches their domain.
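The keyword-containing and typo-squatted registrations listed under Phishing & Brand Abuse above, and the monitor described here, can be demonstrated with a small matcher over a newly-registered-domain feed. This is an added example, not Netscylla's service code; the feed format (domain, date, registrar per line), the sample entries and the similarity threshold are all constructed for illustration.

```python
"""Keyword and look-alike matching over a feed of newly registered domains (added example)."""
from difflib import SequenceMatcher

# Constructed sample feed: "<domain> <registration date> <registrar>" per line.
SAMPLE_FEED = """\
wwwexample.com 2019-05-01 ExampleRegistrar
examplebanking.com 2019-05-01 ExampleRegistrar
secure-example.com 2019-05-02 OtherRegistrar
exarnple.vip 2019-05-02 OtherRegistrar
weather-today.online 2019-05-02 OtherRegistrar
"""


def registrable_label(domain):
    """Lower-cased label just before the TLD (naive: treats the last label as the TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, keywords, threshold=0.75):
    """Return (reason, keyword) when the domain should raise an alert, else None.

    reason is "keyword" when the brand keyword appears inside the label
    (wwwexample, examplebanking, secure-example) and "lookalike" when the
    label is a close spelling of the keyword (typo-squat such as exarnple).
    """
    label = registrable_label(domain)
    flat = label.replace("-", "")  # hyphens do not change what a victim reads
    for kw in keywords:
        kw = kw.lower()
        if kw in flat:
            return ("keyword", kw)
        # Only compare labels of similar length, so a long unrelated label
        # cannot score as a look-alike of a short keyword.
        if abs(len(flat) - len(kw)) <= 2 and SequenceMatcher(None, flat, kw).ratio() >= threshold:
            return ("lookalike", kw)
    return None


def scan_feed(feed_text, keywords):
    """Walk the feed and collect one alert record per matching registration."""
    alerts = []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        domain, registered, registrar = line.split()
        hit = classify(domain, keywords)
        if hit:
            alerts.append({"domain": domain, "registered": registered,
                           "registrar": registrar, "reason": hit[0], "keyword": hit[1]})
    return alerts
```

Running `scan_feed(SAMPLE_FEED, ["example"])` flags the three keyword domains and the typo-squat and leaves the unrelated registration alone; the registrar and date in each alert give the blue team what it needs to start a takedown request.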

Why Netscylla

We let you search by keyword or organisation name (e.g. example, mybank, myorgname). We believe this gives you more coverage and earlier detection and response capabilities when dealing with brand abuse and potential phishing websites. Our technology enhances the capabilities of your blue/SOC/monitoring teams, who can quickly detect new phishing websites or brand abuse as soon as possible, and orchestrate the takedown of potentially malicious and damaging websites and domains before the attacker's campaign has been launched against your company.

image of email alert

Contact

Should you wish to enquire further about our offering or request a demo, please contact us.

enquiry@netscylla.com