DomainTools 101: How Dead is Dead?
Sometimes while doing an investigation in Iris Investigate, it seems as if I’m fighting a multi-headed beast. In a recent example, I was curious to know if the good guys really killed the beast in its entirety or just crushed a single site? Let’s dig in to find out.
When threat hunting with a law enforcement lens, it is important to note that incident responders have a duty and obligation to dive deeper since they’re focused on attribution and catching a bad player or group. Many of our customers are more focused on identifying malicious actors and threats, and ensuring that they are no longer able to access their organization’s network. Law enforcement, on the other hand, has to turn over every leaf, look through all of the domain history and find every breadcrumb that might be a part of the threat actor’s trail.
For this example I’m going to try to find the threat actor that was identified by a report from Crime in the Suites about domain name seizure. In this article they unearth a major raid on an illegal gambling ring and describe the take down and arrests. Another article with more current details is from CalvinAyre.com, which outlines the actual plea deal and fines. These articles are great reads and provide some additional context for this example.
One head of the beast was a single domain, platinumsb[.]com but this domain was in fact only a small part of a larger organized gambling operation. Here are screenshots of before and after the takedown.
Let’s start by hunting for the named threat actor behind platinumsb[.]com Sports Betting site. In this case, the police raided a party and took down this domain in February of 2013, so I’ll start with Whois History and look at those dates and earlier to see if I can uncover additional domains and other details about this actor.
One of the first things I notice is that it was registered under privacy protection at the time of the raid. But with DomainTools Whois History, I can look backward to see what I can learn about who actually owns this domain. By accessing Whois history from 2009-05-12, I can expose more information about the ownership of this domain. It was registered to Ole Svendsen with an email of pleased2helpyou[@]yahoo[.]com. Now I have some additional information that I can utilize to help with my hunting efforts. Email is usually the tightest connection to other domains owned by the same group or actor, therefore, it is a great place to start this investigation. This data point leads to a gold mine of sports betting sites: 1,248 domains (as of 4/28/17). These newly uncovered domains share enough registration details to deduce shared ownership.
Next, I can begin tracking any new domains registered by pleased2helpyou[@]yahoo[.]com. Since I first started tracking this registrant, he has registered over 50 new domains which answers my first question about whether he’s gone dark, and the answer is no. It looks like law enforcement captured and killed a single web site and the person has been arrested but this is still a thriving and growing gambling enterprise.
Happy Threat Hunting.
More links to articles I found interesting on this arrest and takedown:
http://neerdowellblog.blogspot.com/2016/09/gordon-baird-admits-role-in-103m.html
http://qcostarica.com/with-servers-in-costa-rica-canadian-man-admits-role-in-illegal-gambling-ring-allegedly-linked-to-mafia-hells-angels/
https://www.casino.org/news/hells-angels-operated-mafia-linked-platinum-sports-book-tech-guy-fined-400000