DomainTools 101: How Domains are the Eye of the Cyber Hurricane
NOTE: Iris Detect has supplanted PhishEye, with dramatically expanded capabilities. Please explore Detect for your brand protection, anti-fraud, and spoof infrastructure analysis needs.
As a proud jorts-wearing Floridian, I learned early on to be wary of hurricane season. Hurricane watches turn into warnings while those on the ground scramble for bottled water and canned goods. NOAA forecasts and advisories are hotly anticipated with an eye on evacuation orders and flood zone maps. While the residents of Texas and Florida deal with the aftermath of Harvey and Irma, they’ll also contend with a wide array of scams: spamming, phishing, fake charities and services. Naturally, a large number of these scams now happen online as the barriers to entry are low, and a wide audience can be found just a click away. The past few weeks have seen a significant number of new domain registrations containing the terms hurricane, Harvey, Irma, relief and donate. While the vast majority of these domains are likely registered with good intentions, there are already domains finding themselves on industry blocklists.
What’s in a name?
How did we get stuck with the names Harvey and Irma for these hurricanes anyway? In the early 50s it was determined that short and distinct names were easier to remember in both written and spoken communication, and had the added benefit of reducing confusion in the event of multiple storms occurring simultaneously.
There are 21 hurricane names each year for the region covering the Caribbean Sea, the Gulf of Mexico and the North Atlantic, and the lists repeat on a 6 year cycle, with the names of especially deadly or costly storms retired every year. A full list of these names can be found on NOAA’s website: http://www.nhc.noaa.gov/aboutnames.shtml.
When are these domains registered?
On average, only a few names are retired from the list every year, and the list itself is cycled through every 6 years. This makes for some old domain names: the average age for the .com of each of these hurricanes (hurricane+name.com) is 4,893 days, or over 13 years old.
So what’s new?
The newly created domains affiliated with these hurricanes generally fall under a few broad categories: legal services, insurance services, construction/cleanup services or charity sites.
To get a better look at all of these domains, I set up PhishEye monitors on the terms “HurricaneHarvey” and “HurricaneIrma”, and I used our Domain Search API to catch domains combining the hurricane names with the terms “donate” and “relief”. This resulted in a list of over 1,000 newly registered domains. I then ran these domains through our Domain Risk APIs to find those that scored highly based on our proprietary algorithm.
This allows us to discover a high-scoring domain like helphurricaneharveyvictims[.]com, which can be found on a phishing blocklist using VirusTotal.
Another domain that stands out, harveyrelief[.]club, can be found on a SURBL spam list.
In some cases, diving a bit deeper into our Iris Investigation Platform on a domain with a high risk score can uncover connections to other opportunistic new domain registrations: a quick pivot on the registrant info for hurricaneirmadisasterrelief[.]com shows that the same actor also recently registered equifaxcyberattack[.]com and equifaxcybersecurity[.]com, both of which have been flagged for phishing.
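The workflow above (watch terms built from storm names, a blocklist check, then a pivot on registrant data to find sibling registrations) can be reproduced locally in a few dozen lines. The following is an added example written for this post; it is not DomainTools code and does not call the PhishEye, Domain Search, Domain Risk or Iris APIs. The storm names, modifier terms, the sample of newly registered domains with their registrant contacts, and the blocklist set are all constructed stand-ins, and the scoring weights are an arbitrary heuristic chosen for illustration rather than DomainTools’ proprietary algorithm.

```python
"""Hypothetical triage of newly registered domains against a disaster-name watchlist.

Added example, not DomainTools code. Inputs below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed watch terms: storm names plus the kinds of words the post looked for.
STORM_NAMES = ["harvey", "irma"]
MODIFIERS = ["hurricane", "relief", "donate", "help", "victims", "disaster"]

# Constructed sample of newly registered domain records, as a zone-feed consumer
# might see them. Registrant contacts are fictional placeholders.
NEW_DOMAINS = [
    {"domain": "helphurricaneharveyvictims.com", "created": "2017-08-27", "registrant": "reg1@example.invalid"},
    {"domain": "harveyrelief.club",              "created": "2017-08-29", "registrant": "reg2@example.invalid"},
    {"domain": "hurricaneirmadisasterrelief.com","created": "2017-09-05", "registrant": "reg3@example.invalid"},
    {"domain": "equifaxcyberattack.com",         "created": "2017-09-08", "registrant": "reg3@example.invalid"},
    {"domain": "irmaroofingpros.com",            "created": "2017-09-06", "registrant": "reg4@example.invalid"},
    {"domain": "myfamilyphotos.net",             "created": "2017-09-06", "registrant": "reg5@example.invalid"},
]

# Constructed stand-in for an external blocklist lookup (the post used VirusTotal and SURBL).
BLOCKLISTED = {"helphurricaneharveyvictims.com", "harveyrelief.club", "equifaxcyberattack.com"}


def registrable_label(domain):
    """Left-most label of the domain, lower-cased, e.g. 'harveyrelief' for 'harveyrelief.club'."""
    return domain.lower().split(".")[0]


def match_terms(domain):
    """Return (storm names found, modifier terms found) inside the domain's label."""
    label = registrable_label(domain)
    storms = [s for s in STORM_NAMES if s in label]
    mods = [m for m in MODIFIERS if m in label]
    return storms, mods


def score(record, today):
    """Illustrative heuristic (not DomainTools' risk score).

    A storm name is required; each matched modifier, a very recent creation date,
    and presence on the blocklist add weight. Returns 0 when no storm name matches.
    """
    storms, mods = match_terms(record["domain"])
    if not storms:
        return 0
    total = 10 + 5 * len(mods)
    age_days = (today - date.fromisoformat(record["created"])).days
    if age_days <= 14:          # registered in the last two weeks
        total += 10
    if record["domain"] in BLOCKLISTED:
        total += 50
    return total


def triage(records, today):
    """Rank records that match a storm name, highest score first; drops non-matches."""
    scored = [(score(r, today), r["domain"]) for r in records]
    return sorted([(s, d) for s, d in scored if s > 0], key=lambda x: (-x[0], x[1]))


def pivot_registrant(records, seed_domain):
    """The registrant pivot from the post: other domains sharing the seed's registrant contact."""
    by_registrant = defaultdict(list)
    for r in records:
        by_registrant[r["registrant"]].append(r["domain"])
    seed = next(r for r in records if r["domain"] == seed_domain)
    return sorted(d for d in by_registrant[seed["registrant"]] if d != seed_domain)


if __name__ == "__main__":
    today = date(2017, 9, 10)
    for s, d in triage(NEW_DOMAINS, today):
        print(f"{s:3d}  {d}")
    print("pivot:", pivot_registrant(NEW_DOMAINS, "hurricaneirmadisasterrelief.com"))
```

Run as-is, the ranking puts the two blocklisted storm domains first, the un-listed relief domain next, and the roofing domain last, while the family-photos domain is dropped for lacking a storm name; the pivot on hurricaneirmadisasterrelief.com surfaces the sibling registration that shares its (constructed) registrant contact. In a real feed the blocklist lookup and registrant data would come from external sources, and the weights would be tuned against known-good registrations so that legitimate contractors and charities are not drowned in the same bucket as spoofed relief sites.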
Take-Aways
Scammers know that the devastation caused by a natural disaster will drive their potential victims to action, and a Harvey or Irma domain registration can be a low-cost way to gain false trust in your inbox. In addition, bad actors rarely stand up just one domain. Whois and DNS data continue to be very effective ways of mapping the full infrastructure being provisioned in a scam or attack. Be sure to remain vigilant in screening any emails you receive from organizations claiming to be involved in hurricane relief. If, like many others, you find yourself moved to donate to a charitable cause you can use www.charitynavigator.org to see how any registered charitable organization rates.