They say timing is everything.
I’m not sure who “they” are, but examples seem to surface at dinner parties everywhere, where hearsay is thrown about like candy exploding from a piñata. Hours of captivating anecdotal ramblings about how a marriage proposal could have taken a disastrous turn if the timing that dictated the location hadn’t worked out, or the story about that choice property in the neighborhood that was scooped up just in the nick of time. I would be remiss to forget the increasingly present cryptocurrency aficionado chattering on about how the timely offloading of their dump truck full of bitcoin worked out just before a butt-clenching dive in market value, and so on…
Think about this for a moment. While time is relative (hat tip to Einstein), time is also constant and consistent. In the world we live in, illicit actors with a wide array of objectives are also subject to timing as a key indicator of their likelihood of success. From a domain registration perspective, correlating registration timelines with current events may prompt some interesting thoughts and opportunities, depending on your role in the greater scheme of things.
According to Google trends, interest so far in 2022 for the term ‘abortion’ peaked in early May of this year.
Google Trends: 2022 interest in “Abortion”
For the audience who has been following U.S. news, this peak isn’t surprising. On May 2nd, a copy of the initial draft opinion written by Justice Samuel Alito was leaked. The draft indicated that Roe v. Wade, the landmark decision handed down by the U.S. Supreme Court in 1973, would be overturned.
Between May 1st and May 15th, approximately 463 domains were created that contained the word “abortion”. During the same period in the previous year, the count was a lowly 41. Quite a difference.
Would an illicit actor or group wish to take advantage of this event?
Should organizations be on the lookout for any associated phishing campaigns or other types of malicious activity?
Will some of these domains be used for misinformation, propaganda, or political influence?
Using DomainTools predictive risk scores allows for efficient focus on the domains most likely to have been created for ill intent from a cybersecurity perspective. In this example, 15.3% of the recently created domains containing the word “abortion” have a current DomainTools Risk Score of 76 or above, so finding malicious activity (e.g., malware, spam, phishing) shouldn’t be very difficult.
DomainTools Risk Score associated with Domains containing the term “abortion” created between May 1-15, 2022
Should one decide to put these recently created domains under further scrutiny and really dig into tangible artifacts and additional context, answers to questions such as these might be uncovered:
- How will these newly created domains be used?
- What are the objectives of the actor(s) intending on using these domains?
- Will there be any potential impact to my organization &/or supply chain?
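The two measurements above, a year-over-year count of keyword-bearing registrations in a date window and the share of those hits at or above a risk threshold, are simple enough to script. The following is an added example and is not DomainTools code or API; it runs over a constructed, in-memory list of newly observed domains whose names, creation dates and risk scores are invented for illustration (a real pipeline would feed it records from a newly-registered-domains source). The threshold of 76 is the one used in the text.

```python
"""Triage newly registered domains that mention a current-event keyword.

Added illustration only: the feed below is constructed, the scores are made up,
and nothing here calls a DomainTools product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class NewDomain:
    name: str
    created: date
    risk_score: int  # 0-100; hypothetical predictive score, 100 = seen on a blocklist


# Constructed sample feed (invented names, dates and scores).
SAMPLE_FEED: List[NewDomain] = [
    NewDomain("abortion-rights-fund.org", date(2022, 5, 3), 21),
    NewDomain("stopabortionnow.net", date(2022, 5, 4), 88),
    NewDomain("abortionpillsonline.shop", date(2022, 5, 6), 93),
    NewDomain("texas-abortion-help.com", date(2022, 5, 9), 40),
    NewDomain("abortion-news-today.info", date(2022, 5, 14), 77),
    NewDomain("garden-tools-depot.com", date(2022, 5, 7), 12),
    NewDomain("abortion-clinic-finder.com", date(2021, 5, 5), 35),
    NewDomain("abortion-debate.org", date(2021, 5, 11), 18),
]

# The window the article compares: May 1-15, 2022 against May 1-15, 2021.
ARTICLE_WINDOW: Tuple[date, date] = (date(2022, 5, 1), date(2022, 5, 15))


def keyword_hits(feed: Iterable[NewDomain], keyword: str,
                 start: date, end: date) -> List[NewDomain]:
    """Domains created within [start, end] whose name contains the keyword.

    Hyphens and dots are stripped before matching so that
    'baby-formula.shop' is found by the keyword 'babyformula'.
    """
    kw = keyword.lower().replace("-", "").replace(".", "")
    return [
        d for d in feed
        if start <= d.created <= end
        and kw in d.name.lower().replace("-", "").replace(".", "")
    ]


def surge_ratio(feed: Iterable[NewDomain], keyword: str,
                start: date, end: date) -> Tuple[int, int, float]:
    """Count hits in the window and in the same calendar window one year
    earlier. Returns (current, baseline, current/baseline).

    Note: date.replace(year=...) raises on Feb 29; guard that if your
    window can include it.
    """
    feed = list(feed)
    current = len(keyword_hits(feed, keyword, start, end))
    baseline = len(keyword_hits(
        feed, keyword,
        start.replace(year=start.year - 1), end.replace(year=end.year - 1)))
    ratio = current / baseline if baseline else float("inf")
    return current, baseline, ratio


def high_risk_share(hits: List[NewDomain], threshold: int = 76
                    ) -> Tuple[float, List[NewDomain]]:
    """Fraction of hits at or above the threshold, plus those domains
    ordered by descending score so an analyst starts with the worst."""
    if not hits:
        return 0.0, []
    flagged = sorted((d for d in hits if d.risk_score >= threshold),
                     key=lambda d: -d.risk_score)
    return len(flagged) / len(hits), flagged


def triage(feed: Iterable[NewDomain], keyword: str, start: date, end: date,
           threshold: int = 76) -> dict:
    """One-call summary combining the surge measurement and the risk cut."""
    feed = list(feed)
    current, baseline, ratio = surge_ratio(feed, keyword, start, end)
    share, flagged = high_risk_share(
        keyword_hits(feed, keyword, start, end), threshold)
    return {
        "current": current,
        "baseline": baseline,
        "ratio": ratio,
        "high_risk_share": share,
        "high_risk": [d.name for d in flagged],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FEED, "abortion", *ARTICLE_WINDOW))
```

The year-over-year comparison matters more than the raw count: a keyword like “abortion” has a steady background rate of registrations, so it is the multiple over the prior year, not the absolute number, that signals opportunistic activity worth a closer look.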
Google Trends: 2022 interest in “Monkeypox”
Because we live in a dynamic world, there is a never-ending wealth of current-event examples to survey, or even to consume in the literal sense. For example: baby formula.
It’s certainly not what everyone’s first daily thought is, but surely there is an adorable infant somewhere waiting for their regular rapid bottle service. In the vicinity of that same upset infant might be a concerned parent or caregiver who has been frantically hand-mashing their keyboard for hours searching the Internets for a source of formula.
Google Trends: 2022 interest in “baby formula”
If you haven’t been watching the U.S. news lately, recent weeks have seen a shortage of baby (infant) formula across the United States and, dismally, a look at some of the recently created domains shows the vultures circling to take advantage of the situation.
Reviewing the uptick in domain creation and the associated DomainTools Risk Scores again may raise similar questions for the reader about the intent behind, and potential damage from, these baby formula related domains.
DomainTools Risk Score associated with Domains containing the term “babyformula” created between May 1-15, 2022
The great thing about data is, as it turns out, it eventually speaks. For a further perspective, we can pick one of these domains to put under the microscope a little.
Tweet from @SecuritySnacks shining a light on typosquatting domains
Not long after the interest around the scarcity of baby formula hit the news, and the volume of domains referring to baby formula started spiking, it was observed that many of these were trying to steer traffic away from legitimate websites such as babyformulaexchange.com.
For example, on May 13th, buybabyformula[.]us was registered. DomainTools has built a threat profile for the domain that is associated with phishing activity, and at the time of writing its DomainTools Risk Score is a lofty 96 out of 100 (a score of 100 would mean the domain has actually been observed on commercial blocklists; anything below that is a prediction).
DomainTools Risk Score associated with buybabyformula[.]us at the time of writing this publication
What if one wished to know more?
On May 13th (Pacific Time Zone), DomainTools captured an early screenshot of what appears to be a “hello world” WordPress holding page, prior to the ‘real’ website being spun up. Not long after, a full-blown website was stood up offering baby formula of many varieties. There are numerous high-star reviews, a pleasant font, eye-catching colors, and even a stock photo of a child wearing a cow hat. Even the price points don’t appear to be eye-watering.
DomainTools screenshot of buybabyformula[.]us on May 13th, 2022
DomainTools screenshot of buybabyformula[.]us on May 23rd, 2022
After a cursory review, no obvious malicious code was embedded within the site. However, not all was as it appeared.
Users clicking around would eventually be redirected, via Shareasale.com (an affiliate marketing platform), to Nature’s One, a legitimate company based in Ohio. In other words, the site was not selling formula itself; it was monetizing desperate search traffic through affiliate commissions.
While this isn’t necessarily a smoking gun from a legal perspective, the timing of the website spurs yet more scrutiny.
Finding out who registered the domains can be tricky on the surface. In recent years, in addition to various privacy services, regulations such as the European Union’s General Data Protection Regulation (GDPR), and State laws such as the California Consumer Privacy Act (CCPA) mean that tracking down individual names, addresses, and phone numbers typically requires legal involvement.
And let’s face reality for a moment. While the Internet Corporation for Assigned Names and Numbers (ICANN) requires that registrars take reasonable steps to verify the information contained in Whois records, not all registrars do a fantastic job of this.
Need some convincing?
Ponder this: How many domains does one suppose have been registered with inaccurate information such as using “Mickey Mouse” for a name?
While you’re reflecting on this, the answer is: 720.
How about John Doe? The number is 9,768. And that is only in the last decade.
Just imagine diving into addresses, phone numbers, and the rest of the information that is contained within a Whois record. Why imagine? Keep reading.
Here is some good news for anyone interested in capturing some context around this domain. Current policies for the .us ccTLD do not permit registration through proxy or privacy services. This means that any .us domain should, in theory, have some tangible registrant data to add to an investigation (subject, of course, to the accuracy problem described above).
By examining some of the data points contained in the Whois record for buybabyformula[.]us we’re able to see some other associations that may be important to note. For the purposes of this article, attribution details have been redacted but everything is in the open for those who wish to dive deeper in the Whois records.
Pivoting off of the email address we’re able to find other domains that may bring more to think about.
Domains associated by email with buybabyformula[.]us in Maltego using DomainTools transforms
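The pivot just described, from one domain’s registrant e-mail to every other domain registered with the same address, together with the earlier point about placeholder registrant names and the caveat that a privacy-service address must not be pivoted on, can be expressed in a few lines. This is an added example, not DomainTools or Maltego code; the Whois records below are constructed for illustration, and in particular the registrant name and e-mail attached to buybabyformula[.]us and mystupidgoverment[.]com here are invented placeholders, not the real (redacted) data from the article.

```python
"""Pivot on registrant e-mail across Whois records and flag junk registrants.

Added illustration only. SAMPLE_WHOIS is constructed: registrant names and
e-mail addresses are invented, and the domains other than the two named in the
article are made up.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_name: str
    registrant_email: str


SAMPLE_WHOIS: List[WhoisRecord] = [
    # Invented registrant data standing in for the article's redacted fields.
    WhoisRecord("buybabyformula.us", "Registrant Redacted", "registrant@example.net"),
    WhoisRecord("mystupidgoverment.com", "Registrant Redacted", "registrant@example.net"),
    WhoisRecord("cheap-formula-deals.shop", "John Doe", "registrant@example.net"),
    WhoisRecord("formula-finder.online", "Mickey  Mouse", "other.person@example.org"),
    WhoisRecord("babyformulaexchange.com", "Formula Exchange LLC", "contact@example.com"),
    # Two unrelated customers of the same (fictional) privacy service.
    WhoisRecord("unrelated-shop.net", "Privacy Service", "contact@withheldforprivacy.example"),
    WhoisRecord("another-shop.net", "Privacy Service", "contact@withheldforprivacy.example"),
]

# Obviously fake registrant names of the kind the article counts (constructed list).
PLACEHOLDER_NAMES = {"mickey mouse", "john doe", "jane doe", "test test", "n/a", "none"}

# Substrings that suggest a proxy/privacy registration rather than a person.
PRIVACY_HINTS = ("privacy", "proxy", "redacted for", "withheld", "whoisguard")


def is_placeholder_name(name: str) -> bool:
    """True for known junk names; whitespace is normalised first."""
    return " ".join(name.lower().split()) in PLACEHOLDER_NAMES


def is_privacy_protected(record: WhoisRecord) -> bool:
    """Heuristic: does the registrant look like a privacy/proxy service?"""
    blob = f"{record.registrant_name} {record.registrant_email}".lower()
    return any(hint in blob for hint in PRIVACY_HINTS)


def pivot_on_email(records: Iterable[WhoisRecord], seed_domain: str) -> List[str]:
    """Other domains sharing the seed domain's registrant e-mail.

    Refuses to pivot when the seed is privacy-protected: a shared proxy
    address would link every customer of that service, producing a large
    cluster of unrelated domains and a false sense of attribution.
    """
    records = list(records)
    by_domain = {r.domain: r for r in records}
    seed = by_domain[seed_domain]
    if is_privacy_protected(seed):
        return []
    return sorted(
        r.domain for r in records
        if r.registrant_email.lower() == seed.registrant_email.lower()
        and r.domain != seed_domain
    )


def placeholder_registrants(records: Iterable[WhoisRecord]) -> List[str]:
    """Domains whose registrant name is an obvious placeholder."""
    return sorted(r.domain for r in records if is_placeholder_name(r.registrant_name))


if __name__ == "__main__":
    print("co-registered:", pivot_on_email(SAMPLE_WHOIS, "buybabyformula.us"))
    print("junk registrants:", placeholder_registrants(SAMPLE_WHOIS))
```

A shared registrant e-mail is a strong pivot precisely because .us forbids privacy registration; on gTLDs, where most records are redacted, the same function returns nothing and the analyst has to fall back on other shared artifacts such as name servers, hosting IPs or SSL certificate details.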
If there weren’t an infant formula shortage, would consumers still purchase through an affiliate website associated with mystupidgoverment[.]com (no longer active) and a plethora of other questionable domains?
Perhaps. Perhaps Not.
While not every avenue of thought necessarily leads to a comic book type villain, there is typically someone, somewhere, doing what they can to take advantage of a situation or a current event.
Timing is everything.
But as I finish typing out this blog with fantastic music in the background and my thoughts turn to happier vibes, it turns out my current in-the-right-place-at-the-right-time question is: If The Rolling Stones were a new band today, would their music alone be enough to propel them to the same dizzying heights of success?
I certainly hope so.
DomainTools – https://www.domaintools.com
Google Trends – https://trends.google.com/trends/
European Commission – https://ec.europa.eu/info/law/law-topic/data-protection_en
California State Legislature – https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
Maltego Transform Hub, DomainTools Iris – https://www.maltego.com/transform-hub/domaintools-iris/
Maltego Transform Hub, DomainTools Enterprise – https://www.maltego.com/transform-hub/domaintools-enterprise/
ICANN – https://www.icann.org/
Washington Post – https://www.washingtonpost.com/wp-dyn/articles/A7251-2005Mar4.html