image of breaking badness
Breaking Badness
Breaking Badness

141. Scam a-Lama Ding Dong

Coming up this week on Breaking Badness. Today we discuss: Can’t Have Your Cake and Scam It Too, Who’s The Boss?, and Two Truths and a Lie.


Here are a few highlights from each article we discussed:

Can’t Have Your Cake and Scam It Too

  • On cybercrime forums, user complaints about being duped may accidentally expose criminals’ real identities.
  • You can find all manner of illicit goods on these forums
    • If you think of cybercrime as running on a timeline from the earliest stage of preparation for an incursion, right through the actions that actually breach some protected organization, down to the ill-gotten gains themselves, whether that’s money, data, etc – you can purchase, on these forums, any of those
    • You can purchase 0days in order to compromise some kind of system to initiate a breach. Or you can buy phishing kits. You can buy tooling to help you with any stage of an attack. Or you can cut out all that messy stuff and just buy bank account credentials or stolen software. And of course, you can also find all kinds of advice, some of it no doubt good, on how to get better at defrauding people
  • These forums also include arbitration rooms users can go if they didn’t receive the product or service they thought they would receive
    • It may seem like scammers would always scam other scammers (because as we like to say, there’s no honor among thieves), but it’s important to remember that one of the axioms of the modern illicit online economy is that it’s basically the upside-down of the legit economy, with all of its trappings
    • They have tech support, customer service, red tape, etc.
    • This means that criminal enterprises have an interest in keeping customers satisfied just like legit ones do
    • In the big picture, everyone involved in the underground economy has a stake in its functioning
    • Having said that, the authors of the research point out that these arbitration rooms certainly do not guarantee that the injured party will find the redress they are seeking
  • What kinds of scams are these scammers pulling on other scammers?
    • To once again invoke this idea that the underground economy is just a dark mirror of the aboveground one, you see the same kinds of things: buyers don’t receive the promised goods after forking over the cash
      • Either they receive nothing at all, or in some of the examples that were cited here, they received things like exploit code that didn’t work as promised
    • And sometimes it was the seller who got scammed, like the one that sold a Windows kernel exploit for $130K but didn’t receive funds—what they did receive was a story about how the buyer was testing the code and would pay once they had proved it worked
    • I think my favorite one had to do with this game that I personally had never heard of called Axie Infinity
      • Criminal A wanted a fake copy of it with the intent of stealing legitimate users’ crypto funds, so they bought the fake game—but, sad trombone, the fake copy contained a backdoor which then stole the stolen cryptocurrency. Such a bummer!
  • While it seems the good news is criminals scamming other criminals, the better news is that this can help defenders
    • It seems when folks get ripped off and want to recover their ill-gotten goods, they get a bit emotional perhaps, and their OpSec kind of goes out the window
    • It turns out that they’ve been leaking personal information as they go through these arbitration processes and so forth
      • We’re talking about things like cryptocurrency addresses, email addresses, victims’ names, malware source code, that kind of thing
    • Because we here are so familiar with the idea of pivoting investigations, it’s not hard to imagine that an investigator can pivot on these data points to profile the aggrieved criminals and figure out more about them, including their identities, and/or to find out more about who and what they are connected to
      • So that’s useful for law enforcement and security researchers. But this info is also providing insights into how various of these schemes work, which is useful to defenders of various kinds
  • DomainTools recently hosted its 2023 predictions webinar wherein one prediction was a looming recession could lead to more cybercrime
    • We’re thinking that could lead to more criminals getting scammed themselves 
    • As we march inevitably toward the heat death of the universe, by which I mean entropy, by which I mean the gradual decay of ordered states into disordered states, there’s likely to be more chaos in the underground
    • Desperation breeds crime, and there’s no reason to believe that this doesn’t equally apply to the criminal world itself
    • What will be perhaps more interesting to watch is whether some kind of underground economy “law enforcement” is organized to fight this stuff. Maybe it already exists, we don’t know. That’d be a good area to dig into

Who’s The Boss?

  • Our second article covers the idea of who owns the internet, research Jan Shaumann shared at ICANN and most recently on his blog
  • It’s fun when we have guests talk about research that seems to really excite them and your submission on what you wanted to discuss today felt like our episode with Kelly Molloy who picked a New Yorker article on Natural Language Processing – so what excites Sean about this research?
    • To begin, our friends at SpamHaus brought this to our attention 
    • It was presented at the ICANN DNS Symposium this past November (there’s an accompanying video to check out as well)
    • But we’re a DNS shop and DNS makes the Internet work for the world. Knowing how this works in theory is different from how it is powered in practice. It’s important to talk about
  • Schaumann mentioned in his blog post that the Internet is “held together with duct tape and WD40, but what does he mean by that?
    • It’s not really duct tape. Well, maybe it is, kinda. 
    • The concern is the theory vs. practice sentiment. As it turns out only a few orgs/companies control a lot of what is being returned from DNS queries across the internet. This power consolidation is concerning: what if one of these companies goes offline or out of business? What about their geographic location etc.
  • Shaumann shared that he needed to request access to some of the generic top level domain (gTLD) zones and was granted some, but was denied others, what’s the process like for gaining access? Why couldn’t he acquire everything he needed?
    • For a simplified answer, Zone Files are the definitive listing of what domains are appearing for a TLD. It’s the literal phone book listing the relationship between IP addresses and domains
      • On a side note, we’re not sure how much longer we can use the phone book listing metaphor when explaining this, as Gen Z has never seen one – perhaps contact list? 
    • For all gTLDs, ICANN requires access. For each ccTLDSs, (those run by countries) it’s up to the country. They don’t have to make the zone files available if they don’t want to
    • So for this research, Schaumann was limited by only the zone files he could publicly access 
    • And for the record, DomainTools does our own proprietary processing for ccTLDs
  • One of the initial findings of this research was that the different name server records were nicely diversified, but they were registered under one domain
    • Both findings were described as “not surprising,” but why is that?
      • For everyone to understand, a name server is on the Internet and you can make a request and say “hey, here’s this domain, please tell me the IP address so I can look it up.”
      • DNS runs this hierarchy of name servers – you talk to your local server and if it doesn’t know it moves up the chain to these root name servers
      • When you look at how different organizations manage DNS, they don’t use their own private name servers, they use service providers to manage their DNS records
        • AWS offers route 53. Azure offers it too. GoDaddy. Or another registrar for your domain offers those services. OR squarespace, wix, and wordpress. As for dedicated DNS managed services. Ionos & NSone and others are popular. Cloudflare is king here and manages a lot of peoples’ DNS
        • You have all these individual domains, but their name servers are hosted on a smaller fraction of name servers out there
      • What are the implications from a defender’s perspective?
        • If you have one name server that’s got thousands of domains linked against it and you try to figure out domains being hosted on the same server (GoDaddy or Wix), you might not have the confidence that they’re related to each other
        • If you had a smaller name server you run yourself or one with a few dozen domains, you might have more confidence that there’s some relationship 
  • How exactly did Schaumann break down how he went about his research?
    • In a nutshell, he went and grabbed zone file data from all gTLDs and looked for who was providing the nameserver records for the domains in that zone
    • He then looked at the domains providing those records, the companies who owned those domains, and the ASNs which provided hosting for those domains.  Hint – the owners and the hosting are different in many cases 
    • He then repeated the analysis for a subset of domains, the Tranco top 1 Million, and then top 100, 1k, 10k, to see what is happening
  • So, who controls the Internet?
    • A few companies have a large influence over DNS
      • At the top, Verisign – operating 2 of the DNS root authorities (of which there are only 13)
      • Verisign also controls a critical domain, gltd-servers.net and that name server domain is home to 80% of all gTLD NS records because it’s all .com and .net players
        • If you took out Verisign for any reason, the Internet is going to have a very bad day. 
      • There are a few other companies that have control (i.e. the usual suspects). With 43% of all NS records in all gTLDs and 44% of those in the Top 1M in a combined 14 domains, any one of those could exert significant control over large chunks of the internet. But amongst those companies, a few stand out:
        • GoDaddy – owner of the aptly named domaincontrol.com domain is responsible for 20% of all NS records in all gTLDs alone
        • CloudFlare – responsible for 20% of NS records in the top one million domains, Cloudflare also provides the IP space home to a total 40% of those NS records. If CloudFlare has a hiccup, that’s 40% of the Internet that could go offline
          • Some defenders would say that’s 40% of illicit material going offline, but we’re not talking about quality, we’re talking about quantity
  • These findings should not come as a surprise, but should we continue this exercise regularly?
    • Sean would and try to get more zone files – more ccTLDs
    • DomainTools does have some access to those, and that would be interesting to try in the next year

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard


This Week’s Hoodie/Goodie Scale

Can’t Have Your Cake and Scam It Too

[Tim]: 0/10 Goodies
[Sean]: 4/10 Gingerbread Goodies

Who’s The Boss?

[Tim]: 4/10 Hoodies
[Sean]: 5/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!