Beyond the Perimeter: How Attackers Use Domains, Phishing & AI and How to Fight Back

Domain Deception: Unmasking the Cybercriminal’s Favorite Weapon

In the ever-evolving landscape of cyber warfare, some weapons remain timeless, yet devastatingly effective. This is a special RSAC 2025 edition of the Breaking Badness Cybersecurity Podcast, where we pull back the curtain on one of the most critical, and often underestimated, components of an attacker’s arsenal: domains. They are the silent infrastructure behind sophisticated phishing schemes, massive data exfiltration operations, and even nation-state attacks. If you’re not watching the domain layer, you’re missing a huge part of the attack.

This isn’t just about a random web address; it’s about the frontline of cyber defense. Join host Kali Fencl as she navigates this complex terrain with a panel of unparalleled experts: Joe Slowik, Robert Duncan, John Fokker and Vivek Ramachandran. They’re here to break down how threat actors are weaponizing domains and what you can do to stay ahead.

The Long Game: Aged Domains and Evolving Nation-State Tactics with Joe Slowik

Think a brand-new domain is the only red flag? Think again. Joe Slowik, Security Researcher, kicks things off by highlighting how attackers are playing the long game. He points to the SolarWinds incident, where a domain mimicking AWS existed for nearly a decade before being used in the attack. This strategy of using “aged” or “seasoned” domains allows adversaries to gain trust and slip past traditional defenses that flag newly created domains as suspicious.
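As an added illustration of Joe’s point (not code from the podcast or from any of the vendors mentioned), here is a small Python check showing why a “newly registered domain” rule alone waves through an aged lookalike, and how pairing it with a brand-lookalike signal closes that gap. The registration dates, the allowlist and the brand tokens are constructed assumptions, not real registrar data.

```python
from datetime import date
from typing import List, Optional

# Constructed sample registration dates (NOT real WHOIS/RDAP data). The aged
# lookalike stands in for the AWS-mimicking domain from the SolarWinds case.
REGISTRATIONS = {
    "login-secure-portal.example": date(2025, 4, 1),   # freshly registered
    "aws-console-updates.example": date(2015, 6, 12),  # aged lookalike, ~10 years old
    "amazonaws.com": date(2005, 8, 18),                # legitimate brand; date is a placeholder
}
KNOWN_GOOD = {"amazonaws.com", "aws.amazon.com", "paypal.com"}  # assumed allowlist
BRAND_TOKENS = ("amazonaws", "aws", "paypal")                    # assumed protected brands
TODAY = date(2025, 4, 28)   # fixed reference date so results are reproducible
NEW_DOMAIN_DAYS = 30        # common "newly registered domain" threshold

def domain_age_days(domain: str, today: date = TODAY) -> Optional[int]:
    """Days since registration, or None when no registrar record is known."""
    created = REGISTRATIONS.get(domain)
    return (today - created).days if created else None

def is_newly_registered(domain: str) -> bool:
    """The traditional control: flag only domains younger than the threshold."""
    age = domain_age_days(domain)
    return age is not None and age < NEW_DOMAIN_DAYS

def mimics_brand(domain: str) -> bool:
    """Flag hostnames whose first label embeds a protected brand but are not allowlisted."""
    if domain in KNOWN_GOOD:
        return False
    first_label = domain.split(".")[0]   # crude: no public-suffix handling
    return any(token in first_label for token in BRAND_TOKENS)

def assess(domain: str) -> List[str]:
    """Combine age and lookalike signals; an empty list means nothing was flagged."""
    reasons = []
    if is_newly_registered(domain):
        reasons.append("newly-registered")
    if mimics_brand(domain):
        reasons.append("brand-lookalike")
    if domain_age_days(domain) is None:
        reasons.append("no-registration-record")
    return reasons

if __name__ == "__main__":
    for d in REGISTRATIONS:
        print(f"{d:30} age-only={is_newly_registered(d)!s:5} combined={assess(d)}")
```

Run it and the aged lookalike shows `age-only=False` but `combined=['brand-lookalike']`, which is exactly the case a newly-registered-domain filter misses.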

Joe notes that while some high-end adversaries stick to traditional TLDs (top level domains) to maintain a low profile, others might favor newer or specific TLDs, sometimes out of sheer laziness or habit. Interestingly, there’s a growing trend among sophisticated state-sponsored campaigns: using stolen or compromised infrastructure, like someone’s home router or a small business’s firewall, instead of registering their own domains. This muddies the waters for researchers but underscores the need for deep visibility into network traffic.

A particularly chilling threat Joe flags is Volt Typhoon, a PRC-linked group meticulously targeting U.S. critical infrastructure. Their goal? To “sow chaos in the United States through cyber operations” during a potential conflict. The defense, Joe argues, lies not just in reactive tools but in architecting more resilient and defensible networks, and even revisiting manual operational capabilities.

Where to find Joe: Connect on LinkedIn

AI in the Underworld: Crafting Phishing Kits and Frustrating Foes with Robert Duncan

The robots aren’t just coming; they’re already here, and cybercriminals are putting them to work. Robert Duncan from Netcraft sheds light on how generative AI is becoming a force multiplier for attackers. His team investigated a Y Combinator-backed platform being misused to clone legitimate websites for credential theft or malware deployment. Rob himself whipped up a PayPal phishing site in just 10 minutes. He also points to clear evidence of the “Darcula” smishing toolkit using AI to rapidly create and deploy new phishing kits.

So, how do we fight back against this AI-enhanced onslaught? Robert emphasizes the “multiplayer whack-a-mole” approach to takedowns. It’s about collaboration and persistence to make life difficult for threat actors. And it works – Netcraft has seen criminals openly complaining on forums about their disruptive efforts.

The battleground is also shifting. Robert notes a move away from the open Internet (domains and IPs) towards attacks on private channels like SMS and RCS, where threat hunting is significantly harder. To counter this, Netcraft is exploring honeypot-style technologies to infiltrate these conversations. He also touches upon the disturbing efficiency of “pig butchering” scams and how Netcraft uses AI personas to engage scammers, uncover mule accounts, and collaborate with financial institutions to disrupt their cash flow.

Where to find Rob: Find him on LinkedIn.

On the Frontlines with Law Enforcement: Edge Threats and the Blurring Lines of Cybercrime with John Fokker

John Fokker, Head of Threat Intelligence at Trellix, brings a unique perspective from his background in law enforcement, fighting organized crime and advanced cyber threats. His mission at Trellix remains the same: “give bad people a bad day.”

John highlights a concerning trend: the once-clear lines between nation-state actors and cybercriminal gangs are becoming increasingly blurred. Nation-states are leveraging criminal groups as proxies, adding layers of deniability to their operations.

A critical weak point John points to is edge devices – routers, firewalls, and VPN appliances. These often cannot run security agents, making them prime targets for actors like some Chinese groups and Russia-linked Cl0p, who meticulously find and exploit vulnerabilities in these devices to gain entry into networks.

When it comes to attribution, John advises caution. While everyone wants to point a finger, the priority for security operations should be on operational intelligence: understanding the tools and techniques used to better defend networks, rather than just naming a culprit. The Trellix threat report dives deep into this, covering Chinese actors, major “Blockbuster” events, and the innovative (and alarming) ways criminals are using generative AI, including voice cloning services advertised on their forums.

Where to find John: Connect on LinkedIn

The Browser Battlefield: Extensions as Backdoors and the Cloud Conundrum with Vivek Ramachandran

Our final expert, Vivek Ramachandran, founder of SquareX, zooms in on a piece of technology most of us use every second of our workday: the web browser. He argues that the browser has become the new endpoint, the primary initial access vector for attackers. Why? Because most work happens there, yet these browsers are often consumer-grade with flimsy security controls.

Vivek warns about the rise of browser-native attacks that might not even download a file to your endpoint, thus bypassing traditional EDR solutions. A key culprit? Malicious browser extensions. Think of them as untrusted executables running with alarming permissions. Attackers cleverly offer extensions (e.g., promising free access to a new ChatGPT version) that are actually backdoors into enterprise systems. Even legitimate-seeming extensions like Grammarly, by their nature, can read and send all data from your browser pages.

The Chrome Store, unfortunately, doesn’t offer robust security vetting for these extensions. Attackers can even game the rating systems to make their malicious creations appear trustworthy. Vivek also explains how nation-states are evolving, using seemingly innocuous configuration files (like RDP files in the Midnight Blizzard attack) to execute commands via trusted processes. Furthermore, sophisticated attackers are finding ways to smuggle malware past cloud security gateways (SSEs/SWGs) by using complex protocols that mask file transfers as benign binary streams. The answer, Vivek suggests, lies in browser-native security solutions that provide deep visibility and control over what’s happening within the browser itself.

Where to find Vivek: Connect on LinkedIn

The Big Takeaways: Navigating the Domain Minefield

This episode paints a clear picture:

  • Domains are foundational: They’re the bedrock of countless cyber attacks.
  • Attackers are agile: From aged domains and AI-generated phishing sites to malicious browser extensions and compromised edge devices, threat actors are constantly innovating.
  • The browser is the new frontline: As work moves to the cloud, the browser becomes the key gateway – and vulnerability.
  • Defense requires depth and collaboration: Visibility, proactive disruption, intelligence sharing, and robust browser security are no longer optional.

The threat landscape is dynamic, but so are our defenses. By understanding how domains are weaponized, we can better fortify our digital fortresses.

Watch on YouTube

That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

A special thanks to John Roderick for our incredible podcast music!