Posted on February 5th, 2019
Business email compromise (BEC) caused by phishing attacks is nothing new, but it is still quite effective and requires only minimal effort from adversaries. One example is the Anthem Blue Cross breach of 2015. After locating “scam email campaigns targeting current and former Anthem members,” the company sent out a public statement to consumers and press to warn them, relying on consumers to both recognize and thwart these phishing attacks.
There is a positive side to BEC-based phishing attacks: you can get ahead of your attackers and defend your organization before phishing campaigns are even launched. The secret is to find the pre-attack infrastructure. MITRE, as part of their ATT&CK technique mapping framework, wrote up a great, thorough piece on this topic, but the tl;dr is that in order to launch phishing campaigns and other attacks that rely on impersonating your brand, adversaries must first create (and put online) infrastructure to run these attacks — see MITRE pre-ATT&CK technique 1338 for additional information. To help you find shady, fake certificates, Censys makes certificate transparency logs available and searchable. With that data, you can better understand adversary behavior and methodology.
Typically, those would be fraudulent domains that look like your legitimate brand domain. In the Anthem case, you could think of it like an attacker phishing Anthem customers using a link that looks legitimate but is either typed incorrectly or includes a misspelling or errant dash in the domain name (this is called “link hijacking” or “typo squatting”). In this example, you’d see “anth3mbluecross.com” or “anthem-bluecross,” which at a glance might look official or legitimate and, combined with compelling language — “New benefits for Anthem customers click here!” — cons people into clicking the link and inadvertently passing their data along to an attacker.
Finding adversary infrastructure and pre-attacks
There are a lot of different ways to find attacker infrastructure that may be used to launch attacks against you, but one of the quickest and first efforts should be searching for domain name permutations. The open source tool DNS Twist is great for automating domain name permutations, providing you with a list of potentially fraudulent domains that could be used against your brand.
With this list handy, you can start running queries in Censys to find these instances and start taking them down or blocking them before any attacks are launched.
In this example, we searched for potentially fraudulent domains similar to binance.com, a popular cryptocurrency exchange site. These are the search results from that query. The query returns a number of results, but a small enough set that they can be reviewed manually.
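The two steps described above (generate look-alike permutations of a brand domain, then check which of them actually appear in certificate transparency data) can be scripted end to end. The following is an added example, not code from Censys or from the DNS Twist project: generate_permutations() implements a subset of the transformations dnstwist automates (omission, repetition, transposition, look-alike substitution, hyphenation), and match_certificates() walks a list of certificate records and reports which permuted domains they cover, including subdomains and wildcard names. The certificate records and the substitution table are constructed for the example; in practice the names would come from a Censys certificate search.

```python
from typing import Dict, Iterable, List, Set

# Constructed look-alike substitution table (deliberately small; dnstwist ships a much larger one).
SUBSTITUTIONS = {
    "a": "4",
    "e": "3",
    "i": "1l",
    "l": "1i",
    "o": "0",
    "s": "5",
}

# Constructed sample of certificate-transparency style records (fingerprints are placeholders).
SAMPLE_CT_RECORDS = [
    {"fingerprint": "sha256:A", "names": ["binance.com", "www.binance.com"]},  # legitimate
    {"fingerprint": "sha256:B", "names": ["login.b1nance.com"]},              # substitution, on a subdomain
    {"fingerprint": "sha256:C", "names": ["*.bniance.com"]},                  # transposition, wildcard cert
    {"fingerprint": "sha256:D", "names": ["mail.example.org"]},               # unrelated
    {"fingerprint": "sha256:E", "names": ["binance-support.com"]},            # keyword addition: NOT generated below
]


def generate_permutations(domain: str) -> Set[str]:
    """Return typosquatting-style permutations of `domain` (hypothetical helper name).

    Only the registrable label is permuted; the TLD is kept. The original domain
    is never included in the result.
    """
    label, _, tld = domain.lower().partition(".")
    n = len(label)
    out: Set[str] = set()
    # omission: drop one character
    for i in range(n):
        out.add(label[:i] + label[i + 1:])
    # repetition: double one character
    for i in range(n):
        out.add(label[:i] + label[i] + label[i:])
    # transposition: swap two adjacent characters
    for i in range(n - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # substitution: replace one character with a look-alike
    for i, ch in enumerate(label):
        for repl in SUBSTITUTIONS.get(ch, ""):
            out.add(label[:i] + repl + label[i + 1:])
    # hyphenation: insert a dash between two characters
    for i in range(1, n):
        out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return {f"{p}.{tld}" for p in out if p}


def match_certificates(domain: str, records: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each permuted domain seen in `records` to the fingerprints covering it.

    A certificate name matches a permutation if it equals it or is a subdomain
    of it; a leading "*." (wildcard) is stripped before comparison.
    """
    perms = generate_permutations(domain)
    hits: Dict[str, List[str]] = {}
    for rec in records:
        for name in rec["names"]:
            host = name.lower()
            if host.startswith("*."):
                host = host[2:]
            for perm in perms:
                if host == perm or host.endswith("." + perm):
                    hits.setdefault(perm, []).append(rec["fingerprint"])
                    break
    return hits


if __name__ == "__main__":
    for perm, fps in sorted(match_certificates("binance.com", SAMPLE_CT_RECORDS).items()):
        print(f"{perm}: {', '.join(fps)}")
```

Note that the record for binance-support.com is deliberately left unmatched: appending a keyword to the brand is a common pattern that this small generator does not cover, which is why a tool like dnstwist, with its larger dictionary of transformations, is the better source for the candidate list you feed into your certificate searches.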
With open source tools and Censys, you can get a head start on potential attacks and block them before they’re a problem. While these fraudulent domain searches aren’t a complete solution for fighting phishing, they’ll help you issue takedown requests and block accounts that you likely weren’t aware of prior to running these scans. The more you know, the better.