Mappingcriminalinfrastructuresfrom“patientzero”usingWhois

DavidPiscitelloInterisle ConsultingGroup

Massivedatabreaches– e.g.,Target,Sony–weretheresultofasuccessfulphishing

attack

Whoishelpsinvestigatorslearnwhat’sbelowthesurfaceofbreachesorothercyberattacks

PatientzeroThefirstpatientinan

outbreakwhoisnoticedbyhealthauthoritiestypicallytriggersa

responseorinvestigation

Frompatientzeroinvestigatorsgatherinformationtomapthe

progressionofadiseaseoutbreak

•Whoispatientzero?•Whatarehissymptoms?•Wherewashefound?•Wheredidhetravelfromandto?•Whendidhetravel?•Whatthreatdoeshisconditionpose?

Indexdomainsarethe“patientzeros”ofcyberinvestigations

•Whoisthedomainholder?§Notifythebreachvictim§ Pursuethecyberattacker

•Whereandwhenwerethedomainsregistered?•Whatotherdomainshavesimilarregistrationdata?

Attacksofteninvolveaconspiracyofdomains…useindexdomaintoidentifythatconspiracy

HowdofirstrespondersuseWhois?

CriminalAbuseofDomainNames:BulkRegistrationandContactInformationAccess

http://www.interisle.net/sub/CriminalDomainAbuse.pdf

CASESTUDYCRIMINALDOMAINS

IN.TOKYO

• Abuseactivityin.TOKYOfromDecember12,2018throughDecember25,2018

• 8,715.TOKYOcriminalabusedomainnames

RegistrarIANAID

CriminalAbuse

DomainsIdentified

Percent

GMOInternet,Inc.d/b/aOnamae.com

49 8,713 100.0

NameCheap,Inc.

1068 2 0.0

Nearlyallofthesewereregisteredusingasingleregistrar

WHYTHISREGISTRAR?- VERYCHEAPDOMAINREGISTRATIONS- CUSTOMERSCANREGISTERINVOLUME- CUSTOMERSCANGENERATERANDOMLOOKINGDOMAINS 8

1¥=€0.0083

Customerscanuploadafileofnames

Websitewillcreaterandomnames

CHEAPDOMAINNAMESCONTRIBUTETOACRIMINALMARKETPLACEINWHICHSMALLINVESTMENTSCANYIELD

EXTRAORDINARYRETURNS

9

1000s OFDOMAINNAMESCANBEACQUIREDFORPENNIESPER

DOMAINFROMREGISTRARSLIKEGMOINTERNET

MAILINGLISTSCANBE

PURCHASEDINTHEDARKWEBOR

ONLINE

RANSOMWARECANBEPURCHASEDASASERVICEFOR€35

PHISHING KITSCANBEDOWNLOADEDFORFREEFROM

SOCIALMEDIASITES

ONLINETUTORIALSAREAVAILABLEFROMYOUTUBE

ASSUMINGARANSOMWARE

EXTORTIONFEEOF$200-500USD,ARANSOMWARE

ATTACKISPROFITABLEWITHAHANDFULOF

VICTIMS

EVENASINGLERANSOMWAREORPHISHINGCAMPAIGNISALUCRATIVEENTERPRISE

IDENTIFYINGCRIMINALACTORS:SEARCHANDPIVOT

• .TOKYOsamplespansa“post-GDPR”timeperiod

• UsehistoricalandrecentWhoisrecords• Use{registrantname,registrantorganization,registrantemail} to

• SEARCH historicalWhoisdatabases• PIVOT tootherdatabasesorsocialmedia

• toidentifythecriminalactors

• OnlysomeWhoisrecordscontaincontactdata• Assumethatcriminalssubmitinaccurateorfraudulentlycomposeddata

10

WHATDOESSEARCH-AND-PIVOTREVEALS?• Theharmfulcontentorattackmessages• Wherecriminalactorshostinfrastructure,e.g.

• Malwareorransomwareexecutables

• Phishingorfinancialfraudwebpages

• Politicalinfluencecampaignmaterial

• Mailserversthatsendphishinglures

• DNSserversthatsupportDDoSattacks

• Otherdomainholdersthatmaybepartofacriminalenterprise

• OtherTop-leveldomainsinwhichthecriminalactorhasregisterednames

11

WHATSEARCH-AND-PIVOTFROM“PATIENTZERO”REVEALED

• ThesuspectappearstohaveusedGMO’sbulkregistrationtoolstogeneratethousandsofrandom-lookingdomainsnamesinmattersofminutes.• GMOoffered.TOKYOdomainsregistrationsatverylowcost.

• ThesuspectprovidedaregistrantaddressinJapan.• Thesuspectstargeted.TOKYObutnotexclusively..INFO,.CLUB,.ONLINE,.XYZ,.BIZ,.SPACE,and.WORKwerealsotargeted.

• ThesuspecthostedJapanesephishingormalwareatthreehostingproviders:• InterQ GMOInternet,Inc.,IDCFrontier,Inc.,SakuraInternet,Inc.

LET’SREVIEW:

JAPANESESPAMMERSTARGETEDJAPANESEUSERSUSINGAJAPANESEREGISTRARANDJAPANESEHOSTINGOPERATORS

13

COMPLETEWHOISRECORDSAREESSENTIAL

IFFIRSTRESPONDERSANDLAWENFORCEMENT

ARETOIDENTIFYVICTIMSANDCRIMINALACTORS

BUT…DUETOANOVERLYBROADINTERPRETATIONOF

THEEUGDPR

PUBLICWHOISISNOWDARK

EU’SGDPRISINTENDEDTOPROTECTPERSONALPRIVACY

WhoisimplementationprotectsInternetcriminalsordarkorganizations

ADVERSEEFFECTSOFICANNWHOISPOLICY

“Onesizefitsall”

RegistriesareredactingmoredatathanisrequiredbyGDPR

Solutionassumesalldataprotectionlawswillalignwith

GDPR

Legitimatedisclosureofnon-publicWhoisisstillnotdefined

Nopolicyfortimelyorpredictableaccess Noaccreditationframeworks

Blanketredaction

Inhibitssearchestocorrelatedomainsoractorstoattacks

NodiscriminationbetweenEUdatasubjectsandlegalpersons

16

EFFECTOFICANNPOLICYONACCESSTO

HISTORICALCOMPLETEWHOIS

RECORDS

Facts&Figures:WhoisPolicyChangesImpairBlocklistingDefenses

http://lnnk.in/@whoisimpedesblocklisting

• WHENPRIVACYREGULATIONBLOCKSCRIMINALINVESTIGATIONCITIZENSAREEXPOSEDTOHARMANDLOSS

• DATAPROTECTIONREGULATIONSMUSTACCOMMODATEFIRSTRESPONDERANDLAWENFORCEMENTACCESSTOCRITICALINFORMATION

18

PRIVACYPROTECTIONANDPUBLICSAFETY:ADELICATE

BALANCINGACT

CreativeCommons

• Slide2,3:LassaFeverinvestigation,MikeBlythhttps://www.flickr.com/photos/blyth/

• Slide3:EnzooticPlagueinvestigation,CDCGlobal,https://www.flickr.com/photos/cdcglobal/

• Slide4:WorldMap,Sharereproductions,https://www.flickr.com/photos/shaireproductions/

• Slide10:ComputerHackers,https://www.flickr.com/photos/121483302@N02/

• AllotherimagesfromPixabay Images