CTEM-DOM-3: Phishing Indicator Domain
Documentation has not been completed. This page is a placeholder for future documentation.
Overview
Phishing indicator domains are domains that exhibit characteristics suggesting they are intended for phishing activities, even if their current content does not confirm malicious use. These domains often mimic legitimate domains or use deceptive elements to lure users into divulging sensitive information. They are a significant threat to organizations and their customers.
Characteristics of Phishing Indicator Domains
- Deceptive Subdomains: Domains such as secure.dundermifflin-login.com that imply a secure connection to a legitimate service.
- Credential Harvesting Patterns: Domains that suggest authentication pages or account recovery portals, such as account-recovery-dundermifflin.com.
- Urgency or Security Keywords: Inclusion of terms like "login," "secure," or "verify" (e.g., verify-dundermifflin.com).
- Association with Email Records: Domains configured with MX records indicating they might be used to send phishing emails.
- Redirect Behavior: Domains that redirect to a legitimate site but only after capturing sensitive input (e.g., usernames and passwords).
Common Methods of Discovery
- Domain Keyword Monitoring: Scanning for newly registered domains containing keywords such as "secure," "login," or "verify."
- Threat Intelligence Feeds: Leveraging shared intelligence on domains flagged for phishing-related activity.
- Passive DNS Analysis: Identifying suspicious domains based on their DNS configurations, such as associated email records.
- Behavioral Analysis: Observing the behavior of domains to detect redirection patterns or hosted forms.
Risk and Impact
Phishing indicator domains present significant risks:
- Credential Theft: These domains are commonly used to steal usernames, passwords, and other sensitive information.
- Fraudulent Transactions: Attackers may use the captured data to commit fraud or unauthorized transactions.
- Customer Mistrust: Misleading domains erode trust in the legitimate organization’s brand.
- Security Breaches: Phishing attacks facilitated by these domains can lead to broader network compromises.
Examples
Using dundermifflin.com as the legitimate domain:
- Deceptive Subdomain: secure.dundermifflin-login.com
- Credential Harvesting Domain: account-recovery-dundermifflin.com
- Urgency Keyword Domain: verify-dundermifflin.com
- Email Phishing Domain: dundermifflin-authentication.com (configured with MX records to send emails)
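The keyword monitoring and MX-record checks described under Common Methods of Discovery, applied to the examples above, as an added Python illustration that is not part of this page: the keyword list, the 2/1/1 scoring weights, the flagging threshold of 3 and the sample domain list are all assumptions constructed for the example, and MX presence is passed in rather than resolved.

```python
import re
from dataclasses import dataclass, field

# Keywords the page lists as urgency/security indicators, plus its recovery/auth terms.
SUSPICIOUS_KEYWORDS = ("login", "secure", "verify", "account", "recovery", "authentication")

@dataclass
class DomainFinding:
    domain: str
    score: int
    reasons: list = field(default_factory=list)

def registrable_domain(domain: str) -> str:
    # Last two labels; assumes simple TLDs such as .com (no public-suffix list here).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def assess_domain(candidate: str, brand: str, has_mx: bool = False) -> DomainFinding:
    """Score one candidate against the legitimate brand domain, e.g. dundermifflin.com."""
    cand, brand = candidate.lower().rstrip("."), brand.lower()
    if registrable_domain(cand) == brand:
        return DomainFinding(cand, 0, ["hosted under the legitimate domain"])
    reasons, score = [], 0
    if brand.split(".")[0] in cand:  # brand name inside a domain the brand does not own
        reasons.append("brand name in non-brand domain")
        score += 2
    for kw in SUSPICIOUS_KEYWORDS:  # keyword must be a whole label or hyphen-separated part
        if re.search(rf"(^|[.-]){kw}([.-]|$)", cand):
            reasons.append(f"keyword '{kw}'")
            score += 1
    if has_mx:  # an MX record means the domain is set up to handle mail
        reasons.append("MX record present")
        score += 1
    return DomainFinding(cand, score, reasons)

def scan(candidates, brand, domains_with_mx=frozenset(), threshold=3):
    """Return findings at or above the (assumed) threshold, highest score first."""
    findings = [assess_domain(d, brand, d.lower() in domains_with_mx) for d in candidates]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

# Constructed sample input: the page's four examples plus two benign controls.
SAMPLE_DOMAINS = [
    "secure.dundermifflin-login.com", "account-recovery-dundermifflin.com",
    "verify-dundermifflin.com", "dundermifflin-authentication.com",
    "secure.dundermifflin.com",  # real brand subdomain: must not be flagged
    "login.example.com",         # keyword only, no brand: must not be flagged
]

if __name__ == "__main__":
    for f in scan(SAMPLE_DOMAINS, "dundermifflin.com", {"dundermifflin-authentication.com"}):
        print(f"{f.score}  {f.domain}: {', '.join(f.reasons)}")
```

Real brand subdomains are excluded only because their registrable domain matches the brand, so the check is a triage aid over newly registered domains, not proof of malicious use.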
Key Considerations for Threat Exposure Management
- Proactive Monitoring: Implement keyword-based domain monitoring to identify potential phishing domains early.
- Incident Response Plan: Develop a clear protocol for responding to phishing domains, including notifying users and initiating takedown requests.
- Employee and Customer Training: Educate employees and customers on recognizing phishing domains and reporting suspicious activity.
- Layered Security Measures: Employ anti-phishing technologies, such as email filtering and web content filtering, to block access to phishing domains.
- Legal and Registrar Collaboration: Work with domain registrars and legal teams to take down phishing indicator domains quickly.
By actively monitoring and addressing phishing indicator domains, organizations can reduce the likelihood of successful phishing attacks, protect sensitive information, and maintain the trust of their users.