This article discusses the use of Validin’s domain and IP crawling data to discover crypto-themed phishing websites. It outlines the techniques of DNS and host connection pivots to identify related phishing pages and infrastructure. The findings reveal a network of phishing sites and highlight the importance of continuous monitoring for effective threat detection. Affected: phishing websites, crypto-themed sectors
Key points:
- Validin utilizes extensive domain and IP crawling data to uncover related phishing websites.
- Two types of pivots are employed: DNS pivots and Host Connection pivots.
- Initial pivots included identifying two phishing domains targeting cryptocurrency wallets.
- Passive DNS analysis revealed numerous subdomains related to a common IP address.
- The investigation disclosed a timeline of crypto-themed subdomains hosted on the same platform.
- Host connection analysis found domains linking to a known phishing website.
- The tool facilitates easy pivoting from title tags and HTML links to discover additional phishing domains.
- Continuous monitoring enables rapid detection of malicious infrastructure.
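The two pivot types listed above, worked through on a small constructed dataset as an added example (this is not code from the Validin post or product). The seed domains and the IP are the article's indicators; every other record is made up. The `same_title` edge and the triage rule that never flags a domain on a shared-hosting IP alone are assumptions about how an analyst would rank results.

```python
"""Two-hop pivot over constructed passive-DNS and crawl records.

Edges: shared IP (DNS pivot), outbound HTML link and identical <title>
(host-connection pivots). Each discovered domain keeps the set of evidence
kinds that reached it, so a noisy shared-hosting IP alone is never enough.
"""
from collections import deque

# Constructed passive-DNS pairs (domain, IP). The two azurewebsites names
# and 20.119.8[.]29 are from the article; the rest are made up for the demo.
PDNS = [
    ("metmsklogn.azurewebsites[.]net", "20.119.8[.]29"),
    ("trzeriostrt.azurewebsites[.]net", "20.119.8[.]29"),
    ("ledger-liv-auth.azurewebsites[.]net", "20.119.8[.]29"),  # constructed
    ("some-corp-app.azurewebsites[.]net", "20.119.8[.]29"),   # constructed benign tenant
    ("trzorsuite[.]com", "203.0.113.9"),                       # constructed IP
    ("walletus.start-trezorio[.]com", "203.0.113.9"),          # constructed IP
]
# Constructed crawl records: domain -> (title tag, outbound link hosts).
CRAWL = {
    "metmsklogn.azurewebsites[.]net": ("MetaMask Login", []),
    "trzeriostrt.azurewebsites[.]net": ("Trezor Suite", ["trzorsuite[.]com"]),
    "ledger-liv-auth.azurewebsites[.]net": ("Ledger Live", []),
    "some-corp-app.azurewebsites[.]net": ("Corp Portal", []),
    "trzorsuite[.]com": ("Trezor Suite", ["walletus.start-trezorio[.]com"]),
    "walletus.start-trezorio[.]com": ("Trezor Suite", []),
}

def neighbours(domain):
    """Yield (related_domain, evidence_kind) for every pivot edge from domain."""
    ips = {ip for d, ip in PDNS if d == domain}
    for d, ip in PDNS:
        if d != domain and ip in ips:
            yield d, "shared_ip"
    title, links = CRAWL.get(domain, ("", []))
    for d in links:
        yield d, "html_link"
    for d, (t, _) in CRAWL.items():
        if d != domain and title and t == title:
            yield d, "same_title"

def pivot(seeds, max_hops=2):
    """BFS from the seeds; returns {domain: set(evidence kinds)}, seeds excluded."""
    found, seen = {}, set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        dom, hops = queue.popleft()
        if hops == max_hops:
            continue                      # do not expand past the hop budget
        for nxt, kind in neighbours(dom):
            if nxt in seeds:
                continue
            found.setdefault(nxt, set()).add(kind)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return found

def triage(found):
    """Split results: content-linked domains vs. IP-only hits needing manual review."""
    linked = sorted(d for d, ev in found.items() if ev != {"shared_ip"})
    ip_only = sorted(d for d, ev in found.items() if ev == {"shared_ip"})
    return linked, ip_only
```

The IP-only list is the review queue where an analyst looks for crypto-themed names, which is how the article's timeline of subdomains on the shared host was built.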
MITRE Techniques:
- TA0042: Resource Development – Procedure: Utilizing Validin to identify resources connected to phishing operations through domain analysis.
- TA0007: Discovery – Procedure: Applying DNS resolution history to discover associated domain names linked to known phishing sites.
- TA0011: Command and Control – Procedure: Utilizing host connection response types to identify active phishing domains with linked HTML content.
Indicators of Compromise:
- [Domain] metmsklogn.azurewebsites[.]net
- [Domain] trzeriostrt.azurewebsites[.]net
- [IP Address] 20.119.8[.]29
- [Domain] trzorsuite[.]com
- [Domain] walletus.start-trezorio[.]com
Full Story: https://www.validin.com/blog/unmasking-crypto-phishing-websites-with-validin/