Yes, please see below for an overview of the ways you can use DRS search tools.
Table of Contents
- How to Verify the Legitimacy of a Domain
- How to Uncover Artifacts Connected to Publicly Available IoCs
- How to Identify Live Counterfeiting Sites
1. How to Verify the Legitimacy of a Domain
To check the legitimacy of the domain, such as appleid666666[.]com, you can compare its WHOIS record with that of the known company’s official domain—apple[.]com. Here’s how.
1. Go to WHOIS Search.
2. Type the copycat domain name into the search field and click Search to retrieve the domain’s WHOIS record.
2.1. Scroll down to check the domain’s age.
2.2. Scroll down further to check the domain’s current registrant contact details.
3. Type the legitimate domain name of the company and click Search to retrieve its WHOIS record.
3.1. Just like before, scroll down to check the domain’s age.
3.2. Scroll down further to check the domain’s current registrant contact details.
4. Comparing the bits of information gathered so far for the two domains, you can take note of the following:
- Major difference in domain age: Most brands like Apple have held their business domain for years. Copycat domains, on the other hand, are often registered much more recently.
- Registrant contact detail redaction: The presumably copycat domain has redacted registrant contact details. The legitimate domain’s record, however, shows the business details of Apple, Inc.
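The two checks above (domain age and registrant redaction) as an added Python example that is not part of the original page or of the DRS tools; the WHOIS text, dates and registrant values are constructed samples, not real lookup results.

```python
from datetime import date

# Constructed WHOIS records (illustrative values, not real WHOIS output) for the
# suspected copycat domain and the brand's official domain named in the text.
COPYCAT_WHOIS = """Domain Name: appleid666666.com
Creation Date: 2022-02-14
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
"""
OFFICIAL_WHOIS = """Domain Name: apple.com
Creation Date: 1987-02-19
Registrant Name: Domain Administrator
Registrant Organization: Apple Inc.
Registrant Email: hostmaster@example.com
"""
REDACTION_MARKERS = ("redacted", "privacy", "query the rdds", "not disclosed")
REGISTRANT_FIELDS = ("Registrant Name", "Registrant Organization", "Registrant Email")

def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict (first occurrence wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in record:
            record[key.strip()] = value.strip()
    return record

def registrant_is_redacted(record):
    """True if any registrant contact field carries a privacy/redaction marker."""
    return any(any(m in record.get(f, "").lower() for m in REDACTION_MARKERS)
               for f in REGISTRANT_FIELDS)

def domain_age_days(record, today):
    return (today - date.fromisoformat(record["Creation Date"][:10])).days

def compare_domains(suspect_text, official_text, today=date(2022, 3, 15)):
    """Return the red flags from section 1; 'today' defaults to a constructed date."""
    suspect, official = parse_whois(suspect_text), parse_whois(official_text)
    findings = []
    # Flag a young suspect domain next to a brand domain held for years.
    if domain_age_days(suspect, today) < 365 and domain_age_days(official, today) > 5 * 365:
        findings.append("major domain age difference")
    if registrant_is_redacted(suspect) and not registrant_is_redacted(official):
        findings.append("registrant details redacted on suspect only")
    return findings
```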
2. How to Uncover Artifacts Connected to Publicly Available IoCs
By scrutinizing WHOIS details, you can find more domains connected to a publicized IoC linked to Roaming Mantis, such as xpddg[.]com.
1. Go to WHOIS History Search. Most domains have redacted current WHOIS records, but WHOIS History Search can reveal their past—and still public—ownership details.
2. Type the IoC into the search field and click Search. You can also download the whole report by clicking Download PDF.
3. Open a historical WHOIS record by clicking a specific date.
4. Look for unredacted registrant information from among the available historical WHOIS records.
5. When you find one with the details you’re looking for, click the record and choose Build current Reverse WHOIS report.
This will give you a list of domains currently registered using the specific WHOIS record detail.
6. Alternatively, you can also select Build historic Reverse WHOIS report.
That way, you will retrieve domains that contained that particular email address in their previous WHOIS records.
7. [BONUS Pro Tip]: You can use Reverse WHOIS Search if you already have a registrant detail like an email address for which you’d like to find associated domains.
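The pivot in steps 3 to 6 (find an unredacted registrant email in a domain’s WHOIS history, then build current and historic reverse WHOIS lists from it) as an added Python example; it is not DRS code, and the history snapshots, emails and all domain names other than the page’s IoC xpddg[.]com are constructed.

```python
# Constructed WHOIS history (not real data): domain -> [(snapshot ISO date, registrant email)].
WHOIS_HISTORY = {
    "xpddg.com": [("2019-05-02", "operator-one@example.net"),
                  ("2021-08-11", "REDACTED FOR PRIVACY")],
    "site-alpha.example": [("2019-06-20", "operator-one@example.net"),
                           ("2021-01-05", "operator-one@example.net")],
    "site-beta.example": [("2020-03-14", "operator-one@example.net"),
                          ("2022-02-01", "REDACTED FOR PRIVACY")],
    "unrelated.example": [("2018-01-01", "someone-else@example.org")],
}

def is_redacted(value):
    v = value.lower()
    return "redacted" in v or "privacy" in v

def unredacted_emails(domain, history=WHOIS_HISTORY):
    """Step 4: registrant emails from the domain's past records that are not redacted."""
    return sorted({email for _, email in history.get(domain, []) if not is_redacted(email)})

def current_email(snapshots):
    """Latest snapshot wins; ISO dates sort correctly as strings."""
    return max(snapshots)[1]

def reverse_whois_current(email, history=WHOIS_HISTORY):
    """Step 5: domains whose current (latest) record still carries the email."""
    return sorted(d for d, snaps in history.items() if current_email(snaps) == email)

def reverse_whois_historic(email, history=WHOIS_HISTORY):
    """Step 6: domains that carried the email in any past record."""
    return sorted(d for d, snaps in history.items() if any(e == email for _, e in snaps))

def pivot(seed, history=WHOIS_HISTORY):
    """Chain steps 3-6: seed IoC -> unredacted emails -> connected domains (seed excluded)."""
    result = {}
    for email in unredacted_emails(seed, history):
        result[email] = {
            "current": [d for d in reverse_whois_current(email, history) if d != seed],
            "historic": [d for d in reverse_whois_historic(email, history) if d != seed],
        }
    return result
```

A redacted current record (as for xpddg.com here) is why the historic list is usually the larger one.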
Via Reverse IP/DNS
Using the same Roaming Mantis IoC as a starting point, xpddg[.]com, you can:
1. Go to Reverse DNS Search. By default, you will land on the Obtain connected domains tab.
2. Type the IoC into the search field and click Search.
3. The tool will return a list of domains hosted on the same IP address as the IoC.
What if the IoC you have is an IP address? You can retrieve connected domains using another Roaming Mantis IoC, 142[.]0[.]136[.]50. From there:
1. Go to Reverse DNS Search and click Search by IP address.
2. Type the malicious IP address into the search field and click Search.
3. You will see a list of domains and subdomains resolving to the IP address.
Following similar steps, you can also use Reverse DNS Search to find domains connected to a given mail or name server.
3. How to Identify Live Counterfeiting Sites
The search for counterfeiting and phishing domains begins by uncovering the imitators’ playground for targeted brands, such as Prada. To do that, you can:
1. Open Domains and Subdomains Discovery and search for domains containing “prada” that were added since 1 March 2022.
The tool returned 963 domains.
2. You can then narrow down the results to live and active cybersquatting domains through trial and error. Click the arrow next to a cybersquatting domain and select Build WHOIS report. We did this for several domains until prada-italia[.]it was found to have a website screenshot preview and additional site information.
2.1. At the top of the WHOIS report, the screenshot for prada-italia[.]it indicates it is a live website that hosts content (at the time of this writing).
2.2. Scroll down and check the domain’s metadata to learn more. Here, you may notice that the domain has associated information from the website contacts and categories boxes.
3. How does this domain information compare with that for Prada’s official domain? To check, go to WHOIS Search and type prada[.]com into the search field. You can then:
3.1. Check the website screenshot.
3.2. Scroll down to see the website contacts and categories.
4. Compare the website screenshots, contact information, and categories of the cybersquatting and the official Prada domains. It’s interesting to note how similar these are, possibly indicating that the imitator did a good job at mimicking the business.
5. Following the steps specified in 1. How to Verify the Legitimacy of a Domain, you can compare the WHOIS records of prada-italia[.]it and prada[.]com and notice that their domain ages and registrant information differ—the latter being a much older domain with public WHOIS record information and the company name mentioned.
6. [BONUS Pro Tip]: In addition to the WHOIS details specified in 1. How to Verify the Legitimacy of a Domain, WHOIS records can reveal the cybersquatting domain’s backend infrastructure and registrar details in case you want to file a complaint. Here is what we found for prada-italia[.]it.
Your turn to have fun with the Domain Research Suite (DRS)! You can access the tools mentioned in this post here.