Recently we added the ScamAdviser feed to our DNS Abuse Monitoring system. Based on the input and experience from our customers, I thought it would be helpful to cover a few items.
ScamAdviser is a reputation-based feed and differs from the Google Safe Browsing feed. Once Google marks a domain name as malicious, it effectively becomes inaccessible, because most browsers will then warn internet users not to visit the website.
ScamAdviser will inform you if the reputation of the domain name is poor. Of course, a lousy score depends on many factors, and ScamAdviser uses plenty. But a poor score does not equal a malicious domain name; it indicates that a domain name might be malicious and warrants an investigation.
For the last few weeks, we have been analyzing the feed and came up with many dodgy websites engaged in all kinds of scams. The feed is tier-based, and in our first analysis, we used tiers 1-25. After completing that analysis, we decided to exclude the results from tiers 6-25 and started our second analysis on tiers 1-5, which are now included in our Realtime Register Abuse Monitoring System.
For ScamAdviser, we rank as follows.
- Critical = 1
- High = 2 – 5
- Medium = 5 – 15
- Low = 15 – 25
As mentioned earlier, for now, we excluded medium and low.
What did we find?
- Investment scams
- Crypto wallet drainers
- Romance scams
- Fake medical clinic
- SMM credential phishing
- Utility/service scams
- Firewood scams, due to wood shortage in Europe.
- Puppy/pet scams
- Travel scams
- Affiliate scams
- Pharmacy scams
Deep dive into Pulsedive.
To scan the domain names, we primarily used Pulsedive.com, Urlscan.io, and CyberGordon.com. For secondary intelligence, we used an in-house proof of concept, which we internally call Shadow Tracer, to get higher confidence in our investigations; I will explain it later. Let's jump to some results.
At first glance, it looks like we are dealing with a crypto exchange. However, a quick image search reveals more websites with the same layout but with different companies. When we look in the company register, the company is nowhere to be found. The website claims to have 11000 happy customers and has been operational for 769 days, but the domain name was registered a few days ago.
Dogs are cute!
Dogs and puppies are cute, and scammers from Cameroon know that all too well. A reverse image search quickly uncovered 80 other puppy scam websites. An examination of the dog photos rapidly revealed they are stock photos and in no way related to the dogs for sale.
All bets are off
Chinese betting websites are illegal in China, but I would classify this as benign. But if you are a hosting company operating from China, this info might be precious.
We turned this website upside down, but we could not discover any evidence that it was malicious or involved in a scam. The registrant info looks accurate and correct.
Winter is coming
This webshop looks innocent enough. However, winter is coming, and Europe is cut off from Russian gas. Heating houses is costly, and scammers set up fake webshops to sell non-existent firewood at discounted prices, which is already strange as there is a mass shortage of firewood.
The company did not exist; the registrant's Gmail address was created 6 hours before the domain name registration. While the street address was valid, it was a hotel. So far, the Dutch police have received 500 reports from people who got scammed.
The list goes on.
Now I could list a few dozen more examples, but the bottom line is cybercriminals are masters of deception, providing accurate data from leaked databases. They will use whatever lure is hot and trending. It requires deep dives and going down rabbit holes to ensure that a domain name is not used for malicious activities.
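A first-pass triage of the feed, as an added example that is not part of the original post or of the Realtime Register system: it maps ScamAdviser tiers to the severity bands listed above, drops medium and low as described, and flags the two registration-data inconsistencies the cases above illustrate (a site claiming to be older than its domain, and a registrant mailbox created hours before the registration). The post's bands overlap at tiers 5 and 15; this example assigns those boundary tiers to the higher band, matching the "tiers 1-5" / "tiers 6-25" split, and the feed entries and domains are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Severity bands from the post's tier list. Boundary tiers 5 and 15 go to
# the higher-severity band (assumption; matches the 1-5 / 6-25 split).
SEVERITY_BANDS = [(1, 1, "critical"), (2, 5, "high"), (6, 15, "medium"), (16, 25, "low")]
ALERT_SEVERITIES = {"critical", "high"}  # medium and low excluded for now


def severity_for_tier(tier: int) -> str:
    for low, high, label in SEVERITY_BANDS:
        if low <= tier <= high:
            return label
    raise ValueError(f"tier {tier} outside the 1-25 range")


@dataclass
class FeedEntry:  # hypothetical shape; the real feed record differs
    domain: str
    tier: int
    registered_at: datetime
    claimed_days_operational: Optional[int] = None   # e.g. "operational for 769 days"
    registrant_email_created_at: Optional[datetime] = None


def red_flags(e: FeedEntry, now: datetime) -> List[str]:
    """Cheap registration-data sanity checks before a manual deep dive."""
    flags = []
    age_days = (now - e.registered_at).days
    if e.claimed_days_operational is not None and e.claimed_days_operational > age_days:
        flags.append(f"claims {e.claimed_days_operational} days operational, domain is {age_days} days old")
    if e.registrant_email_created_at is not None:
        lead = e.registered_at - e.registrant_email_created_at
        if timedelta(0) <= lead < timedelta(days=1):
            flags.append(f"registrant mailbox created {lead} before domain registration")
    return flags


def triage(entries: List[FeedEntry], now: datetime) -> List[Tuple[str, str, List[str]]]:
    """Return (domain, severity, flags) for alerting bands only, most severe first."""
    out = []
    for e in sorted(entries, key=lambda x: x.tier):
        sev = severity_for_tier(e.tier)
        if sev in ALERT_SEVERITIES:
            out.append((e.domain, sev, red_flags(e, now)))
    return out


NOW = datetime(2022, 10, 15)
SAMPLE_FEED = [  # constructed sample entries
    FeedEntry("crypto-exchange.example", 1, datetime(2022, 10, 12), claimed_days_operational=769),
    FeedEntry("firewood-shop.example", 3, datetime(2022, 10, 10, 14), registrant_email_created_at=datetime(2022, 10, 10, 8)),
    FeedEntry("betting-site.example", 9, datetime(2021, 1, 1)),
    FeedEntry("old-shop.example", 20, datetime(2015, 5, 5)),
]
```

Running `triage(SAMPLE_FEED, NOW)` keeps only the two tier 1-5 entries, each with one red flag attached.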
Investment scams have a high impact on the victims; we received emails and calls from desperate people who lost over 250,000 USD. Sure, some notifications will turn out to be dead ends and yield no result. But such situations are an opportunity! You can inform your customer that the domain name scores poorly on ScamAdviser. Here is your opportunity to upsell products like SiteLock, EV SSL certificates, etc.
We still have to come up with an actual product name for this project. I created a proof of concept a few months ago; although it was manually operated, it gave us such leverage against malicious domain names that we were able to nuke 2,000 domain names in 6 weeks. Under normal circumstances, we would not have been in a position to suspend these domain names so quickly. In most cases, we could suspend the domain name before it appeared on a block list.
Our development team is currently coding the idea so we can deploy Shadow Tracer on our platform and use it in an automated fashion. Still, there is a considerable gap from manual operation to a platform-wide automatic solution. But if it works, we can prevent malicious domain name registrations from going live. I suspect Shadow Tracer can detect around 80-90% of all malicious domain registrations.
If you are one of our customers and struggle with investigations, feel free to reach out to us, and if required, we can set up a demo on how to investigate DNS Abuse and share some tips and tricks.
If you work for a registry or registrar and wonder if a ScamAdviser license could help you to combat DNS Abuse, feel free to reach out to me to share experiences and make sure you get to contact the right people at Scamadviser.com.