
The Security box, podcast 31: More Domain discussion, news, notes and more

Hello folks, welcome to the show notes of the Security Box. Yes, it’s been a couple of days; however, it’s better late than never, I’d say. Other stuff got delayed too, like the playlists for my independent shows, so it isn’t too bad.

The RSS feed has had the program up since the podcast was done, and now it’s time to provide the link to the podcast as well as the extensive show notes.

You’ll notice that we only have two tracks now, and the lunchtime set I play when I don’t have anything else was not broadcast. This makes the podcast less than two hours instead of the two and a half hours the internet radio program took. I hope this makes the podcast better to listen to.

Don’t want to mess with RSS? Here is the 162.57 MB file for you to download. Thanks so much for listening!

Welcome to the Security Box, podcast 31. On this podcast, we’re going to continue the discussion of domains with several different things that we couldn’t get to last week. Also, we’ll have news, notes, questions, comments and more. I hope you enjoy the program as much as we have enjoyed putting it together for you.

Domain discussion:

Part of running a domain today is security certificates. These certs are called SSL certificates, although the protocol is now known as TLS. Keep in mind that the terms SSL and TLS are used pretty much interchangeably.

When I first started reading PhishLabs, they were indicating that phishing sites were not much into security, as the ultimate goal was to get their wares out, not necessarily to be secure. That’s when we learned through newsletters that looking for the padlock or https was the sign we’re secure. This is not the case anymore, because several years ago a company called Let’s Encrypt came up with an automated way of issuing the domain-validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites, according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

The Let’s Encrypt web site says:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

According to the article, 80 percent of phishing sites now have some form of SSL certificate installed, up from the 74 percent I last saw. We’ve been covering this trend on the tech podcast; I remember when it was in the 50 percent range. This is higher than most general websites, says the article, which cites a survey from Q-source putting SSL use at 66.8 percent of web sites.

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation,” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

According to the article, registrars are partly to blame for the increase in phishing, as they take limited action. Phishing has gone up sharply since March of 2020, and my article about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs, and also called the provider I use. I called them up after doing some lookups and mainly inquired as to whether they could help. As of Friday, February 6th, 2021, the domain emailhostsecurity.com is now suspended, although I don’t know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security Box or the main tech podcast.

The article says:

An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

Under the Business Email Compromise section of the article it says:

The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

In one year alone, criminals have been identified across 50 countries, with 64 million dollars of potential stolen funds involved.

For the full details of the report and any links, read APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS, and let’s discuss.

Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of the at least 50,000 threats that PhishLabs has observed.

The most common use of a look-alike domain is to set up a website with monetized links. This approach is not necessarily malicious, yet it accomplishes multiple objectives.

The article goes on to say:

The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

I believe that is why my incident was handled, as when I looked it up, it was only 4 days old!
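A defender-side triage of the two signals the article describes above (a label that imitates a brand, and a very young domain), as an added example that is not from the article or the podcast; the brand list, confusable map, 30-day age threshold and sample domains are constructed assumptions for illustration:

```python
from datetime import date
from typing import Optional

# Hypothetical brands to protect (constructed for this example).
BRANDS = ["paypal", "microsoft", "example"]

# Heuristic folding of characters that visually mimic other letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(text: str) -> str:
    """Fold confusable characters and drop hyphens before comparing."""
    s = text.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the brand a domain imitates, or None for the genuine domain."""
    parts = domain.lower().split(".")
    registrable = parts[-2] if len(parts) >= 2 else parts[0]  # assumes a one-label TLD
    folded = normalize(registrable)
    for brand in BRANDS:
        if registrable == brand:
            continue                      # the brand's own registrable label
        if folded == brand:
            return brand                  # homoglyph swap, e.g. paypa1 -> paypal
        if len(brand) >= 5 and levenshtein(folded, brand) == 1:
            return brand                  # single typo, e.g. micosoft
        if brand in normalize(domain.replace(".", "")):
            return brand                  # brand used as a subdomain or with filler
    return None


def is_recent(registered: date, today: date, max_age_days: int = 30) -> bool:
    """Domain-age heuristic: a freshly registered domain is a red flag."""
    return (today - registered).days <= max_age_days


def triage(domain: str, registered: date, today: date) -> list:
    """Collect the reasons a domain deserves a closer look."""
    reasons = []
    brand = lookalike_of(domain)
    if brand:
        reasons.append(f"look-alike of {brand}")
    if is_recent(registered, today):
        reasons.append("registered recently")
    return reasons
```

Real deployments would feed `registered` from WHOIS or RDAP data and the candidate list from certificate transparency or newly-registered-domain feeds; here the dates are supplied directly so the block runs offline.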

There is much, much more in this article that we could spend a long time quoting and discussing. I now invite you to read The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.

We aren’t going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps, if you wish to take a look at it. It’s a long process, and I think it needs more work.

News, Notes and more

  • There are a couple of items I heard about in the February 3rd episode of the Cyberwire. SolarWinds has had more problems with their software, which they have fixed, but the most important thing in this episode is that the initial breach of 2020 could actually have started as early as December 2019, when SolarWinds reportedly had one of their Microsoft 365 accounts compromised. We’re continuing to hear more, and you can search this out if you wish to learn more.
  • Facebook has changed their mind about collecting metadata for now, according to the same episode of The Cyberwire. I’m not sure I fully buy that, but if they’re going to use metadata, let them have at it, I say. Besides that, it looks like Facebook is going ape because Apple will be putting a feature into iOS that will let users tell apps whether they may identify them by their tracking ID. Mr. Zuckerberg says that it is Apple dominating the ecosystem, and if I could read between the lines during the interview in that episode, he’s not too happy, as it hurts their bottom line. The person interviewed indicated that it is about time, and that it has been in the works for a while, even though Facebook and others may say that it was sparked by the events of January 6, 2021.
  • Security Now, podcast 804, has a ton of stuff that might be of interest to listen to. The very first segment talks about security certificate authorities and the latest one, Camerfirma, being knocked off the list by Google Chrome starting with release 90, which will be released in April 2021. According to Security Now, there are multiple issues which the company said they’d fix between 2017 and 2020, yet they were never fixed. Please listen to Security Now episode 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantec, the makers of Norton, signed certs and failed at times. It’s OK to make a mistake, but being a security certificate signer is a privilege, not a right.
  • A company I’m not familiar with called Nox, which makes some sort of player, may have been compromised, with updates that were malicious in nature making it out to only a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player had better do their due diligence and make sure their device from this company is not infected.
  • SANS NewsBites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: “IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.”” Let’s see what happens! SANS NewsBites links to multiple articles; see the link to the newsletter on the blog.
  • According to The Cyberwire Daily, Feb 4, 2021: Zoombombing is being done by high school and college students who are bored and want to “piss off the teacher.” It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.

Article information

The Security box, podcast 31: More Domain discussion, news, notes and more was released on February 12, 2021 at 3:00 pm by tech in podcast announcements.
Last modified: February 12, 2021.
