Home / Blogs

Domain Related Crime: The 4 Steps of Effective Investigations

Jonathan Zhang

There is no rest for the wicked. If you think that 2018 was the climax of cybercrime, wait until you see what happens in the next few years as cybercriminals are constantly learning new ways to strike.

Take for instance domain-related attacks now coming in a variety of forms. There's domain hijacking which involves gaining of access to domains and making changes without owners' permission. You have typosquatting where phishing is often utilized to steal valuable information. Then there's domain slamming which involves impersonation and can result in registrants incurring hefty fines.

To prepare yourself for the onslaught, here are four steps to successfully investigate domain name crime.

1. Identify the Attacker

Identifying entities behind an attack is the first step to take in the investigation process. One way of doing this is by looking into the domain data left behind by the suspect. For instance, if a certain website can be linked to the said attack, a WHOIS database download service can reveal valuable information about the entities behind the domain. Details such as IP address, owner's contacts, and more can be obtained here and help create criminals' profile.

Interestingly, even the fake contacts can help identify perpetrators, as these often use the same details to set up multiple domains. Therefore, close examination of WHOIS records of known malicious domains can help connect the dots and can be used as a starting point to track them down.

2. Gather Evidence

Once you have spotted the offending domain, the next thing to do is to collect evidence of malicious acts. Investigators can take screenshots of suspicious portions of the website, retrieve and save links that lead to strange URLs or bogus login pages. All these can be later used as proof when presented to the proper authorities.

For instance, software that can provide a screenshot history of the domain can assist in showcasing data that has been gathered over time. Plaintiffs can present these records to authorities to prove the length of time a fraudulent action has been taking place.

3. Discover Connections

During the investigation, specialists might end up with an amount of information that can overwhelm even the most meticulous of veterans. But piecing all of these together is crucial in order to find connections to the suspect domain. Furthermore, this can help you see the bigger picture and uncover more details of the offender's identity.

There are platforms and services such as Connected Domains API that can be used to associate domains and IP addresses to the culprit, possibly even unveiling a potential network of cybercriminals in action.

4. Oversee Network Security

After the attacker has been identified, evidence of their deeds collected, and their accomplices revealed, it's time to reorganize networks' cybersecurity. One way of doing this is by disseminating all findings to the organization and making changes to the current procedures.

This stage lets you know where your flaws are while allowing you to patch up gaps in defense protocols. This can be employed with a threat intelligence platform, for instance, to reveal vulnerabilities. It's also important that all activities are monitored closely since threat actors would most likely return after the attack. Taking advantage of a security log that analyzes SIEM data can be useful in alerting teams for signs which can be connected to the past incident.

Malicious activities involving domains are no laughing matter, especially when numerous companies have already fallen victim to these attacks. This is why organizations will have to learn how to effectively probe threats before they can cause serious problems. By following the steps outlined in the post, readers can obtain guidance on how to efficiently perform investigations regarding domain name crime.

By Jonathan Zhang, Founder and CEO of Threat Intelligence Platform
Follow CircleID on
Related topics: Cybercrime, Domain Names, Whois
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

IP Addressing

Sponsored byAvenue4 LLC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias