The Need for Email Address Verification in Light of Subpoena-Themed Phishing Attacks

By WhoisXML API

At the most basic level, the Internet consists of interconnected networks that communicate using standard protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS). As such, it is built on trust or an honor system — trust that routing requests received from another network are valid, and the traffic sent in response to requests is legitimate.

Far from this system of trust that the Internet runs on is the reality that end-users face, however. Too many threat actors lurk behind requests and traffic, all of whom are looking for weaknesses that they can use as points of entry into target networks.

Phishing, for instance, works by abusing the trust that users place in reputable organizations. Threat actors pretend to be employees or officials of these organizations and lead users to fake websites, with the goal of infecting their computers with malware or extorting money.

Phishing cases highlight the need for email verification, which can be accomplished by using tools such as Email Verification API and Reverse MX API.

Anyone Can Pretend to Be Part of the Government

Government agencies, surprisingly, are not safe from impersonation. Even the .gov top-level domain (TLD) reserved for government agencies can easily be abused, as Brian Krebs revealed. Krebs's informant claimed to have successfully registered exeterri[.]gov by falsifying the documents required by the U.S. General Services Administration — the agency that oversees the registration process for all .gov domains. The goal was to impersonate a Rhode Island town's website, which uses the .us TLD.

While the informant claimed he didn't abuse the said domain and only went through the registration process as an experiment, his success tells us that any cyber attacker could quickly obtain a .gov domain and use it in phishing attacks.

Our Investigative Tools: Email Verification API, Reverse MX API, and Others

Pretending to be part of the government is not a new attack method. In 2015, a Twitter user posted a screenshot of a fake subpoena from a U.S. District Court.

Notice that the sender's email address is subpoena@www1[.]united-usa[.]org. To learn more about the address, we ran it through Email Verification API and found that the domain's mail exchanger (MX) record points to phishguru[.]com.

We then ran the MX record on the Reverse MX API to determine all of the domains that used the same mail server and found 20 of them.
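The two lookups above (sender address to MX host, then MX host back to every domain using it) can be reproduced locally over a set of DNS answers. The following is an added example, not code from WhoisXML API or its products: it stands in for the two API calls with a constructed table of MX records. Only the united-usa.org to phishguru.com relationship comes from the article; the mail host names and the `.test` domains are made-up placeholders, and the parent-label walk-up in `lookup_mx` is an assumption about how mail for a subdomain is usually delivered.

```python
"""Added example (not WhoisXML API's code): resolve a sender address to its
mail exchanger and build a reverse MX index so you can see which other
domains share that mail server, as the investigation in the article does."""
from collections import defaultdict

# Constructed sample MX data standing in for DNS answers. Only the
# united-usa.org -> phishguru.com relationship comes from the article;
# every other record here is a made-up placeholder.
SAMPLE_MX_RECORDS = {
    "www1.united-usa.org": ["mail.phishguru.com"],
    "united-usa.org": ["mail.phishguru.com"],
    "example-training-a.test": ["mail.phishguru.com"],
    "example-training-b.test": ["mx2.phishguru.com"],
    "unrelated.test": ["mx.unrelated.test"],
}


def sender_domain(address):
    """Return the lowercased domain part of an email address, or None if malformed."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.partition("@")
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain or " " in domain:
        return None
    return domain


def lookup_mx(domain, records):
    """Return (matched_name, mx_hosts) for a domain.

    Assumption: if the exact name has no MX record, walk up to parent labels
    (www1.united-usa.org -> united-usa.org), because mail for a subdomain is
    commonly handled by the parent's MX set. The bare TLD is never tried.
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return candidate, list(records[candidate])
    return None, []


def mx_organization(mx_host):
    """Reduce a mail host to its last two labels (mail.phishguru.com -> phishguru.com).
    Simplification: public-suffix handling (e.g. co.uk) is out of scope here."""
    parts = mx_host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def build_reverse_mx(records):
    """Map mail-exchanger organization -> sorted list of domains using it."""
    index = defaultdict(set)
    for domain, hosts in records.items():
        for host in hosts:
            index[mx_organization(host)].add(domain)
    return {org: sorted(domains) for org, domains in index.items()}


def investigate(address, records=SAMPLE_MX_RECORDS):
    """Tie the two lookups together for one sender address.

    Returns the MX organization behind the sender's domain and every other
    domain in the record set that relies on the same mail provider.
    """
    domain = sender_domain(address)
    if domain is None:
        return {"error": "malformed address"}
    matched, hosts = lookup_mx(domain, records)
    if not hosts:
        return {"domain": domain, "matched": None, "mx_org": None, "shared_with": []}
    org = mx_organization(hosts[0])
    shared = [d for d in build_reverse_mx(records)[org] if d != matched]
    return {"domain": domain, "matched": matched, "mx_org": org, "shared_with": shared}


if __name__ == "__main__":
    print(investigate("subpoena@www1.united-usa.org"))
```

In practice the `SAMPLE_MX_RECORDS` table would be replaced by live MX answers from a resolver, and a shared mail provider is a lead rather than a verdict: many unrelated organizations legitimately share one mail service, so the reverse MX result is what you then take to WHOIS and WHOIS history, as the article goes on to do.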

The domain united-usa[.]org is among the results returned, along with others spanning different fields such as:

While we did not dig further into the connected domains, any of them could be easily used for phishing campaigns.

The underlying question, though, is who is behind phishguru[.]com. Are they threat actors? To find out more, we ran the domain on WHOIS Search but found that its registrant details have been redacted, so we could only see that its registrar is Instra Corporation.

We then used WHOIS History Search to see the domain's registrant details before the redaction. We found that its registrant from 2012 to 2018 was a company called Wombat Security Technologies.

The company develops security training software for end-users, and PhishGuru is one of its products. PhishGuru, according to a quick web search, trains employees to spot phishing attacks using mock attempts. The suspicious-looking domains may thus be part of their training resources.

* * *

Not all phishing emails are part of simulation training, however. The vast majority are part of actual attacks. Around 1.5 million new phishing domains are created every month, in fact, so you can never know whether a domain should be trusted unless you thoroughly check its background.

Investigations into potential phishing attacks are made possible with the help of domain verification and research tools such as Email Verification API, Reverse MX API, WHOIS Search, and WHOIS History Search.
