One of the most intense natural disasters in American history occurred last week. Hurricane Harvey challenged the state of Texas, while Florida braced for Irma. As with all natural disasters in this country Americans are known to bond during times of crisis and help each other during times of need. Personally, I witnessed these behaviors during the 1989 quake in San Francisco.

You may wish to donate or get involved with hurricane Harvey relief to help the afflicted. That’s great, but as we all know, we should be wary of who we connect with online. Scammers are using Hurricane Harvey and Irma relief efforts as con games and, even more despicably, as phishbait. The FTC warned last week that there are many active relief scams in progress and noted that there always seems to be a spike in registration of bogus domains.

If you doubt a charity you are not familiar with, you are wise to think before you give. We recommend you do some common sense vetting and donate through a charities you can verify. Even better, check out the Wise Giving Alliance from the Better Business Bureau, a tool to verify legitimate charities.

In this article, we focus on a group of shameless miscreants that are profiting from the misfortune of others during times of crisis and natural disasters. We illuminate the intensity of malicious domains which were created in the days before and after disasters like Hurricane Harvey and Irma. Finally, we address what we can learn during these difficult times.

The intensity of malicious domains creation during and several days after Hurricane Harvey is appalling. On August 30th alone, several hundred domains were created with the term “harvey” in them. While not all of the registrants had malicious intent, I’m betting at least a small percentage of them did. Their goal was to extort money, data, or both from innocent victims who happened to be in harm’s way, as well as from good Samaritans whose compassion for the victims made them vulnerable.

On searches of “Harvey” and “Irma” related domains, between August 28th and September 8th, thousands of such domains were created. That does not even take into account homoglyphs which will be further outlined in this article. The domain names fall into four broad categories:

• Legal / Insurance such as Attorney, Lawyer, Claims.
• Rebuilding such as Roofing, Construction.
• Storm tracking such as WILLHURRICANEIRMAHIT.US
• New or fraudulent charities using terms such as Relief, Project, Victims, Help.

The legal / insurance terms are registered a year or more in advance for every hurricane name listed. You can see a full list of future hurricane names here, listed by the National Hurricane Center. By pivoting on the name servers or registrant data, we can see the same actors register all those domains far ahead of time.

This infographic shows words that appear in domains registered in Aug and Sept so far that related to hurricane, harvey or irma.

When crises strike, one needs the best tools plus a well-trained team that knows how to maximize your use of this exceptional data. Utilizing DNS techniques that can help your company avoid onboarding fraudulent fundraisers and profiteering opportunists is vital to protecting your company reputation and the reputation of your outbound IP address ranges.

Here’s a deep dive tip that few companies have discovered, but all can apply: As one part of the recursive “domain name resolution” process, the TLD registry zone file connects each domain name to authoritative name server hosts, and each authoritative name server host to an IP address. Starting with one known malicious domain name—or one of your customer domains you are vetting—you can find other domains the same actor is using, hosting on the same IPs, or registered in the past. Even the TLD registry zone glue records provides clues and the ability to cluster malicious or legit domains registered by the same company. ZoneCruncher and other tools make this technique easy to implement for any size Compliance or Investigations unit.

Using the right tools, your trained staff can spot multiple malicious hosts using the same IP or CIDR block. The lesson here is that ESPs and other organizations with a large number of customer tenants should be on high alert to the risks of onboarding clients prior to, during, and right after natural disasters.

Zetalytics Global Passive DNS has visibility on all active registered domain names in the world. For anyone wanting to glance into the recently registered “hurricane” related domain names, a list is provided free here.

Here are a few domains on our radar, that you might find interesting for Irma:

The enhanced view of global DNS activity gives NOC, SOC and intel teams the ability to proactively tweak algorithms to flag terms related to the disaster.

Malicious Look-a-Like Domains Target Florida During Irma:

I heard concerning news from the Veteran Powered Cyber Notifiers project today. They are seeing a rash of new “look-a-like” domains seeking to take advantage of the Floridians attention to the impending hurricane.

Real websites for first responders, insurance companies, construction, medical and other vital organizations in the Florida and Texas areas—are being targeted by these malicious spoofed domain registrations.

Conclusions and Resources:

By reviewing DNS data over years of historical data, we see the patterns of actors—good and bad—who register domains to take advantage of disasters. Tools like ZoneCruncher enable us to pivot on email addresses in whois records, find clusters of related domains sharing a name server, and discover the history of types of domains hosted on each IP address used by scammers and good guys.

Using a hostname age checker, we were able to quickly sort and separate the new—probably fraudulent charity appeals—from old possibly legit domains that simply contain words related to disasters and storm names. Sharing this knowledge and data with the community means multiplying the positive effects of what we can do together, including the Veteran Powered Cyber Notify project that identifies trends in malicious domain registrations. Here again is that link to the list of domains, should you be curious or in a position to take some positive action.

Side note: We’re having a lively discussion on our private “slack channel” about this and other hot topics including the Equifax breach. Email me if you want an invite to listen in or participate [email protected].