
Attack Surface Discovery: A Review of FINRA-lookalike Domain and Linked IoCs

NPOs and NGOs are no strangers to cyber attacks targeting their members. A few recent phishing campaigns and their targets include:

Mercy Corps and the International Federation of Red Cross and Red Crescent Societies in 2020: Along with various aid groups, these organizations saw rising cyber attack volumes that capitalized on the COVID-19 pandemic.

Political organizations and NGOs in South and East Asia from 2014 to 2020: Targeted by the attack group Bronze President, which used a combination of specially crafted and publicly available tools to monitor the target organizations' activities in order to discredit them or steal their intellectual property.

United Nations Children's Fund (UNICEF) in October 2019: The attackers used fake domains such as session-services[.]com and service-ssl-check[.]com.

More recently, phishers used a Financial Industry Regulatory Authority (FINRA) look-alike domain in an attempt to breach the networks of several FINRA members. FINRA oversees some 624,000 brokers in the U.S., so a successful phishing run against its membership could yield a hefty sum.

How FINRA Members Can Avoid Getting Phished

Publicly available information on the phishing scam identified the domain invest-finra[.]org as an indicator of compromise (IoC). Using a range of WHOIS, Domain Name System (DNS), and IP intelligence tools, we listed telltale signs of typosquatting domain use (even where the domain's WHOIS record has been redacted) that FINRA members can watch for to avoid getting phished.

WHOIS Lookup: Used to spot differences that could point to malicious activity by comparing the WHOIS record of the official FINRA domain (finra[.]org) with that of the phishing domain (see Table 1).

Table 1: Differences between Official and Look-Alike FINRA Domains
WHOIS record detail | Legitimate FINRA domain (finra[.]org) | Phishing domain (invest-finra[.]org) | Sign of potential malicious activity?
Domain age | ~13.5 years | 36 days (at the time of writing) | More than 70% of newly registered domains (NRDs) are malicious, suspicious, or not fit for work.
Registrar | GoDaddy.com, LLC | Gandi SAS | Organizations typically use the same registrar for all their domains.
Registrant contact information | Publicly available; the country is the U.S. | Redacted; the country is France | FINRA only supports brokers in the U.S. and operates under U.S. government oversight. Why would it use France as its registrant country or a French WHOIS redaction service?

Reverse WHOIS Search: Used to find domains that contain the string "finra." Some of these may not be publicly attributable to the organization; such domains warrant further scrutiny, since look-alikes that are not under FINRA's control and have not yet been reported may figure in other attacks.

A search for all domain names containing the string "finra" yielded 439 domains. Of these, 365 are possibly owned and maintained by the organization, since they share the legitimate FINRA domain's registrant organization name and country. Around 16%, or 71 domain names, do not share those data points and could not be publicly attributed to FINRA. Among these non-attributable domain names, finra-apple[.]com was flagged as malicious.

DNS Lookup API: Used to determine the IP addresses the fake FINRA domain resolves to. The domain resolved to 217[.]70[.]184[.]38, which VirusTotal flags as malicious.

Reverse IP/DNS Lookup: Used to identify other domain names that resolve to the same IP address as invest-finra[.]org. We uncovered several hundred domain names, some of which VirusTotal rates "suspicious" (e.g., 0011100[.]xyz and 001952[.]xyz) and others "malicious" (e.g., 020408[.]xyz and 0a0074066c49886a39b5a3072582f5d6[.]net). Note that an address shared by hundreds of domains is often shared hosting or registrar infrastructure, so co-residence alone does not make a domain malicious; treat co-hosted domains as leads to verify rather than as confirmed IoCs.
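To make the four pivots above (WHOIS comparison, reverse WHOIS attribution, forward DNS, and reverse IP) concrete, here is an added Python example. It is not part of the original article and is not WhoisXML API's own tooling; it runs entirely offline on constructed sample records embedded in the code. The registration dates, registrant organization strings, the finra-placeholder[.]org domain, the 192.0.2.10 address, and the thresholds NRD_THRESHOLD_DAYS and SHARED_IP_THRESHOLD are all assumptions made for the example. The VERDICTS table mirrors the ratings the article reports from VirusTotal, but is hard-coded here rather than fetched. It goes slightly beyond the article by adding a guard that refuses to blocklist an IP that fronts a large number of domains, since such an address is probably shared infrastructure.

```python
"""Offline walk-through of the WHOIS, reverse WHOIS, DNS and reverse IP
pivots.  Every record below is constructed sample data for this example;
nothing is looked up live and the dates and organisation names are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumption: a domain this young counts as newly registered (NRD).
NRD_THRESHOLD_DAYS = 90
# Assumption: an IP fronting more domains than this is probably shared
# hosting or registrar infrastructure and should not be blocked outright.
SHARED_IP_THRESHOLD = 50


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    created: date                      # registration date
    registrar: str
    registrant_org: Optional[str]      # None when the record is redacted
    registrant_country: Optional[str]  # ISO 3166 code, None when redacted


def whois_red_flags(legit: WhoisRecord, candidate: WhoisRecord, today: date) -> List[str]:
    """WHOIS pivot: compare a candidate with the organisation's known-good
    domain, as Table 1 does, and return the signs that stand out."""
    flags: List[str] = []
    age = (today - candidate.created).days
    if age <= NRD_THRESHOLD_DAYS:
        flags.append(f"newly registered ({age} days old)")
    if candidate.registrar != legit.registrar:
        flags.append(f"registrar differs: {candidate.registrar} vs {legit.registrar}")
    if candidate.registrant_org is None:
        flags.append("registrant contact redacted")
    elif candidate.registrant_org != legit.registrant_org:
        flags.append("registrant organisation differs")
    if candidate.registrant_country != legit.registrant_country:
        flags.append(f"registrant country differs: {candidate.registrant_country} vs {legit.registrant_country}")
    return flags


def attribute_domains(hits: List[WhoisRecord], legit: WhoisRecord) -> Tuple[List[str], List[str]]:
    """Reverse WHOIS pivot: split hits into domains that share the legitimate
    registrant organisation and country (probably the org's own) and domains
    that cannot be publicly attributed and therefore need scrutiny."""
    attributable: List[str] = []
    unattributed: List[str] = []
    for rec in hits:
        same_owner = (rec.registrant_org == legit.registrant_org
                      and rec.registrant_country == legit.registrant_country)
        (attributable if same_owner else unattributed).append(rec.domain)
    return attributable, unattributed


def cohosted_domains(resolutions: Dict[str, str], ioc_domain: str) -> List[str]:
    """Reverse IP pivot: other domains resolving to the same address as the
    known-bad domain (forward DNS is the dictionary lookup itself)."""
    ip = resolutions[ioc_domain]
    return sorted(d for d, addr in resolutions.items() if addr == ip and d != ioc_domain)


def ip_safe_to_block(resolutions: Dict[str, str], ip: str) -> bool:
    """Guard against blocklisting shared infrastructure: an address fronting
    many domains would also cut off unrelated, legitimate sites."""
    hosted = sum(1 for addr in resolutions.values() if addr == ip)
    return hosted <= SHARED_IP_THRESHOLD


def triage(legit: WhoisRecord, suspect: WhoisRecord, hits: List[WhoisRecord],
           resolutions: Dict[str, str], verdicts: Dict[str, str], today: date) -> Dict[str, List[str]]:
    """Combine the pivots: the seed IoC and anything rated malicious go on
    the block list; unattributed or merely co-hosted names go to review."""
    block = {suspect.domain}
    review: set = set()
    _, unattributed = attribute_domains(hits, legit)
    for d in unattributed + cohosted_domains(resolutions, suspect.domain):
        if d != suspect.domain:
            (block if verdicts.get(d) == "malicious" else review).add(d)
    ip = resolutions[suspect.domain]
    if verdicts.get(ip) == "malicious" and ip_safe_to_block(resolutions, ip):
        block.add(ip)
    else:
        review.add(ip)
    return {"block": sorted(block), "review": sorted(review)}


# --- constructed sample data (dates and org names are assumptions) ---
TODAY = date(2020, 7, 1)
LEGIT = WhoisRecord("finra.org", date(2006, 12, 1), "GoDaddy.com, LLC",
                    "Financial Industry Regulatory Authority", "US")
SUSPECT = WhoisRecord("invest-finra.org", date(2020, 5, 26), "Gandi SAS", None, "FR")
REVERSE_WHOIS = [  # constructed hits for the string "finra"
    LEGIT,
    WhoisRecord("finra-placeholder.org", date(2015, 3, 3), "GoDaddy.com, LLC",
                "Financial Industry Regulatory Authority", "US"),
    WhoisRecord("finra-apple.com", date(2020, 2, 14), "Example Registrar", None, None),
    SUSPECT,
]
RESOLUTIONS = {  # constructed forward DNS table; 192.0.2.10 is a documentation address
    "finra.org": "192.0.2.10",
    "invest-finra.org": "217.70.184.38",
    "0011100.xyz": "217.70.184.38",
    "001952.xyz": "217.70.184.38",
    "020408.xyz": "217.70.184.38",
    "0a0074066c49886a39b5a3072582f5d6.net": "217.70.184.38",
}
VERDICTS = {  # hard-coded stand-in for the VirusTotal ratings the article cites
    "finra-apple.com": "malicious", "217.70.184.38": "malicious",
    "0011100.xyz": "suspicious", "001952.xyz": "suspicious",
    "020408.xyz": "malicious", "0a0074066c49886a39b5a3072582f5d6.net": "malicious",
}

if __name__ == "__main__":
    for flag in whois_red_flags(LEGIT, SUSPECT, TODAY):
        print("WHOIS red flag:", flag)
    print(triage(LEGIT, SUSPECT, REVERSE_WHOIS, RESOLUTIONS, VERDICTS, TODAY))
```

Running the script prints the four Table 1 red flags for invest-finra.org and a split result: the seed domain, finra-apple.com, the two "malicious" co-hosted domains and the IP go on the block list, while the two "suspicious" co-hosted domains are held for review. With a resolution table the size the article describes (300 or more domains on the one address), ip_safe_to_block returns False and the IP is pushed to review instead of the block list.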

The Attack Surface Discovery Lowdown

By combining various WHOIS, DNS, and IP intelligence sources, we were able to carry out an attack surface discovery analysis and obtain more IoCs beyond the one that had been publicly reported. These include:

  • 71 domain names that could not be attributed to FINRA, one of which has been flagged as malicious
  • An IP address that was also rated "malicious"
  • At least 300 domains that resolved to the same IP address as invest-finra[.]org, some rated "suspicious" and others "malicious"

Companies that liaise with FINRA could better protect their systems and networks from phishing and more damaging follow-on attacks by adding IoCs like the following to their blocklists (after confirming that the IP address is not shared hosting that also serves legitimate sites):

  • finra-apple[.]com
  • 217[.]70[.]184[.]38
  • 0011100[.]xyz
  • 001952[.]xyz
  • 020408[.]xyz
  • 0a0074066c49886a39b5a3072582f5d6[.]net

As this short study shows, consulting as many threat intelligence sources as are available helps organizations keep their networks more secure by identifying as much of their potential attack surface as possible.

By WhoisXML API. Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research and monitoring, Whois, DNS, IP, and threat intelligence APIs, data, and tools to a variety of industries.
