Fool me once, shame on not using DNS protection

"Fool me once, shame on you; fool me twice, shame on me" is an old adage that doesn't quite work in the age of security threats as the attacker really only needs to fool you once to win. How can you mitigate this tried and true deception technique? 

I recently sat on a panel discussing deception techniques attackers use to get to you or your organization. I always feel like we are all one click away from being compromised, hence the name of the blog. Being fooled (via deception) is not only one of the most used tactics, but we are about to see an entirely different level of play as adversaries increasingly use generative AI. We will have to deal with the ‘likeness’ of a person and new versions of deception where all of our human senses are called into question. But before we scare ourselves and go fetal in the corner, let's at the very least talk about what we can do when faced with being ‘one click away’ from compromise. 

We as humans are built to make quick, sometimes compromising decisions when emotions are high or the situation demands immediate action. Attackers know this, and the only reason they keep using deception is that it remains effective for them.

At DNSFilter, we have a global view of what these attackers are doing to fool you into interacting with their malicious website or clicking the link that is part of their multistep process to your compromise. Here is what I’ll examine in this blog:

  • US Politics
  • Crowdstrike/Microsoft IT outage
  • Fake charities, capitalizing on good intentions

Let’s look at these one by one to see how attackers try to fool you.

With an effective protective DNS solution like DNSFilter, the likelihood of you being fooled ‘once’ is very low as we monitor over 100 billion DNS requests per day (that’s nearly 2 million queries every second). We are doing our part to make the Internet a safer place for us to work, live, and play.

Emotionally Charged US Political Issues

Hot topics like Biden’s withdrawal as the 2024 Democratic candidate and the assassination attempt on Trump are both things that make one want to click a link and possibly download or ‘sign up’ for something. Doing so can result in disclosing sensitive information, which is exactly what hackers want. These events have driven an increase in ‘newly created domains.’

A new domain at DNSFilter is a domain name that is less than 30 days old; our “very new domains” category covers domains registered in the last 24 hours.

Blocked Requests to Political Threat Domains

These domains include all malicious traffic (botnet, cryptomining, phishing & deception, malware, new domains) to domains that include "Trump" and "Biden" in the domain name.

Just over the weekend, as Biden made the decision to withdraw his candidacy for president, DNSFilter blocked over 6,000 domains that were a mix of phishing & deception and new domains. The majority of them went to a single domain that has been active since at least 2022 but is currently parked. Some of the domains spotted dealt with asking the question “is Biden still running?”


Example of a recent domain asking Biden to step down. Opinions expressed in this image are those of the website owner, and not of DNSFilter.

As you can see, in this example there is an option to “take action.” These types of call-to-action buttons are incredibly risky. A visitor could sign up, handing their email address directly to a hacker, who could then use it in a myriad of phishing attacks. The links could also lead to places to “donate” to the campaign that are in fact direct donations to threat actors.

Other common schemes that occur within the political landscape are merchandising scams. For instance, one pro-Trump “shop” site used clearly AI-generated imagery to produce quick apparel at high markups and pose as an “official” merchandise store.

Example of a Trump apparel site that poses as an "official" store and uses AI imagery.

The opportunities for exploitation of this type are vast.

The bright side here is that everyone in the world is on the lookout for fake information related to political campaigns. There seems to be a growing conversation around this, and hopefully talking about it means people will be more skeptical of things out in the wild and rely only on trusted sources. The not-so-bright side is that this is only happening because they have been fooled at least once, which I can only hope was not a high-cost lesson.

CrowdStrike-Related Scams

After the CrowdStrike and Microsoft outage that occurred July 19, DNSFilter has seen a massive increase in the number of domains that include some form of “crowdstrike” in the domain name. You can read our blog highlighting the newly seen domains that we have blocked since the incident occurred.

Between July 19 and July 22, we blocked over 189,000 requests to domains with “crowdstrike” in the name that are categorized as new domains, phishing & deception, or malware—sometimes multiple categories at the same time. Traffic was low on Friday, presumably because these threat actors were still registering and setting up these domains, but traffic rose steadily between July 20 and July 23, with an average of 63,000 blocked requests per day to these domains on our network between July 20 and July 22.

Another important thing to note is that prior to July 19, looking at the entire month of July on our network, there was quite literally no traffic to domains that contained “crowdstrike” in the domain name and fell into any of these categories:

  • Botnet
  • Cryptomining
  • Phishing
  • Malware
  • New Domains

Blocked Requests to Fake CrowdStrike Domains

These domains include all malicious traffic (botnet, cryptomining, phishing & deception, malware, new domains) to domains that include “Crowdstrike” in the domain name.

While the nature of these domains is sometimes benign (simply a compilation of information around the outage), others are more sinister. One recurring trend we noticed is the setup of a fake helpdesk (as referenced in domains containing “help-desk”, “fix”, or “recovery”).


Example of a newly registered Crowdstrike domain with a suspicious option for "advanced support" from their "experts".

The example above pulls from actual news sources and provides instructions on how to fix the outage in an attempt to appear legitimate, while also including an email address for advanced support from their “experts.” This type of hybrid “news” and “helpdesk” scheme can be seen across the CrowdStrike domains newly registered since July 19.

Before we move to the third and last example, I want to point out how quickly these adversaries move to prey on your emotions and urgency. They know that if you find yourself in a pickle, you are going to type into a search engine to find a solution. Unfortunately that solution might be their success at your compromise.

Charity and Donation Scams

This one really gets under my skin because it hurts good people trying to be good to others. I can’t imagine a more emotionally charged situation than the sudden and unexpected loss of a loved one—human or pet. The problem here is that some of these appeals are real and in need of your attention, while others are set up just to scam you.

This image shows a fake “donation” page.

We see a variety of these scams across our network. The one above uses the term “donate” in its domain name, and what exactly you are supporting is left unclear. Since we first saw this site on our network, the domain has been taken down. These types of scams can steal either email or actual payment details, depending on the nature of the scam.

The average volume of blocked requests to malicious domains with “charity,” “donation,” or “donate” in the domain name has been on the rise since the beginning of the year. As you can see, July is on pace to have the second-highest blocked traffic of the year on our network for these types of schemes. This rise is likely aided by global events that drive both hackers to create these types of scams and good people who want to help in hard times.

Average Daily Blocked Requests to Charity Threat Domains

These domains include all malicious traffic (botnet, cryptomining, phishing & deception, malware, new domains) to domains that include variations of “donate” or “charity” in the domain name.
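As an added illustration (this is not DNSFilter’s code or data), the Python script below applies two ideas from this post to a small constructed DNS query log: the “new domain” (under 30 days) and “very new domain” (under 24 hours) age thresholds defined earlier, and the keyword-based counting behind the charts in each section (domains containing “trump” or “biden,” “crowdstrike,” or “donate”/“charity,” plus the “help-desk,” “fix,” and “recovery” substrings noted for fake helpdesks). Domain creation dates normally come from WHOIS/RDAP lookups; here a hand-built table of hypothetical domains stands in so the script runs offline. Reducing a query name to its last two labels is a simplification assumed for the example (a real deployment would use a public-suffix list).

```python
"""Added example (not DNSFilter's code): domain-age and keyword triage of DNS query logs.

Models the "new domains" (< 30 days) / "very new domains" (< 24 hours) categories and
per-day counts of blocked requests to theme-keyword domains. Creation dates normally
come from WHOIS/RDAP; a constructed in-memory table stands in so this runs offline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NEW_DOMAIN_DAYS = 30        # "new domain": registered within the last 30 days
VERY_NEW_DOMAIN_HOURS = 24  # "very new domain": registered within the last 24 hours

# Theme keywords from the post, matched as substrings of the registrable domain.
THEMES = {
    "politics": ("trump", "biden"),
    "crowdstrike": ("crowdstrike",),
    "charity": ("donate", "donation", "charity"),
}
# Substrings the post associates with fake "helpdesk" pages.
HELPDESK_HINTS = ("help-desk", "helpdesk", "fix", "recovery")


def utc(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-07-20T08:01:10Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed registry (hypothetical domains): registrable domain -> creation time.
REGISTRY_CREATED = {
    "crowdstrike-fix-help-desk.example": utc("2024-07-19T20:00:00Z"),
    "crowdstrikerecovery.example": utc("2024-07-19T15:00:00Z"),
    "isbidenstillrunning.example": utc("2024-07-21T06:00:00Z"),
    "trump-official-shop.example": utc("2024-07-01T00:00:00Z"),
    "donate-now-relief.example": utc("2024-06-25T00:00:00Z"),
    "crowdstrike.example": utc("2011-01-01T00:00:00Z"),  # long-established, not "new"
    "example.org": utc("1995-01-01T00:00:00Z"),
}

# Constructed query log, one "<timestamp> <client> <qname>" record per line.
SAMPLE_LOG = """\
2024-07-20T08:01:10Z 10.0.0.5 www.crowdstrike-fix-help-desk.example.
2024-07-20T08:02:45Z 10.0.0.7 crowdstrikerecovery.example.
2024-07-20T09:15:00Z 10.0.0.5 crowdstrike.example.
2024-07-21T10:00:00Z 10.0.0.9 isbidenstillrunning.example.
2024-07-21T10:30:00Z 10.0.0.9 shop.trump-official-shop.example.
2024-07-22T14:00:00Z 10.0.0.3 donate-now-relief.example.
2024-07-22T14:05:00Z 10.0.0.3 example.org.
2024-07-22T14:06:00Z 10.0.0.3 crowdstrike-fix-help-desk.example.
2024-07-22T15:00:00Z 10.0.0.4 news.example.net.
"""


def registrable_domain(qname):
    """Reduce a query name to its registrable domain.
    Assumption for this example: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def age_category(created, at):
    """Return "very_new", "new", or None for a domain created at `created`, as of `at`."""
    if created is None or at < created:  # unknown creation date or inconsistent data
        return None
    age = at - created
    if age < timedelta(hours=VERY_NEW_DOMAIN_HOURS):
        return "very_new"
    if age < timedelta(days=NEW_DOMAIN_DAYS):
        return "new"
    return None


def theme_for(domain):
    """First theme whose keyword appears in the domain name, else None."""
    for theme, words in THEMES.items():
        if any(word in domain for word in words):
            return theme
    return None


def classify_query(when, qname, registry=REGISTRY_CREATED):
    """Classify one query; 'blocked' mirrors having the "new domains" category enabled."""
    domain = registrable_domain(qname)
    category = age_category(registry.get(domain), when)
    return {
        "domain": domain,
        "age_category": category,
        "theme": theme_for(domain),
        "helpdesk_hint": any(h in domain for h in HELPDESK_HINTS),
        "blocked": category is not None,
    }


def parse_line(line):
    """Split a log record into (timestamp, client, qname)."""
    ts, client, qname = line.split()
    return utc(ts), client, qname


def summarize(log_text=SAMPLE_LOG, registry=REGISTRY_CREATED):
    """Per-day counts of blocked requests per theme, like the post's charts."""
    daily = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _client, qname = parse_line(line)
        result = classify_query(when, qname, registry)
        if result["blocked"] and result["theme"]:
            daily[when.date().isoformat()][result["theme"]] += 1
    return {day: dict(counts) for day, counts in sorted(daily.items())}
```

Two design points worth noting. Only the “new domains” category can be derived from registration age alone; the phishing, malware, botnet and cryptomining categories in the charts come from threat intelligence that this example does not model, so the keyword and helpdesk-substring matches are triage signals for an analyst, not block decisions by themselves. Second, a domain with no known creation date (such as `news.example.net` in the sample log) is left unblocked here, which fails open; a stricter deployment could treat an unresolvable creation date as “new” until proven otherwise.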

My request here is to be diligent and if you care deeply, put in the time to verify before you donate. Good people in the world are counting on other more fortunate good people to help, just don’t let the scammers fool you.

Conclusion

A more conscientious Internet user will be safer and harder to fool, but no matter your level of cybersecurity awareness, the scammers out there want you to remain clueless. Ten years ago I would have said that you can just go to battle with human skills. But that was when the adversary was operating at human-scale—and that is simply not the case today. 

Adversaries are now armed with machine-scale techniques requiring you to have machine-scale defenses. This blog post speaks pragmatically about current events and examples, but let me warn you that we are about to go to the next level battlefield where the people in your life—your wife, your partner, your husband—will leave you a voicemail asking you to call them back because they forgot the password to your shared bank account and they are locked out.

Or imagine seeing a video of yourself appealing to your community to vote for a candidate that you would never support. Yes, I’m saying that we can no longer trust our human senses anymore. There’s a saying: Believe none of what you hear, and half of what you see. Even that isn’t enough anymore. We will have to evolve as a species to additional forms of verification and validation. It is not the first time in human history this has happened, and certainly not the last.

With a protective DNS solution like DNSFilter, customers can block these risky, newly registered domains by choosing to block our “new domains” category. Our vision at DNSFilter is to secure digital environments for everyone; this is just one way we achieve that vision.
