Brilliant!

I’m going to give you a sneak peek of a very cool skunkworks project going on over at Mayhemic Labs

One thing that a lot of people have commented on (and particularly the good folks over at F-Secure) is that phishers register domains using words like “Chase”, “ebay”, etc.  This makes it easier to foil their victims (such as having a URL like “chase-banking-center.com). 

Of course, a great idea is to have the domain registrars simply refuse to register domains with these names (or at least trigger a review of a suspicious domain before allowing it to register).  However, that’s not always easy to get done. 

But what if new suspicious domain registrations were automatically tracked in a format that allows everyone to see what’s going on?

That’s just what Ben Jackson did over at Mayhemic Labs: He developed a “Domain Tracker System” to track domain registrations by using DomainTools’ Domain Mark reports

Called the Crow’s Nest,  it aggregates submissions of domain mark reports containing keywords that would be likely used in a phishing domain. The system processes these reports and adds them into a database. The submitter (or other volunteers) can then flag domains that look suspicious. These domains are then monitored for activity. Every 6 hours registration and DNS records are checked to see if the domain is hosted and or still registered. If the site is hosted, the user can then check the site and see if something phishy is going on, and if so, notify the parties affected.

Phishtrack_2131231231

Phishtrack_2131231232

For now, this site is only being used by security researchers. There’s also lots of people who helped him in this, and when it goes public, I’m sure he’ll thank those that don’t mind being publlicly acknowledged.  

Expect this site to be public in a few weeks.  And then those Phishers will feel a whole lot of hurt.  

Alex Eckelberry 

Advertisements
Standard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s