Investigating More Look-a-Like Domains
Scammers often use look-a-like domains in their phishing attacks, and so far in this blog I've looked at several websites impersonating the Guild of Guardians website. Here I'll show you how to use a tool like dnstwist to generate a list of domain names and look for ones that are potentially hosting phishing sites. This is part of scam hunting, as opposed to waiting for scams to be reported. Many companies offer this service under the name "brand monitoring", and a number of them base their techniques on the dnstwist tool.
You can find dnstwist, and instructions for installing it, on the GitHub page:
Since I'm on a Mac I used brew install.
Running the tool is very straightforward, and to start I just ran it with the --registered argument to output any domain variations that the tool found with a .com TLD.
% dnstwist --registered guildofguardians.com
The tool checked 27987 variations, and out of those it found 20 with DNS records (21 if you include the original site). You can see from the output that it's attempting a few different techniques such as omitting letters, replacing, breaking it into subdomains, transposition, etc...
14 of those 20 all point to the same IP address, which I found odd at first, but it doesn't look malicious. Turns out some enterprising individual registered all those domains and is using them as referral links. If anyone makes a typo when attempting to reach the legit Guild of Guardians site there's a chance they'll still arrive there... or at Coinbase... through a referral from muelle_761 (https://www.coinbase.com/join/muelle_761), who appears to be associated with the public wallet 0x9A773a0C1710a5afD9D25eb5b0d2DcA2239663e6.
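As an added example (not code from this post or from dnstwist itself), here is a small Python version of the two steps described above: generating the permutation types dnstwist reported (omission, replacement, transposition, subdomain split, hyphenation) and then resolving the candidates and grouping the hits by IP so a cluster like the 14 referral redirects stands out. The keyboard-neighbour map is a constructed subset, and `resolve_a` uses the system resolver, so the `__main__` run needs network access.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

NEIGHBOURS = {"a": "qs", "i": "uo", "o": "ip", "u": "iy"}  # constructed subset of a QWERTY map

def permutations(domain: str) -> Set[str]:
    """Candidates from five fuzzers dnstwist also uses: omission, replacement,
    transposition, subdomain split and hyphenation."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")                        # omission
        for c in NEIGHBOURS.get(name[i], ""):
            out.add(f"{name[:i]}{c}{name[i + 1:]}.{tld}")                 # replacement
    for i in range(len(name) - 1):
        out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")  # transposition
    for i in range(1, len(name)):
        out.add(f"{name[:i]}.{name[i:]}.{tld}")                           # subdomain
        out.add(f"{name[:i]}-{name[i:]}.{tld}")                           # hyphenation
    out.discard(domain.lower())  # swapping two equal letters recreates the original
    return out

def resolve_a(host: str) -> Optional[str]:
    """First A record for host, or None when it does not resolve (NXDOMAIN, timeout)."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def find_registered(domain: str, resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, str]:
    """Map every candidate that has an A record to its address; the resolver is
    injectable so the logic can be exercised offline."""
    found = {}
    for cand in sorted(permutations(domain)):
        ip = resolve(cand)
        if ip:
            found[cand] = ip
    return found

def cluster_by_ip(found: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hits by address: a large cluster usually means one registrant, like
    the 14 names the post found pointing at a single referral redirect."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for cand, ip in found.items():
        clusters[ip].append(cand)
    return {ip: sorted(names) for ip, names in clusters.items()}

if __name__ == "__main__":
    print(cluster_by_ip(find_registered("guildofguardians.com")))
```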
In order to investigate these sites I didn't want to navigate to them directly. Instead I have a Kali Linux virtual machine connected to a virtual private network. I don't want to risk landing on a sophisticated phishing site and have my machine compromised.
Let's look at each one in turn:
guildof.guardians[.]com redirects to a marketplace for registering domains... going to set this one aside.
guildofgu.ardians[.]com is much more interesting. This site comes with a warning from antiphishing.org and Firefox really doesn't want me to go to this site. If you see this warning from Firefox you know you should turn back... but I'm curious...
After ignoring the warnings and throwing caution to the wind I continued to the site and found... whatever was there is gone and Epik is offering to put me in contact with the domain owner to purchase it... Well, that was anticlimactic.
Next up, how about giuldofguardians[.]com. It looks like it has an MX record and is hosted by Namecheap.
Again, looks like whatever was there is gone now. However, the MX record is still there, and this one might be worth a revisit to see if there's anything hiding on the server.
Looks like guildofguardains[.]com is parked.
guildof-guardians[.]com is interesting, as it seems to be set up with Cloudflare, and it's timing out with a 522 error.
Something must be there, and now I want to know what. However, that's going to have to wait till next time as it's already getting late. Later this week I'll finish looking at these domains and use dnstwist again with a much larger set of top level domains.
Until then, stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email firstname.lastname@example.org.