Allure Security has noted an increase in scammers utilizing dynamic DNS (DDNS) services. Their goal? Claim subdomains that they use to publish fraudulent websites impersonating well-known brands. In the examples we’ve seen, the phishing sites include brand logos, messaging, and log-in fields.
Some DDNS providers allow users to create their free subdomain on a public DNS server (e.g., fakesite.[DDNSprovider].net). This subdomain then points to the IP address of their choice. Our AI-powered detection engine has recently flagged an increasing number of phishing websites that use subdomains created using dynamic DNS providers. These include Duck DNS and ChangeIP.
Why do Dynamic DNS services exist?
Remotely accessing devices on your home network can be a hassle. The IP address for your home network changes regularly – in some cases, daily. This is one of the legitimate use cases for DDNS services: they make remote access to devices on a home network practical by automatically mapping a fixed domain name to a regularly changing IP address, such as the one for a camera on your home network.
DNS (Domain Name System) – sometimes referred to as “the phonebook of the Internet” – maps domain names to the IP addresses of servers on the Internet. If you type “https://alluresecurity.com” into your browser, for example, DNS is the protocol that resolves that name to the correct IP address for our web server so that your browser can load our website.
Your router, the front door of your home network, has an IP address typically consisting of a string of at least 12 digits. Generally, a consumer’s Internet service provider regularly changes the IP address of their customers’ routers.
Let’s say you want to connect to a camera remotely at your home to see your pet in its kennel. You might need the IP address of that camera to access it. Memorizing a single string of 12 or more digits is difficult, but it’s even harder when that number changes every day or week.
A hostname or URL such as maryspup.duckdns.org simplifies things. A DDNS service automatically updates the mapping from that hostname to the current IP address, so your pet camera stays reachable via your subdomain and your pet is easily visible.
DDNS SERVICES
How Fraudsters Abuse DDNS Services
Some Dynamic DNS (DDNS) providers, such as DuckDNS, ChangeIP, and No-IP, allow users to create custom subdomains for domains owned by the provider. Additionally, many DDNS vendors offer free levels of service. This means that DDNS services can provide a fraudster with a free domain name, which they can then point to any machine hosting a website around the world, as long as it has an IP address.
Below we list examples of phishing sites that abused DDNS services, with subdomains redacted:
- [subdomain].duckdns.org/login.php (Duck DNS)
- [subdomain].lflinkup.org/ (Change IP)
- [subdomain].ns02.us/verify-uplink/Login/ (Change IP)
- [subdomain].serveuser.com/secure/ (Change IP)
- [subdomain].dns2.us/ (Change IP)
- [subdomain].dynamic-dns.net/ (Change IP)
DDNS can also help a scammer avoid detection for a longer period of time to extend a scam’s lifespan. If an organization’s online brand protection solution does not include subdomains in its data source, the scam may go undetected until a customer reports it.
You can’t find a deceptively named subdomain quite as easily as you can find a newly registered domain name. A newly registered domain name spreads across the DNS infrastructure by design, and registrations are public knowledge, which makes the enormous number of domain names registered each day easy to see.
On the other hand, learning of a subdomain’s existence is less obvious. Allure Security uses three primary sources to locate subdomains:
- Passive DNS data is generated when someone attempts to visit a subdomain. This results in logged DNS queries.
- Certificate transparency logs include information about certificates issued by Certificate Authorities. Just like legitimate domain owners, fraudsters will also request certificates for scam websites. You can monitor certificate transparency logs using tools such as Crt.sh or Meta’s Certificate Transparency Monitoring.
- Referrer logs tell you from which website a visitor arrived at your website. The last step in a scam is usually to redirect the victim to the official website in the hope that they don’t realize they’ve been scammed.
Using DDNS and a subdomain also adds complexity to the take-down process. A registrar won’t decommission an entire domain to address any one problematic subdomain. In the interest of privacy, many registrars will also refrain from providing you with contact information for their customers.
In that case, an impersonated brand will need to investigate to try and identify the host, which is not always straightforward. In addition, a subdomain is not always obviously using a domain provided by a dynamic DNS vendor (e.g., ChangeIP offers hundreds of domains for its free dynamic DNS services).
Each of these additional steps increases a scam’s lifespan. And when it comes to phishing, minutes count when every minute can result in more people falling victim.
RECOMMENDATIONS
What to do about online brand impersonation attacks that abuse dynamic DNS subdomains
TIPS FOR BRANDS
If an impersonation of your brand makes use of DDNS services, you will need to familiarize yourself with the DDNS providers’ terms-of-use/service and abuse policies (find abuse reporting information at the following links for Change-IP, DuckDNS, and No-IP).
In addition, consider the following:
- Ensure that looking at subdomains is part of your online brand impersonation monitoring regimen – Looking only at newly registered domains will miss the majority of attacks that use a subdomain from a DDNS provider
- Document impersonations – When you identify a brand impersonation, gather screenshots of the offending site and other evidence for your takedown request submission
- Get to know your data sources – Whether your online brand protection efforts are an in-house operation or something you hand over to a vendor, find out how you are monitoring for suspect subdomains (if at all). Are you monitoring passive DNS, certificate transparency data, DNS zone files? Do you mine your own web logs for referrers?
- Automate – Subscribing to a variety of feeds that might alert you to online brand impersonation attacks is not difficult (though you’ll quickly become overwhelmed by the volume and cost). Say you figure out how to get a feed of subdomains – there will be billions of them. How will you cull that list down to only those things that are relevant to your brand? There will still likely be too many of them for you or your team to manually eyeball. Effective online brand protection is becoming nearly impossible without automation.
- Evaluate the benefits of hiring an online brand protection expert like Allure Security – Online brand protection vendors have years of experience with playbooks for handling these sorts of issues and have built a reputation with many DDNS services to expedite takedown.
- BONUS TIP – Regularly review your DNS records – While not the topic of this article, using subdomain hijacking, attackers can take control of your subdomains and redirect them to malicious pages. This typically occurs when you’re no longer using a subdomain and you deleted the associated host, but did not remove the DNS record for that subdomain. Ensure you remove records for any subdomains you’re no longer using.
TIPS FOR CONSUMERS
- Evaluate domains from the right to the left – Start with the top-level domain (e.g., .com, .org, .net, and thousands more). The domain name (the second-level domain) is directly to the left of the dot before the top-level domain. Anything to the left of the dot before the domain name is a sub-domain and should be scrutinized. For example, you shouldn’t trust the URL https://[financial institution].dns2.us.
- Use Google to investigate any questionable URL that uses a sub-domain – You may find that other people have already identified the URL as part of a scam. Or, you can enumerate the subdomains associated with a domain by using Google’s “site:” search function. Type “site:” into the Google search bar with the domain name (e.g., example.com) immediately after the colon, as in site:example.com. This will list the subdomains associated with that domain – however, know that this can be a long list of subdomains.
- If you encounter a fraudulent website, report it to the impersonated brand’s customer service team – whether you’ve fallen victim or not, reporting the fraudulent site to the brand can help in the effort to prevent others from falling victim.
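As an added example (not the post’s or Allure Security’s code), a small Python triage script that applies the right-to-left reading from the consumer tips and the “cull the feed down to your brand” automation point from the brand tips: it splits each hostname into subdomain, registrable domain and TLD, checks the registrable domain against the DDNS provider domains listed earlier in the post, and keeps only hosts where a brand keyword appears in the subdomain. The brand keyword `examplebank` and the sample feed are constructed for the example.

```python
# Provider-owned registrable domains named in the post; extend with each
# provider's full published domain list (ChangeIP alone offers hundreds).
DDNS_DOMAINS = {"duckdns.org", "lflinkup.org", "ns02.us",
                "serveuser.com", "dns2.us", "dynamic-dns.net"}

# Constructed brand keyword for this example; substitute your own brand names.
BRANDS = {"examplebank"}


def split_host(host):
    """Read a hostname right to left: (subdomain, registrable domain, TLD).
    Assumes a single-label public suffix (.org/.us/.com); multi-label suffixes
    such as .co.uk need the Public Suffix List, which this example omits."""
    labels = host.lower().strip(".").split(".")
    if labels and labels[0] == "*":  # CT logs carry wildcard names
        labels = labels[1:]
    if len(labels) < 2 or any(not l for l in labels):
        raise ValueError(f"not a usable hostname: {host!r}")
    return ".".join(labels[:-2]), ".".join(labels[-2:]), labels[-1]


def assess(host, brands=BRANDS):
    """Flag a host when a brand keyword sits in a subdomain under a DDNS domain.
    The brand's own registrable domain is not flagged; lookalike registered
    domains belong to a separate newly-registered-domain feed."""
    sub, registrable, tld = split_host(host)
    flat = sub.replace("-", "").replace(".", "")  # example-bank == example.bank
    hits = sorted(b for b in brands if b in flat)
    on_ddns = registrable in DDNS_DOMAINS
    return {"host": host, "subdomain": sub, "registrable_domain": registrable,
            "tld": tld, "ddns_provider": on_ddns, "brand_hits": hits,
            "suspicious": on_ddns and bool(hits)}


def triage(feed, brands=BRANDS):
    """Cull a hostname feed down to entries worth an analyst's attention."""
    return [r for r in (assess(h, brands) for h in feed) if r["suspicious"]]


# Constructed sample feed: legitimate DDNS hosts, the brand's own site, and
# three impersonation patterns modelled on the redacted examples in the post.
SAMPLE_FEED = ["examplebank-login.duckdns.org", "secure.example-bank.dns2.us",
               "maryspup.duckdns.org", "www.examplebank.com",
               "*.examplebankverify.serveuser.com", "weather.ns02.us"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit["host"], "->", hit["brand_hits"], "on", hit["registrable_domain"])
```

Feed the same functions with hostnames pulled from certificate transparency, passive DNS or your own referrer logs; the keyword match is deliberately simple and will not catch character-substitution lookalikes.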