
I’m going to give you a sneak peek of a very cool skunkworks project going on over at Mayhemic Labs.

One thing that a lot of people have commented on (and particularly the good folks over at F-Secure) is that phishers register domains using words like “Chase”, “ebay”, etc. This makes it easier to fool their victims (such as having a URL like “chase-banking-center.com”).

Of course, a great idea is to have the domain registrars simply refuse to register domains with these names (or at least trigger a review of a suspicious domain before allowing it to register). However, that’s not always easy to get done.

But what if new suspicious domain registrations were automatically tracked in a format that allows everyone to see what’s going on?

That’s just what Ben Jackson did over at Mayhemic Labs: He developed a “Domain Tracker System” to track domain registrations by using DomainTools’ Domain Mark reports.

Called the Crow’s Nest, it aggregates submissions of domain mark reports containing keywords that would likely be used in a phishing domain. The system processes these reports and adds them to a database. The submitter (or other volunteers) can then flag domains that look suspicious. These domains are then monitored for activity. Every 6 hours, registration and DNS records are checked to see if the domain is hosted and/or still registered. If the site is hosted, the user can then check the site and see if something phishy is going on, and if so, notify the parties affected.
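The workflow described above, as an added Python example that is not Crow's Nest code: keyword triage of submitted domains, then the six-hour status check. The watchlist and allowlist values, the token/substring distinction and all function names are assumptions, and the caller supplies the WHOIS and DNS results.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

KEYWORDS = ("chase", "ebay")            # assumed watchlist, taken from the post's examples
LEGITIMATE = ("chase.com", "ebay.com")  # assumed allowlist of the brands' own domains
RECHECK = timedelta(hours=6)            # interval stated in the post

@dataclass
class Tracked:
    domain: str
    keyword: str
    match: str                    # "token" (strong) or "substring" (weak, needs review)
    status: str = "unreviewed"    # then: registered | hosted | dropped
    next_check: Optional[datetime] = None

def match_keyword(domain):
    """Return (keyword, match_kind) for a watched keyword in the name, else None."""
    name = domain.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in LEGITIMATE):
        return None
    labels = name.split(".")[:-1]                       # ignore the TLD
    tokens = {t for l in labels for t in re.split(r"[^a-z]+", l) if t}
    for kw in KEYWORDS:
        if kw in tokens:                                # chase-banking-center
            return kw, "token"
    for kw in KEYWORDS:
        if any(kw in l for l in labels):                # also hits "purchase"
            return kw, "substring"
    return None

def ingest(report_domains):
    """Turn one submitted report into entries awaiting a volunteer's review."""
    hits = ((d, match_keyword(d)) for d in report_domains)
    return [Tracked(d.lower(), *m) for d, m in hits if m]

def recheck(entry, registered, addresses, now):
    """Record one periodic check; the caller supplies the WHOIS and DNS results."""
    if not registered:
        entry.status = "dropped"
    elif addresses:
        entry.status = "hosted"       # resolves: time for a human to look at the site
    else:
        entry.status = "registered"
    entry.next_check = now + RECHECK
    return entry

# Constructed sample report (not real Domain Mark output).
SAMPLE = ["chase-banking-center.com", "purchase-orders.net", "www.ebay.com", "example.org"]
```

The "substring" tier is why human flagging matters: a plain substring search for "chase" also matches "purchase", so those hits go to review rather than straight to monitoring.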


For now, this site is only being used by security researchers. There are also lots of people who helped him with this, and when it goes public, I’m sure he’ll thank those that don’t mind being publicly acknowledged.

Expect this site to be public in a few weeks. And then those Phishers will feel a whole lot of hurt.

Alex Eckelberry