
Threat Intelligence Quality

I'm looking over NextDNS as a way to protect non-VPN connected users from phishing attacks, but I'm disappointed that our latest phishing attack wasn't blocked, even with AI enabled.  

Now a few days later, it is still not blocked, but 9.9.9.9 is blocking it.

% nslookup fail.gouheawo.com.de 9.9.9.9
Server: 9.9.9.9
Address: 9.9.9.9#53

** server can't find fail.gouheawo.com.de: NXDOMAIN

 % nslookup fail.gouheawo.com.de 45.90.28.78
Server: 45.90.28.78
Address: 45.90.28.78#53

Non-authoritative answer:
Name: fail.gouheawo.com.de
Address: 172.64.80.1

Is this a fluke?  Is there a way to improve it?

9 replies

    • mgjk
    • 3 wk ago
     % nslookup fail.gouheawo.com.de 45.90.28.78
    Server: 45.90.28.78
    Address: 45.90.28.78#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 172.64.80.1
    
     % nslookup fail.gouheawo.com.de 1.1.1.1
    Server: 1.1.1.1
    Address: 1.1.1.1#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 172.64.80.1
    
     ~ % nslookup fail.gouheawo.com.de 1.1.1.2
    Server: 1.1.1.2
    Address: 1.1.1.2#53
    
    Non-authoritative answer:
    Name: fail.gouheawo.com.de
    Address: 0.0.0.0
    

    It looks like cloudflare 1.1.1.2 is also blocking now. I can see the detection on https://otx.alienvault.com/indicator/hostname/fail.gouheawo.com.de

    Can I report this to NextDNS? Where are the sources from?
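As an added example (not code from the thread or from NextDNS), here is a small Python script that parses nslookup transcripts like the ones above and decides per resolver whether the name is being filtered. It treats 1.1.1.1 as the unfiltered baseline (an assumption), a 0.0.0.0 answer as a sinkhole (what 1.1.1.2 returned above), and NXDOMAIN as a block only when the baseline still resolves the name, because on its own NXDOMAIN can also mean the domain was taken down. The sample transcripts are constructed to mirror the answers posted above; run_nslookup is the live path and needs network access.

```python
"""Compare how several DNS resolvers answer for one domain and decide, per
resolver, whether the name is filtered. Added example, not from the thread;
the verdict rules are the author's own, and SAMPLE is constructed."""
import re
import subprocess

BASELINE = "1.1.1.1"  # unfiltered resolver used as ground truth (assumption)
# Answers that mean "blocked" rather than a real host. 0.0.0.0 is what
# 1.1.1.2 returned above; the others are common sinkhole values (assumption).
SINKHOLES = {"0.0.0.0", "::", "127.0.0.1", "::1"}

# Answer lines look like "Address: 172.64.80.1". The server's own line is
# "Address: 9.9.9.9#53", and the trailing "#53" keeps it from matching.
_ANSWER_RE = re.compile(r"^\s*Address:\s*([0-9A-Fa-f.:]+)\s*$", re.M)


def parse_nslookup(text):
    """Return (rcode, answers) from the text of one nslookup run."""
    if "NXDOMAIN" in text:
        return "NXDOMAIN", ()
    if "SERVFAIL" in text:
        return "SERVFAIL", ()
    if "timed out" in text or "no servers could be reached" in text:
        return "TIMEOUT", ()
    answers = tuple(_ANSWER_RE.findall(text))
    return ("NOERROR", answers) if answers else ("NODATA", ())


def verdict(result, baseline_result):
    """Classify one resolver's (rcode, answers) against the baseline's."""
    rcode, answers = result
    base_rcode, base_answers = baseline_result
    if rcode == "NOERROR" and SINKHOLES & set(answers):
        return "blocked: sinkhole answer " + ", ".join(answers)
    if rcode == "NXDOMAIN":
        if base_rcode == "NOERROR":
            return "blocked: NXDOMAIN while baseline resolves to " + ", ".join(base_answers)
        return "nonexistent: baseline agrees"  # likely taken down, not filtered
    if rcode != "NOERROR":
        return "inconclusive: " + rcode
    if base_rcode == "NOERROR" and not set(answers) & set(base_answers):
        # Could be CDN geo-routing or a resolver block page; needs a look.
        return "differs: %s vs baseline %s" % (", ".join(answers), ", ".join(base_answers))
    return "not blocked: resolves to " + ", ".join(answers)


def compare(outputs, baseline=BASELINE):
    """outputs maps resolver IP -> nslookup text. Returns resolver -> verdict."""
    parsed = {r: parse_nslookup(t) for r, t in outputs.items()}
    base = parsed[baseline]
    return {r: verdict(res, base) for r, res in parsed.items()}


def run_nslookup(domain, resolver, timeout=5):
    """Live query (needs network): raw nslookup text for parse_nslookup()."""
    proc = subprocess.run(["nslookup", domain, resolver],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


# Constructed transcripts mirroring the answers posted in the thread.
_HDR = "Server:\t\t%s\nAddress:\t%s#53\n\n"
_ANS = "Non-authoritative answer:\nName:\tfail.gouheawo.com.de\nAddress: %s\n"
SAMPLE = {
    "9.9.9.9": _HDR % ("9.9.9.9", "9.9.9.9")
               + "** server can't find fail.gouheawo.com.de: NXDOMAIN\n",
    "45.90.28.78": _HDR % ("45.90.28.78", "45.90.28.78") + _ANS % "172.64.80.1",
    "1.1.1.1": _HDR % ("1.1.1.1", "1.1.1.1") + _ANS % "172.64.80.1",
    "1.1.1.2": _HDR % ("1.1.1.2", "1.1.1.2") + _ANS % "0.0.0.0",
}

if __name__ == "__main__":
    for resolver, v in compare(SAMPLE).items():
        print("%-12s %s" % (resolver, v))
```

For a live run, replace SAMPLE with `{r: run_nslookup(domain, r) for r in resolvers}`; keep the baseline resolver in the set, since the NXDOMAIN verdict depends on it.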

      • Lumineer
      • 2 wk ago

       Looks like it's been whitelisted.

      • mgjk
      • 2 wk ago

       I'm new to NextDNS; who would whitelist it, and why? Since the incident I've contacted Cloudflare (who's coincidentally hosting the CDN for the malware) and another provider which was hosting another redirect component. The sites have been down for a few days now.

      • mgjk
      • 2 wk ago

      It looks like it is up again...

      If you're referring to OTX, they're tough to interpret. The important part is that it shows on the top right which lists it is on, and, in the history, some of the fake HTTP/S content which the site was generating. The Passive DNS is also useful for alternate names.

      I'm assuming the whitelisting in OTX is for the IP range, as you can't block the IP without blocking Cloudflare. Their site has always been a bit odd.

      Virustotal has also picked up the domain now.

    • Lumineer
    • 2 wk ago

    Heyo,

    Looks like only 3 AVs class it as a not-so-good site... maybe it's a false positive on your side?

    https://www.virustotal.com/gui/url/94aa3703727f18dfc3f05959308953bedc87b36211133ba9b75b166d30207c47

      • mgjk
      • 5 days ago

       These were genuinely bad sites, which were hosting phishing attacks. I've since contacted the service providers and they took them down a few days after the incident.

      The second browser window in the screenshot is the "otherbrotherhandyman" site, which has a link to a "PDF which requires a signature"; it then led to the fake Google sign-in screen below. In this case NextDNS would not block the malicious sites, but Cloudflare and Quad9 would.

      fail.gouheawo[.]com.de is still up. It has fake content, though the malicious sub-URL response is blank.

      • Lumineer
      • 5 days ago

       NextDNS now blocks it...

      • mgjk
      • 4 days ago

      Thanks for following up.  I'm going to keep an eye on NextDNS and keep the comparison running with our users' phishing attacks.

    • mgjk
    • 2 days ago

    A new one came up, a very similar phish. The phishing attack involves the IOCs:

    siohoosou.trafrukai.com[.]ru

    tnwbrazil.com[.]br/rr/az/

    The Russian site only generated the Gmail login after I logged in to a test account (setting Gmail cookies) and set my user agent to Windows/Chrome. (I'm guessing the user-agent was the real reason it started to work.)

    It appears to be hosted on Cloudflare again.

    I turned on the AI and while it blocks the old German site, the new Russian one is not detected.

    This time, though, nobody's blocking it: not Cloudflare, Quad9 or NextDNS.
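The user-agent and cookie gating described in this last reply can be checked systematically by fetching the same URL under several client profiles and comparing what comes back. As an added example, not code from the thread: the URL, the header values in PROFILES and the offline fake_fetch stand-in are constructed for illustration, and live_fetch is the real network path.

```python
"""Differential fetch of a suspected phishing URL under several client
profiles to surface user-agent / cookie gated content (cloaking).
Added example; profiles, URL and the fake_fetch responses are constructed."""
import hashlib
import urllib.error
import urllib.request

_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Client profiles to compare (assumed values; use what your users run).
# The cookie value is a placeholder, not a real session.
PROFILES = {
    "scanner":          {"User-Agent": "curl/8.0"},
    "win-chrome":       {"User-Agent": _CHROME_UA},
    "win-chrome+cookie": {"User-Agent": _CHROME_UA, "Cookie": "SID=placeholder"},
}

# Crude markers for a credential form; tune for the lure you are chasing.
LOGIN_MARKERS = ('type="password"', "Sign in", "accounts.google")


def live_fetch(url, headers, timeout=10):
    """Network path: fetch url with the given headers, return (status, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def profile_responses(url, fetch=live_fetch, profiles=PROFILES):
    """Fetch url once per profile and summarise each response."""
    results = {}
    for name, headers in profiles.items():
        status, body = fetch(url, headers)
        results[name] = {
            "status": status,
            "sha256": hashlib.sha256(body.encode()).hexdigest()[:16],
            "length": len(body),
            "login_form": any(m in body for m in LOGIN_MARKERS),
        }
    return results


def cloaking_report(results):
    """Return (is_cloaked, gated_profiles). Cloaked means the bodies differ
    between profiles and the login form shows up for only some of them."""
    hashes = {r["sha256"] for r in results.values()}
    gated = sorted(n for n, r in results.items() if r["login_form"])
    is_cloaked = len(hashes) > 1 and 0 < len(gated) < len(results)
    return is_cloaked, gated


def fake_fetch(url, headers):
    """Constructed offline stand-in for the behaviour the reply describes:
    an empty page unless the client looks like Windows Chrome with a cookie."""
    ua = headers.get("User-Agent", "")
    if "Windows" in ua and "Chrome" in ua and "Cookie" in headers:
        return 200, '<html><form>Sign in<input type="password"></form></html>'
    return 200, "<html></html>"


if __name__ == "__main__":
    res = profile_responses("https://example.invalid/rr/az/", fetch=fake_fetch)
    for name, r in res.items():
        print("%-18s status=%s len=%-4d login_form=%s" % (name, r["status"], r["length"], r["login_form"]))
    print("cloaked, gated profiles:", cloaking_report(res))
```

Do this from an isolated host or sandbox and never with a real account's cookies; a throwaway test account, as the reply describes, is the right tool. Comparing hashes rather than raw bodies also makes it cheap to re-run the check daily while a resolver's block list catches up.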
