Hi there! Today we are going to talk about phishing.

In most assessments or red team engagements, phishing is your ultimate weapon for reaching a protected corporate network. But you have to be well prepared to use it to its full potential, and sometimes this preparation can be a real headache.

In this article, we will take a look at the search for a domain name and discover another possible way to make this process more comfortable.


Why do we need a domain name?

That is simple. To send phishing emails, we need a domain name to stand right after the ‘@’ in the sender address. This domain should satisfy a set of requirements that depend on your target and scenario.

For example:

  1. If you are mimicking a government body or a private organization, your phishing domain name should look like the original one.
  2. If email security solutions are deployed in the target organization, your phishing domain should not be viewed as potentially malicious by them.

Those are the only considerations that really matter for a phishing domain name: it has to get past the two main security boundaries, target user awareness and email security.


How to form a phishing domain name?

The traditional way to form a phishing domain name is to take the original domain name and add some symbol to it, in the hope that nobody will pay attention to this detail. It doesn’t sound promising, but once we got about 25% of active users compromised with such a basic technique.
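The “add a symbol to the original name” trick above is exactly what a mail gateway or SOC rule can look for on the receiving side. The following is an added example, not code from the original post: it folds common character substitutions and separators out of a sender domain, then compares the registrable label against a list of protected domains using edit distance. The protected domains, the sample senders and the helper names (`classify`, `levenshtein`, `second_level`) are all constructed for illustration; the two-part domain split is a simplification (a real deployment would consult the Public Suffix List).

```python
"""Flag inbound sender domains that look like a protected domain.

Added defender-side example; nothing here is from the original post.
All domain names below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Constructed for the example: domains the organization wants to protect.
PROTECTED_DOMAINS = ["examplebank.com", "example-corp.net"]

# Character substitutions that make one label resemble another.
# Both sides are normalized with the same map, so over-folding is harmless.
HOMOGLYPH_MAP = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Lower-case, fold look-alike substitutions and drop separators."""
    label = label.lower()
    for fake, real in HOMOGLYPH_MAP.items():
        label = label.replace(fake, real)
    return re.sub(r"[-_.]", "", label)


def second_level(domain: str) -> str:
    """Return the label left of the TLD.

    Assumption: a simple two-part split. Multi-part suffixes such as co.uk
    would need the Public Suffix List in production.
    """
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str,
             protected: List[str] = PROTECTED_DOMAINS,
             max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, matched_protected_domain).

    Verdicts: 'legit' (the domain or a subdomain of it), 'tld_swap'
    (same label, different TLD), 'lookalike' (substitution or a few edits),
    'contains_brand' (protected label embedded in a longer name), 'unrelated'.
    """
    sender = sender_domain.lower().rstrip(".")
    for p in protected:
        if sender == p or sender.endswith("." + p):
            return ("legit", p)
    s_sld = second_level(sender)
    n_sender_full = normalize(sender)
    for p in protected:
        p_sld = second_level(p)
        n_s, n_p = normalize(s_sld), normalize(p_sld)
        if s_sld == p_sld:
            return ("tld_swap", p)
        if n_s == n_p or levenshtein(n_s, n_p) <= max_distance:
            return ("lookalike", p)
        if n_p in n_sender_full:
            return ("contains_brand", p)
    return ("unrelated", "")


def scan_senders(senders: List[str]) -> List[Tuple[str, str, str]]:
    """Classify a batch of sender domains, e.g. pulled from gateway logs."""
    return [(s, *classify(s)) for s in senders]


if __name__ == "__main__":
    # Constructed sample of sender domains seen in inbound mail.
    sample = ["examplebank.com", "examplebank.co", "examp1ebank.com",
              "examplebamk.com", "examplebank-secure.com",
              "examplebank.com.evil.net", "github.com"]
    for domain, verdict, matched in scan_senders(sample):
        print(f"{domain:28} {verdict:15} {matched}")
```

Anything other than `legit` or `unrelated` is a candidate for quarantine or at least a warning banner; the `max_distance` threshold is the usual knob to tune against false positives on short brand names.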

Registering a new domain name is a bad practice: new domains usually have no history, which means the Internet ecosystem has not yet identified them as good or bad.

Modern email security solutions pay attention to this history by implementing domain categorization. The domain category feeds the vendor’s proprietary heuristics alongside the email text, anti-spam rules, whitelists, and other signals. That is why, in some cases, a well-chosen phishing domain can compensate for the weaker parts of a phishing campaign.

Nowadays, every organization has several domains for its activities, and the largest ones have so many domain names that they can’t control them all. Some of those domains expire, and we could register them for our purposes!
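The mitigation for the last point is on the organization’s side: keep an inventory of every domain it has ever registered and act before a name lapses, and stop trusting names that already have. The script below is an added example, not part of the original post. It audits a registrar export (the records here are constructed) for expired and soon-expiring domains without auto-renew, and produces the list of lapsed names that should be removed from mail allowlists and watched as potential sender domains. The function and field names (`audit`, `lapsed_watchlist`, `expires`, `auto_renew`) are assumptions for the example.

```python
"""Audit an organization's domain inventory for lapsed or expiring names.

Added defender-side example; not from the original post. The inventory
records are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List

# Constructed registrar export. 'expires' is an ISO date string.
INVENTORY = [
    {"domain": "examplebank.com",           "expires": "2027-01-15", "auto_renew": True},
    {"domain": "examplebank-promo2019.com", "expires": "2024-03-01", "auto_renew": False},
    {"domain": "examplebank-careers.net",   "expires": "2025-08-20", "auto_renew": False},
    {"domain": "examplebank-events.org",    "expires": "2026-02-10", "auto_renew": False},
]


def audit(inventory: List[dict], today: date, warn_days: int = 60) -> Dict[str, List[str]]:
    """Bucket each domain as 'expired', 'expiring' (renewal due within
    warn_days and no auto-renew) or 'ok'. 'today' is a parameter so the
    result is reproducible in tests."""
    report: Dict[str, List[str]] = {"expired": [], "expiring": [], "ok": []}
    for rec in inventory:
        exp = date.fromisoformat(rec["expires"])
        if exp < today:
            report["expired"].append(rec["domain"])
        elif not rec["auto_renew"] and exp - today <= timedelta(days=warn_days):
            report["expiring"].append(rec["domain"])
        else:
            report["ok"].append(rec["domain"])
    return report


def lapsed_watchlist(inventory: List[dict], today: date) -> List[str]:
    """Domains the organization no longer holds. They may be re-registered by
    a third party, so they should leave every allowlist and be treated as
    external senders by the mail gateway."""
    return sorted(audit(inventory, today)["expired"])


if __name__ == "__main__":
    today = date.today()
    for bucket, names in audit(INVENTORY, today).items():
        print(f"{bucket:9}: {', '.join(names) or '-'}")
    print("watchlist:", lapsed_watchlist(INVENTORY, today))
```

Running this on a schedule and diffing the `expired` bucket against the previous run is the cheap way to notice that a forgotten marketing domain has dropped before someone else picks it up.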


Finding available domain names with expireddomains.net

I first came across the expireddomains.net project in early 2020. Let’s say we are going to phish some organization. We know their primary domain and can use the expireddomains.net search to find something suitable for our needs.

(Screenshot: ExpiredDomains.net search results)

Several fields are shown for each domain found: the number of characters in the domain name, the back-link count, and a lot of other SEO information that may be useful even for malicious use.

But why should we take a look at it? As I said before, domain history matters. It may take some time, but then you will find a real treasure: a domain name categorized as financial services or another trusted topic.

(Screenshot: Fortinet category lookup)

Very good, let’s check another categorizer!

(Screenshot: Palo Alto category lookup)

In my case, I found a domain name that is categorized as ‘Business’ by Fortinet and as ‘Financial Services’ by Palo Alto. These vendors are primary sellers of ‘Smart’ security devices, so there is no doubt that this domain name will serve well.

So, now we have found the desired domain name, but can we purchase it? Logic says such a domain name will be very costly, but…

(Screenshot: GoDaddy price)

… but it costs only $6. Nuff said.


Conclusion

As you can see, browsing expired domains lets you obtain trusted domain names for your red team operations. This is a more reliable way to supply a phishing campaign than using a newly registered name, because of the domain’s ‘ready-to-go’ history and reputation.

No need to waste time on a new domain, and no need to talk to vendors about categorizing your domain before the attack. Just search, pay, and have fun!


Good Luck!

The end