Okay, everybody. Thanks for joining the webinar today. Why don’t we go ahead and get started? I see we’ve got most of our attendees have already joined if a few more people join at the end feel free to just put a question in the chat, if you, if you have one.

So I’d like to introduce myself. I’m David Schropfer. I’m the Executive Vice President in charge of operations here at DomainSkate, and we’re also joined by our CEO. David Mitnick, you want to say Hello, David.

hey, everybody! Thanks for joining.

So I’m going to start today with with a very quick PowerPoint presentation. And then we’re going to go into a little more detail about exactly how you stop. Stop a phishing attack before that phishing attack begins.

Okay, so everybody should be able to see my screen now.

So what are the steps for a scammer to actually begin a phishing attack? What? What, exactly do they have to do? And how can we get in front of what the phishing attack is? So there are 2 types of phishing attacks that we’re talking about a fake website and a fake email campaign. Yes, there are lots of other variations of those 2 general types of attacks. But that’s fundamentally what we’re here to talk about today.

So

let’s take the fake website first. What does the Scammer actually have to do before that fake website goes up and goes live first and foremost, they need to inventory multiple domain names. Now, why do they want to do that? Because the first thing that’s going to happen as soon as the legitimate company who’s being who’s being mimicked with the fake website. The first thing they’re going to try to do is blacklist or take down that fake website.

but they can’t take down the website itself per se. They can only take down the domain where it’s being hosted. So the Scammer needs to have a number of lookalike domains already inventoried already to go so they can instantly move that website code

from one domain to another to another to another. And basically just try to stay ahead of the legitimate, legitimate website as long as they can, until finally they run out of places to hide, and they go attack some other company.

So this is the most important piece, and staying on top of this is extremely difficult to do, but we can give you some ideas on how to do that

Next, before anything can functionally happen, when you register a domain. All of the records, of course, are blank at the moment that that domain is registered. Now, to save money and to save time and effort, what the Scammers will do is upload no records until they’re ready to actually use it.

So to set up for any website, any website you’ve ever visited in your life has what’s called an a record attached to it. That’s a number that’s associated with the registrar, and every domain needs a registrar to manage the basic records of the of a domain. The Scammer would have to set up that a record to point to the website. Now, if that a record doesn’t exist, the website doesn’t exist, and that’s an extremely important point.

So next, they’re going to steal the website code if they haven’t already. And stealing a website isn’t as hard as it sounds, and you know, a long time ago it used to be incredibly easy. You copy and paste the HTML code, and you’re done now. It’s more complex with library files and CSS. Scripts and or Javascript and DNS files, etc. But over time the Scammer can overcome those issues, and what they’ll do is they’ll build a fake website. And then, typically like, take an e-commerce reps website as an example, they’ll just put every item at 40% off or 70% off, or some outrageous number, and then basically ship absolutely nothing. It’s it’s a classic scam, or just an example of a classic scam. So, at this point. They’re stealing the fake. They’re stealing the real code. They’re building the fake website. And then when all of that is completely put together, the A record the multiple domains, the fake website, then, and only then, can they actually launch that website and start doing bad things, or that start stealing money from the customers who think they’re going to a legitimate company.

And a fake email campaign is exactly the same. We’ve all received those emails that look exactly like a company that we’re used to doing business with, typically a bank. an insurance company, maybe a financial advisor, somebody who handles money because, you know scammers go to where the money is logically. So. Same process, more or less, they have to inventory multiple domain names for the same reason they have to set up what’s called an MX record. Again. You can’t send an email under a domain without an MX record set up with a registrar.

Then they have to find a legitimate email from that company. And again, it’s it’s still using similar type of code as a website, either HTML or something similar to that to get the graphics and the language and the font type and everything else exactly the way the company wants it, they steal that they build a fake email. And then they can launch the phishing campaign more nuances to it than a website, a website. You’re advertising a phishing campaign. You’ve got a list of email addresses that you want to send that to.

So the trick to exactly what we’re talking about, which is finding and taking down that fake website before it gets to the end before that phishing attack is launched is right here. We’re looking for the A record associated with a given with a given domain name or an MX record associated with a given email attack.

So, David, I’m going to turn it over to you for a moment to give us some examples of of what this looks like, generally speaking, and I think you have one already queued up. Correct?

Sure, yeah. And I’m just going to as a quick. Add on to what you’re saying, David, because with these arrows here pointing to the A record, the Mx record that’s absolutely dead on the other thing, too, is

is having, you know, like inventorying the multiple domain names that you noted. Under the fake website.

That also gives us a very, very strong investigative very strong place to investigate in terms of finding these things, you know, in terms of associating. What are they being associated with. Usually when a scammers inventory and multiple domain names, they’re going to inventory multiple. They’re going to inventory domain names that they think are going to confuse people. So they’re going to use brand names. They’re going to use things that are known, things that are trusted. So and with that we’ll we’ll jump into this next piece.

Okay?

So from what you were saying.

I’m just making sure you can see my screen.

Yes. Okay, great. So the question is, you know, in terms of finding you know, finding these threats before they become, you know, bigger attacks.

The critical part is is being vigilant, is watching.

And so here, here’s the we. What we have here is the the Domains case system. This is the main. This is the main dashboard. This is where our our clients come to find. You know what you know, that they can look at what anything new that’s come through the pipeline. They can look at things that they’re watching, that are really important to them, or even things that they’re acting on, that. You know, things that they’re actually actively pursuing in terms of threats.

So we’re going to just click on watch here in terms of things that we’re watching because we’re wondering, you know, like, how do we find in terms of picking out these things? What are the things that we need to be worried about? Well, if you go into our system. It’s actually, very, very simple.

We can go in

and actually, and you can click on one of these vectors.

We’re going to click on a next record, and we’re going to see what is, you know which ones which domains that we have found that are mimicking our.

the the trademark owner’s name.

That also have annex records. Okay, the next thing that we’ll do is we’ll we’ll look at

and mark anything that’s been labeled as a threat. So every domain that comes to our system is labeled pot as as a potential threat or as a

as you know.

I guess, safe.

So here we have. We have

we have 2 records, 2 domains that are labeled that have Mx records, and they’re been labeled in our system as either potentially as phishing or malware.

Now.

this is this is really really important, because we we have now matched up

the record, the name with the threat, and we can sort of know what’s going on. The other thing, too, is we’ll just click on. We’ll click in here onto this one, which is Henry spelled with 2 rs.

This is for Henry shine. and we can just take a quick look here, this is our latest.

This is the latest information that we have on this domain. Now, this is January third, 31, 2024. This is the lot. We we check these every single day. But the last time that we noticed the change, whether it was from the on the website or whether it’s with the Mx record or whatever it might be. But something is going on here, because, as you can see, right, the domain was created in November seventh, 2023 was updated on the nineteenth.

It expires okay, 2024,

and we have our IP address and Dns record here. so

there’s

we’re right now. It’s not resolving to anything but

the fact that it is not resolving to anything.

and the fact that it has an Mx record, and we’ve marked it as a potential threat means that this is something that needs to be watched very, very carefully, if not immediately taken down.

and in our system we that we can of course, take it. We can, of course, take

take the first steps towards taking it down by just simply marking it in the system as as a takedown. But these are these are the things that you would wanna look at now if we look at the history here

because this thing has been in in our system for a little bit little while we look at June eighteenth, 2023. Okay, there was a site up here. right? So it’s it was and then we have all the data here. We know that the page title

and there’s not a ton of there’s not a ton of who is can be really tough sometimes. But we have the IP address. We have the Dns record, and we have the Mx record.

You can see

that this IP address

1 7 2.1 8

the same as what we were dealing with before.

So now, at some point this domain expired, it got re picked. It, got picked up again. I think this is but also part of the whole. What David was talking about earlier about how multiple domain names have to be.

can be have to be have to be used in order to run these attacks properly.

This is the perfect example. So just going back for 1 s here, if we go back in.

go into watch. Click on Mx record pitching malware. One of the things that we can also notice is that

there’s another that there’s another domain here, right? So doesn’t necessarily mean that they’re that they’re that they’re linked. But we can find that there’s another th. There’s potentially another threat here.

So hendershines.com. We’ll click on this.

That’s a second.

we can see the data. Interestingly enough, this domain on the other end, the domain that we just looked at. We’re both registered in Iceland. They do have different IP addresses.

and we can just take a look at the history here. So there’s nothing we’re not capturing anything on this screen. It doesn’t matter.

It doesn’t matter, though, if there doesn’t need to be a website that’s up and running that you can visually see in order to run an effective campaign as long as the Semx record is up, even if it’s kind of lying low.

In terms of, you know, activity, visible activity that you would go to.

You know the days of having a registrant give their you know. Correct? Who is information and provide, you know, detailed it. It’s just not going to happen. So we have to find other ways, other vectors to find. And in this case the Mx record is really critical.

And David, while you’re on that page, if you could scroll back down to the Mx Record sure

section.

so the importantly using a system like this.

the the system itself will also send an alert when something changes right the moment this domain was registered, whenever that originally was, whether it was January twelfth, 2024, which is obviously very recent, which you can see up here.

Or if it was, in fact, originally registered long before that, and somebody else was either under somebody else or under the Scammer.

The point is, the record was blank until the Scammer actively started, adding, in some of those other records like the IP. Address and the Dns records, and of course the Mx records

one of the key features of the DomainSkate system is that we will notify you as a client when one of these records changes. That’s critical, because, you know, again, on day one, it’s blank. And then at some point, those Mx records had to go up.

So before the phishing attack can begin, those Mx records have to be created and an email goes, goes goes out on the same day

that those Mx records go up which gives notice to the client. He’s something maybe going on here. Let’s take a look. So in that way, you’re able to focus your attention. Only where there’s change happening.

Yeah. And and and yeah, that’s that’s exactly correct. And the first piece is, you know, the system finds that the moment that it’s registered that the domain is registered, whether or not there’s an Mx. Record, an a record, or whatever might be going on there, the system, the system detects it and puts it in and says, Hey, this is something that you should take a look at

once that once it’s in, once we because the name is critical. The domain is critical in terms of, you know, confusing and running the scam confusing users.

it’s it’s a matter of sitting and looking and saying, Okay, is there going to be any other activity here, you know.

and as soon as something changes, whether it’s any of the administrative information like you said or the dns information. That’s when we know that this is something that we have to take seriously. The other thing that we can do in the system

is we can go back

and we can cross-reference things. So if we want to take, if we take an IP address, or if we take an Mx record

and we put it into the system, we can see what else is showing up for that name.

That is also using that same X record.

So all of a sudden, now we have 1, 2, 3, 4, 5. It’s not to say that they’re all necessarily related. But there’s a strong possibility that some of these are being held by the same by the same registrant. Even if it’s not necessarily visible.

we would do the same thing with the IP address. Dns records just making sure that everything is, you know, trying to find those points of similarity.

particularly when we don’t necessarily have it exactly with who is

perfect.

And, David, I think this is a good time to answer the first question which is, can I find domains without without a platform?

And I can take that answer if you like.

Sure. I think that’s that’s pretty straightforward.

it’s it’s very, very difficult to do that. So if you are.

if you’re looking for that top level. If you’re looking for that list of domains that are similar, that is, you know, as David pointed out, that’s the hard part that’s one of the hardest parts. Without a platform that will go out and look for you for similar domains. You’re basically going to who is you can go to. Who is.org? You can go to any registrar and basically search the name.

Search the name that you’re looking for, whatever that might be. So in this case, if you look for Henry, shine.com, or in this case Henry shine with with an extra r in the name.

You would find that that domain was taken, and then you wouldn’t know that you would need to keep an eye on that. But building that list manually is exceptionally hard to do. And, David, I wonder if you could take a minute to talk about the AI element that we use to build these lists that lookalike or create or find these lookalike domains for our clients.

Yeah, well, you know, AI is is kind of a double edged sword in in our, in our area of our area of work. Because AI is making things, you know, much more difficult in terms of the quality and types of scans that we’re seeing the days of having this types in

email messages or, you know, phishing messages. And these are gone.

you know AI can now create things, and very, very fast, and allow scammers to run things just in in a a scale that we haven’t really seen before in terms of what we’re doing. We’re we’re using it to help protect our clients. just like they’re using it to trying to exploit them. So you know, A AI has become a very important

critical piece of finding the domains in particular for our for our system. So so yeah, so that’s that’s that’s been super important.

The other thing that I also wanted to say is that in our system is that as soon as if you do find it, you can take it down, you can.

We start? We start the activity towards taking it down instantly. As soon as you click on this little icon. Right here things go in process.

Things can start to happen so we can start to take immediate action in order to protect your brand.

Perfect. Thank you.

And I’m just going to show it a quick example of that.

If you were trying to do this this piece manually, without AI without a platform. You would go to something like either. Who is.com or like I, said Godaddy, and here’s an example where you would kind of have to come up with these

with these domain names or these variations of the legitimate domain. Name

on your own. Unlike, if you’re not using a tool and check them one at a time in a format like this, either who is, or one of the who is a websites or a registrar of a registrar of your choice.

Yeah, all right, let’s bring up.

I’m sorry, David. Go ahead. Did you wanna add something? No, no, no. But go ahead, please.

So let’s bring up the next question, what does a fake domain look like?

Okay, I think they meant Fink website. But we can give a couple of examples of that.

a couple examples of that as well. So this is. This is a company called Twelfth Tribe. They use. They are a high-end fashion company.

Sell clothing, jewelry, etc.

I’m sorry to say again.

I’m so. Are you sharing your screen? Because I’m only seeing my screen right now.

Okay. How about stop sharing your screen and and I’ll give it another shot on this end.

Okay, you see my screen. Now, David.

Yep.

Okay. So this is the legitimate website again, very professionally done. A very high end.

Clothing and jewelry. This is the fake website, twelfthtribeshop.com. At first glance it looks very similar. Similar toolbar, same exact logo. All of the clothing is different, but it’s probably from an older version of the site. And if you click on any one of these elements, you’re going to see that it’s of course, on sale, right? And that’s the biggest part. So everything here is half off. Excuse me half off. or even less and you can see what they’ve done. They’ve got all the photos, all the photos that are listed on the actual site are all listed here, and they’re selling it for half off, which is obviously a very attractive price, right? But you’re not getting a good deal, because if you were to actually try to purchase this item, the Scammer would happily take your credit card and maybe create some fraud with a credit card. They would happily charge your account for at least this amount. $18 and 30 cents, but they’re going to ship nothing. Why? Because they’re in some foreign country, and and they’re not going to worry about taking anything down.

Here’s another one a little less sophisticated. They just put an extra s in the and the name of the product. But it’s still again, as you can see, same format, same exact clothing. This is, you know, they use all the same photos from the photo library.

And

Of course everything is 40% off. And if you just wanted to

check, I’m just going to grab the name of this particular item. I’m going to go back to the legitimate website

and just do a quick search for this exact item. And there it is

same photos.

obviously full price, but same exact photos, same description, same everything as the fraudulent website.

So some are more sophisticated than others. But

this is what they look like folks. It’s it’s really not hard for the Scammer to truly take all of your inventory, all of your photos, all of your assets and turn it into something that is

absolute. 100% fraud.

Yeah. But III think the critical thing here, you know, looking at those sites is

is finding them in their

and they’re infant safe.

you know, before they obviously those sites are up and running right now. There’s and and and that’s unfortunate, but is, you know, finding them once they’re registered.

knowing that. Okay, this is something that’s similar. This could be used. And then what are the levels? So you know, the first level being, it’s registered Second Level being, are there any records? Is there anything associated with it? Is there a live site on there you have to capture all of that information. And here, actually, for you know, like, you know, for that, for that website in terms of a fake website.

you know the, you know, sending money and not getting anything in return. It damages the brand. It makes users very, very annoyed. All of a sudden people start complaining. It’s it’s it’s it’s tough but I but I think being vigilant from an early stage is really critical?

Exactly. That’s a great point.

Okay?

time for the last question, which is, are there other services that offer the ability to

monitor monitor domain?

And the answer is, Yes, A lot of the there are services out there. That will. If you give them the domains that you want to monitor. They can send you alerts if anything changes, some are very pricey, some are not. If you’d like a proposal from DomainSkate for your brand, you can contact me directly at dws@DomainSkate.com again. That’s dws@DomainSkate.com.

and we’d be happy to get you a proposal for your brand for multiple brands. Some companies I, some of the attendees on this call, I think, have worked for companies who have managed multiple different brand names for similar products, so we can do more than one brand at the same time without without any issue.

So feel free to reach out if you’d like a proposal. And I think that’s about all the time we have.

Thank you. So everybody. Thank you for joining.

Thank you. All right.