How to get information about Private Domain?

Mat Charb
(@mat-charb)
New Member

The incident was that [email protected] was phished by [email protected].

On checking the email header, the source IP address only reaches as far as the email server, so I am unable to discover the origin.

Neither the email login page for [email protected] nor the website www.sxxxxxxss.com is available; however, the domain is registered with a registrar.

The domain privacy and protection service has been enabled for the same which shields the domain’s personal information from public display.

Can I get more information about the domain or email address by any other means, as the domain registrar is not providing information?

Posted : 03/08/2020 5:05 am
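Added example, not from this thread: a Python script that walks the Received chain of a constructed phishing message and separates the hops the recipient's own mail servers recorded (trustworthy) from the hops written by the sender's side (unverifiable), which is why the trail stops at the sender's email server. The host names, IPs and OWN_HOSTS set are assumptions for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not a real capture); IPs are documentation ranges.
RAW_EMAIL = """\
Received: from mx1.example.com (mx1.example.com [198.51.100.10])
 by mailbox.example.com with ESMTP id abc123; Mon, 3 Aug 2020 04:58:12 +0000
Received: from smtp.sxxxxxxss.com (smtp.sxxxxxxss.com [203.0.113.45])
 by mx1.example.com with ESMTPS id def456; Mon, 3 Aug 2020 04:58:10 +0000
Received: from [10.0.0.7] (unknown [192.0.2.77])
 by smtp.sxxxxxxss.com with ESMTPSA id ghi789; Mon, 3 Aug 2020 04:58:05 +0000
Authentication-Results: mx1.example.com; spf=pass smtp.mailfrom=sxxxxxxss.com
From: Finance <[email protected]>
To: [email protected]
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Mail hosts the receiving organisation operates (assumed for this example).
OWN_HOSTS = {"mailbox.example.com", "mx1.example.com"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received_chain(raw):
    """Hops oldest-first as (peer_ip, receiving_host). Each MTA prepends its
    own Received header, so the last header in the message is the first hop."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(hdr.split())                 # unfold the header
        from_part, _, rest = text.partition(" by ")
        ips = IP_RE.findall(from_part)
        # Last bracketed IP is what the receiver observed; earlier ones are HELO claims.
        hops.append((ips[-1] if ips else None, rest.split()[0] if rest else None))
    return hops

def analyse_headers(raw, own_hosts=OWN_HOSTS):
    """Walk newest-first: headers written by our own servers are trustworthy;
    anything written before the sender's MTA handed the mail over is not."""
    hops = parse_received_chain(raw)
    last_verified_ip = None
    for peer_ip, by_host in reversed(hops):
        if by_host not in own_hosts:
            break
        last_verified_ip = peer_ip
    auth = message_from_string(raw).get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)", auth)
    return {"hops": hops,
            "last_verified_ip": last_verified_ip,           # sender's MTA
            "claimed_origin_ip": hops[0][0] if hops else None,  # unverifiable
            "spf": spf.group(1) if spf else None}
```

The last_verified_ip is the sender's mail server as seen by the recipient's edge MX; everything before it, including the claimed origin, was written by infrastructure the sender controls and can be forged.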
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @mat-charb

Can I get more information about the domain or email address from any other means as a domain registrar is not providing information?

You can query several Threat Intel sources to see if these IOCs were used in a broader campaign or specifically used for spear phishing. Talos and X-Force are good for this, ThreatConnect as well.

If you really want to have more details about the domain owner, you need law enforcement support. And a lot of patience. My recommendation is to put time, effort and money into email security, so these emails are never delivered to any mailbox.


regards,

Robin

Posted : 03/08/2020 11:28 am
watcher
(@watcher)
Active Member
Posted by: @mat-charb

...

Can I get more information about the domain or email address from any other means as a domain registrar is not providing information?

Even if you got the registration information it can't be trusted. The registered location may not match the actual location.

If you are determined to pursue it, run traceroutes from multiple locations around the world and see where they converge.

You can also put the IP address into various services to attempt to localize the email server, but in the event of conflict, the traceroute is ground truth at the current time; it does not mean it was historically the same.


Posted : 04/08/2020 6:15 pm
Benot
(@benot)
New Member
Posted by: @bunnysniper
Posted by: @mat-charb

Can I get more information about the domain or email address from any other means as a domain registrar is not providing information?

You can query several Threat Intel sources to see if these IOCs were used in a broader campaign or specifically used for spear phishing. Talos and X-Force are good for this, ThreatConnect as well.

If you really want to have more details about the domain owner, you need law enforcement support. And a lot of patience. My recommendation is to put time, effort and money into email security, so these emails are never delivered to any mailbox.


regards,

Robin

@bunnysniper I'd be quite interested in learning more about what you are mentioning here. Let's assume you receive a phishing email. Very concretely, what would be the procedure you would follow to try to determine if this was part of a broader campaign or a specifically targeted attempt? Do not refrain from mentioning basic stuff; it's a field I am not familiar with.

Thanks a lot

Posted : 21/11/2020 3:39 pm