Searches for Imposter Domains to log to Perch
The goal of this project is to add OSINT domain imposter threat intelligence to Perch notifications. A domain imposter is an internet domain name (ie. google.com) that has been registered with the purpose of tricking people into thinking that it is another, more reputable domain. For example, go0gle.com or goog1e.com
This project makes use of two other projects: dnstwist and urlcrazy. These apps use fuzzing and other techniques to identify domain names that bad actors would be likely to register in order to impersonate the original company. We utilize docker to run each of them to gain the greatest possible intel.
This script is intended to run on Perch sensor machines, but really any Linux will do. This will install docker and run two containers during the collection job, but they are not persistent. It will be up to you to ingest the logs if running on a different system. Non-RH derivatives will need some tweaking as well. The scripts auto-update from this repo weekly via a cron job. Simply:
sudo yum -y install git
git clone https://github.com/tfournet/imp_hunter
cd imp_hunter
sudo sh setup.shModify /opt/imp_hunter/etc/domains.txt to include all of the organization's registered domain names.
Modify /opt/imp_hunter/etc/domains-ignore.txt to exclude domains from detection and alerting. You may want to do this for alternate domains you may already own, or other false positives.
- Automatic updates via cron
- Decide whether it would be better to store known state in a lightweight DB on the sensor and only log changes?
- Create and Document Perch Event Notifications for found events
- Publish ENs to Perch Marketplace
- Tweak logging format
- Eliminate duplications between detection projects
- Create any necessary file or folder if it doesn't exist
Why do I care about imposter domains?
Imposters can be used to communicate with your users/clients/vendors/partners and trick them into a financial transaction, code execution, or other things. Although technically those people would be the victims, this can negatively impact you and your relationship with your partners.
What do I do about imposter domains?
Good question! It may be possible to report them to the abuse address at their registrar. You also may want to warn users, clients, or vendors about the imposter. In some situations, even filing trademark claims against someone may be necessary. This is obviously an important concern to me, so I'd love to hear more ideas. This is a tough battle.
Is any of this supported by Perch?
Nope. As of this writing, this is a proof-of-concept project by a motivated user. Perch does not support, condone, or (I hope) condemn using this. Ideally they take the idea and wrap it into the core functionality of their product and make this project obsolete.
It doesn't work like I want it to!
Okay, raise an Issue here, or better yet, hit me (@zaf) up in the Perch Squawkbox on Slack