{"id":4620,"date":"2024-07-24T15:14:36","date_gmt":"2024-07-24T20:14:36","guid":{"rendered":"https:\/\/www.dnsfilter.com\/blog\/shame-not-using-dns-protection"},"modified":"2024-07-24T15:14:36","modified_gmt":"2024-07-24T20:14:36","slug":"fool-me-once-shame-on-not-using-dns-protection","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/24\/fool-me-once-shame-on-not-using-dns-protection\/","title":{"rendered":"Fool me once, shame on not using DNS protection"},"content":{"rendered":"<p><strong><em>&#8220;Fool me once, shame on you; fool me twice, shame on me&#8221; is an old adage that doesn&#8217;t quite work in the age of security threats, because the attacker only needs to fool you once to win. How can you mitigate this tried and true deception technique?&nbsp;<\/em><\/strong><\/p>\n<p><!--more--><\/p>\n<p>I recently <a href=\"https:\/\/www.informationweek.com\/cyber-resilience\/facing-cyberthreats-and-misinfo-in-a-tense-political-climate\" rel=\"noopener\" target=\"_blank\"><span>sat on a panel discussing deception techniques attackers<\/span><\/a> use to get to you or your organization. I always feel like we are all one click away from being compromised, hence the name of the blog. Being fooled (via deception) is not only one of the most used tactics, but we are about to see an entirely different level of play as adversaries increasingly use generative AI. We will have to deal with the \u2018likeness\u2019 of a person and new versions of deception where all of our human senses are called into question. But before we scare ourselves and go fetal in the corner, let&#8217;s at the very least talk about what we can do when faced with being \u2018one click away\u2019 from compromise.&nbsp;<\/p>\n<p>We as humans are built to make quick, sometimes compromising decisions when emotions are high or the situation requires immediate action. 
Attackers know this, and the only reason they keep using deception is that it still works.&nbsp;<\/p>\n<p>At DNSFilter, we have a global view of what these attackers are doing to fool you into interacting with their malicious website or clicking the link that is one step in their multistep path to compromising you. Here is what I\u2019ll examine in this blog:<\/p>\n<ul>\n<li>US politics<\/li>\n<li>The CrowdStrike\/Microsoft IT outage<\/li>\n<li>Fake charities capitalizing on good intentions<\/li>\n<\/ul>\n<p>Let\u2019s look at these one by one to see how attackers try to fool you.<\/p>\n<p>With an effective protective DNS solution like DNSFilter, the likelihood of you being fooled \u2018once\u2019 is far lower, because we see over 100 billion DNS requests per day (more than 1 million queries every second) and use that visibility to block the domains behind these lures. We are doing our part to make the Internet a safer place for us to work, live, and play.<\/p>\n<h2>Emotionally Charged US Political Issues<\/h2>\n<p>Hot topics like Biden\u2019s withdrawal as the 2024 Democratic candidate and the assassination attempt on Trump are both things that make one want to click a link and possibly download or \u2018sign up\u2019 for something. The result is often the disclosure of sensitive information, which is exactly what attackers want. 
These events have driven an increase in \u2018newly created domains.\u2019&nbsp;<\/p>\n<p>At DNSFilter, a \u201cnew domain\u201d is a domain name less than 30 days old; our \u201cvery new domains\u201d category covers domains registered in the last 24 hours. Age is a useful signal on its own: a lure built around a breaking news event is usually hosted on a domain registered after the event, because nobody owned a fitting name before it happened.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png?resize=640%2C396&#038;ssl=1\" width=\"640\" height=\"396\" loading=\"lazy\" alt=\"Blocked Requests to Political Threat Domains\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.jpg 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png 1800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png 2400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png 3000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection.png 3600w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\"><span><em>These domains include all malicious traffic (botnet, cryptomining, phishing &amp; deception, malware, new domains) to domains that include &#8220;Trump&#8221; and &#8220;Biden&#8221; in the domain name.<\/em><\/span><\/p>\n<p>Over the weekend, as Biden made the decision to withdraw his candidacy for president, DNSFilter blocked over 6,000 requests to domains that were a mix of phishing &amp; deception and new domains. The majority of that traffic went to a single domain that has been active since at least 2022 but is currently parked. 
Some of the domains we spotted posed the question \u201cis Biden still running?\u201d<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-1.png?resize=300%2C701&#038;ssl=1\" width=\"300\" height=\"701\" loading=\"lazy\" alt=\"Screenshot of a recent domain asking Biden to step down.\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-7.png 150w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-1.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-8.png 450w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-9.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-10.png 750w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-11.png 900w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/p>\n<p><em>Example of a recent domain asking Biden to step down. Opinions expressed in this image are those of the website owner, and not of DNSFilter.<\/em><\/p>\n<p>As you can see, this example offers an option to \u201ctake action.\u201d Call-to-action buttons like this are incredibly risky. A visitor who signs up hands their email address directly to the attacker, who can then use it in any number of phishing campaigns. The links could also lead to pages to \u201cdonate\u201d to the campaign that are in fact direct payments to threat actors.&nbsp;<\/p>\n<p>Other common schemes in the political landscape are merchandising scams. 
For instance, one pro-Trump \u201cshop\u201d site used clearly AI-generated imagery to push quickly produced apparel at high markups while posing as an \u201cofficial\u201d merchandise store.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-2.png?resize=512%2C410&#038;ssl=1\" width=\"512\" height=\"410\" loading=\"lazy\" alt=\"Trump apparel site posing as an official store and using AI-generated imagery\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-1.jpg 256w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-2.png 512w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-12.png 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-13.png 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-14.png 1280w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-15.png 1536w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\"><span><em>Example of a Trump apparel site that poses as an &#8220;official&#8221; store and uses AI imagery.<\/em><\/span><\/p>\n<p>The opportunities for exploitation of this type are vast.<\/p>\n<p>The bright side is that people everywhere are on the lookout for fake information related to political campaigns. There is a growing conversation around it, and hopefully that means people will be more skeptical of what they see in the wild and rely only on trusted sources. 
The not-so-bright side is that this awareness exists only because people have already been fooled at least once, which I can only hope was not a high-cost lesson.<\/p>\n<h2>CrowdStrike-Related Scams<\/h2>\n<p>Since the CrowdStrike and Microsoft outage of July 19 (a faulty CrowdStrike sensor update that crashed Windows hosts worldwide), DNSFilter has seen a massive increase in the number of domains that include some form of \u201ccrowdstrike\u201d in the name. <a href=\"https:\/\/www.dnsfilter.com\/blog\/crowdstrike-lookalike-domains\"><span>You can read our blog<\/span><\/a> highlighting the newly seen domains we have blocked since the incident occurred.<\/p>\n<p>Between July 19 and July 22, we blocked over 189,000 requests to domains with \u201ccrowdstrike\u201d in the name that are categorized as new domains, phishing &amp; deception, or malware, sometimes in more than one category at once. Traffic was low on Friday, July 19, presumably because the threat actors were still registering and setting up these domains, but it has risen steadily since July 20, averaging 63,000 blocked requests per day to these domains on our network between July 20 and July 22.<\/p>\n<p>Another important thing to note is that before July 19, looking at the entire month of July, there was quite literally <em>no<\/em> traffic on our network to domains that contained \u201ccrowdstrike\u201d in the domain name and fell into any of these categories:<\/p>\n<ul>\n<li aria-level=\"1\">Botnet<\/li>\n<li aria-level=\"1\">Cryptomining<\/li>\n<li aria-level=\"1\">Phishing<\/li>\n<li aria-level=\"1\">Malware<\/li>\n<li aria-level=\"1\">New Domains<\/li>\n<\/ul>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-3.png?resize=600%2C371&#038;ssl=1\" width=\"600\" height=\"371\" loading=\"lazy\" alt=\"Blocked Requests to Fake CrowdStrike Domains\" 
srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-16.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-3.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-17.png 900w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-18.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-19.png 1500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-20.png 1800w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"><\/p>\n<p><em>These domains include all malicious traffic (botnet, cryptomining, phishing &amp; deception, malware, new domains) to domains that include \u201cCrowdStrike\u201d in the domain name.<\/em><\/p>\n<p>While some of these domains are benign (simply compilations of information about the outage), others are more sinister. 
One recurring pattern is the fake helpdesk, signalled by domains that pair the brand name with \u201chelp-desk\u201d, \u201cfix\u201d, or \u201crecovery\u201d.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-4.png?resize=342%2C800&#038;ssl=1\" width=\"342\" height=\"800\" loading=\"lazy\" alt=\"Newly registered CrowdStrike lookalike domain offering advanced support from experts\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-21.png 171w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-4.png 342w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-22.png 513w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-23.png 684w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-24.png 855w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-25.png 1026w\" sizes=\"auto, (max-width: 342px) 100vw, 342px\"><\/p>\n<p><em>Example of a newly registered CrowdStrike lookalike domain with a suspicious option for &#8220;advanced support&#8221; from their &#8220;experts&#8221;.<\/em><\/p>\n<p>The example above pulls from real news sources and reproduces the instructions for fixing the outage in order to appear legitimate, while also offering an email address for advanced support from their \u201cexperts.\u201d This hybrid \u201cnews\u201d plus \u201chelpdesk\u201d scheme recurs across the CrowdStrike lookalike domains registered since July 19. The practical rule is simple: remediation guidance and support for a vendor incident should come only from that vendor\u2019s own site and support channels, never from a domain you first encountered through a search result, an ad, or an email.<\/p>\n<p>Before we move to the third and last example, I want to point out how quickly these adversaries move to prey on your emotions and urgency. 
They know that when you are in a pickle, you will type your problem into a search engine looking for a fix. Unfortunately, the \u201cfix\u201d that comes back may be the very step that compromises you.<\/p>\n<h2>Charity and Donation Scams<\/h2>\n<p>This one really gets under my skin because it hurts good people trying to be good to others. I can\u2019t imagine a more emotionally charged situation than the sudden and unexpected loss of a loved one, whether human or pet. The problem is that some of these appeals are real and deserve your attention, while others are set up purely to scam you.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-5.png?resize=640%2C480&#038;ssl=1\" width=\"640\" height=\"480\" loading=\"lazy\" alt=\"Fake donation page\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-26.png 800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-5.png 1600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-27.png 2400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-28.png 3200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-29.png 4000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-30.png 4800w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\"><span><em>This image shows a fake \u201cdonation\u201d page.<\/em><\/span><\/p>\n<p>We see a variety of these scams across our network. The one above uses the term \u201cdonate\u201d in its domain name, and exactly what you would be supporting is left unclear. Since we first saw this site on our network, the domain has been taken down. 
Depending on the variant, these scams harvest email addresses, payment card details, or both.<\/p>\n<p>The average daily number of blocked requests to threat domains containing \u201ccharity\u201d, \u201cdonation\u201d, or \u201cdonate\u201d has been rising since the start of the year. As the chart below shows, July is on pace to have the second-highest blocked traffic of the year on our network for these schemes. This rise is likely driven by global events that prompt both attackers to build these scams and good people to want to help in hard times.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-6.png?resize=600%2C371&#038;ssl=1\" width=\"600\" height=\"371\" loading=\"lazy\" alt=\"Average Daily Blocked Requests to Charity Threat Domains\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-31.png 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-6.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-32.png 900w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-33.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-34.png 1500w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/fool-me-once-shame-on-not-using-dns-protection-35.png 1800w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"><\/p>\n<p><em>These domains include all malicious traffic (botnet, cryptomining, phishing &amp; deception, malware, new domains) to domains that include variations of \u201cdonate\u201d or \u201ccharity\u201d in the domain name.<\/em><\/p>\n<p>My request here is to be diligent and, if you care deeply, put in the time to verify before you donate. Good people in the world are counting on other, more fortunate good people to help; just don\u2019t let the scammers fool you.<\/p>\n<h2>Conclusion<\/h2>\n<p>A more conscientious Internet user will be safer and harder to fool, but no matter your level of cybersecurity awareness, the scammers out there want you to remain clueless. Ten years ago I would have said that you can just go to battle with human skills. But that was when the adversary was operating at human scale, and that is simply not the case today.&nbsp;<\/p>\n<p>Adversaries are now armed with machine-scale techniques, which means you need machine-scale defenses. This blog post speaks pragmatically about current events and examples, but let me warn you that we are about to move to the next-level battlefield, where a voice indistinguishable from someone in your life (your wife, your partner, your husband) leaves you a voicemail asking you to call back because they forgot the password to your shared bank account and are locked out.<\/p>\n<p>Or imagine seeing a video of yourself appealing to your community to vote for a candidate you would never support. Yes, I\u2019m saying that we can no longer trust our human senses. There\u2019s a saying: believe none of what you hear, and half of what you see. Even <em>that<\/em> isn\u2019t enough anymore. We will have to evolve as a species toward additional forms of verification and validation. It is not the first time in human history this has happened, and certainly not the last.<\/p>\n<p><a href=\"https:\/\/www.dnsfilter.com\/free-trial\" rel=\"noopener\" target=\"_blank\">With a protective DNS solution like DNSFilter<\/a>, customers can block these risky, newly registered domains by enabling the \u201cnew domains\u201d category. Expect some false positives: legitimate sites also start life as new domains, so pair the category with a review process for allowlisting the ones your users genuinely need. 
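<\/p>\n<p>The new-domain thresholds defined earlier (under 30 days, and under 24 hours for \u201cvery new\u201d) and the lookalike patterns described in the CrowdStrike and charity sections (a brand term such as \u201ccrowdstrike\u201d next to \u201chelp-desk\u201d, \u201cfix\u201d or \u201crecovery\u201d, or \u201cdonate\u201d and \u201ccharity\u201d in the name) are easy to reproduce as a local triage rule over your own resolver logs. The Python below is an added example written for this post; it is not DNSFilter code and does not describe how DNSFilter classifies domains. It assumes a registration-date lookup that a real deployment would fill from RDAP or WHOIS (here a constructed dictionary), a simplified last-two-labels notion of the registrable domain (use the Public Suffix List in production), a block policy of my own design, and it goes slightly beyond the text by collapsing hyphens and digit-for-letter substitutions before matching, so \u201ccr0wd-strike\u201d still matches \u201ccrowdstrike\u201d. Every hostname and timestamp in it is constructed.<\/p>\n
```python
from datetime import datetime, timedelta, timezone

# Brand terms the post reports being abused in domain names, and the lure
# terms seen next to them on fake helpdesk and fake donation pages.
BRAND_TERMS = ('crowdstrike', 'trump', 'biden')
LURE_TERMS = ('helpdesk', 'fix', 'recovery', 'donate', 'donation', 'charity')

# Age thresholds from the post: new = registered under 30 days ago,
# very new = registered under 24 hours ago.
NEW_DOMAIN_AGE = timedelta(days=30)
VERY_NEW_DOMAIN_AGE = timedelta(hours=24)

# Digit-for-letter substitutions that defeat a naive substring match.
_LEET = str.maketrans('013457', 'oleast')

# Constructed sample data. In a real deployment REGISTERED would be filled
# from RDAP/WHOIS creation dates; none of these names or dates are real.
NOW = datetime(2024, 7, 23, 12, 0, tzinfo=timezone.utc)
REGISTERED = {
    'crowdstrike-fix.example': NOW - timedelta(hours=5),
    'cr0wd-strike-helpdesk.example': NOW - timedelta(days=2),
    'bidenrunning.example': NOW - timedelta(days=20),
    'donate-relief.example': NOW - timedelta(days=700),
    'corp-intranet.example': NOW - timedelta(days=3000),
    'newsroom.example': NOW - timedelta(days=3),
}


def registrable_domain(name):
    # Simplification: the last two labels. Production code should use the
    # Public Suffix List, since suffixes like co.uk are two labels long.
    labels = name.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def normalized_label(name):
    # Drop separators and undo digit substitutions so that
    # 'cr0wd-strike-helpdesk' compares as 'crowdstrikehelpdesk'.
    host = registrable_domain(name).rsplit('.', 1)[0]
    return host.replace('-', '').replace('_', '').translate(_LEET)


def domain_age_category(name, registered=REGISTERED, now=NOW):
    # Returns 'very_new', 'new', 'established' or 'unknown' (no record).
    created = registered.get(registrable_domain(name))
    if created is None:
        return 'unknown'
    age = now - created
    if age < VERY_NEW_DOMAIN_AGE:
        return 'very_new'
    if age < NEW_DOMAIN_AGE:
        return 'new'
    return 'established'


def lookalike_terms(name):
    # Which brand terms and which lure terms appear in the normalized label.
    label = normalized_label(name)
    brands = [b for b in BRAND_TERMS if b in label]
    lures = [t for t in LURE_TERMS if t in label]
    return brands, lures


def verdict(name, block_new_domains=True):
    # Policy (assumed for this example): block young domains when the
    # new-domains switch is on, block brand+lure combinations outright, and
    # block a brand term on a young domain even without a lure term.
    reasons = []
    age = domain_age_category(name)
    brands, lures = lookalike_terms(name)
    if block_new_domains and age in ('new', 'very_new'):
        reasons.append('age:' + age)
    if brands and lures:
        reasons.append('lookalike:' + '+'.join(brands + lures))
    elif brands and age in ('new', 'very_new'):
        reasons.append('brand_term_on_young_domain:' + '+'.join(brands))
    return ('block' if reasons else 'allow'), reasons


def triage(query_log, block_new_domains=True):
    # query_log: hostnames as they appear in resolver logs (constructed here).
    return {q: verdict(q, block_new_domains) for q in query_log}


if __name__ == '__main__':
    sample = [
        'www.crowdstrike-fix.example',
        'cr0wd-strike-helpdesk.example',
        'bidenrunning.example',
        'donate-relief.example',
        'mail.corp-intranet.example',
        'newsroom.example',
    ]
    for host, (action, why) in triage(sample).items():
        print(action.ljust(5), host, ' '.join(why))
```
\n<p>Running it prints one verdict per hostname. The \u201cnewsroom.example\u201d case is the one to watch: a pure new-domains block also catches benign sites that happen to be young, which is why the example keeps that policy as a switch rather than baking it in, and why an allowlist review belongs next to the category in practice. A domain with \u201cdonate\u201d in the name but no brand term and a long registration history is allowed, because the term alone is not evidence of fraud.<\/p>\n<p>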
Our vision at DNSFilter is to secure digital environments for everyone; this is just one way we work toward that vision.<\/p>\n<p><a href=\"https:\/\/www.dnsfilter.com\/blog\/shame-not-using-dns-protection\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Fool me once, shame on you; fool me twice, shame<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[222,449,61],"tags":[230,451,68],"class_list":["post-4620","post","type-post","status-publish","format-standard","hentry","category-featured","category-it-challenges","category-protective-dns","tag-featured","tag-it-challenges","tag-protective-dns"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"DNSFilter","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/dnsfilter\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/featured\/\" rel=\"category tag\">Featured<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/it-challenges\/\" rel=\"category tag\">IT Challenges<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/protective-dns\/\" rel=\"category tag\">Protective DNS<\/a>","tag_info":"Protective DNS","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4620"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4620\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}