Introducing: Webhose’s New IP and Domain Filters

Posted on April 14, 2021 by Webhose


World-class brands like Apple, Microsoft, and Google spend decades building their brand. A brand is worth far more than a monetary sum. It’s a combination of different intangible characteristics: the organization’s identity, reputation, and how others perceive it. As branding pioneer Walter Landor quipped: “Products are made in a factory, but brands are created in the mind.”

The most successful brands today have dozens of domains and IP addresses that need to be monitored. Automatic domain and IP monitoring is essential for organizations that want to maintain a strong brand.

Step Up Your Organization’s Domain and IP Monitoring

At Webhose, we want to do everything in our power to deliver organizations the data they need to defend themselves against cyberattacks. That’s why we’ve developed two new features that allow you to filter search results in the Cyber API by domain or IP. 

Here are just a few examples of how organizations can use the domain and IP filters to defend against cyberthreats to their brand.

The IP Filter

Webhose’s new IP filter can search for posts according to a single IP address or a range of IP addresses. This lets you monitor a wide range of IP addresses mentioned on the dark web.

Identify a DoS attack in advance

Denial-of-service (DoS) attacks are cyberattacks meant to make a service unavailable to its users. This is usually done by overwhelming a site’s server with more requests than it can handle, often sent from spoofed source IP addresses. A DoS attack is launched from a single machine, whereas a distributed denial-of-service (DDoS) attack uses many.

For a large ecommerce brand, the resulting downtime translates into a huge loss of revenue. It makes sense, then, that these brands would want to be alerted in advance about malicious actors plotting this type of attack.

Here is an example of the kind of paste that Webhose’s IP filter can identify: a script that launches a DoS attack against a specific target. The IP address it mentions (35.163.98.108) appears to belong to Amazon (possibly an AWS-hosted server), according to a lookup on an external WHOIS service (see the third image below).

Paste showing the connection between the DDoS attack and the specific IP address
Results of a check on a WHOIS service for more information about this address

Using the IP filter, organizations can now continually monitor mentions of specific IP addresses and receive alerts on any mention of, or spike in, malicious intent against a particular address.

Defend against doxing of a high-profile individual or executive-level employee

Doxing is a well-known phenomenon on the dark web. It is the act of publicly revealing previously private personal information about an individual or organization, usually over the internet. Doxing is aimed at a specific person, usually a high-profile individual (e.g. a celebrity or a well-known CEO) or someone accused of certain activity (e.g. scamming another actor online or being suspected of pedophilic activity). The leaked information is typically gathered from both open-web and private sources.

The victim’s IP address, however, is generally obtained through illegal means, mainly in one of two ways:

  • The IP address is leaked as part of a recorded request, such as a login to a bank account on the bank’s website (see the example below).
  • The IP address is published as part of an earlier dox or data breach (see the example below).

Here is a doxing incident from March 25th that shared details about Vinny Troia, ethical hacker and CEO of Night Lion Security. Among the leaked personally identifiable information (PII) were records from earlier data breaches that include the individual’s IP address. Other PII exposed in the dox included a physical address, names of family members, phone numbers, email addresses, passwords and more.

Post sharing details of Vinny Troia in the Cyber API

A similar use case can be seen with hackers who leak financial information, usually related to online payments. Along with the victim’s browser and user-agent details, these leaks sometimes include credit card or bank account information, which allows other hackers to use the card or account and perform actions as if they were the real account holder.

The following query retrieves all posts in the Cyber repository that contain an identified IP value together with one of the keywords below, which indicate leaked bank login information:

Query: enriched.ip.value:* AND (ccnum OR useragent OR browser OR victim)

Post sharing leaked credit card information, bank login user-agent logs and other information about this user

The Domain Filter

Webhose’s domain filter searches posts according to a specific domain. You can apply a full domain value to this filter, either a single domain or a series of up to three.

Note that this entity identifies valid links (https://linkedin.com, for instance), masked domains (linkedin[.]com) and domain mentions that are not links (linkedin.com).

Discovering malicious mentions of company domains in the dark web

Company domains are often mentioned on the dark web in a malicious context.

Here is an example of a query that combines the domain filter with database-related keywords to find connections between the MeetMindful domain and a possible database breach.

The query matches only posts in which the domain is indexed as a recognized domain entity, as opposed to a free-text mention of the brand (e.g. “MeetMindful” in running text).

Query: enriched.domain.value:(meetmindful.com) AND (leak OR accs OR database OR account OR login OR logs OR "mail pass")

Here is an example of one of the results of this query shared in a Telegram channel:

Telegram post of Meetmindful data leak

Keep these tips in mind when using the domain filter:

  • When querying mentions that contain only the company name (and exclude the domain from the same query), remember that the results do not necessarily describe risks to the domain. (For example, a variant of the query above that mentions the company name but excludes its domain returns twice as many results.)

  • It is recommended to include threat-related terms (hacking, financial fraud and others) in the query, because the domain entity also detects ordinary links to the queried domain shared online (e.g. YouTube links shared in a discussion), which are irrelevant for evaluating risks to the domain.

  • For the most comprehensive coverage, it is recommended to combine the domain entity with other company identifiers (such as the company name).

Monitoring hidden or masked domains

To avoid automated detection of links, many hackers and other actors on the dark web mask the links they mention; these are also known as hidden domains. As shown in the example above, one way to do this is to replace the actual dot in the domain with [dot]. Other methods use spaces, escape characters, parentheses and brackets.

The domain filter detects several common permutations of domains seen on the dark web, and therefore covers more mentioned domains than a query using the extended.external_links filter or a free-text search.
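To make the masking discussion concrete, here is an added Python example. It is not Webhose code and not how the Cyber API implements its domain entity; it simply undoes the maskings listed above ([.], (.), [dot], escaped and space-padded dots, plus the common hxxp:// scheme, which the article does not mention), extracts domain and IPv4 indicators from a post, and then applies the same logic as the queries on this page: a watchlisted domain or IP address, or any IP address at all, appearing next to a threat term. The watchlist, the monitored range 35.163.0.0/16, the sample posts and the extra terms "ddos" and "dox" are all assumptions made for the example.

```python
import ipaddress
import re

# Watchlist for this example: assumed values, not part of the original article.
WATCH_DOMAINS = {"meetmindful.com", "mashable.com"}
WATCH_NETWORKS = [ipaddress.ip_network("35.163.0.0/16")]  # hypothetical monitored range

# Threat terms taken from the article's two queries, plus "ddos" and "dox" (assumed).
THREAT_TERMS = ["leak", "accs", "database", "account", "login", "logs", "mail pass",
                "ccnum", "useragent", "browser", "victim", "ddos", "dox"]
THREAT_RE = re.compile(r"\b(?:" + "|".join(re.escape(t) for t in THREAT_TERMS) + r")\b", re.I)

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample posts (fictional, not real leaks) using the maskings the article lists.
SAMPLE_POSTS = [
    "selling fresh accs from meetmindful[.]com, mail:pass combos, hit me up",
    "ddos target: 35.163.98.108 - run the script at 03:00 UTC",
    "full database of mashable(.)com dumped, 1.8m rows",
    "check the vid https://youtube.com/watch?v=abc (unrelated)",
    "login logs victim ip 10.20.30.40 useragent Mozilla/5.0",
    "meetmindful . com db leak still up",
]


def refang(text: str) -> str:
    """Undo common domain masking so that matching sees plain dots.

    Handles bracketed dots ([.], (.), {.}), [dot]/(dot), a backslash-escaped
    dot, a dot padded with spaces, and the hxxp:// scheme.
    """
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\s*(?:\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)|\\\.)\s*", ".", text, flags=re.I)
    text = re.sub(r"(?<=\w)\s+dot\s+(?=\w)", ".", text, flags=re.I)
    text = re.sub(r"(?<=\w)\s+\.\s+(?=\w)", ".", text)
    return text


def extract_domains(text: str) -> set:
    """Domain names found in the post, whether as links, masked, or plain text."""
    return {m.group(0).lower() for m in DOMAIN_RE.finditer(refang(text))}


def extract_ips(text: str) -> set:
    """Syntactically valid IPv4 addresses found in the post (as strings)."""
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ipaddress.ip_address(m.group(0))
            found.add(m.group(0))
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            pass
    return found


def on_watchlist(domains: set, ips: set) -> bool:
    """True if any domain (or subdomain) or any IP falls inside the watchlist."""
    dom_hit = any(d == w or d.endswith("." + w) for d in domains for w in WATCH_DOMAINS)
    ip_hit = any(ipaddress.ip_address(ip) in net for ip in ips for net in WATCH_NETWORKS)
    return dom_hit or ip_hit


def triage(post: str) -> dict:
    """Classify one post the way the article's queries do: an indicator plus a threat term."""
    domains = extract_domains(post)
    ips = extract_ips(post)
    terms = sorted({m.group(0).lower() for m in THREAT_RE.finditer(post)})
    hit = on_watchlist(domains, ips)
    # Flag when (a) a watchlisted domain/IP appears next to a threat term, or
    # (b) any IP appears next to a threat term (the article's enriched.ip.value:* query).
    flag = bool(terms) and (hit or bool(ips))
    return {"post": post, "domains": domains, "ips": ips, "terms": terms,
            "watchlist_hit": hit, "flag": flag}


def scan(posts) -> list:
    return [triage(p) for p in posts]


if __name__ == "__main__":
    for r in scan(SAMPLE_POSTS):
        marker = "FLAG" if r["flag"] else "    "
        print(marker, r["domains"], r["ips"], r["terms"], "|", r["post"])
```

The "spaces" masking is the noisy one: the space-padded-dot rule only fires when a dot is surrounded by word characters on both sides, and the " dot " rule will also join phrases such as "connect the dot" with whatever follows, so in production you would want to confirm a refanged candidate against a watchlist before alerting, exactly as the tips above recommend pairing the domain entity with threat terms and other company identifiers.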

Another good example is the one below, where a hacker posts a database from the website Mashable.com, an American culture and technology news site, on a known hacking forum. A Mashable data breach was reported in November 2020.

Query: (database) AND enriched.domain.value:Mashable.com AND -site.domain:pastebin.com

Note that the domain in this post is not a valid link, so it could not have been detected by the extended.external_links filter.

Post about Mashable data breach in Cyber API

Maintain a Strong Brand with Cyber Risk Monitoring

Since hackers keenly understand the value of a company’s brand, domains are among the biggest targets for cyberattacks. Keep in mind that domains are public, which makes them an easy identifier of a company. Mentions of company domains on the dark web can alert a company to possible threats to the same extent that mentions of the company’s name or products do. Proper domain monitoring, with comprehensive coverage of the clear, deep and dark web, can alert brands in advance to malicious activity connected to their domains.

The same is true of IP monitoring. Brands want to monitor their Internet Protocol (IP) addresses so they are alerted to any mention of, or spike in, malicious intent against those addresses. It is also critical for organizations to be aware of any IP addresses that hackers advertise for rent, sale or access in hacking and cracking forums; sometimes these belong to company-owned domains or servers.

Even though IP addresses are not as public as domains, they can often be linked to company-owned domains or servers. With the right tools, these IP addresses can be identified and protected from unauthorized access to company brands.

To try the IP and domain filters, log in to our playground and check out the new feature here.