Rebecca McCarthy 
Proofpoint Inc is a cybersecurity corporation based in Sunnyvale, California. In April 2020, the company discovered hundreds of phishing domains used by malicious actors to launch ransomware, banking trojans, info-stealers and other threats. This blog explores how and why Proofpoint discovered the phishing domains and what this could mean for organisations in terms of potential cyber threat protection.
To understand how Proofpoint managed to discover the phishing domains, it is important to first understand the different types of cyberthreats that exist out there. There are two main categories: targeted attacks and opportunistic attacks. Targeted threats are attacks that use targeted information such as emails or URLs specifically created for a given organisation or person. In contrast, opportunistic threats use rapid fire tactics where attackers rely on bulk spamming or spear phishing to quickly obtain many victims by exploiting any vulnerability they can find.
To better protect businesses from targeted attacks organised criminal groups often use phishing kits or malware creation tools which can be used to create malicious websites or web pages with specially crafted text and images that are designed to trick people into entering sensitive information such as passwords or credit card numbers. These websites are usually hosted on well-known domain names from legitimate organisations so they can easily pass under the radar of most security teams.
To detect these malicious emails and websites, Proofpoint uses specialised machine learning algorithms that allow them to analyse billions of emails daily for suspicious activity such as metadata abnormalities and anomalies in sender information as well as suspicious URL patterns, typographical errors or unusual URLs keywords. The algorithms then look for any correlation between known malicious activities such as past ransomware campaigns in order detect new potential threats from attackers who may be using similar techniques and tactics across different domain names – thereby helping them stay one step ahead of attackers when detecting new cyberthreats before they become widespread enough to cause serious damage.
Background on Proofpoint
Proofpoint is a cybersecurity company specialising in providing customers with cloud-based security solutions. Recently, it was revealed that the company had discovered several phishing domains and sued the registrars, who then transferred them to Facebook.
In this article we will examine the background of Proofpoint and the events that led to the discovery of these phishing domains.
What is Proofpoint?
Proofpoint is a leading cybersecurity company that helps organisations of all sizes protect their domain, people, data and brand. The company employs best-in-class technologies and expertise to combat the world’s most sophisticated threat actors.
Proofpoint has the strength of a renowned security vendor combined with the talent and drive of a start-up — an ideal combination in today’s security landscape. The company was founded in 2002 by two former Netscape engineers, with investments from Kleiner Perkins Caufield & Byers and Accel Partners. In 2018, Proofpoint acquired Wombat Security Technologies to assemble an even more comprehensive suite of integrated solutions.
Proofpoint uses machine learning technologies to detect sophisticated threats — including malwares and phishing attacks— and prevent them before they can cause damage. In addition, Proofpoint employs analysts and engineers worldwide in five different time zones to ensure 24/7 protection against cyberattacks. As a result, customers from a wide range of industries trust Proofpoint’s products – from healthcare technology companies to banks, think tanks and universities.
Proofpoint drops lawsuit, transfers phishing domains to Facebook
In August 2019, Proofpoint, Inc. filed a lawsuit against the operators of several phishing websites using the company’s name and brand to deceive customers. The company had become aware of the phishing sites after monitoring activity on its network.
Proofpoint, a cybersecurity and compliance provider, noticed a suspicious uptick in domain name registrations that variations of their domain names. This prompted them to investigate further, discovering more than 4,000 malicious domains registered for purposes such as phishing or malware campaigns leveraging Proofpoint’s brand name and logo.
The domains were registered in various gTLDs (generic Top Level Domains), ccTLDs (country Code Top Level Domains), or other registries with different ownership structures since 2017. Upon further inspection by Proofpoint’s legal team and security researchers, they also discovered fake download links purporting to offer software derived from Proofpoint as well as fraudulent customer service sites with toll-free telephone numbers appearing on search engine results pages when customers performed searches for support information related to Proofpoint products and services.
As a result of this investigation discovery process and research conducted by CyberEdge Intelligence Lab at The University of Texas at San Antonio (UTSA), all the suspicious activities around these fake domains have been linked back to one company – Navistar Marketing Group (Navistar). Consequently, in August 2019 , navigation launched their lawsuit against Navistar Marketing Group for identity theft, trademark infringement and other violations of United States laws.
The Discovery of the Phishing Domains
Proofpoint took an innovative approach in discovering the phishing domains. After the company detected malicious activity, they quickly took legal action, dropping the lawsuit to transfer the phishing domains to Facebook. This action allowed them to take a proactive approach in protecting their customers from potential threats.
Let’s take a closer look at how this process was done.
How did Proofpoint uncover the phishing domains?
Proofpoint, a cybersecurity firm, detected the malicious phishing domain-based attack using targeted deep-web analyses. As part of the investigative process, Proofpoint searched for indications of misuse of credentials and discovered over 20 domains registered to an individual associated with an active campaign. These domains had been linked or associated with malicious or suspicious activities for over three years.
To uncover the full extent of potential risk from this cyberattack, Proofpoint analysed the broader web environment to identify additional domains related to the attack. This analysis provided evidence that multiple other network resources were being misused in attempts to perpetrate large-scale attacks on businesses ranging from automotive and hospitality industries to healthcare organisations.
Proofpoint’s technology also identified a sizable collection of phishing domain broadcasts related to other campaigns which utilised similar tactics and techniques as those used in this case study. The similarity criteria suggested that many more compromised accounts were part of larger campaigns than initially observed in the smaller but limited breach associated with the single individual’s activity.
As such, through deep web inspections conducted by security researchers and analysts at Proofpoint’s Threat Intelligence Center (PTIC), Proofpoint’s team could identify clues from other entities involved in similar activities on the same threat landscape; thus leading them closer towards successfully unmasking this hidden threat and protecting customer networks from their associated threats.
What information was uncovered?
One of the ways security researchers at Proofpoint discovered the malicious phishing domains was by using intelligence that uncovered trends indicating malicious behaviour. Analysts could distinguish suspicious domain names from legitimate ones using various techniques such as passive DNS data, direct and/or passive scanning, and manual oversight of page content and context.
Proofpoint researchers identified several indicators which allowed them to detect the presence of malicious phishing domains:
- The presence of malicious content on web pages associated with the domain
- The use of dynamic DNS records or hosting providers that are known for being used by attackers
- The use of certifications (e.g. SSL certificates) associated with fake companies or forged signatures
- Lookalike domains with minor alterations from established brands (i.e., a domain like ‘bank of america’ instead of ‘bankofamerica’)
Analysis also included information gathering related to domain registration, such as when it was last modified or renewal frequency — all strong signals that can help detect malicious activity. Further analysis revealed evidence suggesting that actors had foreknowledge about disruption measures implemented by security vendors and variants meant to evade more traditional defensive approaches. In some cases they even rebranded already existing domains so they looked authentic.
The Transfer of the Phishing Domains to Facebook
Recently, cybersecurity company Proofpoint dropped its lawsuit and transferred ownership of the phishing domains to Facebook. This transfer was made to help increase protection for users on the platform.
This article will explore how Proofpoint uncovered the phishing domains and why the company transferred ownership to Facebook.
Why did Proofpoint decide to transfer the domains to Facebook?
When Proofpoint discovered over 800 malicious phishing domains, it transferred them to Facebook’s security team. This is because the company needed to get the domains taken offline as quickly as possible to stop any possible abuses.
Proofpoint researched the potential threats posed by these malicious websites and concluded that they could be used to steal user credentials and distribute malware. As a result, they needed to make sure these websites were disabled to prevent any further attacks.
The transfer of ownership allowed Facebook’s Security Team to take immediate action against the malicious phishing sites quickly, efficiently, and securely. Additionally, by transferring ownership of these domains instead of attempting to take them down on their own, Proofpoint was able to protect its customers and prevent any potential losses resulting from a successful phishing attack.
What challenges did Proofpoint face in the process?
Proofpoint encountered several challenges while transferring the malicious domains to Facebook. First, Facebook’s security team had to be confident that they could manage and monitor the health of the domains and that they shared no risk or liability by taking them over. Additionally, they needed assurance that there was a way to limit any long-term risk or reputational damage associated with managing these domains, which continued to be offered on the open market in some cases.
The process also needed to consider any technical requirements regarding access control and authentication for Proofpoint’s transfer of the malicious domains so that attackers could not access them through backdoors or other methods. This included securely transferring domain login credentials, DNS configuration information, server certificates, and other details from Proofpoint’s infrastructure to Facebook’s systems.
Finally, legal considerations were considered throughout the process, including due diligence around the transfer process and working with Twitter’s legal team on contract language related to domain ownership transfers.
