The RSA spearphish attack and IP reputation

There is a very interesting blog post by Uri Rivner of RSA where he gives details of the recent attack on RSA’s SecurID system. Near the bottom of it he mentions that three domains were identified as being connected with the attack:

Good[DOT]mincesur[DOT]com | up82673[DOT]hopto[DOT]org | www[DOT]cz88[DOT]net

Since ThreatSTOP is an IP reputation system I naturally plugged the IP addresses that these domain names resolve to into our threat database. The first two came up blank (although the second one turns out to be hosted at Amazon, which is interesting) but the third one popped up as being a member of the “Russian Business Network” (it also turns out to be an IP address in China). Indeed it has been one for some time, having first popped up on that list in December last year.

Had RSA run ThreatSTOP on its firewalls and included the RBN feed then whatever part of the attack used this particular domain would have been blocked and logged. Had RSA decided to use ThreatSTOP as a feed for its SIM/SEM or similar then this IP address would have been flagged immediately. Either way the likelihood is that the attack would have been detected a lot sooner and probably far less damage would have been done.

It is also interesting to note that all three domain names have short-lived TTLs (typical for domains using dynamic DNS services); however, some additional research indicates that while the other two names have sometimes moved, this one has consistently resolved to the same IP address for some months. Hence I feel quite confident in my claim above that had RSA been a ThreatSTOP subscriber they would have detected this attack a lot sooner.
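The check described above (resolve a defanged domain, look the address up in a reputation feed, and note whether the TTL looks like dynamic DNS), as an added example that is not part of the original post or ThreatSTOP's own tooling. The feed ranges, hostnames, resolutions and TTLs are all constructed test data drawn from RFC 5737 documentation address space, not real indicators.

```python
# Added example: IP-reputation check plus short-TTL flag for resolved hostnames.
# All data below is constructed (RFC 5737 documentation ranges, .test names).
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed reputation feed: CIDR -> feed name (stand-in for an RBN-style list).
REPUTATION_FEED = {
    "192.0.2.0/24": "constructed-rbn-feed",
    "198.51.100.128/25": "constructed-dyndns-abuse-feed",
}

# Constructed DNS observations: hostname -> (resolved IP, TTL in seconds).
# In practice these would come from resolver logs or passive-DNS data.
DNS_OBSERVATIONS = {
    "example-one.test": ("203.0.113.10", 60),
    "example-two.test": ("198.51.100.200", 30),
    "example-three.test": ("192.0.2.77", 3600),
}

SHORT_TTL_SECONDS = 300  # TTLs below this are typical of dynamic DNS services

@dataclass
class Verdict:
    name: str
    ip: str
    ttl: int
    feed: Optional[str]  # matching reputation feed, if any
    short_ttl: bool

def refang(name: str) -> str:
    """Turn the post's defanged 'host[DOT]example[DOT]com' form back into a hostname."""
    return name.replace("[DOT]", ".").replace("[dot]", ".")

def lookup_reputation(ip: str) -> Optional[str]:
    """Return the first feed whose CIDR contains ip, or None if no feed lists it."""
    addr = ipaddress.ip_address(ip)
    for cidr, feed in REPUTATION_FEED.items():
        if addr in ipaddress.ip_network(cidr):
            return feed
    return None

def assess(name: str, observations=DNS_OBSERVATIONS) -> Verdict:
    """Resolve from the constructed table, then check reputation and TTL."""
    host = refang(name)
    ip, ttl = observations[host]
    return Verdict(host, ip, ttl, lookup_reputation(ip), ttl < SHORT_TTL_SECONDS)

def flagged(names, observations=DNS_OBSERVATIONS) -> list:
    """Hostnames a firewall or SIEM rule fed by the list would block or alert on."""
    return [v.name for v in (assess(n, observations) for n in names) if v.feed]
```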
