The RSA spearphish attack and IP reputation
There is a very interesting blog post by Uri Rivner of RSA where he gives details of the recent attack on RSA’s SecureID system. Near the bottom of it he mentions that three domains were identified as being connected with the attack:
Good[DOT]mincesur[DOT]com | up82673[DOT]hopto[DOT]org | www[DOT]cz88[DOT]net
Since ThreatSTOP is an IP reputation system I naturally plugged the IP addresses that these domain names resolve to into our threat database.The first two came up blank (although the second one turns out to be hosted at amazon which is interesting) but the third one popped up as being a member of the “Russian Business Network” (it also turns out to be an IP address in China). Indeed it has been one for some time, having first popped up on that list in December last year.
Had RSA run ThreatSTOPon its firewalls and included the RBN feed then whatever part of the attack used this particular domain would have been blocked and logged. Had RSA decided to use ThreatSTOP as a feed for its SIM/SEM or similar then this IP address would have been flagged immediately. Either way the likelihood is that the attack would have been detected a lot sooner and probably far less damage would have been done.
It is also interesting to note that all three domain names have short lived TTLs (typical for domains using dynamic DNS services), however some additional research indicates that while the other two names have sometimes moved, this one has consistently resolved to the same IP address for some months. Hence I feel quite confident in my claim above that had RSA been a ThreatSTOP subscriber they would have detected this attack a lot sooner.