<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>If you work in security research, you probably know Duck DNS. The free dynamic DNS provider lets anyone register a subdomain of duckdns[.]org and point it at an IP address of their choice. At ThreatSTOP, we see these subdomains every day headlining various threat intelligence blacklists. In other words - <span style="font-weight: bold;">they're everywhere, and they're bad.</span></p> <p style="font-weight: normal;"><img src="https://www.threatstop.com/hubfs/duckdns.png" alt="duckdns" width="1226" loading="lazy" style="width: 1226px;"><span style="font-size: 12px;"><em>Image: Duck DNS</em></span></p> <p>During an unrelated project, one of our threat researchers noticed a batch of newly registered domains that look like Duck DNS subdomains under the legitimate duckdns[.]org. They're not. Threat actors have registered typosquats of the free DDNS provider's domain (one-character insertions, deletions and substitutions, plus misplaced dots and hyphens) and are constantly registering new subdomains under them, such as ebpmmurscs.duck<span style="font-weight: bold;">s</span>dns[.]org.
These typosquats include:</p> <ul> <li>ducksdns[.]org</li> <li>duckddns[.]org</li> <li>ducknds[.]org</li> <li>duck-dns[.]org</li> <li>ducksns[.]org</li> <li>duckcns[.]org</li> <li>dockdns[.]org</li> <li>dukdns[.]org</li> <li>ducdns[.]org</li> <li>duc.kdns[.]org</li> <li>duckns[.]org</li> <li>duck.dns[.]org</li> </ul> <p>Note that two of these, duc.kdns[.]org and duck.dns[.]org, are not separate registrations at all but hostnames under kdns[.]org and dns[.]org; they work purely by moving the dot. Some of the others are easy to recognize as odd (dockdns, for example), yet Alexa ranks several of them, such as ducksdns[.]org and duckns[.]org, among the top one million domains worldwide, which is concerning given that a simple Google search shows there is no legitimate website to visit on any of them.</p> <p>A closer look at the domains' infrastructure shows that a number of the typosquats are hosted on three IPs (170.178.168[.]203, 103.224.182[.]242, 70.32.1[.]32) and use name servers from above[.]com. above[.]com is a legitimate domain registration and parking service, but we have seen its infrastructure abused for malicious activity on quite a few occasions.</p> <p><img src="https://www.threatstop.com/hubfs/duckdns_squats.png" alt="duckdns typosquats" width="1958" loading="lazy" style="width: 1958px;"></p> <p><span style="font-size: 12px;"><em>Image: VirusTotal</em></span></p> <p>In addition to these three heavily abused IPs, four others deserve an honorable mention:</p> <ul> <li>81.171.22[.]7 - hosts duckns[.]org</li> <li>23.82.12[.]31 - hosts ducksdns[.]org</li> <li>192.185.167[.]252 - hosts duck.dns[.]org</li> <li>199.59.242[.]153 - hosts ducksns[.]org</li> </ul> <p>Monitoring newly registered domains is overlooked more often than not, yet it is <span style="font-weight: bold;">one of the most effective ways to immediately protect yourself from new malware and attacks.</span> ThreatSTOP uses Farsight's Newly Observed Domains (NOD) feed to build tiered, automated targets (blocklists) that protect users from new attacks and threat infrastructure. Our team also analyzes new domain data to enrich the threat intelligence aggregated in our system.</p> <p style="font-weight: bold;">Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?</p></span>
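<p>The detection step described above, as an added example that is not ThreatSTOP's or Farsight's code: a small Python script that reads a feed of newly observed hostnames and flags any whose registrable part is within one edit of duckdns.org, with dots and hyphens squashed first so that duck-dns, duc.kdns and duck.dns are caught as well as ducksdns or ducknds. It also flags a same-name, different-TLD variant, which goes beyond the cases listed in this post. The target, the one-edit threshold, the suffix-based matching (no public suffix list) and the sample feed are all assumptions; the feed is constructed for the example and only the typosquat entries come from this post.</p>

```python
"""Flag newly observed hostnames that look like typosquats of a target domain.

Added example for this post; it is not ThreatSTOP's or Farsight's code.
Assumptions: the feed is plain text with one hostname per line (the
constructed SAMPLE_FEED below stands in for a NOD feed), the target is
duckdns.org, and one edit (MAX_DISTANCE = 1) is enough to call a lookalike.
"""
from typing import List, Optional, Tuple

TARGET = "duckdns.org"
MAX_DISTANCE = 1  # one typo; raising this catches more but also false-positives more


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each cost 1, so 'ducknds' is 1 from 'duckdns'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[-1][-1]


def lookalike_reason(host: str, target: str = TARGET) -> Optional[str]:
    """Return why `host` resembles `target` ('<kind>:<matched suffix>'), or None.

    Every suffix of the hostname with at least two labels is tested, so a
    subdomain registered under a typosquat (ebpmmurscs.ducksdns.org) is caught,
    and so is a typo that only moves a dot (duc.kdns.org). A genuine subdomain
    of the target itself (myhost.duckdns.org) is not flagged.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    t_labels = target.lower().split(".")
    t_core = "".join(t_labels[:-1]).replace("-", "")
    for i in range(len(labels) - 1):
        cand = labels[i:]
        if cand == t_labels:
            return None  # the real domain, or one of its own subdomains
        # squash dots and hyphens so 'duck-dns' and 'duc.kdns' both read 'duckdns'
        core = "".join(cand[:-1]).replace("-", "")
        dist = osa_distance(core, t_core)
        suffix = ".".join(cand)
        if dist == 0:
            if cand[-1] != t_labels[-1]:
                return f"tld-swap:{suffix}"
            return f"separator-typo:{suffix}"
        if dist <= MAX_DISTANCE:
            return f"edit-distance-{dist}:{suffix}"
    return None


def scan_feed(feed_text: str, target: str = TARGET) -> List[Tuple[str, str]]:
    """Run lookalike_reason over a one-hostname-per-line feed; return (host, reason) hits."""
    hits = []
    for line in feed_text.splitlines():
        host = line.strip()
        if not host or host.startswith("#"):
            continue
        reason = lookalike_reason(host, target)
        if reason:
            hits.append((host, reason))
    return hits


# Constructed sample standing in for a newly observed domains feed: the
# typosquats are the ones named in this post, the rest are made-up benign names.
SAMPLE_FEED = """\
# hostname
ebpmmurscs.ducksdns.org
duckddns.org
ducknds.org
duck-dns.org
dockdns.org
duc.kdns.org
duck.dns.org
myhost.duckdns.org
duckdns.org
example-shop.com
"""

if __name__ == "__main__":
    for host, reason in scan_feed(SAMPLE_FEED):
        print(f"{host:28} {reason}")
```

<p>Matching on every suffix of the hostname rather than on a public-suffix-list registrable domain is deliberate: it is what lets duc.kdns.org (a host under kdns.org) and duck.dns.org (a host under dns.org) be caught alongside the real registrations. Keep the threshold at one edit for a short name like duckdns; at two edits, unrelated seven-letter labels start to collide with it.</p>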