
1534 - Researching Lookalike Domains Using Infoblox Portal

Scenario

Your organization’s security team has identified suspicious activity targeting the domain PayPal.com, with concerns about phishing attacks and lookalike domains. As a security analyst, you are tasked with monitoring and analyzing these lookalike domains to prevent potential threats. You will enable monitoring for PayPal.com, analyze recent lookalike domain activity, and export the data for further investigation.

Estimated Completion Time

  • 10 to 15 minutes

Prerequisites

  • Access to the Infoblox Portal

  • Knowledge of lookalike domains and threat reports

Course References

  • N/A

Tasks

Task 1: Enable Monitoring for PayPal.com

Log in to the Infoblox Portal, and navigate to the Lookalike Domains section under Monitor > Reports > Security > Lookalike Domains > Common Watched Domains. Scroll down to locate PayPal.com and toggle the switch to enable monitoring for the domain.

Task 2: Analyze Lookalike Domain Data for PayPal.com

Navigate to Monitor > Reports > Security > Lookalike Domains > Activity. Set the Show filter to Last 30 Days. Search for PayPal.com and expand the result to view details like registration date, recent lookalikes, and threat class. Review the Threat Classes chart for suspicious, phishing, and malware activity.

Task 3: Export and Review Lookalike Domain Data

With the PayPal.com entry expanded, click on the Export All Lookalikes option. After exporting, open the CSV file and review key columns, including Threat Class and Explanation. Identify a few lookalike domains that fall under the Suspicious or Phishing Threat Class.


Solutions

Task 1 Solution: Enable Monitoring for PayPal.com

  1. Log in to the Infoblox Cloud Services Portal.

  2. Navigate to Monitor > Reports > Security > Lookalike Domains > Common Watched Domains.

  3. Scroll down until you locate PayPal.com in the list.

  4. Toggle the switch next to PayPal.com to enable monitoring.

  5. Ensure the switch is turned to the ON position.


Task 2 Solution: Analyze Lookalike Domain Data for PayPal.com

  1. Navigate to Monitor > Reports > Security > Lookalike Domains > Activity.

  2. Set the Show filter to Last 30 Days by selecting it from the dropdown menu.

  3. Review the following sections in the Activity page:

    • Total Lookalikes: Displays the total number of lookalike domains detected in the last 30 days.

    • Threat Classes: Shows the distribution of threat classes, such as suspicious activity, phishing, malware C2, or others.

  4. Search for paypal.com in the search bar.

  5. From the search results, expand the PayPal.com entry by clicking the arrow pointing downward.

  6. Review the detailed information displayed, including:

    • Registration Date

    • 50 Most Recent Lookalikes

    • Category

    • Threat Class

  7. Examine the Threat Classes chart to assess suspicious, phishing, and malware activity.


Task 3 Solution: Export and Review Lookalike Domain Data

  1. With the PayPal.com entry expanded, click on Export All Lookalikes.

  2. Download the CSV file and open it using a spreadsheet application.

  3. Review the key columns in the file:

    • Registration Date: When the lookalike domain was registered.

    • 50 Most Recent Lookalikes: Details on the most recent lookalike domains.

    • Category: Classification of the domain’s activity.

    • Threat Class: Threat types associated with the domain.

    • Explanation: Provides additional context or details about the lookalike domain.

  4. Look through the Threat Class column to identify a few domains that fall under Suspicious or Phishing categories.
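
The review in step 4 can also be scripted once the export grows past what is comfortable in a spreadsheet. The following is an added example, not part of the Infoblox lab: the `Lookalike Domain` header name and the sample rows are constructed assumptions, so adjust `domain_col` to match the header in your actual export.

```python
import csv
import io
from collections import Counter

# Threat classes Task 3, step 4 asks you to pick out.
WANTED = {"suspicious", "phishing"}

# Constructed sample standing in for the exported file. "Lookalike Domain" is an
# assumed header name; the other headers are the columns named in this lab.
SAMPLE_CSV = """\ufeffLookalike Domain,Registration Date,Category,Threat Class,Explanation
paypa1-login.example,2024-05-02,Finance,Phishing,Constructed row 1
pay-pal-support.example,2024-05-10,Finance, suspicious ,Constructed row 2
paypal-fans.example,2024-04-21,Blog,,Constructed row 3
paypol.example,2024-05-12,Finance,Malware C2,Constructed row 4
"""


def _norm(text):
    """Normalise a header or cell: drop BOM and padding, lowercase."""
    return (text or "").replace("\ufeff", "").strip().lower()


def triage(csv_text, domain_col="Lookalike Domain"):
    """Return (hits, counts): Suspicious/Phishing rows and a per-class tally."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = {_norm(h): h for h in reader.fieldnames or []}
    missing = [c for c in (domain_col, "Threat Class") if _norm(c) not in headers]
    if missing:
        raise ValueError(f"export lacks expected column(s): {missing}")
    dom, cls = headers[_norm(domain_col)], headers["threat class"]
    why = headers.get("explanation")  # optional column
    hits, counts = [], Counter()
    for row in reader:
        threat = _norm(row.get(cls))
        counts[threat or "(none)"] += 1
        if threat in WANTED:
            hits.append({
                "domain": (row.get(dom) or "").strip(),
                "threat_class": threat,
                "explanation": (row.get(why) or "").strip() if why else "",
            })
    return hits, counts


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_CSV)
    for h in hits:
        print(f'{h["threat_class"]:<10}  {h["domain"]}  ({h["explanation"]})')
    print(dict(counts))
```

To run it against a real export, read the downloaded file with `open(path, encoding="utf-8-sig").read()` and pass the text to `triage()`.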


