home.social

#passivedns — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #passivedns, aggregated by home.social.

  1. 🎯 Threat Intelligence
    ===================

    Executive summary: Team Cymru analyzed carding infrastructure active between July and December 2025 and identified 28 unique IP addresses and 85 domains hosting carding markets or forums. These hosts primarily served login pages or forum landing pages, and many sat in offshore ASNs. Common top-level domains included .su, .cc and .ru.

    Methodology:
    • Internet-wide port scanning of ports 80 and 443 combined with passive DNS collection.
    • Regular Expression (Regex) searches across HTTP and HTTPS title banners for keywords such as CVV, Dumps, Carding, and Shop.
    • Indexing of X509 certificate Subject Common Names to cluster related infrastructure.
    • NetFlow telemetry used to link IP addresses into related infrastructure groups prior to obfuscation.

    Key findings:
    • Counts: 28 unique IPs and 85 domains identified as hosting carding market/forum entry points.
    • Hosting: Multiple ASNs were offshore infrastructure providers, suggesting use of resilient hosting to evade takedowns.
    • TLD usage: Predominant use of .su, .cc, and .ru as registration choices.
    • Operational role: The identified IPs predominantly served authentication or landing functions (login/forum landing pages), making them high-value targets for evidence collection.

    Technical analysis:
    • Clustering via X509 Subject CN reuse allowed attribution of different domains to shared operational infrastructure.
    • Title-banner Regex scanning provided high-fidelity indicators by catching explicit market/forum labeling in HTTP/S responses.
    • NetFlow correlation supplied behavioral linkage between IPs and broader infrastructure, useful for subpoena or takedown evidence.

    Detection and operational utility:
    • Internet-wide telemetry enabled identification of origin servers before they were proxied or hidden behind anonymization layers.
    • A Scout query was shared with Team Cymru customers for ongoing tracking of the uncovered infrastructure.

    Limitations and caveats:
    • No specific IoCs (hashes/C2 endpoints) were published in the summary beyond counts and TLDs.
    • Attribution beyond infrastructure linking was not provided in the report excerpt.

    🔹 carding #passiveDNS #netflow #magecart #threatintel

    🔗 Source: team-cymru.com/post/analysing-

  2. Is this website legit? 👉 macaissedepargnehautsdefrancem

    At first glance, the domain name looks suspicious. But when we checked Passive DNS data, it turns out the domain has existed for over two years and has been seen before. Was it taken over, or has it always been active?

    Interestingly, there’s no login form on the page, which might suggest it’s not part of a phishing campaign.

    So… could it actually be legit? Again PassiveDNS helps a lot but sometime creativity in domain creation makes everything uncertain.

    🔗 LookyLoo lookyloo.circl.lu/tree/79f3d4f

    #phishing #passivedns #threatintel #cybersecurity

  3. Is this website legit? 👉 macaissedepargnehautsdefrancem

    At first glance, the domain name looks suspicious. But when we checked Passive DNS data, it turns out the domain has existed for over two years and has been seen before. Was it taken over, or has it always been active?

    Interestingly, there’s no login form on the page, which might suggest it’s not part of a phishing campaign.

    So… could it actually be legit? Again PassiveDNS helps a lot but sometime creativity in domain creation makes everything uncertain.

    🔗 LookyLoo lookyloo.circl.lu/tree/79f3d4f

    #phishing #passivedns #threatintel #cybersecurity

  4. Is this website legit? 👉 macaissedepargnehautsdefrancem

    At first glance, the domain name looks suspicious. But when we checked Passive DNS data, it turns out the domain has existed for over two years and has been seen before. Was it taken over, or has it always been active?

    Interestingly, there’s no login form on the page, which might suggest it’s not part of a phishing campaign.

    So… could it actually be legit? Again PassiveDNS helps a lot but sometime creativity in domain creation makes everything uncertain.

    🔗 LookyLoo lookyloo.circl.lu/tree/79f3d4f

    #phishing #passivedns #threatintel #cybersecurity

  5. Is this website legit? 👉 macaissedepargnehautsdefrancem

    At first glance, the domain name looks suspicious. But when we checked Passive DNS data, it turns out the domain has existed for over two years and has been seen before. Was it taken over, or has it always been active?

    Interestingly, there’s no login form on the page, which might suggest it’s not part of a phishing campaign.

    So… could it actually be legit? Again PassiveDNS helps a lot but sometime creativity in domain creation makes everything uncertain.

    🔗 LookyLoo lookyloo.circl.lu/tree/79f3d4f

    #phishing #passivedns #threatintel #cybersecurity

  6. Is this website legit? 👉 macaissedepargnehautsdefrancem

    At first glance, the domain name looks suspicious. But when we checked Passive DNS data, it turns out the domain has existed for over two years and has been seen before. Was it taken over, or has it always been active?

    Interestingly, there’s no login form on the page, which might suggest it’s not part of a phishing campaign.

    So… could it actually be legit? Again PassiveDNS helps a lot but sometime creativity in domain creation makes everything uncertain.

    🔗 LookyLoo lookyloo.circl.lu/tree/79f3d4f

    #phishing #passivedns #threatintel #cybersecurity

  7. #Quad9 published their latest cyber threat report for the second half of 2024. Great and concise write-up. A nice illustration on what threats you can derive purely based on #passiveDNS insights:

    Trends H2 2024

    #DNS #threatintel #infosec

  8. #Quad9 published their latest cyber threat report for the second half of 2024. Great and concise write-up. A nice illustration on what threats you can derive purely based on #passiveDNS insights:

    Trends H2 2024

    #DNS #threatintel #infosec

  9. #Quad9 published their latest cyber threat report for the second half of 2024. Great and concise write-up. A nice illustration on what threats you can derive purely based on #passiveDNS insights:

    Trends H2 2024

    #DNS #threatintel #infosec

  10. #Quad9 published their latest cyber threat report for the second half of 2024. Great and concise write-up. A nice illustration on what threats you can derive purely based on #passiveDNS insights:

    Trends H2 2024

    #DNS #threatintel #infosec

  11. #Quad9 published their latest cyber threat report for the second half of 2024. Great and concise write-up. A nice illustration on what threats you can derive purely based on #passiveDNS insights:

    Trends H2 2024

    #DNS #threatintel #infosec

  12. #infosec people, how would an old internal DNS name from my network be something an external host is querying for? i.e. an AWS IP is apparently querying for unifi.int.mydomain.example.org

    Updates: yes, leaked a lot via Certificate Transparency, still one internal domain I don't have much of an idea of. Have emailed SecurityTrails, if I'm lucky they'll tell me.

    #DNS #PassiveDNS

  13. #infosec people, how would an old internal DNS name from my network be something an external host is querying for? i.e. an AWS IP is apparently querying for unifi.int.mydomain.example.org

    Updates: yes, leaked a lot via Certificate Transparency, still one internal domain I don't have much of an idea of. Have emailed SecurityTrails, if I'm lucky they'll tell me.

    #DNS #PassiveDNS

  14. #infosec people, how would an old internal DNS name from my network be something an external host is querying for? i.e. an AWS IP is apparently querying for unifi.int.mydomain.example.org

    Updates: yes, leaked a lot via Certificate Transparency, still one internal domain I don't have much of an idea of. Have emailed SecurityTrails, if I'm lucky they'll tell me.

    #DNS #PassiveDNS

  15. #infosec people, how would an old internal DNS name from my network be something an external host is querying for? i.e. an AWS IP is apparently querying for unifi.int.mydomain.example.org

    Updates: yes, leaked a lot via Certificate Transparency, still one internal domain I don't have much of an idea of. Have emailed SecurityTrails, if I'm lucky they'll tell me.

    #DNS #PassiveDNS

  16. #infosec people, how would an old internal DNS name from my network be something an external host is querying for? i.e. an AWS IP is apparently querying for unifi.int.mydomain.example.org

    Updates: yes, leaked a lot via Certificate Transparency, still one internal domain I don't have much of an idea of. Have emailed SecurityTrails, if I'm lucky they'll tell me.

    #DNS #PassiveDNS

  17. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  18. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  19. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  20. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  21. Recently I was digging in the outliers of DNS resolving from the certificate transparency and there is a hostname which is often hardcoded test.microsoftpki.net but which is giving a NXDOMAIN. Checking the Passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure

    Any clue of the software or service at Microsoft generating certificate with an invalid domain for testing?

    #passivedns #dns #certificatetransparency

  22. With OpenAI temporarily halting ChatGPT Plus Subscriptions, we foresee threat actors creating an influx of phishing websites with typo-squatting domain names.

    Here are a few from our historical passive dns dataset,

    #openai #chatgpt #threatintelligence #passivedns

  23. With OpenAI temporarily halting ChatGPT Plus Subscriptions, we foresee threat actors creating an influx of phishing websites with typo-squatting domain names.

    Here are a few from our historical passive dns dataset,

    #openai #chatgpt #threatintelligence #passivedns

  24. With OpenAI temporarily halting ChatGPT Plus Subscriptions, we foresee threat actors creating an influx of phishing websites with typo-squatting domain names.

    Here are a few from our historical passive dns dataset,

    #openai #chatgpt #threatintelligence #passivedns

  25. A new version of the @circl_lu Passive DNS service has been released. The API is backward compatible and version 2.0 includes new functionalities. It has been activated today with new sources.

    circl.lu/services/passive-dns/

    #passivedns #ThreatIntelligence #threatintel

  26. A new version of the @circl_lu Passive DNS service has been released. The API is backward compatible and version 2.0 includes new functionalities. It has been activated today with new sources.

    circl.lu/services/passive-dns/

    #passivedns #ThreatIntelligence #threatintel

  27. A new version of the @circl_lu Passive DNS service has been released. The API is backward compatible and version 2.0 includes new functionalities. It has been activated today with new sources.

    circl.lu/services/passive-dns/

    #passivedns #ThreatIntelligence #threatintel

  28. A new version of the @circl_lu Passive DNS service has been released. The API is backward compatible and version 2.0 includes new functionalities. It has been activated today with new sources.

    circl.lu/services/passive-dns/

    #passivedns #ThreatIntelligence #threatintel

  29. A new version of the @circl_lu Passive DNS service has been released. The API is backward compatible and version 2.0 includes new functionalities. It has been activated today with new sources.

    circl.lu/services/passive-dns/

    #passivedns #ThreatIntelligence #threatintel

  30. I finally updated the old @circl Passive DNS API to version 2.0. The idea is to have a backward compatible API with the standard Common Output Format which was designed years ago. The switch will take over next month in November. If you have an existing access, nothing will change (beside new features and fresher intelligence).

    The key features of the new API include support for pagination, making it suitable for handling large data sets, and the ability to filter data based on DNS RR types. This ensures that legacy tools can continue to function seamlessly, while new ones can take advantage of pagination to access larger sets of passive DNS data.

    Notably, the back-end infrastructure has also undergone significant changes, providing users with enhanced insights.

    The streaming API for contributors will be available at a later stage via CocktailParty.

    #passivedns #infosec #stream #threatintel #threatintelligence

    Thanks to @gallypette for the collaboration and contribution in the new back-end infrastructure.

    Feedback and ideas are more than welcome.

    🔗 Draft documentation for version 2.0

  31. I finally updated the old @circl Passive DNS API to version 2.0. The idea is to have a backward compatible API with the standard Common Output Format which was designed years ago. The switch will take over next month in November. If you have an existing access, nothing will change (beside new features and fresher intelligence).

    The key features of the new API include support for pagination, making it suitable for handling large data sets, and the ability to filter data based on DNS RR types. This ensures that legacy tools can continue to function seamlessly, while new ones can take advantage of pagination to access larger sets of passive DNS data.

    Notably, the back-end infrastructure has also undergone significant changes, providing users with enhanced insights.

    The streaming API for contributors will be available at a later stage via CocktailParty.

    #passivedns #infosec #stream #threatintel #threatintelligence

    Thanks to @gallypette for the collaboration and contribution in the new back-end infrastructure.

    Feedback and ideas are more than welcome.

    🔗 Draft documentation for version 2.0

  32. I finally updated the old @circl Passive DNS API to version 2.0. The idea is to have a backward compatible API with the standard Common Output Format which was designed years ago. The switch will take over next month in November. If you have an existing access, nothing will change (beside new features and fresher intelligence).

    The key features of the new API include support for pagination, making it suitable for handling large data sets, and the ability to filter data based on DNS RR types. This ensures that legacy tools can continue to function seamlessly, while new ones can take advantage of pagination to access larger sets of passive DNS data.

    Notably, the back-end infrastructure has also undergone significant changes, providing users with enhanced insights.

    The streaming API for contributors will be available at a later stage via CocktailParty.

    #passivedns #infosec #stream #threatintel #threatintelligence

    Thanks to @gallypette for the collaboration and contribution in the new back-end infrastructure.

    Feedback and ideas are more than welcome.

    🔗 Draft documentation for version 2.0

  33. I finally updated the old @circl Passive DNS API to version 2.0. The idea is to have a backward compatible API with the standard Common Output Format which was designed years ago. The switch will take over next month in November. If you have an existing access, nothing will change (beside new features and fresher intelligence).

    The key features of the new API include support for pagination, making it suitable for handling large data sets, and the ability to filter data based on DNS RR types. This ensures that legacy tools can continue to function seamlessly, while new ones can take advantage of pagination to access larger sets of passive DNS data.

    Notably, the back-end infrastructure has also undergone significant changes, providing users with enhanced insights.

    The streaming API for contributors will be available at a later stage via CocktailParty.

    #passivedns #infosec #stream #threatintel #threatintelligence

    Thanks to @gallypette for the collaboration and contribution in the new back-end infrastructure.

    Feedback and ideas are more than welcome.

    🔗 Draft documentation for version 2.0

  34. I finally updated the old @circl Passive DNS API to version 2.0. The idea is to have a backward compatible API with the standard Common Output Format which was designed years ago. The switch will take over next month in November. If you have an existing access, nothing will change (beside new features and fresher intelligence).

    The key features of the new API include support for pagination, making it suitable for handling large data sets, and the ability to filter data based on DNS RR types. This ensures that legacy tools can continue to function seamlessly, while new ones can take advantage of pagination to access larger sets of passive DNS data.

    Notably, the back-end infrastructure has also undergone significant changes, providing users with enhanced insights.

    The streaming API for contributors will be available at a later stage via CocktailParty.

    #passivedns #infosec #stream #threatintel #threatintelligence

    Thanks to @gallypette for the collaboration and contribution in the new back-end infrastructure.

    Feedback and ideas are more than welcome.

    🔗 Draft documentation for version 2.0

  35. Coucou le fédiverse,

    J'aimerais savoir quels ont été les adresses IP utilisées par la messagerie d'une ville pour savoir quels fournisseurs de service mail ils ont utilisé.

    J'ai entendu parler des services d'historique DNS #passivedns seulement il faut montrer "pattes blanches" dixit @bortzmeyer

    Vu que je suis un vilain pirate qui n'a pas vocation à renouveler cette d'analyse, peut-être auriez vous les historiques pour :

    MX ville-tours.fr
    A smtp.tours-metropole.fr

    bortzmeyer.org/passivedns-cn.h

  36. Coucou le fédiverse,

    J'aimerais savoir quels ont été les adresses IP utilisées par la messagerie d'une ville pour savoir quels fournisseurs de service mail ils ont utilisé.

    J'ai entendu parler des services d'historique DNS #passivedns seulement il faut montrer "pattes blanches" dixit @bortzmeyer

    Vu que je suis un vilain pirate qui n'a pas vocation à renouveler cette d'analyse, peut-être auriez vous les historiques pour :

    MX ville-tours.fr
    A smtp.tours-metropole.fr

    bortzmeyer.org/passivedns-cn.h