#passivedns — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #passivedns, aggregated by home.social.
-
🎯 Threat Intelligence
===================
Executive summary: Team Cymru analyzed carding infrastructure active between July and December 2025 and identified 28 unique IP addresses and 85 domains hosting carding markets or forums. These hosts primarily served login pages or forum landing pages, and many sat in offshore ASNs. Common top-level domains included .su, .cc and .ru.
Methodology:
• Internet-wide port scanning of ports 80 and 443 combined with passive DNS collection.
• Regular Expression (Regex) searches across HTTP and HTTPS title banners for keywords such as CVV, Dumps, Carding, and Shop.
• Indexing of X509 certificate Subject Common Names to cluster related infrastructure.
• NetFlow telemetry used to link IP addresses into related infrastructure groups prior to obfuscation.
Key findings:
• Counts: 28 unique IPs and 85 domains identified as hosting carding market/forum entry points.
• Hosting: Multiple ASNs were offshore infrastructure providers, suggesting use of resilient hosting to evade takedowns.
• TLD usage: Predominant use of .su, .cc, and .ru as registration choices.
• Operational role: The identified IPs predominantly served authentication or landing functions (login/forum landing pages), making them high-value targets for evidence collection.
Technical analysis:
• Clustering via X509 Subject CN reuse allowed attribution of different domains to shared operational infrastructure.
• Title-banner Regex scanning provided high-fidelity indicators by catching explicit market/forum labeling in HTTP/S responses.
• NetFlow correlation supplied behavioral linkage between IPs and broader infrastructure, useful for subpoena or takedown evidence.
Detection and operational utility:
• Internet-wide telemetry enabled identification of origin servers before they were proxied or hidden behind anonymization layers.
• A Scout query was shared with Team Cymru customers for ongoing tracking of the uncovered infrastructure.
Limitations and caveats:
• No specific IoCs (hashes/C2 endpoints) were published in the summary beyond counts and TLDs.
• Attribution beyond infrastructure linking was not provided in the report excerpt.
🔹 #carding #passiveDNS #netflow #magecart #threatintel
🔗 Source: https://www.team-cymru.com/post/analysing-carding-infrastructure
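A worked illustration of the two pivots the post above describes, title-banner keyword matching and clustering by reused X509 Subject CN, written as an added example (not Team Cymru's code or the Scout query). All scan records, IPs, domains and titles below are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample scan records (hypothetical, not from the report): one
# HTTP/S title banner and the X509 Subject CN observed on each scanned host.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "domain": "shop-example.su", "title": "Best CVV Shop - Login", "cn": "*.shop-example.su"},
    {"ip": "192.0.2.11", "domain": "mirror-example.cc", "title": "Best CVV Shop - Login", "cn": "*.shop-example.su"},
    {"ip": "192.0.2.20", "domain": "forum-example.ru", "title": "Carding Forum :: Index", "cn": "forum-example.ru"},
    {"ip": "192.0.2.30", "domain": "bakery-example.com", "title": "Sunny Bakery - Home", "cn": "bakery-example.com"},
    {"ip": "192.0.2.31", "domain": "dumpster-example.net", "title": "Dumpster rental quotes", "cn": "dumpster-example.net"},
]

# Keyword regex modelled on the report's title-banner search. Word boundaries
# keep unrelated titles such as "Dumpster" from matching the "Dumps" keyword.
MARKET_TITLE_RE = re.compile(r"\b(cvv|dumps|carding|shop)\b", re.IGNORECASE)


def flag_market_titles(records):
    """Return the records whose HTTP/S title banner matches a market/forum keyword."""
    return [r for r in records if MARKET_TITLE_RE.search(r["title"])]


def cluster_by_cert_cn(records):
    """Group hosts by reused Subject CN: {cn: {"ips": [...], "domains": [...]}}.
    Two domains served with the same certificate CN are treated as one cluster."""
    clusters = defaultdict(lambda: {"ips": [], "domains": []})
    for r in records:
        cluster = clusters[r["cn"]]
        if r["ip"] not in cluster["ips"]:
            cluster["ips"].append(r["ip"])
        if r["domain"] not in cluster["domains"]:
            cluster["domains"].append(r["domain"])
    return dict(clusters)


def summarize(records):
    """Counts, TLD spread and CN clusters for the flagged hosts, mirroring the report's headline numbers."""
    flagged = flag_market_titles(records)
    return {
        "unique_ips": len({r["ip"] for r in flagged}),
        "domains": len({r["domain"] for r in flagged}),
        "tlds": sorted({r["domain"].rsplit(".", 1)[-1] for r in flagged}),
        "clusters": cluster_by_cert_cn(flagged),
    }


if __name__ == "__main__":
    for cn, members in summarize(SCAN_RECORDS)["clusters"].items():
        print(f"CN {cn}: ips={members['ips']} domains={members['domains']}")
```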
-
Increasing Awareness of DNS Hijacking: A Growing Cyber Threat – Source: www.techrepublic.com https://ciso2ciso.com/increasing-awareness-of-dns-hijacking-a-growing-cyber-threat-source-www-techrepublic-com/ #DigitalHealthandWellness #rssfeedpostgeneratorecho #SecurityonTechRepublic #maninthemiddleattack #SecurityTechRepublic #CyberSecurityNews #dnscachepoisoning #paloaltonetwork #Cyberattackers #datamanagement #International #CyberThreats #DNShijacking #0CISO2CISO #passivedns #Security #unit42
-
Recently I was digging into the outliers of DNS resolving from certificate transparency, and there is a hostname which is often hardcoded, test.microsoftpki.net, but which is giving an NXDOMAIN. Checking the passive DNS, the domain itself exists and seems to be registered on Microsoft infrastructure. Any clue of the software or service at Microsoft generating certificates with an invalid domain for testing?