Forum Discussion
Communication with suspicious random domain name (Preview)
Hey ragnar667
FYI, the SOA (start of authority) on the DNS record for zbrjtstrclnm.com points to zoneadmin.tonic.com.
Tonic.com is a pay-per-click style advertising company and the domain is likely related to their traffic.
Thanks
- RichardH01, Nov 21, 2022, Copper Contributor
To continue this journey, I concur with Tun33elrt as I got a similar result, but used a different process.
1. My random site is 6867bb.shcxjdwfblvm.com
2. Wheregoes.com shows a 307 temporary redirection to unsold-cars-93562.com
3. I tried the mxToolbox SOA tool, but it doesn't show zoneadmin.tonic.com
4. Entering "unsold-cars-93562.com" at bgp.he.net, I eventually got the zoneadmin.tonic.com mname record
Hope this helps
- RichardH01, Oct 21, 2022, Copper Contributor
We received a Sentinel alert for this URL: 6c3140.bwtjgtbsgvqqwg.com
When searching through our proxy logs, the full URL ended up being:
hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005&subid3=1243549---delimjuwe---sevenwestmedia-perthnow&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&network=taboola&site=sevenwestmedia-perthnow&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ
Looking at some of the keywords, Perthnow is a local news website operated by a tabloid newspaper. Taboola is a public advertising company. Therefore, I believe these alerts are less about DNS assistance, and more web-based advertising as highlighted by Tun33elrt.
- sshockleyarascom, Oct 21, 2022, Copper Contributor
RichardH01 I think the advertisers are using randomized domain names for the same reason the malware was: to make it harder to block the traffic.
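A small triage helper for the kind of URL shared in the thread, written here as an added example (it is not code from any of the posters or from Sentinel). It refangs the defanged URL, pulls the query parameters that the thread associated with ad-network tracking (`network`, `site`, `subid*`, `click_id`, `tblci`), and applies a rough randomness heuristic to the hostname labels so the "random-looking" part of the domain stands out. The heuristic thresholds (label length, vowel ratio, entropy) and the indicator key list are assumptions chosen for this example, not published detection logic; treat the verdict as a triage hint to steer the analyst toward the SOA/redirect checks described above, not as a classification.

```python
"""Triage an ad-network style redirect URL of the kind seen in the thread.

Added example, not part of the original discussion. Thresholds and the
indicator key set are assumptions made for illustration.
"""
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Query keys carried by the URL in the thread; treated here as ad-tracking indicators.
AD_TRACKING_KEYS = {
    "network", "site", "subid1", "subid2", "subid3", "subid4",
    "click_id", "tblci", "adtitle", "dpco",
}

# The URL quoted in the thread (defanged with hxxp, as posted).
SAMPLE_URL = (
    "hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005"
    "&subid3=1243549---delimjuwe---sevenwestmedia-perthnow"
    "&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
    "&network=taboola&site=sevenwestmedia-perthnow"
    "&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away"
    "&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
    "&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
)


def refang(url: str) -> str:
    """Turn common defanging (hxxp, [.]) back into a parsable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_looks_random(label: str, min_len: int = 10,
                       max_vowel_ratio: float = 0.25,
                       min_entropy: float = 2.5) -> bool:
    """Heuristic: a long label with few vowels and high entropy looks machine-generated.

    All three thresholds are assumptions for this example; tune against your own data.
    """
    letters = [c for c in label.lower() if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio <= max_vowel_ratio and shannon_entropy(label) >= min_entropy


def triage(url: str) -> dict:
    """Extract host, ad-tracking parameters and random-looking labels from a URL."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    labels = host.split(".")
    params = parse_qs(parts.query, keep_blank_values=True)
    tracking = {k: v[0] for k, v in params.items() if k in AD_TRACKING_KEYS}
    # Skip the TLD; check every other label for the DGA-like shape.
    random_labels = [lbl for lbl in labels[:-1] if label_looks_random(lbl)]
    if "network" in tracking or "tblci" in tracking:
        verdict = "ad_network_redirect"
    elif random_labels:
        verdict = "random_host_no_ad_indicators"
    else:
        verdict = "no_indicators"
    return {
        "host": host,
        "tracking": tracking,
        "random_labels": random_labels,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_URL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the thread's URL, the helper reports the host, `network=taboola`, `site=sevenwestmedia-perthnow`, and flags `bwtjgtbsgvqqwg` as the random-looking label (the short `6c3140` prefix falls below the length threshold). The same `label_looks_random` check also picks up `shcxjdwfblvm` and `zbrjtstrclnm` from the earlier posts while leaving a readable label such as `unsold-cars-93562` alone, which is the separation an analyst wants before spending time on SOA lookups.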