Anti-phishing: how to determine whether a subdomain is legit.
Today I received an email from AT&T informing me of a large balance due, along with a link to view and pay the bill:
After clicking on the “View my bill” link, I come to a page that does not look like a typical AT&T landing page:
In addition to having no brand consistency with the rest of the AT&T site, three things strike me as odd:
- Awkward copy: “If this won’t work, call 800.288.2020 for help” (if this won't work, or doesn’t work? And if this is 2FA, why wouldn’t it 'work'?);
- No navigation, header or footer on the page, i.e. nothing to indicate this page is part of the larger AT&T site;
- A weird subdomain in the URL field: “cprodmasx.att.com”. Never seen that one before; most big corporation subdomains are intuitive: business.att.com; wireless.att.com; forums.att.com, etc.
So, what to do at this point?
Well, I know that if the subdomain is legit, i.e. actually registered to AT&T and not some guy named Vadzim in Belarus, then I probably have nothing to worry about.
But how do you tell whether a subdomain is legit? One way is through DNS enumeration, a fancy term for locating all the DNS servers, and corresponding records, of an organization. This is public information maintained by the central WhoIs registry and you’ve probably seen it if you’ve ever tried to register a domain that was already taken.
Kali Linux makes this super simple through a tool called DNSRecon, which you can access through the command line. Typing the simple command “dnsrecon -d att.com” (the "-d" stands for "domain") returns all subdomains for att.com.
This returns a long list of 94 records in which “cprodmasx” may be hidden:
Of course, no one wants to sift through a list of 94 records to find one specific subdomain. So we can modify that query and use the 'grep' command to grab the specific text string of interest, in this case "cprodmasx":
And voila! Within 10 seconds we have a positive match for the text string, which is indeed part of a subdomain, and we also get its IP address:
This whole process took less than a minute, significantly less time than had we searched through the full list of 94 records manually. Had the command not found the string “cprodmasx” within the att.com DNS info, it would have returned nothing.
The fact that it returned the specific subdomain we were looking for, along with its IP address, means the subdomain is legit.
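The check described above, as an added shell script that is not from the original post: it pulls the host out of the link, confirms the host really sits under att.com (so lookalikes such as att.com.example.net or att-com.example.net are rejected), and then runs the same dnsrecon-plus-grep lookup. The dig fallback for machines without dnsrecon is my own assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Given the link from the email,
# first make sure the host really ends in the registered domain, then look it
# up under that domain the way the post does.

# Extract the hostname from a URL: strip scheme, userinfo, path and port,
# then lowercase it.
url_host() {
    printf '%s\n' "$1" |
        sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
            -e 's|^[^/@]*@||' \
            -e 's|[/?#].*$||' \
            -e 's|:[0-9]*$||' |
        tr '[:upper:]' '[:lower:]'
}

# Return 0 if the URL's host is the expected registered domain or a subdomain
# of it (ends in ".<expected>"). Anything else, including att.com.example.net
# or att-com.example.net, returns 1.
is_under_domain() {
    host=$(url_host "$1")
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$host" = "$expected" ] && return 0
    case "$host" in
        *."$expected") return 0 ;;
    esac
    return 1
}

# Look the host up under its registered domain: dnsrecon | grep as in the
# post, or (assumption) a plain dig query when dnsrecon is not installed.
lookup_subdomain() {
    host=$(url_host "$1")
    if command -v dnsrecon >/dev/null 2>&1; then
        dnsrecon -d "$2" | grep -iF "$host"
    else
        dig +short "$host"
    fi
}

# Constructed sample links: the one from the post and a lookalike.
for url in "https://cprodmasx.att.com/view" "https://att.com.example.net/view"; do
    if is_under_domain "$url" att.com; then
        echo "$url: host is under att.com, worth looking up"
    else
        echo "$url: host is NOT under att.com"
    fi
done
```

Run `lookup_subdomain "https://cprodmasx.att.com/view" att.com` on a machine with network access to reproduce the post's lookup.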
This is good news. The bad news is that I have a legitimately large AT&T bill I still need to pay.
Note: If you don’t have Kali Linux on your computer — and chances are, unless you’re a programmer, network security analyst, or Internet-obsessed nerd like me, you probably don’t — there are a number of Web-hosted services, like Censys and ImmuniWeb, that make subdomain lookups easy.
The advantage of knowing how to do it yourself, of course, is that you don’t have to rely on the trustworthiness of a 3rd party to determine the legitimacy of other, 1st-party data.