medium | THREAT INTEL | 250 pts

Brand Impersonator

A threat intel feed captured 72 hours of suspicious domain registrations. Multiple brands are being impersonated. Identify the phishing infrastructure, map the campaign, and extract the operator's mistake encoded in the kit metadata.

— scenario

Incident report #2026-005

Alert triggered at 06:00 UTC by brand-protection rule TYPO-CLUSTER-DETECTED.
Feed: passive DNS registration monitor (72-hour window)
Brands affected: 3 major financial institutions

A burst of 18 domain registrations was observed over a 72-hour window. The registrations share infrastructure: same registrar, overlapping nameserver patterns, and consistent WHOIS privacy provider. One domain in the cluster was registered with WHOIS privacy disabled — the registrant's email address was accidentally exposed.

A SHA-256 hash of the operator's exposed contact email is the flag.

Analyze the attached registration feed. Identify which domains belong to the same phishing campaign. Find the one registration where WHOIS privacy was not applied. The registrant email in that record is the secret.

— challenge file

registrations.json (22 KB)

— write-up

The write-up walks through passive DNS correlation, WHOIS infrastructure pivoting, and how a single registrar oversight exposes an entire phishing campaign.


Step 1 — group domains by registrar

Load registrations.json and group the entries by their registrar field. The legitimate domains in the feed are spread across 12 different registrars. One registrar — QuickReg LLC — appears 18 times. That is the entire campaign cluster.

import json
from collections import Counter

# Load the feed and count registrations per registrar. A bulk phishing
# registration usually goes through one cheap registrar, so the outlier
# count is the first clustering signal.
with open('registrations.json') as f:
    data = json.load(f)

c = Counter(d['registrar'] for d in data)
print(c.most_common(5))

Step 2 — verify via shared nameservers

Registrar alone is a weak signal, so confirm the cluster on a second attribute. All 18 domains registered through QuickReg LLC use nameservers under the same zone (ns*.phastdns.cc), and no legitimate registration in the feed uses that nameserver provider. The cluster is a confirmed single campaign targeting three brands: paypa1-secure.com, amazon-auth-verify.com, rnicrosoft-account.com (and 15 variants).

Step 3 — find the unprotected registration

Filter the cluster for records where "privacy": false:

# Filter within the confirmed cluster, not the whole feed: legitimate
# registrants also skip WHOIS privacy, and those records are not the target.
cluster = [d for d in data if d['registrar'] == 'QuickReg LLC']
exposed = [d for d in cluster if not d['privacy']]
print(exposed)  # the full record(s), including the registrant contact

Only one domain — paypal-secure-login.net — was registered without WHOIS privacy. The registrant email in that record is phish.operator99@proton.me.

Step 4 — compute the flag

import hashlib

email = 'phish.operator99@proton.me'
# Hash the address exactly as it appears in the record; do not normalise
# case or whitespace unless the challenge says to, or the digest will differ.
digest = hashlib.sha256(email.encode()).hexdigest()
print(digest)

The flag is: FOIL{phish_k1t_3xp0s3d_v14_wh015}

Why this matters

WHOIS privacy services are opt-in at most registrars. Threat actors running bulk domain registration campaigns sometimes miss a single domain — or register it from a different account — leaving the registrant contact exposed. Brand protection teams routinely pivot from one exposed registration to the full campaign infrastructure using shared nameservers, registrar, registration timestamps, and IP ranges.
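The whole procedure from the write-up (registrar clustering, nameserver confirmation, privacy filter, SHA-256 of the contact) together with the reverse pivot this closing section describes, as an added Python example that is not part of the challenge's write-up. It runs on a small constructed feed rather than registrations.json; the field names nameservers, registrant_email and registered_at are assumptions about the file's layout (only registrar and privacy appear in the write-up), and the feed deliberately includes one legitimate registration without WHOIS privacy to show why the privacy filter is applied to the cluster and not to the whole feed.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta


def _rec(domain, registrar, nameservers, privacy, email, registered_at):
    return {"domain": domain, "registrar": registrar, "nameservers": nameservers,
            "privacy": privacy, "registrant_email": email, "registered_at": registered_at}


# Constructed sample feed standing in for registrations.json. Only "registrar"
# and "privacy" are field names taken from the write-up; the rest are assumed.
SAMPLE_FEED = [
    _rec("paypa1-secure.com", "QuickReg LLC", ["ns1.phastdns.cc", "ns2.phastdns.cc"],
         True, "REDACTED FOR PRIVACY", "2026-01-10T04:12:00+00:00"),
    _rec("amazon-auth-verify.com", "QuickReg LLC", ["ns1.phastdns.cc", "ns2.phastdns.cc"],
         True, "REDACTED FOR PRIVACY", "2026-01-10T04:15:00+00:00"),
    _rec("rnicrosoft-account.com", "QuickReg LLC", ["ns3.phastdns.cc", "ns4.phastdns.cc"],
         True, "REDACTED FOR PRIVACY", "2026-01-11T09:40:00+00:00"),
    _rec("paypal-secure-login.net", "QuickReg LLC", ["ns1.phastdns.cc", "ns2.phastdns.cc"],
         False, "phish.operator99@proton.me", "2026-01-11T22:05:00+00:00"),
    _rec("amaz0n-billing-update.com", "QuickReg LLC", ["NS2.PhastDNS.cc."],
         True, "REDACTED FOR PRIVACY", "2026-01-12T01:30:00+00:00"),
    # Legitimate noise, including one registrant who also skipped privacy.
    _rec("example-credit-union.com", "Acme Domains Inc.",
         ["ns1.examplehost.net", "ns2.examplehost.net"],
         False, "hostmaster@example-credit-union.com", "2026-01-10T12:00:00+00:00"),
    _rec("shop-example.io", "Example Registrar GmbH", ["dns1.example-dns.org"],
         True, "REDACTED FOR PRIVACY", "2026-01-11T15:00:00+00:00"),
    _rec("my-portfolio.dev", "Acme Domains Inc.", ["ns1.examplehost.net"],
         True, "REDACTED FOR PRIVACY", "2026-01-12T08:30:00+00:00"),
]


def ns_provider(host):
    """Collapse a nameserver hostname to its provider zone (ns1.phastdns.cc -> phastdns.cc).
    Lower-cases and strips the trailing dot. Naive two-label rule: fine for .cc/.com,
    wrong under ccTLD second-level zones such as .co.uk (use a public-suffix list there)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def registrar_counts(records):
    return Counter(r["registrar"] for r in records)


def campaign_cluster(records, registrar):
    return [r for r in records if r["registrar"] == registrar]


def ns_providers(records):
    return {ns_provider(ns) for r in records for ns in r["nameservers"]}


def exposed_records(records):
    """Records registered without WHOIS privacy. Over the whole feed this also
    returns legitimate registrants, which is why solve() applies it to the cluster."""
    return [r for r in records if not r["privacy"]]


def flag_digest(email):
    # Hash the address exactly as recorded; normalising it would change the digest.
    return hashlib.sha256(email.encode()).hexdigest()


def solve(records):
    """Steps 1-4 of the write-up: biggest registrar cluster, nameserver check,
    single unprotected record, SHA-256 of its registrant email."""
    top_registrar, top_count = registrar_counts(records).most_common(1)[0]
    cluster = campaign_cluster(records, top_registrar)
    providers = ns_providers(cluster)
    legit_providers = ns_providers([r for r in records if r["registrar"] != top_registrar])
    exposed = exposed_records(cluster)
    if len(exposed) != 1:
        raise ValueError(f"expected exactly one unprotected record, got {len(exposed)}")
    email = exposed[0]["registrant_email"]
    return {
        "registrar": top_registrar,
        "cluster_size": top_count,
        "ns_providers": sorted(providers),
        "ns_overlap_with_legit": sorted(providers & legit_providers),  # should be empty
        "exposed_domain": exposed[0]["domain"],
        "email": email,
        "sha256": flag_digest(email),
    }


def pivot_from_seed(records, seed, window_hours=72):
    """Reverse pivot: starting from one exposed registration, collect every domain
    that shares its registrar and nameserver provider inside a time window."""
    seed_time = datetime.fromisoformat(seed["registered_at"])
    seed_providers = ns_providers([seed])
    window = timedelta(hours=window_hours)
    hits = []
    for r in records:
        if r["registrar"] != seed["registrar"]:
            continue
        if not (ns_providers([r]) & seed_providers):
            continue
        if abs(datetime.fromisoformat(r["registered_at"]) - seed_time) > window:
            continue
        hits.append(r["domain"])
    return sorted(hits)


if __name__ == "__main__":
    result = solve(SAMPLE_FEED)
    for k, v in result.items():
        print(f"{k}: {v}")
    seed = next(r for r in SAMPLE_FEED if r["domain"] == result["exposed_domain"])
    print("pivot from seed:", pivot_from_seed(SAMPLE_FEED, seed))
```

The pivot narrows the window deliberately: with the 72-hour default it recovers the whole cluster, with 24 hours only the registrations close to the seed, which is the knob to turn when a registrar is popular enough that registrar plus nameserver provider alone pulls in unrelated domains.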