What to consider
One of the first things to consider before trusting a host is whether you know which company and tool it belongs to. For example, if your company installed a new live chat tool from Zendesk, you’d expect to see a Zendesk host show up in your untrusted hosts.
Basic host checks
Hackers can be very clever in naming the hosts used in attacks. At the very minimum, the following should be checked and considered:
- Is the domain spelled correctly? A common trick is to send data to a host with subtly different spelling. For example, google-analyitics.com has an extra “i” in it.
- Who is the domain registrant? View details on whois.com to see who registered the domain name for this host. Is it an individual or a legitimate company?
- When was the domain registered? Was it registered within the last few weeks?
- Do you know why data is being sent to the host?
- Do you know what data is being sent to the host?
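The spelling and registration-date checks above can be partly automated when triaging a new host. The following is an added example, not part of the original page or of any product's code; the trusted-host list, the 30-day threshold, the function names and the sample dates are assumptions, and the registration date is expected to come from your own whois lookup.

```python
from datetime import date

# Assumption: hosts your organisation has already reviewed and trusted.
TRUSTED_HOSTS = ["google-analytics.com", "zendesk.com"]
RECENT_DAYS = 30  # assumption: "the last few weeks" treated as 30 days


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return the trusted host that `host` closely resembles, or None."""
    labels = host.lower().rstrip(".").split(".")
    # Compare only the trailing labels so subdomains are handled too.
    tails = {k: ".".join(labels[-(k.count(".") + 1):]) for k in trusted}
    if any(tail == known for known, tail in tails.items()):
        return None  # a trusted domain or one of its subdomains
    for known, tail in tails.items():
        if edit_distance(tail, known) <= max_distance:
            return known
    return None


def review_host(host, registered_on, today, trusted=TRUSTED_HOSTS):
    """Return findings that need a human decision before trusting `host`."""
    findings = []
    match = lookalike_of(host, trusted)
    if match:
        findings.append(f"spelling is close to trusted host {match}")
    age = (today - registered_on).days
    if age <= RECENT_DAYS:
        findings.append(f"domain registered {age} days ago")
    return findings


if __name__ == "__main__":
    # Constructed sample: the misspelled host from the list above, with made-up dates.
    print(review_host("google-analyitics.com", date(2024, 5, 1), date(2024, 5, 15)))
```

An empty result only means these two checks passed; who the registrant is, and why and what data is being sent, still need a manual answer.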
What if a trusted host gets hacked?
If a trusted host gets hacked, it’s likely that the hacker will exfiltrate the stolen data through another host. This host will then show up in the Untrusted Host list as a new host. If you follow the basic host checks above, it should be apparent that the new host is malicious. It’s unlikely that the hacker would send the stolen data back to the original (trusted) host, as it would require greater privileges to access the stored data and create more noise, increasing the chance of detection. Ultimately, it is down to the third-party provider you are paying for a service to be secure and to ensure they have not been compromised in this way.