It is a known fact, that scammers and hackers are hiding their true identity and wrongdoing via available online services, which were once created to protect against cybercrime, like Cloudflare.

During the research of organizations operating in the fraud industry correlating websites that they spawn under various domains and company information can crucially help in mapping out their infrastructure and help in understanding the scale of the operation they’re involved in.

Most of these websites try to conceal their IPs by using Cloudflare`s reverse proxy service, in an attempt to hide the location, hosting provider, and other relevant information that would help in tracking them down.

Due to the way Cloudflare operates, when you make an account you’re assigned two random name servers from their pool example: jake.ns.cloudflare.com and buck.ns.cloudflare.com these name servers will stay the same for each website you add to your Cloudflare account, this provides help in correlating websites back to the same account and can provide aid when researching organizations that have multiple websites under their ownership.

One way to do so is using Rapid7’s Project Sonar dataset “This dataset contains the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar. Until early November 2017, all of these were for the ‘ANY’ record with a fallback A and AAAA request if necessary. 

After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME, and TXT record lookups with appropriately named files. The file is a  GZIP compressed file containing the name, type, value, and timestamp of any returned records for a given name in JSON format.”

Daniel S., Head RedTeam at Artefaktum introduces a way smarter way to solve this issue by following bash script, which is simple yet effective at finding Cloudflare protected websites sharing the same name servers: