<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Tons of receptivity.io in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/595239#M7085</link>
    <description>&lt;P&gt;Now I have the root domain showing up in my logs as parked and thus in my threat logs.&lt;/P&gt;
&lt;P&gt;I asked them to recategorize that one as well, and instantly said no. Time to have another 2 month battle with PAN support. Thanks PAN I love you guys, very helpful and the stress you cause me should be a crime against humanity.&lt;/P&gt;</description>
    <pubDate>Mon, 19 Aug 2024 15:20:13 GMT</pubDate>
    <dc:creator>Zewwy</dc:creator>
    <dc:date>2024-08-19T15:20:13Z</dc:date>
    <item>
      <title>Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/584532#M6560</link>
      <description>&lt;P&gt;I recently see a lot of my end machines hitting this domain:&amp;nbsp;&lt;SPAN&gt;receptivity.io&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Started (I don't even know, a week ago?). My logs can no longer go far enough back to figure it out.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Cause I dunno, MS Edge new tab? To hopefully remove the log entries I changed our new page to open our corporate homepage instead. PAN URL Checker states it's a parked domain.&amp;nbsp;&lt;A href="https://urlfiltering.paloaltonetworks.com/query/" target="_blank"&gt;Palo Alto Networks URL filtering - Test A Site&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;If it is parked why are so many of my machines trying to reach it?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Apr 2024 20:31:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/584532#M6560</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-04-22T20:31:37Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/585074#M6605</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33952"&gt;@Zewwy&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks for reaching out on LiveCommunity!&lt;/P&gt;
&lt;P&gt;In order to analyse network activity you can take help from "network_story" present in XQL query builder. You can filter out traffic specific to this domain with field like dns_query. Additionally if you are ingesting your firewall logs into XDR then you can easily query network traffic and correlate the events to find the root cause.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Apr 2024 15:00:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/585074#M6605</guid>
      <dc:creator>nsinghvirk</dc:creator>
      <dc:date>2024-04-26T15:00:32Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588268#M6756</link>
      <description>&lt;P&gt;While I fully understand the reasoning behind your response, it in reality is not helpful. (*EDIT/UPDATE* I just noticed this thread has been created/ or moved in the Cortex XDR topic area, I do not remember picking this). Everything in your response assumes XDR is already in place, in your example '&lt;SPAN&gt;"network_story" present in XQL query builder' is only available in Cortex. See:&amp;nbsp;&lt;A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-an-XQL-Query" target="_blank" rel="noopener"&gt;Create an XQL Query • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Then you simply follow up with stating using an XDR to build a timeline. Again, technically correct answers, but they are vague and lack any actual helpful insights when the assumptions are not fulfilled.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;What we did end up doing was using IPinfo and other online tools to do diagnostics on the domain's IPs, and with their Passive DNS options we were able to determine what sites/services are using the said domain. In this case, it was a local news agency, hence why it keeps popping up all the time. Also, DNS Security by Palo Alto Networks relies on URL categorizations, and in this case the domain as seen by Palo Alto Networks is "Parked Domain".&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I can't find any front-facing public websites to denote what this domain provides a service for, which to me raises red flags. Does anyone out there have other real, helpful information about this domain: who are they, what do they do? The best I could find was a whois which showed the domain registered in 2021 via GoDaddy, and all other info is redacted "for privacy".&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Anyone else with any other insight, I would greatly appreciate it.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 29 May 2024 14:42:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588268#M6756</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-05-29T14:42:14Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588838#M6789</link>
      <description>&lt;P&gt;I'm starting to get extremely frustrated at this problem. I did all the analytical work and NO ONE is helping!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) This pops up in our firewall, flooding our threat log. Why? Because parked domains, as part of your DNS security, get sinkholed. The domain in question is&amp;nbsp;&lt;SPAN&gt;receptivity.io&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;2) Either using XDR queries on end machines, or Passive DNS on the destination IP addresses. Both indicated that it's due to users navigating to the CBC (&lt;SPAN&gt;Canadian Broadcasting Corporation)&lt;/SPAN&gt;&amp;nbsp;website (cbc.ca). You can verify this by opening your web browser and opening the dev tools (F12), navigating to cbc.ca, then searching the HTML code for "&lt;SPAN&gt;receptivity.io" and you will find it.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;3) I've reached out to my local SE, and he didn't know what the domain was, and used ChatGPT which told him it's for "eptivity.io is a platform that provides marketing automation solutions. It helps businesses streamline their marketing efforts by automating tasks such as email marketing, lead generation, and customer segmentation. The platform aims to improve customer engagement and increase conversion rates through personalized and targeted marketing campaigns".&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp;If this is the case, then how is it possible this domain has no public-facing website to sell said service?&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp;I asked my SE if ChatGPT had any citation to source the information and I have not got a reply back.&lt;BR /&gt;4) I've attempted to reach out to CBC to ask if this service is legit, and if so, how they are using it, and how they discovered the service to use in the first place if there's no public-facing website.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;5) There appears to be a public website for&amp;nbsp;&lt;/SPAN&gt;Receptiviti.com, which appears to be completely unrelated.&lt;/P&gt;
&lt;P&gt;6) I put in a request to PAN URL categorization to get it recategorized, and if it's legit I'd assume the tech team that handles that has some better tools and techniques to do proper categorizations. But they simply reported back that they are leaving it as parked.&lt;BR /&gt;"&lt;/P&gt;
&lt;P&gt;URL: receptivity[.]io&lt;/P&gt;
&lt;P&gt;Previous category: parked&lt;/P&gt;
&lt;P&gt;You suggested: malware&lt;/P&gt;
&lt;P&gt;New category: parked&lt;/P&gt;
&lt;P&gt;The new categorization is available starting with URL DB version: 20240603.20358"&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Why can I not get ANY help on this?&lt;/P&gt;</description>
      <pubDate>Wed, 05 Jun 2024 14:31:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588838#M6789</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-06-05T14:31:48Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588929#M6799</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/33952"&gt;@Zewwy&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This forum is for XDR product related discussions. Analysis of a domain and its reputation is out of scope for this forum.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Please raise a support case to help you with the investigation.&lt;/P&gt;</description>
      <pubDate>Thu, 06 Jun 2024 09:52:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/588929#M6799</guid>
      <dc:creator>nsinghvirk</dc:creator>
      <dc:date>2024-06-06T09:52:59Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/589811#M6831</link>
      <description>&lt;P&gt;Thanks Nsinghvirk,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;I was hoping that, as a community, there would be an appropriate thread topic in which to discuss these matters. If this was not the one after initial creation, my second hope was that there would be forum moderators that could move the thread to a more appropriate area to get the correct attention and help an Original Poster is seeking.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If this is not a community driven forum, then ask me to leave, and I will gladly leave this forum site forever.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Having said that, we did further investigation on the domain and source, and contacted Canadian Cyber Security, and they provided us with the following additional details about the domain in question:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;"&lt;/P&gt;
&lt;P&gt;I received the following answer relating to your enquiry from our Cyber Incident team:&lt;/P&gt;
&lt;P&gt;This api call is viewed by checking the CBC.ca page source:&lt;BR /&gt;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="cbc source.png" style="width: 999px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60396iDCF18A08A991A463/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="cbc source.png" alt="cbc source.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The company responsible for this api is Contxtful Technologies Inc: &lt;A href="https://documentation.contxtful.com/space/DOCS2020/1040646377/Contxtful's+Data+Approach" target="_blank"&gt;https://documentation.contxtful.com/space/DOCS2020/1040646377/Contxtful's+Data+Approach&lt;/A&gt;&lt;BR /&gt;The gist of it is that it collects mobile sensor data to use it for machine learning of user interactivity with ads. Basically, a fancy collector of data to target ads better.&lt;BR /&gt;The amount of pings on their firewall must be due to it being related to ads and data collection.&lt;BR /&gt;This api call has also been seen at other news article websites as well."&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have forwarded this information on to the PAN category team, but every time I make a request to change the category to web-advertisements they come back stating it will remain parked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My questions now are:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;1) How can I get this thread moved to a new topic area?&lt;BR /&gt;2) How can I get the PAN URL category team to actually change the type based on these findings?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2024 14:13:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/589811#M6831</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-06-18T14:13:39Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/595238#M7084</link>
      <description>&lt;P&gt;After 2 months, PAN finally decided to change the category. Yay... Thanks PAN.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Aug 2024 15:02:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/595238#M7084</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-08-19T15:02:42Z</dc:date>
    </item>
    <item>
      <title>Re: Tons of receptivity.io</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/595239#M7085</link>
      <description>&lt;P&gt;Now I have the root domain showing up in my logs as parked and thus in my threat logs.&lt;/P&gt;
&lt;P&gt;I asked them to recategorize that one as well, and instantly said no. Time to have another 2 month battle with PAN support. Thanks PAN I love you guys, very helpful and the stress you cause me should be a crime against humanity.&lt;/P&gt;</description>
      <pubDate>Mon, 19 Aug 2024 15:20:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/tons-of-receptivity-io/m-p/595239#M7085</guid>
      <dc:creator>Zewwy</dc:creator>
      <dc:date>2024-08-19T15:20:13Z</dc:date>
    </item>
  </channel>
</rss>