WhoisXML API

WhoisXML API

A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider
Joined on February 28, 2019
Total Post Views: 5,283,292

About

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

We serve Fortune 500 companies as well as small companies, including cyber-security companies, corporations within a cyber-security division, government agencies, domain registries and registrars, brand agents, domain brokers and investors, marketing data warehouses, banks, telecoms, online payment processors, law firms, financial institutions and many more.

We are established in Los Angeles since 2010 and have been recognized (in 2017, 2018, 2019, 2021, and 2022) as one of Inc. 5000 fastest growing companies, notably in the Security and Top IT categories.

Except where otherwise noted, all postings by WhoisXML API on CircleID are licensed under a Creative Commons License.

Company Updates

New WhoisXML API White Paper Highlights Registration Trends in Top gTLDs and ccTLDs

Anyone seeking to establish an online presence appears to have limitless options for reserving Internet domain names. But the question remains: which providers do registrants prefer? more

A DNS Investigation of the GootLoader Campaign

Back in 2015, a survey found that cats drove 15% of the overall Internet traffic. That said, it is not surprising for threat actors to use cat-related content to lure victims to visit their malware-laden sites. Such was the case for GootLoader, which allowed cybercriminals to steal data and deploy post-exploitation tools and ransomware. more

Silent Night, Deadly Sites: How Christmas Cyber Threats Lurk in the DNS

For many across the globe, Christmas represents a joyous time of celebration and giving. But it can also be a time for worry, especially for those unfortunate enough to get scammed while doing their holiday shopping. more

Exploring the SideWinder APT Group’s DNS Footprint

The SideWinder advanced persistent threat (APT) group, also known as "T-APT-04" or "RattleSnake," has been active since 2012. It launched attacks against military and government entities in Asia. more

New WhoisXML API Study Highlights Business Insights from ASN and ISP Data

As unique identifiers of entities that control IP ranges, autonomous system numbers (ASNs) provide valuable data. Understanding ASN distribution and deriving insights from it can significantly enhance strategic business and market analyses. more

A DNS Deep Dive into FUNULL’s Triad Nexus

Silent Push has been monitoring the FUNULL content delivery network (CDN) for two years now. They believe the network has played host to various cybercriminal campaigns, including investment scams, fake trading app distribution, suspect gambling networks, and the Polyfill supply chain attack. more

Uncovering Potential Black Friday and Thanksgiving Threats with DNS Data

Thanksgiving is right around the corner. With it, of course, come celebrations with family and friends and the biggest Black Friday sales. All seems well and good but that's not always the case, isn't it? more

New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs

The threat actors behind the RomCom malware, known for extorting government agencies, recently resurfaced with a new RomCom variant called "Snipbot" or "RomCom 5.0" by Palo Alto Networks Unit 42. more

Global Domain Activity Trends Seen in Q3 2024

WhoisXML API analyzed close to 22 million domains registered in Q3 2024 to uncover global domain activity trends. more

A DNS Investigation into Mamba, the Latest AitM Phishing Player

Phishing has been around for years, yet it still proves to be a major online threat. To continue profiting, cybercriminals must continuously adapt their techniques. more

A DNS Investigation of the 32 Doppelganger Websites Seized by the U.S. Government

The U.S. Office of Public Affairs issued a statement on 4 September 2024 regarding the seizure of 32 websites that are believed to be part of the so-called "Doppelganger" campaign. more

Investigating the Proliferation of Deepfake Scams

While deepfakes may sometimes be perceived as amusing, their potential for harm is significant and far-reaching. One finance worker for a multinational firm, for example, was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company's chief financial officer (CFO) in a video call just this February. more

Examining the DNS Underbelly of the Voldemort Campaign

Toward the end of August 2024, a customized malware dubbed "Voldemort" based on strings found in its code was used in a cyber espionage campaign targeting various countries. more

2024 Domain Intelligence Study of 6 APT Groups Notorious for Targeting Europe

At least 40 advanced persistent threat (APT) groups have trailed their sights on several European countries over the years, and that isn't surprising, given that the continent serves as the headquarters of renowned international organizations like the European Union Agency for Law Enforcement Cooperation (Europol), INTERPOL, and the North Atlantic Treaty Organization (NATO). more

Stripping Down the BlackSuit Ransomware Network Aided by DNS Data

Nearly 1 million individuals' information was stolen and exposed when threat actors launched a BlackSuit ransomware attack on 10 April 2024. The investigation revealed that the compromised data included the victims' Social Security numbers (SSNs), birthdays, and insurance claim information. more

A DNS Deep Dive into the NetSupport RAT Campaign

Remote access trojans (RATs) can be considered the malware of choice by the world's most notorious advanced persistent threat (APT) groups. And there's a good reason for that. They are hard to detect, making them ideal for lateral movement, and also difficult to get rid of. more

Tracking the DNS Footprint of the Polyfill Supply Chain Attackers

Threat actors can often find targeting certain organizations too much of a challenge. So they need to go through what we can consider back channels -- suppliers, vendors, or service providers. more

Study by WhoisXML API Explores IDNs, Native-Language Characters, and Homograph Attacks

While the usage of internationalized domain names (IDNs) has allowed organizations the world over to enter the global market using their native-language domain names, it can also enable cyber attackers to craft look-alikes of legitimate domains they wish to spoof. more

The Extended Reach of the Extension Trojan Campaign in the DNS

The ReasonLabs Research Team uncovered a new widespread polymorphic malware campaign that forcefully installed extensions on users' systems. more

Inspecting Konfety’s Evil Twin Apps through the DNS Lens

Satori recently published a report on a massive fraud campaign they have dubbed "Konfety" (Russian word for "candy"). Sounds sweet, right? more

Hunting for U.S. Presidential Election-Related Domain Threats in the DNS

As if the attention surrounding the upcoming U.S. presidential elections is not enough, the WhoisXML API research team may have unveiled thousands of potential sources of disarray -- election-related cybersquatting domains. These domains may be a lucrative source of income for some people. Case in point? more

A Closer Look at the Meduza Stealer through a DNS Deep Dive

Fortinet recently discovered a Meduza Stealer variant that has been taking advantage of the Microsoft Windows SmartScreen vulnerability CVE-2024-21412. The Meduza stealer lets remote attackers bypass the SmartScreen security warning dialog to deliver malicious files. more

July 2024: Domain Activity Highlights

The WhoisXML API research team analyzed more than 7.3 million domains registered between 1 and 31 July 2024 in this post to identify five of the most popular registrars, top-level domain (TLD) extensions, and other global domain registration trends. more

On a DNS Threat Hunt for DISGOMOJI

Cyber espionage is not uncommon and often occurs between rivals. And though the cyber attackers' tactics and techniques remain the same, their tools do not. more

The Most Phished Brands of 2024 in the DNS Spotlight

The Zscaler ThreatLabz 2024 Phishing Report named Microsoft, OneDrive, Okta, Adobe, SharePoint, Telegram, pCloud, Facebook, DHL, WhatsApp, ANZ Banking Group, Amazon, Ebay, Instagram, Google, Sparkasse Bank, FedEx, PayU, Rakuten, and Gucci as the 20 most phished brands. more

Uncovering DNS Details on Operation Celestial Force

Advanced persistent threat (APT) groups will employ any means necessary to compromise the networks of their intended targets. And for Cosmic Leopard, that means using GravityRAT, an Android-based malware, and HeavyLift, a Windows-based malware loader, in their most recent operation Cisco Talos has dubbed "Operation Celestial Force." more

Global DNS and Domain Activity Trends in Q2 2024

Our research team analyzed more than 21.5 million domains registered between 1 April and 30 June 2024, as seen in the Newly Registered Domains (NRDs) Data Feed. more

On the Hunt for Remnants of the Samourai Wallet Crypto Mixing Services in the DNS

Keonne Rodriguez and William Lonergan Hill, founders of Samourai Wallet, a cryptocurrency mixing service, were sentenced in April 2024 and their sites taken down for executing more than US$2 billion in unlawful transactions and laundering more than US$100 million in criminal proceeds. more

A Peek at the V3B Phishing Kit Attack via the DNS Lens

Phishing is and remains a top threat. Google alone blocks around 100 million phishing emails daily, and it doesn't help that phishers get extra help from phishing kits -- ready-made cybercrime tools that allow even cybercriminal newbies to launch attacks following a few simple steps. more

Tracking Down Fake Cryptocurrency Sellers Using DNS Intelligence

Threat researcher Dancho Danchev recently uncovered 130 domains that seemingly belong to fake cryptocurrency sellers. The WhoisXML API research team sought to find potential connections to the threat by expanding the current list of indicators of compromise (IoCs) using our vast array of DNS intelligence sources. more

Following the DNS Trail of APT Group Newbie Unfading Sea Haze

A new advanced persistent threat (APT) group dubbed "Unfading Sea Haze" has been trailing its sights on various organizations based in countries surrounding the South China Sea. more

On the DNS Trail of the Foxit PDF Bug Exploitation Attackers

Check Point Research reported a Foxit PDF Reader vulnerability that threat actors have begun exploiting, putting the application's users at risk. When exploited, the bug triggers security warnings that may deceive unsuspecting users into executing harmful commands. more

Profiling a Popular DDoS Booter Service’s Ecosystem

Cybercriminals can launch distributed denial-of-service (DDoS) attacks with relative ease these days by using DDoS booter services, online services that automate the DDoS attack process. more

A DNS Investigation of the Phobos Ransomware 8Base Attack

Intel-Ops researchers recently discovered that the 8Base Ransomware Group has been using Phobos ransomware to infect their targets' networks. 8Base has reportedly been active since mid-2023. more

Stately Taurus APT Group Targets Asian Countries: What Do the Campaign IoCs Reveal?

A decade-old advanced persistent threat (APT) group called "Stately Taurus," also known as "Mustang Panda" and "Earth Preta," was recently observed targeting Association of Southeast Asian Nations (ASEAN) countries in cyberespionage activities. Specifically, Palo Alto Networks observed two malware packages that may have been used to target Japan, Myanmar, the Philippines, and Singapore. more

Unraveling the World of Security Data Aggregation

More than 30.6 billion records have been exposed in 2024 so far based on 8,839 publicly disclosed incidents. Intensifying cybersecurity efforts has thus become more critical than ever for organizations the world over. more

A DNS Investigation of the Typhoon 2FA Phishing Kit

Bleeping Computer recently reported that a phishing-as-a-service (PhaaS) available in cybercriminal forums dubbed "Typhoon 2FA" has the ability to compromise Microsoft 365 and Google accounts even if users have two-factor authentication (2FA) enabled. more

Examining a U.S. Tax Scammer’s Web Infrastructure through the DNS Lens

The 2024 U.S. tax season is well underway, and as usual, scams of all kinds targeting taxpayers and causing the Internal Revenue Service (IRS) problems have cropped up. One such ongoing malicious campaign has explicitly been trailing its sights on small business owners and the self-employed. more

Hunting for TimbreStealer Malware Artifacts in the DNS

A new info-stealing malware called "TimbreStealer" is in town. Cisco Talos detected its distribution through a phishing campaign targeting Mexico. more

A Glimpse into the Global Domain Registration Trends Seen in Q1 2024

After analyzing 21+ million newly registered domains (NRDs) added from 1 January to 31 March 2024, our researchers found that the new domain registration volume declined by about 32% from the previous quarter. more

Uncovering Suspicious Download Pages Linked to App Installer Abuse

Threat actors have been abusing App Installer, a Windows 10 feature that makes installing applications more convenient. The abuse could lead to ransomware distribution and was likely carried out by financially motivated actors Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674. more

On the DNS Trail of the Rise of macOS Backdoors

macOS has been gaining the unwanted attention of more and more backdoor operators since late 2023. In February 2024, Bitdefender uncovered RustDoor, which was written in Rust and possibly has ties to the operators of a Windows ransomware. more

Checking Out the DNS for More Signs of ResumeLooters

Group-IB uncovered ResumeLooters, a threat actor group specializing in victimizing job hunters to steal their personally identifiable information (PII). more

WhoisXML API Publishes a New Study of 7 APT Groups That Have Targeted North America

In the past two decades, at least 41 advanced persistent threat (APT) groups have launched attacks on entities and organizations based in North America. more

Searching for Potential Propaganda Vehicle Presence in the DNS

The Citizen Lab recently uncovered an ongoing online propaganda campaign they have dubbed "PAPERWALL" that has been targeting local news outlets across 30 countries in Europe, Asia, and Latin America. more

Following the VexTrio DNS Trail

VexTrio, a traffic distribution system (TDS) provider believed to be an affiliate of ClearFake and SocGholish, among other threat actors, has been active since 2017. more

Tracing Ivanti Zero-Day Exploitation IoCs in the DNS

Among the latest to suffer from zero-day exploitation is Ivanti, a software company providing endpoint management and remote access solutions to various organizations, including U.S. federal agencies. more

DNS Investigation: Is xDedic Truly Done for After Its Takedown?

Law enforcement agencies shut down xDedic, a cybercrime-as-a-service (CaaS) marketplace specifically providing web servers to cybercriminals, back in 2019. However, WhoisXML API threat researcher Dancho Danchev posits that parts of its backend infrastructure may remain traceable. more

DNS Deep Diving into Pig Butchering Scams

New kids on the cybercrime block, pig butchering scams, have been making waves lately, and it is not surprising why. Scammers have been earning tons from them by being able to trick users into investing in seemingly legitimate business ventures but losing their hard-earned cash instead. more

The New RisePro Version in the DNS Spotlight

RisePro, a malware-as-a-service data stealer, has been plaguing users since 2022. ANY.RUN recently discovered and analyzed its latest version in great depth and identified 10 indicators of compromise (IoCs) -- three domains and seven IP addresses. more

Tracking Down Sea Turtle IoCs in the DNS Ocean

The Sea Turtle threat group recently made headlines when it expanded its operations to target ISPs and telecommunications and media companies in the Netherlands. In the past, Sea Turtle primarily targeted organizations in the Middle East and the U.S. using DNS hijacking and man-in-the-middle (MitM) attacks. more

Uncloaking the Underbelly of JinxLoader

Cybercriminals are known for using so-called "loaders" like Xloader to initiate computer infections. Worse, even newbies can now get their hands on these malware distributors via hacker forums. Case in point? JinxLoader, one of the latest malicious offerings up for grabs on the likes of hackforums[.]net. more

Examining the Mirai.TBOT IoCs under the DNS Microscope

The Mirai botnet, first discovered way back in 2016, made headlines and gained infamy as the biggest botnet to hit networks the world over. It has resurfaced with multiple ways of infecting Internet of Things (IoT) devices and the ability to launch zero-day exploits. more

A Deep Dive into 6 APT Groups Based in or Targeting APAC

Advanced persistent threat (APT) groups are more dangerous than your run-of-the-mill cybercriminals. They, after all, trail their sights not only on financial gain but loftier targets such as wreaking havoc on entire nations. more

WhoisXML API Launches New and Improved Website Categorization Products

WhoisXML API is thrilled to introduce a new version of Website Categorization API and Website Categorization Database. The product line now offers an enhanced website categorization model with additional context and is powered by advanced artificial intelligence (AI) algorithms, offering overall better stability and accuracy. more

Exploring Epsilon Stealer Traces Aided by DNS Intel

Computers that get infected with the Epsilon stealer could spell game over for serious gamers, but they are not the only ones at risk. The creators of games like EPSILON, Pokemon, and Roblox that the malware operators are mimicking stand to lose a lot as well. They may lose customers and damage their reputation in the process. more

WhoisXML API Newly Registered Domains V2 (NRD2) Achieved Massive Coverage Growth

WhoisXMl API is proud to announce data quality improvements of the Newly Registered Domains V2 (NRD2) Data Feed, specifically an 89% increase in total coverage over the last 12 months. Moreover, the data feed recorded a 153.95% increase in activity for the top 10 country-code top-level domains (ccTLDs). more

A Peek at the PikaBot Infrastructure

It is not uncommon these days for threat actors to use malicious search ads to distribute malware. To do that, though, they would need to know how to bypass Google's security measures by setting up decoy infrastructures. more

Investigating the UNC2975 Malvertising Campaign Infrastructure

Mandiant's Managed Defense Threat Hunting Team recently published an in-depth study of the malware distributed via what they have dubbed the "UNC2975 malvertising campaign." Users who have been tricked into clicking poisoned sponsored search engine results and social media posts ended up with computers infected with either the DANABOT or DARKGATE backdoor. more

Unveiling Global Domain Activity Trends in Q4 2023

The new domain name registration volume rose 10.24% from the third to the fourth quarter of 2023. WhoisXML API researchers uncovered this finding, along with other DNS trends, after analyzing more than 31 million newly registered domains (NRDs) added from 1 October to 31 December 2023 as seen in the Newly Registered Domains Data Feed. more

Kimsuky: DNS Intel Gathering

The Kimsuky Group, believed to be a North Korea-based advanced persistent threat (APT) group active since 2013, struck again several times this year. They gained notoriety for launching spear-phishing attacks on targets to gain initial access.  more

Unveiling Stealthy WailingCrab Aided by DNS Intelligence

The WailingCrab malware has gained notoriety for its stealth. IBM X-Force security researchers recently published an in-depth analysis of the malware, which has been abusing Internet of Things (IoT) messaging protocol MQTT. more

A Peek Under the Hood of the Atomic Stealer Infrastructure

The Atomic Stealer, also known as "AMOS," first emerged in September this year by spreading on Macs disguised as popular applications. This time around, it has been wreaking more havoc in the guise of a fake browser update dubbed "ClearFake." more

A Fake ID Marketplace under the DNS Lens

The concept of internationalization extends from the virtual to the physical realm. Many people wish to travel or even migrate to other countries at some point in their lives. Unfortunately, that's sometimes easier said than done given the many legal documents, including valid IDs, passports, and others required. more

Behind the Genesis Market Infrastructure: An In-Depth DNS Analysis

As long as cybercriminals remain in business, so will the number of underground marketplaces grow. And despite the crackdown on the biggest markets like Silk Road, cybercriminals will continue to strive to put up their own marketplaces, probably given their profitability. Case in point? more

Rogue Bulletproof Hosts May Still Be Alive and Kicking as DNS Intel Shows

Rogue bulletproof hosts are part and parcel of the cybercriminal market that is hidden deep underground. Without means to easily evade detection, attribution, and incarceration, many of today's cybercriminals would not be able to continue their malicious operations. more

Carding, Still in Full Swing as DNS Intel Shows

Carding has been around since the 1980s but has evolved to the point that even less experienced cybercriminals can now launch campaigns. How? Via the carding forums that riddle the Web these days. more

A DNS Deep Dive into BreachForums Domains

The Federal Bureau of Investigation (FBI) shut down BreachForums, a forum for English-speaking black hat hackers, on 21 March 2023, following the arrest of its owner Conor Brian Fitzpatrick. more

APT29 Goes from Targeted Attacks to Phishing via NOBELIUM: A DNS Deep Dive

APT29, believed to be an espionage group from Russia, became known for launching targeted attacks against organizations in Ukraine. But over the course of investigating the threat group, Mandiant discovered that it may have a hand in cybercriminal operations, specifically phishing, as well. more

Tracing BlackNet RAT’s History through a DNS Deep Dive

BlackNet RAT, first discovered during the COVID -- 19 pandemic and being distributed via spam messages offering an effective cure for the virus, seems to have outlived the global crisis. more

Phishing Group Found Abusing .top Domains

Threat researcher Dancho Danchev recently discovered a phishing operation that seemed to be abusing .top domains for which he collated 89 email addresses that served as indicators of compromise (IoCs).  more

Fishing for QR Code Phishing Traces in the DNS

Threat actors have been seen yet again abusing a technology meant to make things easy for all of us -- QR codes -- in one of the most commonly utilized cybercriminal activities - phishing. The rise in QR code phishing isn't surprising given that according to several studies, as much as 86% of the entire global population use their mobile phones for all kinds of transactions, including financial ones. more

Catching Messenger Phishing Footprints Using a DNS Net

A phishing campaign is currently targeting Facebook business accounts with password-stealing malware. The attackers have been using a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages. more

Rhysida, Not Novel but Still Dangerous: DNS Revelations

Rhysida, a new ransomware currently plaguing users may not be novel, but it's proving to be just as effective. Fortra published an in-depth analysis of the malware currently holding the data of healthcare organizations primarily based in the U.S. hostage. more

The Makings of ADHUBLLKA According to the DNS

It's not uncommon for cybercriminals to tweak an existing piece of malware and then call it a new creation. We've seen that happen even in malware's earliest days. It's actually happening more and more these days, especially with the rise of the malware-as-a-service (MaaS) business model. more

Probing the DNS for Signs of XLoader Abuse

XLoader has been plaguing macOS users since it was first discovered in 2021. Back then, though, it only posed a threat to those who opted to install Java on their systems. more

DNS Abuse and Redirection: Enough for a New JS Malware to Hide Behind?

DNS abuse combined with redirection seems to be gaining popularity as a stealth mechanism. We've just seen Decoy Dog employ the same tactic. More recently, a still-unnamed JavaScript (JS) malware has been wreaking havoc among WordPress site owners by abusing Google Public DNS to redirect victims to tech support scam sites. more

Searching for Smishing Triad DNS Traces

Given the ubiquity of mobile phone usage, you'd think we'd all know by now how to tell legitimate from scammy text messages. Then again, cybercriminals are always on top of their game -- learning how the latest technologies work and finding ways to abuse them. more

From URSNIF IoCs to Software Spoofing: Using DNS Intel to Connect the Dots

Financially motivated threat actors called "TA544" were first detected in 2017. TA544 is known for high-volume campaigns, sending hundreds of thousands of malicious messages daily. more

Thawing IcedID Out Through a DNS Analysis

Evolution isn't only for humans and other living things. Apparently, malware can evolve, too, and IcedID is a good example. First detected as a banking trojan in 2017, IcedID continues to undergo updates that make it even more dangerous. In the past few months, IcedID variants have been observed to deliver ransomware payloads instead of performing its original function -- stealing financial data. more

Examining WoofLocker Under the DNS Lens

WoofLocker tech support scams have been wreaking havoc since 2017 but the threat actors behind it don't seem to be done yet. In fact, the threat may have become even more resilient. more

Decoy Dog, Too Sly to Leave DNS Traces?

Decoy Dog, a malware renowned for abusing the DNS, specifically by establishing command and control (C&C) via DNS queries, first reared its head most likely in early 2022. Given its sly nature, the DNS malware has been used to successfully steal data from organizations throughout Russia and other Eastern European nations. more

Will Redis Remain on Threat Actors’ Radar?

Threat actors have been targeting vulnerable Redis instances since February 2022 when the Redis Lua Sandbox Escape and Remote Code Execution Vulnerability, also known as "CVE -- 2022 -- 0543," was discovered. The Mushtik Gang was one of the first cyber attack groups to exploit it. more

Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS

APT41, also known as "Winnti," "BARIUM," or "Double Dragon," is an APT group said to originate from China. Having been active since 2012, APT41 rose to infamy by successfully launching targeted cyber espionage attacks on government agencies and private companies worldwide. more

DNS Insights behind the JumpCloud Supply Chain Attack

Even solutions meant to enhance security can sometimes fall prey to the best cyber attackers. That's what happened to JumpCloud, a cloud-based directory service platform designed to centralize and simplify identity access management (IAM). more

Signs of MuddyWater Developments Found in the DNS

Cyber espionage group MuddyWater's or Mercury's first major campaign was seen as early as 2012. But as things always go in the cybersecurity realm, threat groups, especially those that gain infamy, don't necessarily just come and go. more

AI Tool Popularity: An Opportunity for Launching Malicious Campaigns?

The latest fraud data Sift published in "Q2 2023 Digital Trust & Safety Index" revealed that 78% of users are concerned that fraudsters could exploit AI tools to victimize them. more

DNS Revelations on Eevilcorp

Phishing, despite its age and infamy, remains one of the top threats to corporate and personal networks alike. And it's not hard to see why -- it continues to be effective. In fact, more than a third of all data breaches today involve phishing. more

WhiteSnake Stealer Serpentines through the DNS

It's not unusual for data stealers to target several browsers simultaneously. Zooming in on multiple platforms at once, including email clients, gaming portals, chat apps, crypto wallets, and even VPN-protected services, however, is quite novel.  more

A DNS Deep Dive Into Malware Crypting

Each time organizations shore up their network defenses, cybercriminals devise new and innovative ways to up the cyber attack ante. That's actually the rationale behind malware crypting - the process of making malicious programs, apps, and files appear harmless to anti-malware and intrusion detection solutions. more

BlackCat Hacks Reddit Again, Take a Look at What the DNS Revealed

The first time the BlackCat ransomware gang breached Reddit's network last February, they phished an employee to hack into the target network. This time, according to a ReversingLabs detailed report, they successfully dropped BlackCat onto the company's systems and threatened to release its data if it fails to pay the ransom. more

MOVEit Bug-CLOP Ransomware Threat Vector Identification Aided by DNS Intelligence

The beginning of the month of June, according to CleanINTERNET, marked the emergence of several zero-day attacks targeting vulnerable MOVEit servers to exfiltrate confidential data. MOVEit Transfer is a managed file transfer software that supports file and data exchange. more

Alleviating the Risks .zip and Similar Domain Extensions Could Pose via DNS Intelligence

Google's announcement of the launch of the .zip ngTLD was met by a lot of debate. Many believe threat actors could abuse the ngTLD for phishing and other malicious campaigns, primarily since it could be easily confused with the .zip file extension. more

Scanning for LockBit Ransomware DNS Traces

ReliaQuest named LockBit one of the most effective and undoubtedly most prolific currently active ransomware groups today. In fact, the malware topped their latest ransomware quarterly list for the first three months of 2023, a continuation of their 2022 observation. more

When Marketing Vendors Get Attacked, Clients Suffer: Third-Party Risk Discovery in the DNS

Organizations get bombarded with countless attacks from every direction, including via their supply chain. FortifyData's recent record of the top third-party data breaches in 2023 brings to light how multidirectional threat sources can be. In one of the data breaches on the list, AT&T disclosed in March 2023 that threat actors accessed the information of approximately 9 million wireless accounts through the telecommunication company's marketing vendor. more

DNS Snooping on Apple iOS 14 Zero-Click Spyware KingsPawn

Last year, several governments reportedly used the NSO Group's spyware Pegasus to exploit a zero-day vulnerability in WhatsApp to spy on journalists, opposition politicians, and dissidents via their mobile devices. Apple quickly addressed the issue by launching more powerful data protection features. more

Scouring the DNS for Traces of Bumblebee SEO Poisoning

Google ad or search engine optimization (SEO) poisoning has long been a favored threat actor tactic to spread malware. A recent Secureworks study of Bumblebee, which comes in the guise of a software installer, proved that once again. more

A DNS Deep Dive: That VPN Service May Be OpcJacker in Disguise

The more dangerous browsing the Internet becomes, the more tools to address cyber threats emerge in the market. Virtual private network (VPN) service usage, for instance, gained ubiquity due to the ever-increasing number of data privacy intrusions. more

Searching for Nevada Ransomware Digital Crumbs in the DNS

 more

How the SVB and Credit Suisse Crash Was Reflected in the DNS

We've proven time and again that the effects of current events always extend to the DNS. Just last month, two big banks - the Silicon Valley Bank (SVB) and Credit Suisse - collapsed. Financial experts said more banks may be bound to follow. more

Dissecting 1M+ Malicious Domains Under the DNS Lens

Threat actors continue to abuse the DNS by weaponizing domain names. On 13 April 2023, through our recently launched Threat Intelligence Data Feeds (TIDF), we identified more than 1 million suspicious and malicious domains that figured in phishing, malware distribution, spam, and other cyber attacks, such as brute-force and distributed denial-of-service (DDoS) attacks. more

Discovering Potential BEC Scam Vehicles Through the DNS

Threats tend to become more advanced over time. So is the case of business email compromise (BEC) scams, which according to a SlashNext post, cost companies billions of U.S. dollars in losses per year. more

Looking for Traces of Social Media-Based Celebrity Scams in the DNS

Infoblox, in its Q4 2022 Cyber Threat Report, featured a "Meta" coin scam using fake celebrity endorsements targeting users in the European Union (EU). The analysis revealed several indicators of compromise (IoCs), specifically four domains and one IP address, that could help the public avoid the perils the scams posed. more

Detecting Possible Fraud Vehicles Specific to Latin America and the Caribbean

Although fraud is a global issue, some threats may be unique to certain regions. Accertify listed some subtrends specific to Latin America and the Caribbean (LAC), including those involving the airline and digital wallet industries. more

Drawing the Line Between SYS01 and Ducktail Through DNS Traces

Back in January of this year, we studied the infrastructure of Ducktail, a malware that trailed its sights on Facebook business owners and advertisers. Just this month, Morphisec researchers found a similar threat they've dubbed "SYS01." more

Black Basta Ransomware DNS Investigation Led to OneNote and Courier Impersonation

Among the most active and rapidly spreading ransomware in 2022 was Black Basta. It was first detected in April 2022 and victimized nearly 100 organizations in North America, Europe, and Asia by September that same year. As a ransomware-as-a-service (RaaS) malware, Black Basta employs double extortion to force victims to pay the ransom. more

2023 Update - How Are the Most-Spoofed Brands Represented in the DNS?

Even if cyber attack tactics, techniques, and procedures (TTPs) have become increasingly sophisticated over the years, age-old phishing remains the most-used attack vector to this day.  more

Probing Lorec53 Phishing through the DNS Microscope

Lorec53, a relatively new APT group according to NSFocus, actively targeted various Eastern European government institutions in 2021. The threat actors used well-crafted phishing campaigns to gather and steal data from their targets. Two years after their heyday, is the threat Lorec53 poses gone? Or has the group left still-active traces in the DNS? more

Is Your Intranet Vulnerable to Attacks? Investigating Intranet Impersonation in the DNS

On 10 February 2023, Reddit announced it suffered a security incident where a phishing campaign led an employee to a website that imitated the network's intranet gateway. more

Shining the WHOIS and DNS Spotlight on International Fraud

Scammers and fraudsters have been making life hard for users the world over for a long time now. To help expose potential malicious campaigns, threat researchers like Dancho Danchev have been collating indicators of compromise (IoCs) that can be used in further investigations. more

Beyond Healthcare IoCs: Threat Expansion and EHR Impersonation Detection

The healthcare industry has had a rough couple of years since the COVID-19 pandemic started. But this didn't stop threat actors from attacking the sector, with several healthcare organizations targeted by ransomware, data breach, and other cyber attacks. more

Detecting ChatGPT Phishing on Social Media with the Help of DNS Intelligence

Since its launch last November, the ChatGPT hype has only increased not only among users but also abusers. Cyble researchers recently spotted phishing attacks using supposed ChatGPT sites to phish for personally identifiable information (PII), specifically credit card data. more

Detecting Malware Disguised as OneNote with Threat Intelligence

We've seen threat actors abuse almost all Windows OS applications in their campaigns, disguising malware as macros, Word documents, Excel spreadsheets, and PowerPoint presentations to trick users into opening and executing them. Most recently, they've been spreading malware in the guise of OneNote documents to cause mayhem. more

Detecting Carder-Friendly Forums through IoC Expansion

Carding or the theft and consequent selling of credit and other payment card information to users has long been a problem. And with the ease of obtaining hosts for carder forums and communities and hiding their tracks online, the threat has become even bigger. more

SocGholish IoCs and Artifacts: Tricking Users to Download Malware

As all initial-access threats go, SocGholish is among the trickiest. It often comes disguised as software updates, deceiving victims into downloading a malicious payload that could eventually lead to more lethal cyber attacks. In fact, researchers at ReliaQuest found evidence that an initial SocGholish malware distribution was intended to deploy ransomware. more

The Fight Against Hive Ransomware May Not Be Done as Yet-Unidentified Artifacts Show

The Hive Ransomware Group has had more than 1,500 victims across more than 80 countries worldwide. They attacked hospitals, school districts, financial firms, and critical infrastructure until the U.S. Department of Justice (DOJ) disrupted their operations. Have we seen the fall of the group's entire infrastructure? more

Gauging How Big a Threat Gigabud RAT Is Through an IoC List Expansion Analysis

Targeting governments the world over in cyber attacks is not a novel concept. Doing that using mobile apps, however, is quite new as a tactic. And that's what Cyble researchers reported as Gigabud RAT's modus operandi - trailing its sights on citizens of Thailand, the Philippines, and Peru who use government-owned institutions' mobile apps. more

Catching Batloader Disguised as Legit Tools through Threat Vector Identification

Putting on a mask on malware has always worked to trick users into downloading them, and the threat actors behind Batloader banked on just that. Trend Micro researchers tracked and analyzed Batloader-related developments toward the end of 2022. more

Tracing Connections to Rogue Software Spread through Google Search Ads

Taking control of victims' accounts is typically the end goal of many cybercriminals, and they never cease to come up with wily ways to do so. Bleeping Computer researchers recently spotted hackers spreading malware mayhem through Google search ads supposedly pointing to open-source software download sites. more

Malware Persistence versus Early Detection: AutoIT and Dridex IoC Expansion Analysis

AutoIT-compiled malware and Dridex trace their roots to as far back as 2008 and 2014, respectively. As malware variants go, therefore, they've both had a long history and taken on various forms over time. But despite having been detected and consequently blocked with each new version, they're still alive and kicking -- a testament to their persistence. more

Sifting for Digital Breadcrumbs Related to the Latest Zoom Attack

Threat actors have been targeting Zoom and its users since the platform's launch, and it's easy to see why -- the latest stats show it accounts for 3.3 trillion annual meeting minutes worldwide. It's not surprising, therefore, that cyber attackers trailed their sights yet again on the communication app. more

Cloud Atlas May Hide Their Tracks but 1,800+ Unpublicized Artifacts Can Help Orgs Tag Them

Cyber espionage group Cloud Atlas has been trailing its sights on critical infrastructure operators in countries suffering from political conflict since its discovery in 2014. Aptly nicknamed "Inception," the group's tactic of going after nations with bigger problems than cybersecurity seems to be working, as evidenced by successful intrusions over the years. more

Exposing Chat Apps Exploited for Supply Chain Attacks

As far back as September 2022, Trend Micro reported that threat actors began exploiting chat apps Comm100 and LiveHelp100 to launch supply chain attacks. In a bid to help potential targets curb the problem, they publicized nine indicators of compromise (IoCs), specifically command-and-control (C&C) server addresses. more

Uncovering Other DarkTortilla Threat Vectors

As an age-old digital threat, phishing just continues to grow in sophistication over time, as DarkTortilla showed. Cyble Research and Intelligence Labs (CRIL) published a technical analysis of the threat specifically targeting Cisco and Grammarly. Are there other potential threat vectors, though? more

Supply Chain Security: A Closer Look at the IconBurst and Material Tailwind Attacks

Earlier this month, ReversingLabs published a report on the current state of software supply chain security. They stated that the volume of such attacks using npm and PyPI code have increased by a combined 289% in the past four years. The research also cited two npm attacks as evidence -- IconBurst and Material Tailwind. more

RedLine Stealer: IoC Analysis and Expansion

For roughly US$100, threat actors can purchase RedLine Stealer, a malware-as-a-service (MaaS) program first detected in March 2020 that continues to wreak havoc to this day. The malware can steal information from infected devices, including autocomplete and saved information on browsers. more

Own a Facebook Business? Beware of Ducktail

WithSecure recently unveiled a malicious campaign dubbed "Ducktail," which trailed its sights on Facebook business owners and advertisers. Believed to be run by Vietnamese operators, Ducktail uses malware to steal data from victims and hijack vulnerable Facebook business properties. more

Is Aurora as Stealthy as Its Operators Believe?

Stealth is a typical goal for most threat actors when launching malware and other attacks. The better hidden a malware is, the more effective an attack becomes. And that is what fast-rising data stealer Aurora is gaining notoriety for. more

Exposing the New Potential Ways Royal Ransomware Gets Delivered

DEV -- 0569, a threat actor Microsoft has been monitoring, was recently observed deploying Royal ransomware via pages posing as legitimate software download sites and repositories, among other stealthy tactics. He has so far used fake download sites for Adobe Flash Player, AnyDesk, Zoom, and TeamViewer in phishing emails and domains. more

WhoisXML API Launches Regulation-Specific IP Data Feeds

WhoisXML API's IP intelligence now includes Regulatory Compliance IP Data Feeds available as separate IP geolocation and IP netblocks files. These data feeds are filtered to only provide the IP geolocation and ownership data of IP addresses from sanctioned or restricted locations as specified by different regulatory authorities. more

Why Domain Seizure May Not Stop Money Mule Recruitment Campaigns

In the realm of cybersecurity, seizing domains unfortunately doesn't always mean the end for the threats they pose. Such could be the case for the 18 domains U.S. law enforcement agents recently took offline for their ties to a money mule recruitment operation reported by Bleeping Computer. more

From Counties to Banks: Tracing the Footprint of Ransomware Attack IoCs

SecurityScorecard published a report on a cyber attack that a U.S. county victim announced on 11 September 2022. With ransomware attacks against local government units increasing in the past few years, WhoisXML API researchers decided to build on the list of IP addresses related to the attacks. more

Watch Out, That Browser Extension Could Be Cloud9 in Disguise

Zimperium zLabs threat researchers recently reported the case of the Cloud9 Chrome Botnet, and rightly so. Many of us seem to forget just how much information cybercriminals can steal from our browsers. more

Is There More to the New Transparent Tribe TTPs?

The Pakistan-India rivalry has been going on for some time now, not just in sports events but also online in the form of cyber attacks. Zscaler ThreatLabz has been monitoring a result of this ongoing friction -- Transparent Tribe, also known as "APT -- 36" -- since the start of this year. more

Nothing Funny or Romantic about These RomCom IoCs and Artifacts

The threat actor dubbed "RomCom," known for deploying spoofed versions of popular software, has been quite busy these past few months. In the past, he was seen imitating Advanced IP Scanner and PDF Filler. More recently, though, he's been targeting Ukraine, the U.K., and other English-speaking countries by spoofing SolarWinds, KeePass, PDF Reader Pro, and Veeam. more

Robin Banks May Be Robbing You Blind

You may be wondering who Robin Banks is, but you should instead ask what Robin Banks is. Robin Banks is a phishing-as-a-service (PhaaS) platform that first surfaced in March this year. The name is a play on the phrase "robbing banks," coined by IronNet researchers who introduced the malicious platform to the world. more

Investment-Related Cybersquatting: Another Way to Lose Money?

This year, the stock market is at its most volatile state due to several factors. Debates abound about whether 2022 will be as bad as 2008, but we'll leave that up to the experts. more

Beware That Software Update, It Could Be Magniber in Disguise

Did you know that a Magniber ransomware infection can cost you a ransom of as much as US$2,500? The operators' favored method of delivery? Fake Windows 10 updates, putting 80% of all Windows operating system (OS) users worldwide at risk. The campaign, believed to have begun in April this year, remains a threat. Are Windows 10 users the only ones at risk, though? more

The Business of Cybercrime: Does Malicious Campaign Planning Take as Long as Legitimate Marketing Campaign Planning?

It has become customary for cybercriminals to ride on famous brands to make their nefarious campaigns work. The release of the world's most-awaited tech gadgets is no different. And given the public attention and techies' innate desire to be first to own the latest gadgets, threat actors will always zoom in on prospective buyers via the most ingenious scams. more

Dormant Colors IoC Expansion: Don’t Install Browser Extensions from These Domains

Internet users are being tricked into installing browser extensions that can hijack their web searches. The end goal could be to insert affiliate links, but who knows what other malicious activities the threat actors behind them are capable of? more

Rogue Tor Browser: When Search for Anonymity Leads to Exposure Instead

Anyone who wishes to browse the Internet without the prospect of being spied upon by others, whether for legal or illegal purposes, can always rely on using the Tor browser if they're so inclined.  more

Domain Shadowing IoC Expansion Led to Thousands of Possible Connections

Palo Alto Networks threat analysts discovered more than 12,000 cases of domain shadowing after scanning the Web from April to June 2022. For this threat, all cybercriminals need to do is create malicious subdomains under legitimate domains... more

Eternity’s LilithBot, Soon Available to Regular Internet Users?

Eternity, also known as the "EternityTeam" or "Eternity Project," has been active since January 2022 and tied to the Jester Group. It gained infamy for using the as-a-service subscription model to distribute its own brand of malware modules via underground forums. more

A Closer Look at Active Cyber Jihad Web Properties

Cyber jihad loosely refers to Islamic extremist terrorists' use of the Internet as a communications, fundraising, recruitment, training, and planning tool in their war against their enemies. Some of their most commonly cited enemies include the U.S., Western European countries, secular Arab governments, and Israel. more

Alleviating BlackEnergy-Enabled DDoS Attacks

BlackEnergy first appeared in 2007. Designed to launch distributed denial-of-service (DDoS) attacks or download customized spam or banking data-stealer plug-ins, it was again used to target the State Bar of Georgia last May more

Insights Into an Active Spam Domain Portfolio

Malicious spam, possibly the oldest kind of cyber threat, likely remains one of enterprises' biggest security concerns. Regardless of form and affected device, clicking a malicious link embedded in a spam email or downloading a malware-laden attachment can lead to financial, data, or identity theft. more

On the Frontlines of the Syrian Electronic Army’s Digital Arsenal

The Syrian Electronic Army (SEA) is a group of threat actors that have been around since 2011. Some of their possible victims are PayPal, eBay, Twitter, media outlets, and some U.S. government websites. more

The Inner Workings of the Russian Business Network

The Russian Business Network (RBN) claimed to be a legitimate Internet service provider (ISP) back in 2006. Shortly after establishing its business, however, it gained notoriety for hosting the sites owned by spammers, malware operators, distributed denial-of-service (DDoS) attackers, and other cybercriminals. more

Probing an Active Digital Trail of Iranian Hackers

WhoisXML API threat researcher Dancho Danchev obtained a publicly accessible list of email addresses known to be owned and used by Iranian hackers. The email addresses led us to more than 4,400 domain names, any of which can be weaponized and used in phishing, credential theft, and other forms of cyber attacks. more

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

GitHub is a popular code repository used by almost all software developers. Anyone can access it to share their code with practically anyone interested. Unfortunately, not every GitHub user is trustworthy. It has, in fact, been used to host malware at least a couple of times. more

Should We Consider the Maze Ransomware Extinct?

The Maze Ransomware Group is one of the most notorious threat actor groups targeting large enterprises, such as Cognizant, Xerox, and Canon, and stealing massive amounts of sensitive data. Some of their ransomware distribution methods include spamming, phishing, and brute forcing. more

Tracing the Digital Footprint of Iran’s Mabna Hackers

In 2018, nine Mabna hackers were indicted by a U.S. grand jury for their involvement in different instances of cybercrime. Their victims included about 320 universities and over 50 private, government, and nongovernmental organizations in several countries. more

Profiling the Massive Infrastructure Behind the Democratic National Committee Cyberintrusion

The Democratic National Committee (DNC) breach was a high-profile cyber attack in recent history. Years later, the cybersecurity community can still benefit from insights and actionable intelligence relevant to the attack. In line with this, WhoisXML API threat researcher Dancho Danchev dove deep into the DNS system intrusion using publicly available indicators of compromise (IoCs). We further enriched his findings, allowing us to uncover: more

Is Your Software a Top Impersonation Target?

Anything conveniently obtainable online is often ripe for cybercriminal picking, and that's certainly true for the most commonly used software. We can't live without them, after all, if we are to thrive and not just survive in the digital world. more

DIY Web Attacks Might Still Live on via WebAttacker

Age is rarely an issue when it comes to malware campaigns, and that's certainly true for WebAttacker. WebAttacker is a do-it-yourself (DIY) malware creation kit that became popular back in 2006. It was the first exploit kit made available to cybercriminals in the Russian underground market for as little as US$20. more

Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

The infamous gray hat security company Ashiyane Digital Security Team has gone back online in 2021. At that time, WhoisXML API threat researcher Dancho Danchev exposed more than 100 domains belonging to the group. This analysis was recently expanded to further explore the Iran-based threat group's Internet-connected infrastructure. more

What Is the Current State of Malicious PPI Businesses and Affiliate Networks?

Pay-per-install (PPI) businesses and affiliate networks made for a booming cybercriminal underground market from 2008 to 2013. Buoyed by the proliferation of fake antivirus (FakeAV) peddlers, operators made staggering profits from the sale of rogue security software.
 more

From Counterfeiting to Phishing: Cybersquatting Properties Target Network Device Makers

Early last July 2022, news broke out about the arrest of a CEO who allegedly sold fake Cisco networking devices. While he used e-commerce sites as sales channels, the idea that counterfeit products are also peddled through cybersquatting domains is not too far-fetched. more

Q2 2022 Domain Registration Trends Report

We tracked the digital spillovers of the Russia-Ukraine war two weeks after it began and saw how the news was reflected in domain registrations. We also noticed that even this year’s Oscars slapping incident drove relevant domain registrations. more

Is Monkeypox Following COVID-19’s (Digital) Footsteps?

The public attention COVID -- 19 got was truly reflected in the Domain Name System (DNS). And Monkeypox seems to be following the trail the pandemic blazed, though to a smaller extent, as threat actors seem to be using it as the latest phishing lure. How has this new virus been affecting domain registration? more

WhoisXML API Expands DNS Database Coverage and Adds New Record Type

AAAA and PTR records were added to WhoisXML API's DNS Database Download's existing pool of six DNS record types (i.e., A, MX, NS, TXT, CNAME, and SOA records). All these records are now updated daily, making the database more up-to-date and relevant in supporting security processes. more

Have You Seen These Roaming Mantis Connected Artifacts Wandering into Your Phone?

A financially motivated threat group called "Roaming Mantis" was seen targeting Android and iOS device users through malicious SMS communications. The messages sent Android phone users to download pages while iOS users were redirected to credential-stealing login pages. more

Profiling the Threat Actor Known as “Hagga” and His Work

Agent Tesla, an infamous data stealer, has been plaguing Internet users since 2014. Much has been revealed about the malware, but the world didn't come to know about one of its more adept campaign perpetrators -- Hagga -- until last year. more

Beauty and the Beast: Are These Domains Possible Vehicles for Cosmetic Product Counterfeiting?

Months after TikTok launched its marketplace in September 2021, several users have raised concerns about the authenticity of the products they purchased. The complaints mainly pertain to beauty products, such as sunscreens, lip glosses, and makeup brushes. Aside from being ripped off, consumers may be exposed to more danger. more

Are Threat Actors Intercepting Your OTPs? These Cyber Resources Might Be Helping Them

A group of researchers recently discovered a new Android banking Trojan they called "Revive" since threat actors designed it to restart if it stops working. Once a device is infected, hackers can intercept messages, including online banking one-time passwords (OTPs). Revive also enables attackers to steal login credentials since it can read and store everything the user types on the infected device. more

Luxury Jewelry, Anyone? Watch Out for Fakes

Scammers and counterfeiters are always on the lookout for quick gains. And the more expensive the fake item, the bigger the possible gain. It’s no wonder then why they’re looking to mimic the world’s most popular luxury jewelers. more

Koobface Makes a Comeback

The Koobface Gang gained notoriety from 2008 to the 2010s for spreading malware via Facebook and other social networks. Believe it or not, the gang amassed millions of dollars from their online scams while hiding in plain sight in St. Petersburg, Russia. After being publicly identified in 2012, the gang members shut down their operations. more

Unlike Its Namesake, Aoqin Dragon Isn’t Mythical

Aoqin Dragon, like the mythical character it's named after, has recently been unearthed after nearly a decade of flying under the cybersecurity community's radar. Now believed to have been active since 2013, the advanced persistent threat (APT) group has targeted various organizations in the government, education, and telecommunications sectors. more

Matanbuchus with Cobalt Strike: Not Your Favorite Combo

For US$2,500, threat actors can employ Matanbuchus, a malware-as-a-service (MaaS) package found delivering Cobalt Strike beacons through phishing and spam messages. Cobalt Strike is a powerful security tool that threat actors are increasingly using as a reconnaissance and post-exploitation weapon. more

DNS Business Impersonation Landscape Report – 2022 Edition

Threat actors are increasingly impersonating businesses in phishing attacks. In May 2022, 52% of business email compromise (BEC) scams impersonated third-party organizations, exposing businesses to supply chain attacks. more

Conti Ransomware: Still Alive and Kicking

Conti ransomware surfaced as far back as 2020. Believed to have been created by Russia-based cybercriminal group Wizard Spider, it has been involved in a multitude of double extortion campaigns over the years. more

Predator Surveillance Software May Not Be Lawful at All

As technology advances, so does the world of espionage. That has given birth to several companies, such as Cytrox, that specialize in creating spyware. Predator, along with other applications of its kind, has been advertised as legal spyware-for-hire. more

GALLIUM APT Group and Other Threat Actors in Disguise

Two cyber threats recently caught the attention of WhoisXML API researchers, primarily since parts of their infection chain hide behind legitimate services. This tactic is tricky for security teams because blocking the domains involved means blocking legitimate applications, too. more

Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign

Cyber attackers typically use newly registered domains (NRDs) in their campaigns to evade detection, particularly since the implementation of privacy protection in WHOIS records. But some also use aged domains like the SolarWinds hackers to render a sense of legitimacy to their pages. more

Phishers Are Impersonating Maersk: What Other Container Shipping Companies Are Targeted?

Phishing emails impersonating Maersk, one of the largest container shipping companies, targeted more than 18,000 people since the beginning of the year. The email address imitated the legitimate company’s email address but led to a phishing page designed to look like Maersk’s shipping portal login page. more

Careful, the Next Premium SMS Offer You Subscribe to May Be Malicious

Premium Short Message Service (SMS) abuse is no longer new. But it's pretty rare for such threats to rack up hundreds of dollars in additional phone bill costs for every victim each year. more

Father’s Day: Bad Guys’ Activities

Threat actors don't rest. Their malicious campaigns operate 24/7, especially when special occasions are approaching. Last May, we discovered over a thousand web properties related to Mother's Day, many of which either hosted questionable content or have been flagged as malicious. more

In the Market for a New Car? Beware Not to Get on the Phishing Bandwagon

In an earlier post, we looked at how cybersquatters took advantage of the popularity of seven car manufacturers to lure unwitting victims to fake sites. Since then, we were alerted to a phishing campaign this time targeting several German car dealers via age-old but still effective phishing. more

Blurring the Lines between APTs and Cybercrime: Cobalt Mirage Uses Ransomware to Target U.S. Organizations

In the past, security experts typically made a distinction between a cybercrime and an advanced persistent threat (APT). While cybercrime focused on obtaining financial gain, APTs trailed their sights on specific organizations, often to steal nation-state secrets. more

Online Shopping Danger? 13K+ Cybersquatting Properties of Top E-Commerce Sites Discovered

AliExpress is among the most visited business-to-customer (B2C) e-commerce sites globally, with millions of visitors daily. Therefore, a recent cybersquatting campaign targeting the platform could lure many victims into buying counterfeit products, divulging their login credentials, downloading malware, and many other actions that could jeopardize their data and devices. more

A Look into New Cybersquatting and Phishing Domains Targeting Facebook, Instagram, and WhatsApp

When Facebook changed its parent company name to Meta in October 2021, we detected more than 5,500 newly registered domains (NRDs) a week after the announcement. In more recent news, a judge dismissed the company's cybersquatting and trademark infringement case against Namecheap. more

Beware of Frappo and Related Cybersquatting Domains

There's a new phishing-as-a-service (PaaS) solution in town, and it's called "Frappo." This new phishing toolkit enabled threat actors to launch impersonation attacks on at least 19 companies in the financial, entertainment, and telecommunications industries. more

Cardano Joins the List of Favored Crypto Scam Targets

Twitter was recently abuzz with news regarding an ongoing Cardano scam via a downloadable phishing app. Posing as a giveaway promo, which is how cybercriminals have frequently been victimzing cryptocurrency owners these days, users who get tricked into downloading the rogue app end up with stolen credentials instead. more

These DeFi Domains Might Be Risky to Investors

Non-fungible token (NFT) companies like Dapper Labs and Yuga Labs were recently seen performing defensive domain registration. While this strategy is only a part of a broader brand protection program, large companies in other industries implement it as well. more

Website Defacement: Age-Old but Still Works as Ongoing Campaigns Show

Threat actors the world over have long been employing website defacement as a tactic to further their political, environmental, or even personal agenda. They essentially replace the content of target sites to display their messages through various means, including SQL injection, cross-site scripting (XSS), and other initial compromise techniques. more

Behind the Bylines of Fake News and Disinformation Pages

Fake news and disinformation have been significant issues for some time now, even urging the U.S. government to push back against proliferators who, some opine, do the malicious deed for political or financial gain. Amid this scenario, many have begun doubting what's real and what's not on the Web not just in the U.S. but worldwide. more

Threat Actors Might Be Interested in Elon Musk’s Twitter Purchase, Too

The Internet has been abuzz with talks about Elon Musk buying Twitter since he made an initial offer of US$44 billion on 14 April 2022. The even bigger news? Twitter accepted the offer despite some employees' qualms about Musk's future plans for the company. more

Through the Spyglass: NSO Group Spyware Pegasus in Focus

The NSO Group has been known for targeting dissident journalists and bloggers notably with its proprietary spyware Pegasus. In November 2021, for instance, Apple sued the NSO Group for its alleged surveillance and targeting of its device users. more

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long been employed as an effective cybersecurity solution to curb the spread of dangerous malware. Remember the infamous WannaCry ransomware outbreak in 2019? Security teams put a stop to the threat through sinkholing. more

We Don’t Want to Spoil Mother’s Day but These Domains Might

We're supposed to spoil our mothers on Mothers' Day, but with various scams out there, you may end up losing money or with a malware-infected device. WhoisXML API researchers found more than a thousand digital properties that could be used in Mothers' Day scams. more

Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues

On 9 March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added 98 indicators of compromise (IoCs) to their Conti ransomware alert page. WhoisXML API researchers examined these flagged domain names for recurring characteristics to uncover more artifacts. more

HermeticWiper: Another Threat Targeting Ukraine at Large

HermeticWiper, also known as "IsaacWiper" or "Sandworm," which wipes the data on computers, rendering them useless, has reportedly affected hundreds of Ukrainian users since it surfaced. While a few cybersecurity specialists have publicized indicators of compromise (IoCs) related to the ongoing campaigns, we found more connected web properties that users may need to steer clear of to avoid becoming the next victims. more

Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Operation Dream Job, a malicious group first seen in 2020, involves threat actors spoofing job hunting sites to lure people. It resurfaced in February 2022, this time exploiting a zero-day vulnerability in Google Chrome more than a month before the flaw was detected and a patch was made available. more

What Are the DNS Artifacts Associated With APT36 or Earth Karkaddan?

APT36 or Earth Karkaddan is an advanced persistent threat (APT) actor group targeting various government entities, most especially those based in India. The web properties they use for campaigns include only a few domains and IP addresses along with related malware hashes as indicators of compromise (IoCs). more

From Fake News Proliferation to Data Theft: Tracing the Red Cross Hack to a Misinformation Network

The International Committee of the Red Cross (ICRC) hack in January 2022 led to the compromise of the sensitive information belonging to 515,000 people. While no indicators of compromise (IoCs) relevant to the attack have been publicized, a security researcher did expose a possible link to an Iranian misinformation network. more

Behind the Innovative Marketing Rogue Scareware Distribution Network

Cybercriminal network Innovative Marketing made headlines in rogue scareware's heyday. Between its founding in Kyiv, Ukraine, in 2009 and the three years it continued operating, the company reportedly amassed close to US$700 million in revenue. more

WhoisXML API Introduces Data Streaming as a Delivery Model

In addition to batch data feeds, real-time APIs, and web-based GUIs, WhoisXML API now delivers domain intelligence through data streaming. With the new delivery model, the company provides the data to users as soon as they are made available and processed at an interval of 1 hour or less. more

Be Wary of Bogus Web Properties This Tax Season

The U.S. tax season began when the Internal Revenue Service (IRS) started accepting and processing 2021 tax returns on 24 January 2022. The deadline is set for 18 April 2022, and taxpayers expect to receive email notifications regarding penalties, refunds, and other tax-related issues more

Are Cybersquatters Going After the Car Manufacturing Sector?

Distinguishing properties added by the companies themselves is an essential part of this study. If the legitimate company owns the domains and subdomains, they have control over these assets. Otherwise, the digital properties can be considered rogue that can be potentially used in brand abuse, phishing campaigns, and other malicious activities. more

The Oscars and Suspicious Web Activity: What’s the Link?

It's not unusual for movies, actors, and actresses to serve as lures in cyber attacks. Our recent post on "Spider-Man: No Way Home" proved that. Phishers and other threat actors will, unfortunately, try to capitalize on anything that's bound to get a lot of user attention. And the annual Oscar Awards is no stranger to such a scenario. Just last year, in fact, hackers used nominated films as phishing baits. This year may be no different. more

DHL Was the Most-Phished Company in 2021, Will That Be True in 2022, Too?

Checkpoint researchers identified DHL as the most-imitated brand in phishing campaigns at the end of 2021. We sought to find if that will remain the case this year by looking at various intelligence sources. more

2022 Olympic Winter Games: Prime Ground for Phishing Lures?

Threat actors have notoriously taken advantage of the Olympic Games's popularity to launch malicious campaigns. The "OlympicDestroyer" malware was most notable, using a domain related to the Pyeongchang 2018 Winter Olympics. But the COVID -- 19 bubble in the 2022 Olympic Winter Games may have increased the danger. more

Malicious Valentine: Uncovering Thousands of Connections to Romance-Themed Campaign IoCs

Romance-themed malicious campaigns are launched throughout the year, but days leading up to Valentine’s Day could be particularly timely for such activities. more

The Irony: Data Privacy Sites Bring Risks Instead of Protection

Many countries celebrate Data Privacy Awareness Week every last week of January. Each year, the National Cyber Security Alliance (NCSA) makes it a point to remind users about the importance of keeping their digital data safe from all kinds of threat actors. In fact, they commemorated this year's Data Privacy Awareness Week with various events. more

Exploring BlackTech IoCs Reveals Hundreds of Artifacts in 2022

BlackTech, an APT group known for cyber espionage activities targeting Asia, was recently detected using a new malware called “FlagPro.” NTT Security named some indicators of compromise (IoC) related to the new campaign, including five IP addresses and two subdomains. more

REvil Ransomware: What Can We Learn from Published IoCs in 2022?

Ransomware has been one of the biggest threats to Internet users the world over since the malware first surfaced. REvil was one of the most notorious ransomware variants of 2021, pushing the U.S. Department of State to offer a US$10 million reward to anyone who can name and locate REvil gang leaders and up to US$5 million for any of their affiliates in November. more

65,000+ NFT-Related Domains and Subdomains: Possible Vehicles for NFT Scams?

Non-fungible token (NFT) scams can come in various forms, but one thing is sure: the threat actors behind them often use domain names, fake websites, and phishing emails. more

Illegally Streaming “Spider-Man: No Way Home” Could Be Hazardous to Your Computer

Given the dangers that COVID-19 poses to people's health and the emergence of new variants every so often, it's easy to see why avid moviegoers would resort to streaming instead. But while they may indeed be avoiding the disease, their attempts to download pirated movies is not only illegal -- it could put their computers at risk. more

New Zloader Campaign: Where Do IoCs Lead Us?

Zloader, a banking malware that steals sensitive user data, is back with a more sophisticated infection chain. It evades detection while exploiting Microsoft's digital signature verification method. more

Gift Cards, Anyone? Watch Out for Fraud and Malware Hosts

Giving gifts the whole year round is normal, but a whole boatload of presents are bought and sold most especially during Christmas and holiday seasons. The end-of-year holidays, unfortunately, also usher in the greatest number of gift card scams. But the world's biggest brands are no longer newbies to the threat, which is why Amazon, iTunes, and Target, among many others, have put up pages where scam victims can report malicious sites and pages. more

Log4j Vulnerability: What Do the IoCs Tell Us So Far?

A zero-day vulnerability found in Log4j, a logging library commonly used in Java, was detected on 9 December 2021. The vulnerability known as "CVE -- 2021 -- 44228" or "Log4Shell" enables attackers to execute codes and access all data on an infected machine remotely. more

“Nickel” APT Group: What We Found About Microsoft’s Latest Domain Seizure

Threat actors reportedly attacked 29 government agencies worldwide in a recent malicious campaign. The attacks were attributed to China-based advanced persistent threat (APT) group Nickel, which has been known to trail its sights on governments and nongovernmental organizations (NGOs) across Europe, the Americas, and the Caribbean. more

Are Mypressonline.com’s Free Subdomain Creation Services Being Abused?

It’s not uncommon to see free web hosting providers get abused as part of phishing campaigns. IBM X-Force Exchange, in fact, published three indicators of compromise (IoCs) related to such an incident. more

What WHOIS History Reveals about 3,800+ Verified Phishing Hosts

The ability to retrieve historical WHOIS information can be essential for the cybersecurity community, particularly when it comes to threat hunting and cybercrime investigation. This investigative capability is highlighted in our latest downloadable white paper "Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts" where we analyzed thousands of verified phishing hosts and their historical WHOIS records. more

Telcos Are on Phishers’ Radar, Who Is at Risk?

The November 2021 PhishLabs Quarterly Threat Trends & Intelligence Report indicated the finance, social media, and telecommunications industries as phishers’ most targeted sectors. Last month, we analyzed a squatting campaign targeting U.S. Bancorp to determine if other banks were at risk, this time we’ll look into the top 3 phishing industry target – telecommunications. more

Locky Ransomware: Still a Threat as List of IoCs Grows

Locky has been around since 2016, contributing to the total amount lost to ransomware worldwide, which has to this day reached US$20 billion in the U.S. alone. It usually gets delivered to users’ computers via emails with malicious attachments in the form of macro-laden Word documents. more

Facebook Is Now Meta, Will Threat Actors Ride the Wave?

Facebook CEO Mark Zuckerberg, on 28 October in Connect 2021, introduced Meta, which will be Facebook’s parent company, along with the organization’s various apps and technologies. According to Zuckerberg, "Meta’s focus will be to bring the metaverse to life and help people connect, find communities, and grow businesses." more

Are Banks and Their Customers Once Again at Risk of Typosquatting Woes?

A typosquatting campaign targeting U.S. Bancorp was uncovered a few weeks ago, potentially posing a threat to the financial institution and its customers. As of this writing, four domains and their IP resolutions were identified as indicators of compromise (IoCs). more

Insurance Companies Are The Target of Recent Cybersquatting Campaigns

An ongoing cybersquatting campaign targeting MetLife, a global insurance company, was reported by IBM Exchange X-Force, listing 12 malicious domains. We dug deeper into the campaign as part of our goal to expand lists of indicators of compromise (IoCs). more

Are Cybersquatting Campaigns Targeting Airlines Taking Off?

Details about an ongoing cybersquatting campaign targeting Turkish Airlines were recently unveiled, naming 13 malicious domains connected to the threat. As one of our primary goals is to expand published lists of indicators of compromise (IoCs), we dug deeper into the campaign to determine if the threat is confined to Turkish Airlines or if other industry players are at risk as well. more

DNS Record Contents: Are Organizations Giving Away More Than They Should?

There are several directions an organization can take when naming critical digital properties. A classic tactic is using a common theme, such as pet names, planets, or colors. A CTO suggested naming database nodes after “Game of Thrones (GoT)” characters. Taking this route makes for an obscure naming system that would be difficult for third parties to guess. more

Exposing an Active Kaseya Ransomware Attack Infrastructure

Kaseya, an IT solution developer targeting managed service providers (MSPs) and enterprises, became a victim of a massive ransomware attack last July. While the company’s CEO said that less than 0.1% of its clients were affected, the fact that it mostly served MSPs, the data belonging to as many as 1,500 small businesses could have been compromised. more

Exposing Rogue Free VPN Users – An OSINT Analysis

According to recent research conducted by DNS Threat Researcher Dancho Danchev, the National Security Agency (NSA) seemingly runs a free VPN domain portfolio to lure malicious users and learn more about their Internet activities. more

Upcoming Hollywood Movie Releases and Domain Registration Trends, Is There a Connection?

It’s not uncommon to see news stories that blame piracy or prerelease leakages for poor movie revenue turnouts. We’ve seen that happen over time with movies like “X-Men: Origins Wolverine,” “Star Wars: Episode III: Revenge of the Sith,” and “Expendables 3.” more

An Analysis of the Gaming Industry’s Domain Attack Surface

The videogame industry has outperformed the movie and North American sports industry in 2020, and market experts expect the trend to continue on in 2021. So reports about the increasing cyber attacks targeting the said industry is not surprising as threat actors tend to go after lucrative targets. more

Phorpiex Botnet Extortion: DNS Facts and Findings

The Phorpiex botnet has been operating for years now. It first focused on distributing old-school worms that spread via infected USB drives or through chats that relied on the Internet Relay Chat (IRC) protocol. more

Beyond Hafnium Attacks: An Expansion of IoCs Related to 3 APT Clusters

The Hafnium attacks targeting Microsoft Exchange Server vulnerabilities triggered several cybersecurity investigators and researchers to hunt for other threat actors that use similar attack methods. Among them is the Cybereason News Network. more

Credential-Hinting Domain Names: A Phishing Lure?

As an attack vector, phishing has had several underlying purposes – e.g., delivering malware, stealing sensitive information, and defrauding victims. However, it looks like most phishing emails could be used to obtain user credentials according to the 2021 Annual State of Phishing Report by Cofense. more

What Are the Internet Domains Connected to the Conficker Botnet?

Conficker gained prominence back in 2008, when it was then considered possibly the most widespread worm affecting millions of Windows computers worldwide. For several years, the worm, also known as "Downup," "Downadup," "Downad," or "Kido," was the top malware infector. more

Investigation of an Iranian Misinformation Network: Are Some IRGC Domains Still Up?

June 2021 saw the U.S. Department of Justice (DOJ) shutting down and seizing several websites believed to be involved in misinformation campaigns. These websites published news-related content and seemingly had connections to Irani governmental entities. In fact, some of them were found to be the property of the Iranian Islamic Radio and Television Union (IRTVU). more

WhoisXML API Launches White-Label Brand Monitor to Make Brand Protection More Accessible

WhoisXML API recently launched a while-label variant of its Brand Monitor solution so more organizations can offer domain brand protection and marketing services using their own label. more

Are Companies Doing Enough to Tackle CEO Impersonation on the DNS?

A recent study of CEO impersonation showed that phishing in its various forms is a threat not just to the world's top companies but also to the top CEOs. more

What’s the Domain Attack Surface of the Top 10 Most Impersonated Brands in Q2 2021?

Domain attack surface discovery is an incessant quest for domain and subdomain names that could be used as attack vectors. The larger its attack surface, the more vulnerable an organization tends to be. On the other hand, the more attack vectors discovered, the higher the chances of mitigating cyber attacks. more

Domain Research Suite (DRS) Is Now Available as a White-Label Version

The Domain Research Suite (DRS) has been helping organizations search for relevant domain data and monitor web properties and registrants of interest for years now. To continue to support this effort, a white-label version of DRS is now available to vendors so they can help their own roster of clients improve their brand protection strategies, among other use cases. more

Could the LGBTQ Community Be a Target of Internet Threat Actors?

Pride month is celebrated worldwide. While it's meant to be a time of celebration for members of the LGBTQ community and their families and supporters, its popularity has also made it a possible target of cyber threats. In this post, we look at potentially dangerous Internet properties that have been registered both recently and over the years. more

Uncovering Office 365-Related Artifacts with IP and Domain Intelligence

While Office 365 is one of the most prevalent office suites out in the market today, its users can't rest easy. Cybercriminals and threat actors will always find ways to abuse the most popular brands in various ways. more

The Joe Biden-Kamala Harris Tandem’s Effects on Domain and Subdomain Registrations

It has been months after Joe Biden and Kamala Harris took office as president and vice president of the U.S., respectively. And since that time, they were naturally featured in most news outlets. What we wanted to know, though, is how all the attention has been affecting the domain registration world. more

Zero-Trust Implementation Using WHOIS, IP, and DNS Data

The U.S. government released the Executive Order on Improving the Nation's Cybersecurity in May 2021, highlighting the rationale of a zero-trust security approach. While the order only covers the government's digital infrastructure, this initiative could also serve as a catalyst for more robust global cybersecurity. more

Analyzing Recently Discovered Windows 11-Themed Assets

The release of a new application or operating system (OS) is typically greeted by enthusiasm, diverse opinions, and potential threats. Windows 11's case is no different as we identified various assets that could be misused on the Internet. more

WhoisXML API Upgraded Its Web Categorization Engine

Web categorization engines and related tools are built to help organizations classify websites they do business or generally interact with. WhoisXML API's Website Categorization API and Website Categorization Lookup used to classify websites into 25 possible categories. more

Liberty Front Press Network: An IoC Enrichment & Threat Intelligence Analysis

Liberty Front Press is a fake news network that has been operating since Trump's administration and was said to be designed to leverage liberal resentment against the former U.S. president while promoting pro-Iranian foreign policy narratives via social media. more

Are There More Properties Connected to the Pareto Botnet?

The Pareto botnet, known for using almost a million infected Android devices to spoof people seemingly watching ads on smart TVs, was reportedly taken down recently through the collaboration of industry players, notably Roku and Google. more

A Look Back at the 2016 U.S. Elections-Related Attacks

The 2016 U.S. elections sparked a lot of controversies, as several law enforcement agents and security researchers believed countries like Russia may have greatly influenced its turnout. We sought to find out more about it via an OSINT analysis using various domain and IP intelligence tools. more

WhoisXML API Enriches Its DNS Database Download Capabilities

WhoisXML API's repository of historical Domain Name System (DNS) lookup records continues to grow in volume and coverage. The DNS database download service has recently been expanded to now include six types of DNS databases. more

A Glimpse of Big Telcos’ Domains and Subdomains Footprints

Telecommunications companies are a favored cyberattack target. After all, telcos build, control, and operate critical infrastructure that almost everyone uses to communicate. They also store large amounts of sensitive data that could easily be exploited when falling into the wrong hands. more

Emotet Botnet Reconnaissance: What’s the Latest?

Emotet traces its origin as far back as 2014, when its simplest form as a banking Trojan first made the headlines. Over the years, its creators have constantly improved the malware, a popular malware-as-a-service (MaaS) offering in cybercriminal underground fora. more

Top Music Streaming Services: What’s Their Potential Domains & Subdomains Attack Surface?

Content streaming services are no stranger to cyberattacks, and the recent Spotify squatting campaign reported by IBM X-Force Exchange is proof of that. Spotify, however, is not alone on the boat, as many other streaming services have fallen prey to attacks over the years. more

More from DarkSide? We Ran an Analysis of Additional Identified Artifacts

On 14 May 2021, Analyst1 security researchers released a detailed report on the DarkSide cybercriminal gang, which is believed to be responsible for ransomware attacks targeting the Colonial Pipeline. Part of the report was several indicators of compromise (IoCs), specifically 41 malware hashes, two domains, and three IP addresses. more

ZeuS, Still Alive and Kicking in the Form of Jabber ZeuS?

ZeuS malware traces its origin as far back as 2006, when it was used to steal victims' online banking credentials. In 2011, its source code was leaked on a file-sharing site and quickly spread throughout various underground fora. more

Why Are Seemingly Intranet Pages Exposed on the Internet?

Intranets are by definition meant for internal use only -- employee communication, content management, and the like. They are part of the Deep Web where search engines can't index sites, and unauthorized people shouldn't be able to access them. more

Uncovering More Artifacts Related to the Endless Mayfly Disinformation Campaign

Many reports have released indicators of compromise (IoCs) regarding the Endless Mayfly disinformation campaign. But for those who don't know what it is, Endless Mayfly uses fake social media accounts and media websites to spread false information that has to do with U.S., Israel, and Saudi Arabia relations. more

Given a Malicious Email Address, What Can You Discover with Maltego’s WhoisXML API Transforms?

On any given day, most of us get more emails that we won't read than those that we would. Many of these messages will remain unread and sent to the trash. There comes the third category of emails: Those we wished we hadn't read and acted upon because they are bound to be malicious, sent by cybercriminals trying to lure you into one of their scams. more

Crypto-Related Domains and Subdomains: What’s Underneath the 30K of Them?

Cryptocurrencies keep making waves in the online community, making them prime vehicles of threat actors in scam, phishing, and other malicious campaigns. Fraudsters, for one, have stolen millions of dollars worth of cryptocurrencies from investors through websites that promise rewards, giveaways, and earning opportunities. more

Looking Into the Latest Microsoft Exchange Server Vulnerability Exploitation

A threat actor reportedly infiltrated the network of and stole data from a financial institution about a month ago by exploiting any of four Microsoft Exchange Server vulnerabilities -- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, or CVE-2021-27065. While patches for all these have been released, users who have not downloaded and installed these could remain at risk. more

Hidden Botnet C&C on Legitimate Infrastructure? The Case of 000webhostapp[.]com

Threats can come from anywhere, even from legitimate hosting infrastructure. In fact, many cybercriminals often host their command-and-control (C&C) servers in known hosting providers' networks, sometimes those that offer bulletproof hosting services, to evade detection and consequent blocking. more

A Deep Dive into Known Magecart IoCs: What Are the Connected Internet Properties?

Magecart-style attacks have been around for a while and continue to be mentioned in the news in 2021. We found and collected a list of 20 domain names that have been mentioned in the past months on VirusTotal as Magecart indicators of compromise (IoCs). more

COVID-19-Related Bulk Domain Registrations: A Possible Case of DNS Abuse?

Addressing Domain Name System (DNS) abuse has been a priority of the Internet Corporation for Assigned Names and Numbers (ICANN), notably since March 2020. During its 70th conference, the organization's members talked about creating a web page defining DNS abuse-related terms, which should be updated over time, to help users report cases. more

“Voltswagen”: April Fool’s Prank, Brand Turmoil, and Bulk Domain Registrations

The accidental leak of Volkswagen's new name that turned out to be an April Fool's prank made headlines. Some were relieved that it was just a marketing stunt, while others cried foul. But those in the field of cybersecurity became more curious. What did the cyber world look like during the supposed leakage until the announcement that it was a prank? more

What Are the Common Forms of Bulk Domain & Typosquatting Registrations?

Typosquatting can enable a variety of cyber threats that include but are not limited to phishing, malware-enabled attacks, and vulnerability exploitation. In a nutshell, the attackers can rely on the technique to mimic legitimate solution and service providers' domains to trick users into thinking they are getting update notifications from their vendors, for example, when they are actually not. more

We Detected and Analyzed Thousands of CCTV-, Firewall-, and SCADA-themed Domains & Subdomains

Did you know that a comprehensive subdomain database can give you 69,383 fully qualified domain names (FQDNs) with the string "firewall," 241,654 FQDNs for "cctv," and 19,048 FQDNs for "scada"? That data can give cybersecurity researchers possible starting points for an article or even a full-blown research paper. more

Come April, Nothing Is Certain Except Phishing and Taxes

In the past years, threat actors have made it a point to prey on U.S. taxpayers using phishing emails supposedly from the Internal Revenue Service (IRS). The goal is often to trick victims into giving their login credentials to various platforms. This year is no different. more

Expanding the List of Artifacts for the Recent JPMorgan Chase Squatting Campaign

On 13 March, IBM X-Force Exchange published nine artifacts -- three domain names and six IP addresses -- related to a squatting campaign targeting JPMorgan Chase and its stakeholders. We dug deeper into the list in hopes of publicizing additional artifacts that users may need to be wary of. more

An In-Depth Look at the Risks Kozow.com Subdomains May Pose to Internet Users

Kozow[.]com hosts the website of free dynamic Domain Name System (DNS) service provider Dynu Systems. It has been cited for ties to several malicious activities over the past few months. To see if it would be a good idea for organizations to consider blocking the domain from their networks, we collated a list of kozow[.]com subdomains and subjected them to deeper scrutiny. more

How Do You Choose the Best Threat Intelligence Platform for Your Company?

Experts often say every cyber threat intelligence team needs a threat intelligence platform, but what is it really and how do you choose the best one for your company? Andreas Sfakianakis, in his recent SANS Institute CTI Summit 2021 talk titled "Excelling at Threat Intelligence Platform Requirements," inspired us to take a deeper look. more

Keeping Track of Ramnit through Artifact Expansion

Ramnit stands out as a malware as it continues to evolve and requires cybersecurity experts and law enforcement agents to stay alert. Variants have been recently detected, so that security companies such as Prevailion advise organizations to keep Ramnit on their radar. more

A List of Potential Attack Artifacts for the Top 3 Phished Brands in 2020

In a recent study INKY subjected around 657 million emails in 2020 and found almost 5 million phishing campaigns, more than 590,000 of which were brand impersonations. It then came up with a list of the top 25 most phished brands in a 2021 report. more

A Look at Recent Attacks on K-12 Distance Learning Providers Using Domain Intelligence

As early as December of last year, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) received reports of several cyber attacks targeting K-12 distance learning institutions. more

SolarWinds Cyber Intel Analysis Part 2: A Look at Additional CISA-Published IoCs

A few weeks back, we added unpublicized artifacts to the list of indicators of compromise (IoCs) published by both FireEye and Open Source Context back in December 2020. Some would have thought that would put a stop to the havoc the SolarWinds threat actors have been wreaking, but the group targeted Malwarebytes just recently according to a company report. more

How to Monitor IP Netblocks for Possible Targeted Attacks

A couple of weeks back, a security researcher alerted his LinkedIn contacts about possibly ongoing targeted attacks stemming from the Iranian subnet 194[.]147[.]140[.]x. He advised cybersecurity specialists to watch out for subnets that may be threatful and consider blocking them. This post encouraged us to look into the subnets and details our findings using IP Netblocks WHOIS Database. more

Boosting Domain Protection Strategies with Typosquatting Domain Intelligence

An enterprise's domain portfolio continues to change as it offers new products and services or withdraw old ones. Mergers, acquisitions, and buyouts would also affect its domain portfolio. Constant monitoring of one's domain portfolio and its related infrastructure is crucial in today's cybersecurity landscape. more

Enriching Know-Your-Customer (KYC) Practices With IP Intelligence

Know-your-customers (KYC) policies aim to minimize the risk of money laundering, bribery, and other types of fraud. While it was originally implemented in financial institutions, companies outside the financial sector have adapted KYC with digital transactions as the primary driver. These days, the approach is enforced by virtual asset dealers, nonprofit organizations, and even social media companies. more

Post-Riot Domain Registration Trends: Findings From Tracking Trump-Related Domains and Subdomains

The U.S. Capitol riot on 6 January 2021 was an unexpected event following the 2020 U.S. elections. The incident also made headlines worldwide, prompting us to track the registration trend for Trump-related domains and subdomains. We also looked into two domains for Trump's e-commerce stores that Shopify shut down. more

Blind Eagle Targeted Attack: Using Threat Intelligence Tools for IoC Analysis and Expansion

Blind Eagle is a South American threat actor group believed to be behind APT-C-36 and that has been active since at least 2018. It primarily targets Colombian government institutions and large corporations in the financial, petroleum, and professional manufacturing industries. more

Cyber Threat Intel Analysis and Expansion of SolarWinds Identified IoCs

The SolarWinds hack affected several government agencies and tech companies in the U.S. and worldwide. The sophisticated malware attack is believed to have compromised the trusted IT management software as early as March 2020 but only came to light in December. more

Enriching Intrusion Detection and Prevention Systems with IP and Domain Intelligence

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), collectively called "intrusion detection and prevention systems (IDPSs)," monitor network traffic to stave off unauthorized access. Roughly speaking, an IDS detects possible malicious network activities, while an IPS stops malicious traffic from entering and possibly damaging a network. more

Threat Intel Expansion on Cosmic Lynx BEC Campaign’s Recorded IoCs

Why go after individuals when you can get greater rewards by zooming in on more lucrative targets like large multinational corporations (MNCs)? That's the premise behind the Cosmic Lynx business email compromise (BEC) campaign that brought several MNCs, many of which were Fortune 500 or Global 2000 companies, to their knees. more

QAnon and 8Chan Digital Footprint Analysis and Investigation Expansion

In October, Brian Krebs reported that several websites related to 8Chan and QAnon went offline, albeit only briefly. That happened when the entity protecting them from distributed denial-of-service (DDoS) attacks, CNServers LLC, terminated its service to hundreds of Spartan Host IP addresses... more

Attack Surface Discovery: A Review of FINRA-lookalike Domain and Linked IoCs

More recently, phishers used a Financial Industry Regulatory Authority (FINRA) look-alike domain in an attempt to breach several of its members' networks. Tasked to oversee 624,000 brokers in the U.S., attacking FINRA's clientele could yield a hefty sum should phishing email recipients fall for the ruse. more

A Brief OSINT Analysis of Charming Kitten IoCs

Charming Kitten is a cybercriminal group believed to be of Iranian origin, which was first seen in 2014, but had been active for years after the initial detection. The group use an intricate web of methods such as spear phishing and impersonation. more

Revisiting APT1 IoCs with DNS and Subdomain Intelligence

Cyber espionage is a type of cyber attack that aims to steal sensitive and often classified information to gain an advantage over a company or government. The 2020 Data Breach Investigations Report (DBIR) revealed that several hundreds of incidents across industries in the previous year were motivated by espionage. more

Dark Caracal: Undisclosed Targeted Attack IoCs Can Pose Risks

Targeted attacks are known as some of the most destructive cyber attacks in that they zoom in on organizations that either provide critical services or have massive user bases. more

How Much of a Fortune 500 Company’s Digital Footprint Can Be Publicly Attributed to It?

Not all of the domains that contain a company's brand are under its control. A portion of them - sometimes even the vast majority -- is typically registered by unidentifiable third parties with masked WHOIS records. Arguably, WHOIS redaction might also be preferred by the companies themselves for privacy purposes. But to which extent is this the case? more

A Look Into Tor Nodes’ Locations and ISPs with IP Intelligence

The Tor Project has been synonymous with the Deep Web, as it is a primary method by which users can access hidden portions of the Internet. Besides traffic encryption, an additional feature that gives Tor users anonymity is that their network traffic passes through several nodes, making the real source unidentifiable. more

What Subdomains Lookup Revealed About Thousands of Microsoft-Related Subdomains

Microsoft is among the most imitated brands globally. Running the company's popular product and service names, such as LinkedIn, Office365, and Windows, on a subdomains lookup tool, we uncovered 7,900 related subdomains. more

Thousands of Government-Related Subdomains Revealed in Subdomains Search

Elections and other events related to the government typically drive a great amount of Internet activity. Considering the domain name space, we found 4,197 subdomains related to the U.S. elections and the government in general. more

Attack Surface Analysis: Most Blacklisted IP Addresses Scrutinized

The attack surface of every Internet user gets wider every day, but it doesn't mean there's nothing that can be done about it. For one, analyzing possible attack vectors, such as suspicious or malicious domain names and IP addresses, can help with attack surface management. more

Attack Surface Analysis of 3 Social Media Giants

Cybercrime is first and foremost financially motivated. Cybercriminals look for lucrative targets, including social media networks with hundreds of millions of monthly active users. We put this perspective to the test by analyzing the domain attack surface of three of today's largest social media platforms. more

Third-Party Vendor Risk Management: A Look into Top Couriers’ Digital Footprint

Just as no man is an island, no company can perform core functions without other organizations' help. This fact is highlighted in today's age of outsourcing, partnership, and third-party connections. Unfortunately, threat actors have also found a massive opportunity in these relationships. more

Attack Surface Reduction: Scrutiny of the Top Payment Processing Companies

Almost every transaction on the Internet is riddled with risks, and the use of online payment processing platforms is no exception. With more people opting to transact online and use digital wallets, threat actors have much to gain by targeting online payment processing platforms. more

Enriching IP Blacklists Using a Reverse IP/DNS Database

Every organization faces two kinds of cyber threats daily - "known" and "unknown" ones. Known threats are those that security experts have discovered, often published in blogs and major news outfits with accompanying indicators of compromise (IoCs). Unknown threats, meanwhile, are those that remain hidden to victims and researchers. IoCs for these have yet to be identified and disclosed. more

Beefing Up Third-Party Risk Management with Reverse DNS Search

Most businesses rely on third-party entities to outsource certain functions, save on costs, and strengthen their cybersecurity capabilities. While working with external providers makes perfect business sense, it also poses cyber risks. more

Strengthening Brand Protection with Subdomain Lookups: A Short Study

Threat actors usually ride on a brand's popularity to make phishing campaigns believable. A common approach involves registering typosquatting domains that closely resemble those of the legitimate owners. Yet monitoring typosquatting domains may just be the tip of the iceberg in the fight against phishing. more

Attack Surface Monitoring: Two Ways to Detect Phishing Subdomains

Phishing attacks' success can be partially attributed to threat actors' use of branded domain names, including both legitimate and misspelled variants. It's no wonder, therefore, that blacklisting sites like PhishTank provide users a way to search phishing URLs by target brand. more

Not All VPN Users Are Worth Trusting, a Lesson for Cloud Service Providers

Virtual private networks (VPNs) are widespread; about a third of the Internet population uses them worldwide. Their primary reason? VPN usage touts more secure browsing. more

Gathering Context Around Emotet, Trickbot, and Dridex C&C Servers with Bulk IP Geolocation

Dridex, Trickbot, and Emotet are banking Trojans that have enabled cybercrime groups to steal hundreds of millions of dollars from their victims. These malware have evolved over the years, and just recently, Emotet was seen using stolen attachments to make their spam emails more credible. more

Augmenting Digital Risk Protection with Threat Intelligence Sources

The world continues to produce and consume digital content at an increasingly fast pace across channels - making risk exposure continuously greater in the process. To tackle this problem, digital risk protection allows organizations to address digital risk factors and monitor and reduce their attack surface. more

Threat Intelligence Feeds in the Fight against Insurance-Themed Cyber Attacks

Threat actors are seasoned posers. They often pose as bank employees, police officers, or court officials. A coronavirus-themed campaign even had them posing as the Director-General of the World Health Organization (WHO). Insurance companies are also increasingly targeted, which can be attributed to the ongoing global health crisis. more

WHOIS History Footprint Tells Us More about the Man Behind the Biggest BLM Scam

In 2018, the biggest scam that banked on the Black Lives Matter movement was exposed. An Australian National Union Workers official named Ian Mackay was allegedly behind the Black Lives Matter Facebook page that garnered more than 700,000 followers and racked over US$100,000 in donations. more

100K+ List of Disposable Email Domains Under Security Analysis

Disposable email addresses are quite widespread and for different reasons. Some people believe that using throwaway or temporary email addresses helps them protect their privacy. Others, however, use these in more questionable endeavors - hence the relevance of monitoring disposable email domains. more

Detecting Possible Domain Generation Algorithm-Related Threats Using Typosquatting Data Feed

Domain generation algorithm (DGA) is used to generate several domain names commonly used for command-and-control (C&C) servers in malware attacks. The logic behind a domain name generation algorithm is quite simple. Instead of hard-coding the domain or IP address into the malware, the malware finds its C&C under a domain with a seemingly random name. more

Subdomain Lookup as Part of Cybersecurity Best Practices

Threat actors are always on the lookout for potential ways into target networks. And although the cybersecurity world has a lot on its radar already, subdomains are entry points that are not always easy to identify and may end up overlooked. more

Using WHOIS History and Other Intelligence Sources for Establishing Potential Attack Surfaces

Cyber attacks can come from practically any angle, and more often than not, it's hard to see them coming without knowing all there is to know about a domain's WHOIS history and connected domain entities. Several aspects come into play in this scenario, one of which is old and forgotten pages on a website. more

DNS Records Lookup of “Walmart Drive-In Movie Theater” Domains Indicates Likely Typosquatting

People may not yet be keen on going to movie theaters due to COVID-19. As such, drive-in movie theaters have become more prominent as these help implement social distancing measures. more

What a WHOIS Registrant Lookup Can Tell about “Kanye West” Newly Registered Domains

Kanye West trended after he announced his plan to run for U.S. president on 4 July 2020. On Twitter, his announcement was liked over 1.1 million times and retweeted more than 500,000 times. Elon Musk was also quick to express his support. more

Host to IP and DNS Analysis of Dozens of Fortnite-Inspired Typosquatting Domains

Captain America arrived on Fortnite in time for the 4th of July celebration. This announcement was big news to the gaming community, with search terms such as "fortnite captain america skin" and "fortnite captain america" significantly rising in popularity on Google in the past week. more

Bulk Domain Lookup of 3,000+ NRDs with “Deal” Word Strings Appearing Days before July 4

The U.S. Independence Day comes with both fireworks and the best deals. On this holiday, retailers usually offer big discounts. At this time when people may opt to shop online, several publications like TechRadar and Business Insider even curated a list of 4th of July deals from different retailers. more

Bulk WHOIS Lookup of Florida SMMC Lookalike Domains Shows Signs of Typosquatting

A bulk whois lookup of domain names similar to the official website of the Florida Statewide Medicaid Managed Care (SMMC) Program -- www[.]flmedicaidmanagedcare[.]com -- indicates that a typosquatting event, or a cybersquatting one at the very least, might be at play. more

Hundreds of Election-Related Domain Names Seen as 2020 U.S. Elections Nears

Even as the world continues to tackle the coronavirus pandemic, essential events just can't be delayed. The U.S. presidential elections will continue to take place on 3 November 2020. more

Upward Trend Seen in “All Lives Matter,” “BLM,” and “Protest” Domain Registrations

George Floyd passing away while being arrested in Minneapolis, Minnesota, sparked several Black Lives Matter (BLM) protests worldwide. The protests started on 26 May, a day after Floyd's death, spanning states and even countries within a few days. more

Punycode Phishing: Internationalized Domain Names Remain a Threat in 2020

Back in 2018, investigative journalist Brian Krebs warned against the nuances of internationalized domain names (IDNs). These domains, which contain non-Latin characters but appear to do so, can be used to create visual confusions that can become particularly handy in executing credible punycode phishing campaigns. more

WhoisXML API Detects Hundreds of Microsoft-Inspired Typo Domains

Microsoft is among the top technology companies globally and so is in critical need of brand protection. The company name already figured in many phishing campaigns, including Microsoft Office 365 that has been abused several times in business email compromise (BEC) scams. more

Typosquatting Data Feed Can Enhance Lloyds Bank’s Typosquatting Protection

Typosquatting are among the cybersecurity threats that deserve a closer look in the financial sector. In fact, the early detection of typosquatting domains can help financial institutions maneuver away from cyber risks that could cause much damage. But to what extent is this the case? more

60+ PayPal Potential Typosquatting Domains Detected in the Beginning of June

PayPal is still one of the most imitated brands on the Internet. From 1-8 June 2020, the Typosquatting Data Feed detected a total of 64 PayPal lookalike domains. more

Typosquatting Domains Every AppleID Owner Should Avoid

On 29 April 2020, IBM X-Force warned users of an AppleID typosquatting campaign specifically targeting members of the media sector. We sought to dig deeper into these threats and find other relevant domains and IP addresses that users, regardless of industry, may need to steer clear of. more

Typosquatting Protection: A Look into Instagram-Themed Domain Names

On Instagram's Help Center, there are sections solely dedicated to Intellectual Property. The social media giant also provided avenues for reporting account impersonation and trademark violations. more

Investigating Typo Domains Beyond Credit Suisse’s Spying Scandal

In 2019, Credit Suisse was hit by a spying scandal that quickly spiraled into several things - a public confrontation, a resignation, and a death. Iqbal Khan, the bank's former head of wealth management, confronted a private investigator on the streets on 17 September after noticing that someone was following him. more

IP Geolocation Intelligence: An Aid Against Location-Based Threats?

Cybercrime is borderless. Just like marketing teams use location-based targeting to create a deeper connection with customers through content personalization, cybercriminals adjust their attacks to exploit their victims' fears. more

Newly Registered Domain List Shows Recent Registrations Continue to Pose Cybersecurity Risks

Analysts and researchers have advised to be wary of newly registered domains (NRDs) for several years. Back in 2019, it was even suggested that 70% of new domain registrations are malicious. We keep identifying many suspicious newly registered domains in our Newly Registered & Just Expired Domains database even today, many of which are related to current world events such as the spread of COVID-19. more

How to Avoid Phishing Campaigns Targeting CARES Act Recipients

Amid the spread of COVID-19, the world continues to suffer dire health and economic consequences. To help, national governments have released funds to support companies and laid-off employees. more

Newly Registered Domains Database Shows Threat Actors Exploit the Need for N95 Masks amid the Pandem

As the coronavirus infection toll continues to rise, many countries are scrambling to get their hands on medical-grade N95 face masks. A commodity that once only served a purpose in specialized sectors such as healthcare has become a premium product demanded by the public. more

Domain and IP Intelligence Checks Following the Launch of the COVID-19 Solidarity Response Fund

COVID-19 caught everyone by surprise. No one thought a virus could inflict so much damage to the global economy, but it has. As thousands of businesses closed shop and millions of employees lost their jobs, governments and international organizations alike sought to provide financial assistance to the severely affected. more

Under the Hood of 3M- and 3M Mask-Themed Recently Registered Domains

The rapid spread of COVID-19 had people scrambling to protect themselves. Among different means of protection, besides imposed community quarantines and social-distancing measures, it has been widely recommended to purchase reliable surgical masks and respirators. Mass demand for such products quickly led to a shortage in different parts of the world. more

Domain Intelligence Shows Cybercriminals May Abuse Video-Conferencing Services’ Brand Names

As a huge chunk of the world's population is staying at home because of social distancing measures, video-conferencing businesses saw an opportunity to expand their freemium offers. more

Even for Available Domain Names, There Is No Leaving WHOIS History to Chance

A lot of thinking and energy often goes into finding the "best" Internet domain name for a new brand, product, or service. So, isn't it wonderful when the perfect match turns out to be available right away for purchase with any big registrar? more

Addressing Business Email Compromise in the Time of Coronavirus with Email Validation

Cybercriminals know no boundaries. While the world battles the COVID-19 pandemic, threat actors continue to attack businesses that may already be suffering from operational setbacks. more

Brand Monitor and Typosquatting Data Feed: Two Assets to Support Spear-Phishing Prevention

Spear-phishing email attacks pose a significant challenge to most organizations. A successful attempt can cost a company an average of US$1.6 million per incident. more

What Cyber Threat Intelligence Tools Can Reveal about a Targeted Attack

Targeted attacks are considered insidious digital threats as they may lead to debilitating data breaches with substantial financial repercussions. Apart from money lost to theft, victims may shed even more resources as they face expensive lawsuits, hefty fines, and settlements for failing to comply with data privacy regulations in addition to reputational damage. more

Looking Into a Possible Coronavirus-Themed Survey Scam Turning Out to Be a False Positive

Having crossed the two-million mark in coronavirus infections worldwide, citizens from all nations are facing a difficult time. Sadly, cyber threats and attacks currently spreading online are making the situation worse. more

Coronavirus: Cybersecurity Implications and Fraudulent Infection Maps

The world has been on edge for the past weeks as many nations enforced mass quarantines amid the continued rise in the number of Coronavirus-infected patients. As a result, about a third of the global population is staying at home to avoid further spread of the virus, and people have been relying on online channels to stay updated. more

How to Maintain Your Website’s Network Reachability with DNS Lookup Solutions

If you sometimes lose your temper because a website isn't loading fast enough, you're not alone. Slow websites are not only annoying; the consequences for website owners can also be far-reaching. more

3 Ways a DNS Lookup Tool Can Help Prevent DNS Attacks

The Domain Name System (DNS) is a crucial element of the Internet and a foundation of networking. Every organization going online uses the DNS. more

Getting Rid of Bad Hosts with WHOIS and Reverse IP Lookups

As stewards of the Web, Internet infrastructure providers are often held accountable for ensuring the safety of users. Sadly, the recent spate of high-profile security incidents shows that this is not an easy task. more

How a Passive DNS Database Can Help Improve Cyber Resilience

As cyber-attacks become more robust and sophisticated every day, the world of cybersecurity saw the need to shift. Hence, cyber resilience became the new norm. Cyber resilience bases itself on the fact that cyber risks are no longer just IT risks but also business risks. more

Preventing Media Theft with an IP Geolocation Database

Since time immemorial, entertainment companies always had to contend with content theft. Bootleggers are nothing new in the industry, and their ways have evolved much along with technology. more

Beefing Up Trademark Monitoring with Domain Brand Monitoring Solutions

Thousands of trademark infringement cases get heard every year -- some of which are more unexpected than others. For instance, let's take a look at one that originates in the world of fiction. Like SpongeBob himself and Patrick, the Krusty Krab has been a centerpiece in the "SpongeBob SquarePants" cartoon series and movies. more

2 Ways Content Filtering With Website Contacts and Categorization Can Help Businesses

The business world has seemingly divided views on content filtering. Some say that the tactic is too restrictive, while others opine that it can help in a lot of ways. Building on the latter perspective, in an age when the Internet has become a breeding ground for almost anything. more

Using Email Validation Tools to Stop Malspam Campaigns in Their Tracks

Melissa, what many consider to be the first malspam campaign, emerged in 1999. Once successfully installed, the "mass-mailing" virus forwarded copies of itself to the first 50 email addresses on a victim's contact list. While the malware wasn't as dangerous as current variants, it could still effectively max out network resources, resulting in downtime. more

How to Build an Attack Profile with WHOIS Database Download as a Starting Point

Fighting cybercrime is a never-ending battle. As threat actors continue to craft different ways to attack and scam their target victims, companies need to build their security arsenals to fight against all kinds of threats. What's more, an effective way to achieve cyber resilience is by getting to know the enemy and build attack profiles. more

Prevent Network Users from Visiting Fake Domains and Settlement Pages with WHOIS Lookups

Typosquatting is a malicious tactic that cyberattackers employ to entrap users who mistype web addresses on their browsers. Often, mistyped domain addresses redirect to copycats of legitimate sites and are owned by threat actors. more

How IP Geolocation Lookups Help Thwart Cyber Attacks

Cyber attacks can hit any organization and even derail its operation on a grand scale. Just recently, ISS World, a facility management service provider with clients in more than 70 countries worldwide, released a statement where it mentions being the victim of a malware attack. more

Why Typosquatting Protection Is a Must for Settlement Pages

The Telephone Consumer Protection Act (TCPA) is a federal statute that restricts telemarketers from making automated and unsolicited calls as well as sending faxes and messages to people. Affected individuals may choose to file a complaint and collect a minimum of US$500 for each illegal communication received. more

Phishing Attacks Still Haunt Banking Institutions: How Can Domain Reputation Checks Help?

Phishing attacks continue to post an upward trend. Over the years, phishers have improved their methods, using very convincing domains to bait victims into their schemes. more

How to Protect Your Brand with WHOIS-Powered Domain Brand Protection Solutions

Most businesses know the importance of protecting a brand. But, only a few of them understand that protecting their online properties is just as central to their brand-protection strategies. more

Using WHOIS Domain Lookup Tools to Identify Malicious Domains and Prove Misuse

Presumptive conclusion or inference suggests that a piece of evidence is authentic based on other facts recognized by the law. When law enforcement and cybersecurity researchers investigate cases, they come across strong evidence that may be insufficient on their own to implicate a victim or move a case forward. more

Fight Against Phishing: Email Address Verification as a Cybersecurity Process

Phishing keeps making much noise in the realm of cybersecurity, and not in a good way. A majority of cyber attacks start with a phishing email, making the tactic responsible, at least partially, for close to 90% of data breaches. more

How to Avoid IP Spoofing with a Reverse IP Address Lookup Service

IP spoofing is a cyberattack technique that entails using a device or a network to fool users into thinking the attacker is part of a legitimate entity. Often, cybercriminals use this method to access computers in a target network to obtain sensitive information, turn systems into zombies, or launch a denial-of-service (DoS) attack. more

Online Brand Protection Tips with Domain Brand Protection Software

The more popular a brand is, the more customers buy its products. That same popularity makes it a lucrative target for infringers to sell counterfeits. As such, it has become a must for global brands to use brand protection software to make sure their reputation and consumers do not suffer. more

What Services Should Be Part of Your Domain Brand Protection Strategy?

Gone are the days when a single department in an organization shouldered the responsibility for a company's brand protection strategy. A research paper that discussed the future of online brand protection shows that inter-department involvement, starting with the board's approval and support, down to the implementation of the strategy by different departments, is required. more

The Perils of Typosquatting: The Likely Targets and the Price They Pay

Typosquatting is also known as "URL hijacking," and for good reason. Just as hijackers unlawfully seize a vehicle, typosquatters take over a domain name and use it for malicious activities. more

Domain Squatting Disputes: How WHOIS Lookup Tools Can Help

Reverse domain name hijacking (RDNH) can be considered a severe threat to any honest-to-goodness small business or your average website owner. more

Post-GDPR WHOIS Domain Search: Are Cybercrime Investigations More Difficult to Do?

One of the first go-to resources for law enforcers and cybercrime investigators is the WHOIS database. WHOIS domain search tools such as WHOIS Lookup provide rich information about a particular domain name or IP address. more

How to Avoid Fraudulent Classifieds Sites with WHOIS Domain Name Search Tools

When visitors fail to recognize that the site they visit is a fraudulent copy of that of a famous brand, they can expose themselves to cybercrime and other attacks. As part of these attacks, typosquatting is a common technique that hackers use to lure victims. They create websites that very closely resemble that of the brand they are trying to hijack so the victims would not have a clue that it is fake. more

How Domain Reputation API Can Help Detect HTTPS-Protected Phishing Sites

Over the past five years, the Internet has seen the mass migration of websites from HyperText Transfer Protocol (HTTP) to its extension, HTTP Secure (HTTPS). HTTPS is a communication protocol that encrypts the data exchanged between sites and user agents. more

How to Avoid Fake Product Support Pages with WHOIS API’s Help

Sometimes, seeing several permutations of a famous company's domain names is not just a mere coincidence. Often, these are typosquatting attempts. They are not merely a nuisance, either, because clicking such a URL can have severe effects. more

How to Safeguard Against Domain Look-Alikes with Domain and Brand Monitoring Services

Should organizations need to worry about domain look-alikes? The answer is, unfortunately, yes. Threat actors often impersonate popular brands and domains to lure users into visiting malicious pages and divulging their personally identifiable information (PII). more

Reverse Domain Hijacking and the Use of WHOIS and Domain Brand Monitoring Tools

In a Uniform Domain-Name Dispute-Resolution Policy (UDRP) case, the complainant usually has to prove three elements to win. Failing to satisfy these evidentiary requirements can render the case not only null and void, but the panel may also consider it as a reverse domain name hijacking (RDNH) instance. more

Addressing Cybersquatting Dangers Using Brand Alert API and WHOIS Lookup

While other organizations also hear Uniform Domain Name Dispute Resolution Policy (UDRP) cases, the World Intellectual Property Organization (WIPO) is the largest. more

Fake Airline Ticket Scams: Domain Spoofing and Other Red Flags

The holidays are a bustling time for businesses and, unfortunately, fraudsters too. Travel fraud is rife in the lead up to the festivities, with airline ticket scams taking center stage. According to a report by The Street, airlines lose US$2.4–4.8 billion yearly due to false bookings. Consumers, meanwhile, lose US$283–588 per transaction. more

Take Brand Protection Up a Notch with Domain Research and Monitoring Tools

Cybersquatting is likely one of the oldest digital threats out there, but somehow, it still works. The first cybersquatting case filed after the implementation of the Uniform Domain Name Dispute Resolution Policy (UDRP) involved the domain worldwrestlingfederation[.]com. more

Mitigating Phishing Attacks on Cloud/File Storage Services through Domain Reputation API

Moving more workloads to the cloud has become a top priority for enterprises. Some 96% of organizations are, in fact, already using cloud computing in one or more areas of their business. Cloud computing benefits enterprises in many ways, but perhaps the driving force behind the increased cloud adoption is this: Organizations that use cloud services grow faster. more

Taking a Closer Look at Reverse Domain Name Hijacking (RDNH) with WHOIS Search and Brand Monitor

The World Intellectual Property Organization (WIPO) recorded a 12% increase in Uniform Domain-Name Dispute Resolution Policy (UDRP) cases filed in 2018. In fact, WIPO saw a total of 3,447 cases that covered 5,655 domain names. What this implies... more

Legal Services as a Phishing Target: How Domain Reputation Checks Can Help

The legal sector has become a favored target of phishing campaigns. 80% of law firms reportedly received phishing emails in 2018. And in 2017, the success of these phishing campaigns was 300% higher than in 2016. more

Reverse Domain Name Hijacking: What It Is and How to Avoid It through a Domain Availability Check

Deciding on a domain name is both an exciting and challenging task that every website owner must undertake. A good domain name must sound interesting and be easy to remember while echoing the nature of the business. more

The Need for Email Address Verification in Light of Subpoena-Themed Phishing Attacks

At the most basic level, the Internet consists of interconnected networks that communicate using standard protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS). As such, it is built on trust or an honor system – trust that routing requests received from another network are valid, and the traffic sent in response to requests is legitimate. more

How Threat Intelligence Software Can Help Prevent Breaches Caused by Server Misconfigurations

Early this month, the Gekko Group, an AccorHotels subsidiary erroneously uploaded more than 1TB of confidential information on a publicly accessible cloud-based server. This error led to the exposure of tons of data owned by its partner hotels' clients, travel agencies, and customers. more

The Louisiana State Ransomware Attack: Enhancing Cyberdefense with Reverse IP Address Lookup

An attempted ransomware attack on some Louisiana state servers caused the state's cybersecurity team to shut down their IT systems and websites. Governor John Bel Edwards, however, emphasized that not all of the state's servers were affected. more

The Orvis.com Data Leak: A Short Investigation Using WHOIS Information

On November 11, news about the massive data exposure of the clients of Orvis, a 163-year-old retailer, made headlines. Some of the company's login credentials were posted online... With over 80 retail stores, 10 outlets, and hundreds of independent dealers worldwide, we believe potential attackers could get their hands on millions of customer data. more

Investigating Domain Abuse Complaints with Brand Monitoring Software

Cybersquatters can pose severe risks for brands, so it's good news when a company wins against them. Home Box Office, Inc. (HBO) recently won its case in a domain dispute for TrueDetective.com. The titular show has a huge cult following, which explains why someone may want to leverage a domain name around it. more

How Reverse WHOIS Search Can Help Protect Against MegaCortex and Other Ransomware

Earlier this week, a new variant of MegaCortex ransomware was found encrypting files and changing victims' passwords on Windows-based computers. Victims who fail to pay the ransom were as usual threatened that their personal data would be released. How does the attack work? more

The Web.com Data Breach: A Quick Investigation with Domain Reputation Lookup

On 16 October, Web.com – the world's oldest domain name provider and owner of Network Solutions, NameSecure, and Register.com – disclosed a major breach resulting in the leakage of its customers' personally identifiable information (PII). more

Do Security Service Providers Need Their Own Data Scientists?

In a world where society is driven by information, data science has gained solid ground over the past years for its ability to separate the wheat from the chaff. Its predictive power is now being explored in the context of cybersecurity. After all, efficient threat protection requires gathering and interpreting the enormous amounts of traffic generated to and from one's network. more

SOAR Versus SIEM: The Fundamental Differences

Security orchestration, automation, and response (SOAR) and security information and event management (SIEM) tools share several components and so most security operations teams use the terms interchangeably. more

Being Cybersecure Is Not Enough, Become Cyber-Resilient Instead

Technology, for its immense evolution, has now become a significant driver of the economy – both digital and global. Along with developments and innovations such as cloud-based computing and Internet-connected mobile devices, however, cybercrime lurks in the shadows. more

Can Security Analytics Combat Digital Fraud with IP and Domain Name Monitoring?

For several years, digital security relied on a simple strategy – gain insight from past events, learn from them, and base security protection accordingly. more

Alleviating the Constant Clash Between DevSecOps and DevOps Teams

One of the main struggles of organizations is streamlining processes through cost-effective means. This problem is adequately addressed by DevOps, a set of processes that aims to unify development and operations. more

Moving from the Castle-and-Moat to the Zero-Trust Model

The traditional notion of the security perimeter is growing increasingly problematic in the wake of highly publicized attacks. The perimeter is becoming nonexistent, as cloud-based infrastructures replace legacy systems. more

What to Look for in Digital Forensics and Incident Response Experts

While it's true that the lines between cybersecurity roles have become blurred, some have more significant barriers to entry. The field of digital forensics and incident response (DFIR), in particular, is an altogether different beast. more

Why IT Security and DevOps Teams Are Often at Odds

Achieving an ideal organizational network means seamless development, operations, and security. Knowing and achieving that, however, is a great challenge. more

Mitigation and Remediation: Where Threat Intelligence Fits In

Mitigation and remediation are two words thrown around a lot in cybersecurity, often, interchangeably. While there exists a stark contrast between one and the other, both play a crucial role in security service providers' risk-related decisions. more

4 Cybersecurity Jobs Created in Response to Evolving Threats

Emerging malicious threats are driving the demand for new cybersecurity experts. The rise of ransomware and machine learning (ML)-driven attacks underscores the importance of having the capability to track and prepare to combat such threats. In response, the profession had to adapt quickly by employing staff with the necessary offensive and defensive skills. more

Carpet-Bombing Attacks: A Rising Threat to ISPs

News of a South African ISP's two-day outage sent the industry abuzz last month, highlighting the need for improved distributed denial-of-service (DDoS) attack mitigation. more

How Threat Intelligence Prevents Nameserver Takeovers and Their Far-Reaching Damage

In an ideal world, administrators should never run across threats to their web properties. However, human errors and vulnerabilities inevitably get in the way of cybersafety. Managed Domain Name System (DNS) providers, registrars, and services can sometimes put users at immense risk as well. more

Information Rights Management or User Access Management, Which One Is Better?

The current security landscape calls for intensive monitoring and analysis to effectively identify possible threats to applications, systems, and infrastructure. With millions of threats discovered monthly, security experts must revamp and update their cybersecurity measures and tools. more

Blacklisting or Whitelisting, Which Is Better?

Organizations in the cybersecurity industry must make crucial decisions to ensure they do the job right. One of these decisions includes whether to use blacklisting or whitelisting. more

Online Streaming: Boon or Bane to the Media Industry and Digital Rights Management?

Copyright infringement laws have become less effective due to the ease of sharing content over the Web. Music streaming services, for example, have increased music consumption and the overall industry revenue, but it also has lessened album sales and song downloads. more

Why Companies Should Strive to Stay on Google’s Good Side

Imagine that your registrar informs you the domain you've been eyeing would soon become available for purchase. That's good news. However, your security adviser told you to make sure a domain is threat-free before you buy it. more

Can Domain Blacklisting Be Avoided?

If we're to sum up what any domain owner would want to avoid, it would be ending up in anyone's blacklist. Domain blacklisting has detrimental consequences for any business. Actually, it can have the same or similar negative brand effects as you'd see in the aftermath of a data breach or PR incident. more

How to Stay Safe Against DNS-Based Attacks

The Domain Name System (DNS) plays an essential role in resolving IP addresses and hostnames. For organizations, it ensures that users reach the proper sites, servers, and applications. While it's a fundamental base for a functioning Web, the problem is that this system can easily be abused. more

Procuring Digital Evidence for Reverse Domain Hijacking Case with Domain Research & Monitoring Tools

Reverse domain name hijacking is a shady practice that some individuals and organizations carry out. It occurs when a trademark owner makes false claims in an attempt to gain control of a domain that someone else owns. more

The Importance of Predictive Analytics and Machine Learning in Cybersecurity

Experts in the realm of cybersecurity are continually trying to keep up with the changes in the threat landscape. Even with advanced tools on hand, any IT security professional knows that a data breach can happen at any time. more

IP Geolocation: Improving Data Loss Prevention in Virtual Environments through Geofencing

Each day, threat actors search for targets whose assets they can compromise for personal gain. Their attacks often use exploit kits that can find gaps in networks that they use to infiltrate and compromise vulnerable systems and applications. more

Thoughts and Recommendations on Addressing Vulnerability Exploitation

Cybercriminals aren't always as creative as we think they are. There is a myth about them having a never-ending supply of techniques and tricks up their sleeves. However, many can't be considered as innovators in their shady field. more

Can IP Geolocation Contribute to Detecting Online Credit Card Fraud?

The problem of credit card fraud is not set to be resolved anytime soon. On the one hand, detecting and preventing the artifice is one of the most challenging aspects of e-commerce. more

Is Blocking via IP Geolocation the Answer to Preventing DDoS Attacks?

If there's anything we learned about the threat landscape, it's that none of us are safe from malicious actors. Becoming a victim is not a matter of "if" but "when." Enterprises are now aware that the thought of being "too big to fail" is no longer applicable. more

Common Threats That Can Be Overcome by Email Verification

One of the most effective and prevalent ways to reach someone in today's business world remains email. With billions of users worldwide, it is the backbone of business communications. more

How IP Netblocks Data Can Enrich SIEM Software

There's no denying the fact that many enterprises worldwide use security information and event management (SIEM) software. These products collect, analyze, and create reports on cybersecurity data from the range of systems an organization uses. Some SIEM programs are even capable of stopping attacks in progress as soon as these are detected. more

Domain & IP Intelligence: An Advantage to Managed Detection and Response

Outsourcing may not always have had the best connotation. In the context of cybersecurity, however, the activity is a vital one and often even the only real alternative for many small- and medium-sized organizations. more

How to Address Blended Threats with Domain Data

Fighting off individual threats is challenging enough, but things get complicated, and the results more damaging when organizations face blended threats. The practice of combining security threats such as malware and attack vectors confounds if not overwhelms victims, making them easy prey. more

Website Categorization: Enhancing URL Filtering for MSSPs

Although the Internet offers many opportunities, it also comes with a wide variety of issues. Cybercrime is rampant, and not knowing how to navigate the Web safely can lead to severe consequences. Phishing is one of the top concerns for enterprises. And managed security service providers (MSSPs) have decided that URL filtering is one way to resolve the issue. more

Should Cybersecurity Teams Consider Next-Generation Firewalls?

Cyber attacks and hacking methodologies are growing in complexity over time. This concern has led many enterprises to look toward more advanced capabilities to enhance their cybersecurity. One solution they have found is utilizing next-generation firewalls. more

How Website Categorization Technology Can Assist MDR Teams

The threat landscape is more complicated than it was before. Many organizations are thus starting to weigh their options on how to protect their data best. Amid the persistent cybersecurity skills shortage, companies are wondering if they should turn to outsourced services. more

Can Website Categorization Support Fraud Monitoring?

Detecting and preventing fraud have become in-demand over the years. As such, expectations from fraud solution providers have gone up as well. more

The Growing Need for Managed Detection and Response Services

A recent prediction from Cybersecurity Ventures states that the cybersecurity sector is going to have as many as 3.5 million unfilled positions by the year 2021. That is why managed detection and response (MDR) services are now more important than ever. more

Fraud Protection Measures Against Malicious New Domains

Many domain names are registered each day and so become part of the Domain Name System (DNS). In fact, research shows that at least two new registrations are seen per second. Although most of these are done for commercial and other legitimate purposes, not everyone who registers a domain has good intentions. more

How SIEM Vendors Can Reduce False Positives from Their Products

Organizations operating a security information and event management (SIEM) solution are struggling with one of the biggest problems in cybersecurity today: false positives. more

Why Suspicious Email Addresses Must be Verified

Has the world moved on from email marketing? Some might think that email has got nearly obsolete with the rise of social media channels and all the buzz about virtual reality, machine learning, and chatbots that abound. more

Gaining Transparency Across the Web with a Bulk WHOIS API

In this article, let's take a look at several use cases for the API and talk about why you should start employing it today. more

Why Organizations Should Care about Threat Intelligence Today

Threat intelligence is the cornerstone of a mature cybersecurity plan. Staying abreast of the emerging threats and knowing where and when your adversaries are about to strike is a crucial aspect in building organizational cyber defenses. more

WHOIS Database Download Services in Theory and Practice

Let's start this post on WHOIS database download services with a story. Meet James, a businessman who has just taken an important step in developing the digital presence for his small business by registering a domain name. more

Why You Should Pick the Best WHOIS Database Download to Safeguard PII

Data, due to increased accessibility and interconnection, has been making the World Wide Web go round. Without your log-in credentials, you can't check your email, see what your friends and family are up to on social media, listen to music or watch movies and your favorite shows on streaming services, book a ride, shop for groceries, or do online transactions. more

Reverse WHOIS: A Powerful Process in Cybersecurity

The future continues to look bleak as the total amount lost to cybercrime is expected to keep growing. It will, in addition, put incentives for innovation and investment at risk, making cybercrime more profitable than ever. more

5 Reasons Why Businesses Must Do Email Verification

Everything important in business needs to be adequately maintained for effective long-term operations. This includes relationships with customers, employees, and partners as well as IT systems and equipment. more

IP Geolocation: How to Locate and Stop Phishing Threats

The web has made the world a smaller place by reducing the relevance of location. How so? Anyone, no matter where they are, can now reach out to anyone else with useful information ranging from breaking news events to commercial proposals. more

Cybercrime Innovation: Tackling Emerging Threats and Vulnerabilities

What keeps CISOs up at night? For hundreds of senior company leaders across countries and industries, the steady growth of cybercrime is one of their biggest concerns. Consequently, organizations spend more money than ever to mitigate the risks and consequences of data breaches, despite a new wave of attacks being on its way as we speak. more

Threat Intelligence: Understanding Adversaries and Threats

This quote from The Art of War could not be more relevant when we think of today's digital battlefield: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." more

SSL Configuration Analysis: What Is It? Why Does It Matter?

Anyone interested in starting doing business online should have a few essential things ready before rushing head-on, including a memorable name and a potentially profitable business model. more

The Roots of WHOIS and Its Applications: 3 Fundamental Questions

Journalists, brand specialists, cybersecurity researchers... Everyone wants answers on who does what online, so where can you get the clues you seek? WHOIS data, alongside its databases and related products, can help you find out who's behind the most notorious websites - and possibly the shadiest ones as well. more

Why Your Company Needs to Use Cybersecure IP Geolocation APIs

All entrepreneurs typically have a single goal in mind - ensuring their company's success -- and that means reaching and getting as many customers as possible. Nowadays, that translates to taking advantage of the data that GPS-enabled devices provides. more

3 Ways to Combat Phishing in 2019

Just when we thought that phishing has run out of its bag of tricks, hackers are changing their tactics. Whereas before the attacks could be generalized and random, this time, they are more targeted, tailored, and personal. What are crooks up to? more

Domain Research and Monitoring: Keeping an Eye on the Web for You

Maintaining an online presence isn't as simple as choosing a name, putting it up, and waiting until things turn out well. Once you're out there, you have to keep an eye on your domain and what's happening around because not doing so could put you at a disadvantage or even in danger. more

How the Best IP Geolocation API Can Support Cybersecurity Efforts

Cybersecurity is pretty much a game of "hide and seek" - cybercriminals hide, cybersecurity teams seek -- and the damage is often based on how long the perpetrators are able to continue their attacks without being found. more

WHOIS History API: Powering Domain Investigations

The Internet is like a beach - you will most likely leave behind footprints while you are there. And these impressions can be traced back to whoever left them. The same is true with domain ownership. That website name you plan to launch your next venture on? Its domain may have a history of its own. more

The Era of Malware: 3 Techniques to Detect and Stay Protected

A while back, creating malicious software was sort of a hobby for programmers. It was hardly ever used to make money, but more of a way to show off what one can do with a computer. more

Domain Reputation API: Scoring High Points for Deliverability and Security

As scary as it may seem, everyone is a target on the Web. Worse, your susceptibility to cyber attacks, when not promptly addressed, marks you not just as a target but can even lead others to consider you as a threat. more

4 Professions Leveraging WHOIS to Stay Ahead

Who are the entities behind the domains on the Web? This question has nothing to do with stalking but is critical for various business activities. Domainers, for instance, want this information to negotiate lucrative purchases while journalists might need it to set up interviews or get leads during investigations. more

A Quick Guide to Understanding IP Geolocation API

Do you know where your online customers are? Can you tell whether the right users in your network are all authorized to access its content? Are you able to detect and block suspicious traffic and devices? more

A Snapshot of the Fundamentals of Threat Hunting

Like it or not but the face of cybersecurity has changed over the past few years and while conventional approach has taken a back seat lately, non-traditional methods are coming to the rescue. more

Cybersecurity on the Clock: How to Run More Timely and Efficient Operations

A career as an information security analyst is one of the top technology jobs nowadays and for a good reason. Billions of dollars are spent every year to fight cybercrime, and companies are now willing to pay top rates for the best talent available. more

Marketing and Media Teams Can Streamline Their Services With WHOIS Databases

The world of marketing and media isn't a walk in the park. The teams working in those departments are always on the move continually looking for ways to improve their strategies. A WHOIS database can prove useful for them in many ways. Read on to find out how. more