On 13 March, IBM X-Force Exchange published nine artifacts—three domain names and six IP addresses—related to a squatting campaign targeting JPMorgan Chase and its stakeholders. We dug deeper into the list in hopes of publicizing additional artifacts that users may need to be wary of.
Via reverse IP/DNS searches, we obtained a list of 79 domains that resolved to two of the IP addresses on IBM's list: 192[.]64[.]119[.]61 (the address chaselocked23[.]com resolved to) and 192[.]64[.]119[.]166 (the address secure07o-chase[.]com resolved to). We then compared the WHOIS record details of these 79 domains with those of the two IoC domains using Bulk WHOIS Lookup. The chart below shows their similarities.
A total of 52 domains shared both the registrant country and the privacy protection service provider of the two IoCs. Only one domain shared the IoCs' creation year, but 11 were updated in the same year as the IoCs. Finally, 65 domains shared the IoCs' registrar.
Of the 79 domains identified with the help of passive Domain Name System (pDNS) and WHOIS data, 52 shared the IoCs' registrant country, seven each were registered in the U.S. and Canada, and the registrant countries of the remaining 13 were undisclosed.
While a majority of the 79 domains (52) shared the IoCs' privacy protection service provider, WhoisGuard, Inc., seven were under Contact Privacy, Inc., two had a publicly viewable registrant name or organization, and the remaining 18 did not list a provider, if they used one at all.
Of the 79 domains, only one shared the IoCs' creation year. The rest were spread across years between 2001 and 2020: 22 domains were created in 2020; 16 in 2019; 10 in 2018; eight in 2014; three each in 2017 and 2015; two in 2016; and one each in 2013, 2012, 2011, 2007, 2006, and 2001. The remaining eight domains' creation years were undisclosed.
While only 11 of the 79 domains shared the IoCs' update year (2021), the update dates of the rest also clustered recently: a majority (42 domains) were updated in 2020, two in 2019, and three in 2018. The remaining 21 domains did not disclose their update dates.
As a final step in expanding the list of published IoCs, we consulted typosquatting data feeds for January and February 2021, since the campaign used newly registered domains (NRDs), a common threat actor tactic for evading detection, blocking, and identification. We wanted to see how many more JPMorgan Chase look-alike domains were bulk-registered and could figure in similar attacks in the future.
A search for the string “chase” in the January enriched data feed led us to a total of 69 bulk-registered domains. Of these, only 12 are publicly attributable to JPMorgan Chase. The rest were spread across various privacy-protection service providers, including WhoisGuard, Inc. (8) and Contact Privacy, Inc., PrivacyGuardian.org, and Whoisprotect.cc (4 each). The remaining 37 left their registrants undisclosed.
For the month of February, we saw 140 domains, none of which are publicly attributable to JPMorgan Chase. Of these, 79 were spread across seven privacy-protection service providers, namely, 1&1 Internet Limited (23 domains); Whoisprotection.cc (19); Contact Privacy, Inc. (16); WhoisGuard, Inc. (9); Domain Euy (6); Private by Design LLC (5); and Whois Privacy Service (1). Two publicly disclosed their registrants, while the remaining 59 did not.
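The two pivots described above, the WHOIS attribute comparison against the IoC records and the brand-string search over a domain feed, can be scripted so that a reverse-IP or NRD list is triaged consistently. The following is an added example written for this post, not the authors' tooling or a WhoisXML API product; the two IoC domain names are the ones named above, but their WHOIS values and every domain in the pivot list are constructed sample data (the pivot domains use the reserved .example TLD), and the digit-for-letter substitution table is an assumption. It goes slightly beyond the post's plain substring search by normalizing hyphens and common digit substitutions before matching the brand string.

```python
"""Added example: score pivot domains by WHOIS overlap with known IoCs and
flag brand look-alikes. Sample records below are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

BRAND = "chase"
# Assumed substitution table: digits squatters commonly use in place of letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
FIELDS = ("registrar", "registrant_country", "privacy_provider", "created_year", "updated_year")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: Optional[str] = None            # None == redacted / not disclosed
    registrant_country: Optional[str] = None
    privacy_provider: Optional[str] = None
    created: Optional[date] = None
    updated: Optional[date] = None


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'secure07o-chase' for 'secure07o-chase.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_brand(domain: str, brand: str = BRAND) -> bool:
    """Brand match after dropping hyphens, undoing digit substitutions and
    stripping any other non-letters, so 'cha5e-alerts' and 'secure07o-chase' hit.
    Substitution widens recall and can add false positives; treat hits as leads."""
    label = registrable_label(domain).replace("-", "").translate(LEET)
    return brand in re.sub(r"[^a-z]", "", label)


def features(rec: WhoisRecord) -> dict:
    """Flatten a record into the attributes the post compares (years, not full dates)."""
    return {
        "registrar": rec.registrar,
        "registrant_country": rec.registrant_country,
        "privacy_provider": rec.privacy_provider,
        "created_year": rec.created.year if rec.created else None,
        "updated_year": rec.updated.year if rec.updated else None,
    }


def shared_ioc_features(iocs) -> dict:
    """Attributes on which every IoC agrees and that are not redacted;
    only those are meaningful pivots."""
    feats = [features(r) for r in iocs]
    shared = {}
    for f in FIELDS:
        vals = {x[f] for x in feats}
        if len(vals) == 1 and None not in vals:
            shared[f] = vals.pop()
    return shared


def overlap(rec: WhoisRecord, shared: dict) -> list:
    """Names of the IoC-shared attributes this record matches; redacted never matches."""
    mine = features(rec)
    return [f for f, v in shared.items() if mine[f] is not None and mine[f] == v]


def tally(records, shared) -> Counter:
    """Per-attribute count of pivot domains sharing it with the IoCs (the post's chart)."""
    counts = Counter()
    for r in records:
        counts.update(overlap(r, shared))
    return counts


def triage(records, shared, brand: str = BRAND) -> list:
    """(domain, brand_lookalike, n_shared, shared_attrs), strongest leads first."""
    rows = [(r.domain, looks_like_brand(r.domain, brand), len(overlap(r, shared)), overlap(r, shared))
            for r in records]
    return sorted(rows, key=lambda t: (t[1], t[2]), reverse=True)


# Constructed IoC records: real domain names from the post, assumed WHOIS values.
IOCS = [
    WhoisRecord("chaselocked23.com", "Registrar A", "PA", "WhoisGuard, Inc.", date(2021, 2, 20), date(2021, 3, 1)),
    WhoisRecord("secure07o-chase.com", "Registrar A", "PA", "WhoisGuard, Inc.", date(2021, 2, 22), date(2021, 3, 2)),
]
# Constructed pivot set standing in for the reverse-IP / NRD results.
PIVOTS = [
    WhoisRecord("cha5e-alerts-verify.example", "Registrar A", "PA", "WhoisGuard, Inc.", date(2021, 1, 15), date(2021, 1, 15)),
    WhoisRecord("hosting-panel.example", "Registrar A", "PA", "WhoisGuard, Inc.", date(2020, 6, 1), date(2020, 6, 1)),
    WhoisRecord("myshop-online.example", "Registrar B", "US", None, date(2014, 3, 3), None),
    WhoisRecord("chase-support-desk.example"),   # fully redacted WHOIS
]

if __name__ == "__main__":
    shared = shared_ioc_features(IOCS)
    print("shared IoC attributes:", shared)
    print("tally:", dict(tally(PIVOTS, shared)))
    for row in triage(PIVOTS, shared):
        print(row)
```

A fully redacted record scores zero on every attribute, which is why the brand check is kept as a separate signal: a look-alike with no WHOIS overlap is still worth a manual look, while a high-overlap domain with no brand string may simply share a bulk registrar and privacy service with thousands of benign names.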
It is common practice for domain squatters and threat actors to prey on big brands and reputable institutions for their gain. Looking at typosquatting data feeds and WHOIS and pDNS records can be good starting points to identify domains warranting further investigation.
If you are interested in the complete list of artifacts we uncovered for this post or would like to collaborate on similar research, feel free to contact us.