Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the original investigations available here, which led to the creation of this post.

On any given day, most of us get more emails that we won’t read than those that we would. Many of these messages will remain unread and sent to the trash. There comes the third category of emails: Those we wished we hadn’t read and acted upon because they are bound to be malicious, sent by cybercriminals trying to lure you into one of their scams.

We’ve encountered a couple of email addresses that belonged or were connected to known cybercriminals. Using them as pivot points on Maltego with WhoisXML API transforms, we expanded the digital footprints of the perpetrators of cybercrime.

Data Set

Hundreds of email addresses confirmed belonging to cybercriminals and money mule recruiters were gathered. These include the following whose footprints (connected domains and IP addresses) were expanded via Maltego with WhoisXML API transforms.

• nick2chocolate@hotmail[.]com
• silver[.]root@yahoo[.]com
• akaminosky@yahoo[.]co[.]uk
• mail@yahoo[.]com
• shwark[.]power[.]andrew@gmail[.]com
• hilarykneber@yahoo[.]com

Discoveries Using Maltego with WhoisXML API Transforms

Each of the six email addresses cited above to Maltego-WhoisXML API transforms to determine connected domains and IP addresses if any. We used the Historical Reverse WHOIS Search transform and found that the email addresses had connections to a total of 22 domains. Below are Maltego graphs showing the connections found.

nick2chocolate@hotmail[.]com

silver[.]root@yahoo[.]com

akaminosky@yahoo[.]co[.]uk

mail@yahoo[.]com

shwark[.]power[.]andrew@gmail[.]com

hilarykneber@yahoo[.]com

Given that the email addresses were confirmed malicious, it is safe to assume that it would be safer for organizations and individuals to avoid accessing the domains they are connected to as well.

Three of these connected domains, in fact, were dubbed “suspicious” on VirusTotal, namely, account-mail-yahoo[.]com, mail-yahoo[.]info, and open-mail-yahoo[.]com. Eight, meanwhile, were reported “malicious.” These are accounts-mail-yahoo[.]com, magicsystem[.]info, mg6-mail-yahoo[.]com, priv8darkshop[.]com, silver-root[.]com, supervpn[.]net, supervpn[.]us, and www—mail-yahoo[.]com. Including these 11 suspicious and malicious domains in blocklists is highly recommended, as accessing them can result in spamming, phishing, and malware infection.

Using the 34 connected domain names obtained as search terms for advanced reverse historical lookups on the Domain Research Suite (DRS), we uncovered another 195 domains that only sported different top-level domain (TLD) extensions. Examples of these include:

• gh0stmarketing[.]com
• supervpn[.]cn
• freshdump[.]org
• blockchane[.]online
• magicsystem[.]cn
• silver-root[.]shop
• federal-reservebnk[.]org
• mail-yahoo[.]net
• gewe[.]xyz
• epijobs[.]com
• viplending[.]com
• l-counter[.]net
• logisticsinternational[.]lk
• west-funds[.]xyz
• buyfakepassports[.]net
• musichammer[.]ru
• oemsoftbuy[.]ru
• automauto[.]ca
• geopozitiv[.]ru

Since they share similarities with the domains connected to the malicious email addresses, users may want to avoid accessing them as well or do so carefully, at the very least.

Running DNS lookups for the 229 domains provided us with a list of 85 unique IP addresses. Some of the domains shared hosts while others did not resolve to specific IP addresses. It may be worth watching out for communications from these in your network logs, as they may have connections to malicious activity or threat actors.

Blocking communications to and from devices with these 18 malicious IP addresses from our list is highly advised:

• 98[.]136[.]103[.]23
• 74[.]6[.]136[.]150
• 52[.]128[.]23[.]153
• 192[.]0[.]78[.]24
• 35[.]186[.]238[.]101
• 81[.]171[.]22[.]7
• 52[.]58[.]78[.]16
• 184[.]168[.]131[.]241
• 195[.]20[.]49[.]99
• 183[.]111[.]174[.]73
• 213[.]239[.]199[.]42
• 141[.]8[.]224[.]221
• 89[.]31[.]143[.]1
• 88[.]198[.]29[.]97
• 89[.]221[.]250[.]7
• 212[.]82[.]100[.]150
• 192[.]0[.]78[.]25
• 185[.]230[.]63[.]186

These IP addresses have been cited for malicious activity, primarily phishing and malware hosting, on VirusTotal.

Expanding lists of indicators of compromise (IoCs), such as the email addresses connected to threats, that we used as data source for this short analysis is advisable if organizations want to avoid as many threat vectors as possible.

Without digital footprint expansion using open-source tools like Maltego and the WhoisXML API transforms and other solutions featured in this post, we would have not been able to identify 229 domains and 85 IP addresses that could be connected to the threats. Worse, we wouldn’t know that blocking a total of 314 domains and IP addresses could keep our networks more resilient to threats.

Check this tutorial blog for more information about using WhoisXML API in Maltego. WhoisXML API is partnering with top security companies around the world. Check our partnership page for more details.