|
An ongoing cybersquatting campaign targeting MetLife, a global insurance company, was reported by IBM Exchange X-Force, listing 12 malicious domains. We dug deeper into the campaign as part of our goal to expand lists of indicators of compromise (IoCs). By doing so, we hoped to determine if more attack vectors could be targeting MetLife and if the threat also applies to other insurance companies.
Feel free to download the sample list of additional IoCs and artifacts related to this threat research. Our main findings are also further detailed below.
The 12 malicious domains can be found in this report. While the registrar and registrant details of the domains have been redacted, we know that they share the same nameservers (ns2[.]bodis[.]com and ns1[.]bodis[.]com). They also resolve to the same IP address (199[.]59[.]242[.]153), which is tagged “malicious.” All domains’ registrant country is China, but the IP address is geolocated in the U.S.
We investigated the published IoCs using the WHOIS and IP data we uncovered using different domain intelligence tools. We detail our findings in the succeeding sections.
Since the 12 malicious domains were reported on 23 September 2021, we wanted to see if other MetLife-related domains have been registered since then. Our Domains Discovery service revealed that 63 domains that contained the text string “metlife” were added to the Domain Name System (DNS) since 23 September 2021.
A bulk WHOIS lookup for the domains revealed that only 23 had retrievable WHOIS records. Four of them were registered in China, the registrant country of the 12 MetLife domains, namely:
On the other hand, a bulk IP geolocation lookup of the 63 domains revealed that 57 resolved to IP addresses, 31 of which pointed to 199[.]59[.]242[.]153, the malicious address connected to the 12 published MetLife domains. Despite the association, none of the 31 domains are being flagged “malicious” at the time of writing.
As part of the IoC expansion, we also investigated if there are indications of similar campaigns targeting other insurance providers and the insurance industry in general. We retrieved 6,185 domains containing the word “insurance” added since the MetLife cybersquatting campaign was reported and found 91 with the same nameserver as the IoCs.
A bulk IP geolocation lookup further revealed that 5,454 domains had IP resolutions and 315 resolved to the malicious IP address. However, only one has been flagged by malware check engines—mynationwidepetinsurance[.]com.
Other insurance companies may be targeted in a similar cybersquatting campaign. Looking at Forbes’ list of top car insurance companies, for instance, our data revealed that some of the company names also appeared in our dataset multiple times. Below is a breakdown of the insurance companies and the number of related domains we found.
Insurance Company | Number of Cybersquatting Domains | Insurance Company | Number of Cybersquatting Domains |
---|---|---|---|
Farmers | 10 | State Farm | 5 |
USAA | 8 | Nationwide | 4 |
Allstate | 7 | Travelers | 3 |
Aside from the domains containing the names of popular insurance companies, a bulk malware check for the 6,185 insurance-themed domains returned nine malicious properties, namely:
Only one of these malicious domains targeted MetLife Insurance, while the rest targeted different insurance companies.
Like other sectors under the umbrella of the financial industry, the insurance sector is a likely target for cybersquatting campaigns. These campaigns can serve as gateways for more damaging cyber attacks, such as phishing, malware, ransomware, and credential harvesting. As such, it’s crucial to nip these attacks in the bud by detecting possible cybersquatting domains. The IoCs IBM named could only be part of a more extensive campaign with other undetected attack vectors.
Are you interested in the data we presented? Or are you investigating a similar campaign? Contact us today for possible collaboration and more about the methodology and tools we used to get data.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API