Home / Industry

Telcos Are on Phishers’ Radar, Who Is at Risk?

The November 2021 PhishLabs Quarterly Threat Trends & Intelligence Report indicated the finance, social media, and telecommunications industries as phishers’ most targeted sectors. Last month, we analyzed a squatting campaign targeting U.S. Bancorp to determine if other banks were at risk, this time we’ll look into the top 3 phishing industry target—telecommunications.

The key findings, which we’ll dive deeper into later on, include:

  • A total of 290 newly registered domains (NRDs) and subdomains containing the strings “broadband,” “mobile,” and “telecom” made their way into the Domain Name System (DNS) between 26 October and 26 November 2021.
  • Six of the 10 biggest telcos worldwide and their customers may be at risk of getting phished.
  • The 290 NRDs and subdomains resolved to 186 IP addresses, which may be worth monitoring for signs of malicious activity.
  • Five domains/subdomains should not be accessed, as these were tagged “dangerous” by various malware engines.
  • A total of 21 IPv4 addresses should be included in company blacklists.

The complete list of suspicious and malicious domains identified in this post is available for download on our website.

Data Collection

To further ascertain if telcos are indeed on threat actors’ radar, we obtained lists of domains and subdomains containing the strings “broadband,” “mobile,” and “telecom.” We then went through these lists to determine which companies could become phishing targets and if campaigns might already be ongoing.

Our search for domains and subdomains led us to:

  • 146 domains containing the string “broadband”
  • 4,519 domains containing the string “mobile”
  • 599 domains containing the string “telecom”
  • 175 subdomains containing the string “broadband”
  • 10,000 subdomains containing the string “mobile”
  • 348 subdomains containing the string “telecom”

Note that these web properties were limited to those registered between 26 October and 26 November 2021. As such, thousands more are possibly already online and even more will potentially get added over time.

Analysis

To get our analysis going, we obtained a list of the 10 biggest telcos worldwide. We sought to find out how many of the NRDs and subdomains could be used to mimic them in phishing campaigns. Our findings showed that T-Mobile subscribers had the highest number of domains for our search strings.

Chart 1: Domain and subdomain volume breakdown by telco

AT&T, meanwhile, was the most prevalent when it comes to subdomains. Other telcos and their customers may also be at risk, including Verizon, NTT, Deutsche Telekom, Vodafone, and Orange. A total of 238 domains and 52 subdomains may be worth monitoring for signs of malicious ties, including the following:

DOMAINSSUBDOMAINS
verizon-mobiles[.]commobile[.]attmycsp[.]com
vertrieb-deutsche-fondsimmobilen[.]demobile[.]attwachtv[.]com
tmobileusa[.]wsmobile[.]attnowtv[.]com
vodafonemobilebooster[.]commobile[.]a1att[.]com
orange-espacemobile[.]appmobile[.]livetheorangelifee[.]com

None of the 290 domains and subdomains containing the names of the top 10 telcos worldwide appeared to be owned by the companies, according to a bulk WHOIS lookup, making the web properties suspicious.

Subjecting them to a bulk DNS lookup gave us a list of 186 IP addresses. Examples include:

  • 103[.]159[.]36[.]180
  • 2001[:]4860[:]4802[:]38[:]15
  • 134[.]0[.]10[.]171
  • 2001[:]4860[:]4802[:]36[:]15
  • 185[.]101[.]158[.]246
  • 2001[:]4860[:]4802[:]34[:]15
  • 185[.]101[.]158[.]113
  • 2001[:]4860[:]4802[:]32[:]15
  • 23[.]227[.]38[.]32
  • 2606[:]4700[:]6811[:]c549

A majority of the IP addresses (156 to be exact) are IPv4 addresses.

Chart 2: IP address breakdown by type

We also subjected the 290 domains and subdomains to a bulk malware check using the Threat Intelligence Platform and found that five of these were dubbed “dangerous” by various malware engines. Monitoring them may thus not be enough, blocking access to and from them is more advisable.

Checking the 156 IPv4 addresses for malware connections, meanwhile, revealed that 21 were tagged “malicious.” Examples include:

  • 23[.]227[.]38[.]32
  • 34[.]102[.]136[.]180
  • 72[.]167[.]191[.]69
  • 216[.]239[.]34[.]21
  • 104[.]17[.]196[.]73

Blocking access to and from web properties that resolve to them may be necessary.


As our findings revealed, telcos are seemingly on cybersquatters’ sights and some domains and subdomains containing the names of the top 10 companies worldwide require blacklisting or at the very least monitoring. T-Mobile, AT&T, Verizon, NTT, Orange, Deutsche Telekom, and Vodafone subscribers should especially be wary.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix