|
It’s not uncommon to see free web hosting providers get abused as part of phishing campaigns. IBM X-Force Exchange, in fact, published three indicators of compromise (IoCs) related to such an incident, namely:
The domain mypressonline[.]com leads to a website that offers a way for users to easily add subdomains related to their projects. Screenshot Lookup led us to that particular finding.
As part of our work to bring transparency to Internet usage and help keep users safe from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:
Read on to find out how we obtained the artifacts and additional IoCs in the next sections. To get a list of all the data gathered, download the threat research materials here.
We used a variety of WHOIS, IP, and DNS tools to determine how big mypressonline[.]com’s digital footprint may be.
We turned to Domains & Subdomains Discovery to uncover subdomains containing the string “mypressonline.” We found 1,460 subdomains. Examples include:
A significant share of these subdomains could belong to legitimate individuals or companies that used mypressonline[.]com’s service offering. As such, only some may have been made part of malicious campaigns.
Subjecting the 1,460 subdomains to a bulk malware check via the Threat Intelligence Platform (TIP) showed that nine of them were dubbed “dangerous” by various malware engines. These malicious subdomains are:
We wanted to see if more potentially abused properties pertaining to a past owner of mypressonline[.]com could be identified so we looked more closely at the domain’s WHOIS history. We found that:
Using Reverse WHOIS Search, we then found 805 domains that indicated ATTRACTSOFT GMBH as their registrant organization. Examples include:
Of these, three were dubbed “dangerous” by various malware engines, according to a bulk malware check via TIP. These malicious domains are:
10fast[.]net
ebac-control[.]com
xripton[.]com ## Screenshot Lookup
We subjected the 805 domains owned by ATTRACTSOFT GMBH to a bulk screenshot lookup and found that many of them had to do with various website development-related content. Examples include:
These three sites hosted the same content:
To determine the answer, we used the IP address 185[.]176[.]43[.]106 to perform a reverse IP lookup and uncovered at least 300 domains that shared the host of http[:]//direc7890[.]mypressonline[.]com/. We subjected these domains to a bulk malware check and found that accessing two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) should be avoided.
Overall, our analysis led us to the finding that a portion of mypressonline[.]com’s subdomain footprint has probably been abused in phishing campaigns, possibly alongside other domain properties that belong to ATTRACTSOFT GMBH that we identified through WHOIS history searches.
If you want to know more about conducting a similar investigation, please don’t hesitate to contact us. We can provide you access to various intelligence sources and are always eager to collaborate with fellow researchers.
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC