Are Mypressonline.com’s Free Subdomain Creation Services Being Abused?

It’s not uncommon to see free web hosting providers get abused as part of phishing campaigns. IBM X-Force Exchange, in fact, published three indicators of compromise (IoCs) related to such an incident, namely:

  • URL: http[:]//direc7890[.]mypressonline[.]com
  • Email address: yerlalonso@hotmail[.]com
  • IP address: 185[.]176[.]43[.]106

The domain mypressonline[.]com hosts a website that lets users create subdomains for their projects with little effort, which is what makes it attractive to abusers. A Screenshot Lookup of the domain led us to that finding.

Image 1: Screenshot Lookup result for mypressonline[.]com

As part of our work to bring transparency to Internet usage and help keep users safe from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:

  • 1,460 subdomains under the domain mypressonline[.]com, nine of which were flagged as malicious by malware engines.
  • 805 domains sharing the registrant organization found in a historical WHOIS record of mypressonline[.]com, three of which were flagged as malicious.
  • At least 300 domains sharing mypressonline[.]com’s IP address, two of which were flagged as malicious.

Read on to find out how we obtained the artifacts and additional IoCs in the next sections. To get a list of all the data gathered, download the threat research materials here.

How Big Is Mypressonline[.]com’s Digital Footprint?

We used a variety of WHOIS, IP, and DNS tools to determine how big mypressonline[.]com’s digital footprint may be.

Domains & Subdomains Discovery

We turned to Domains & Subdomains Discovery to uncover subdomains containing the string “mypressonline.” We found 1,460 subdomains. Examples include:

  • 0x32[.]mypressonline[.]com
  • abctaxi[.]mypressonline[.]com
  • backlinks[.]mypressonline[.]com
  • cajide[.]mypressonline[.]com
  • dancekiss[.]mypressonline[.]com
  • eago[.]mypressonline[.]com
  • faizaturk[.]mypressonline[.]com
  • g2rss[.]mypressonline[.]com
  • half[.]mypressonline[.]com
  • iconline[.]mypressonline[.]com

Most of these subdomains likely belong to legitimate individuals or companies that simply used mypressonline[.]com’s free service, so only a small fraction should be expected to show up in malicious campaigns. The practical consequence for defenders is that blocking the apex domain or its IP address would also cut off the many benign tenants; blocking should target the specific subdomains that were flagged.

Threat Intelligence Platform

Subjecting the 1,460 subdomains to a bulk malware check via the Threat Intelligence Platform (TIP) showed that nine of them were dubbed “dangerous” by various malware engines. These malicious subdomains are:

  • getready[.]mypressonline[.]com
  • ieguillermovalencia[.]mypressonline[.]com
  • juneteenthtv[.]mypressonline[.]com
  • kreativtrening[.]mypressonline[.]com
  • phoenixparts[.]mypressonline[.]com
  • spagne[.]mypressonline[.]com
  • vamsipavan[.]mypressonline[.]com
  • veed[.]mypressonline[.]com
  • wyrokipolskie[.]mypressonline[.]com

WHOIS History and Reverse WHOIS Search

We wanted to see if more potentially abused properties pertaining to a past owner of mypressonline[.]com could be identified so we looked more closely at the domain’s WHOIS history. We found that:

  • The domain’s ownership history went as far back as 30 March 2011.
  • It has 31 historical WHOIS records. The 15 most recent ones have been redacted.
  • Its WHOIS record dated 12 January 2018 showed a registrant organization (i.e., ATTRACTSOFT GMBH) that, like the current registrant, is based in Germany.

Using Reverse WHOIS Search, we then found 805 domains that indicated ATTRACTSOFT GMBH as their registrant organization. Examples include:

  • 007gb[.]com
  • a2zmovies[.]com
  • balcondeodonnell[.]com
  • caamora[.]net
  • dabsound[.]com
  • e-dys[.]com
  • f-gauthier[.]com
  • gabrielvivas[.]com
  • hack-virus[.]com
  • i8it[.]net

Of these, three were dubbed “dangerous” by various malware engines, according to a bulk malware check via TIP. These malicious domains are:

  • 10fast[.]net
  • ebac-control[.]com
  • xripton[.]com

Screenshot Lookup

We subjected the 805 domains registered to ATTRACTSOFT GMBH to a bulk screenshot lookup and found that many of them carried website development or hosting-related content. Examples include:

  • 00sites[.]net
  • agilityhoster[.]com
  • batcave[.]net

These three sites hosted the same content:

Image 2: Screenshot Lookup results for sample domains owned by a former registrant organization of mypressonline[.]com

Do Other Domains Resolve to the Same Host as mypressonline[.]com?

To determine the answer, we used the IP address 185[.]176[.]43[.]106 to perform a reverse IP lookup and uncovered at least 300 domains and subdomains that share the host of http[:]//direc7890[.]mypressonline[.]com/. We subjected these to a bulk malware check and found that two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) were flagged as dangerous and should not be accessed. Because hundreds of other names resolve to the same address, the IP itself is a poor blocking indicator.

Overall, our analysis led us to the finding that a portion of mypressonline[.]com’s subdomain footprint has probably been abused in phishing campaigns, possibly alongside other domain properties that belong to ATTRACTSOFT GMBH that we identified through WHOIS history searches.
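As an added example that is not part of the original article or of WhoisXML API’s tooling, the script below shows one way to act on findings like these without taking down the benign tenants of a shared free-subdomain host. It refangs the indicators quoted above, groups them by registrable domain, uses the subdomain-discovery count to decide whether an apex is a shared host, and emits DNS response policy zone (RPZ) records that block only the flagged FQDNs; the apex is blocked only when the apex itself is the indicator or when the flagged share is high. The footprint count, the 5% threshold and the shortened public-suffix set are assumptions, the indicator list is constructed from the ones quoted on this page, and the verdicts are illustrative rather than the result of a live scan.

```python
import re
from collections import Counter

# Public suffixes needed for the hosts on this page. A real deployment
# would load the Public Suffix List; this short set is an assumption so
# that the script runs offline.
PUBLIC_SUFFIXES = {"com", "net", "org"}

# Constructed from the indicators quoted in the article (still defanged;
# the code refangs them). Verdicts are illustrative, not a live scan.
FLAGGED_IOCS = [
    "http[:]//direc7890[.]mypressonline[.]com",
    "getready[.]mypressonline[.]com",
    "ieguillermovalencia[.]mypressonline[.]com",
    "juneteenthtv[.]mypressonline[.]com",
    "kreativtrening[.]mypressonline[.]com",
    "phoenixparts[.]mypressonline[.]com",
    "spagne[.]mypressonline[.]com",
    "vamsipavan[.]mypressonline[.]com",
    "veed[.]mypressonline[.]com",
    "wyrokipolskie[.]mypressonline[.]com",
    "duolpall111[.]mypressonline[.]com",
    "gestionarcreditobp[.]com",
]

# Hosts found under each apex by the subdomain-discovery step. The
# 1,460 figure is the article's; an apex missing here has no footprint data.
FOOTPRINT = {"mypressonline.com": 1460}


def refang(text):
    """Undo the [.] / [:] / hxxp defanging used when quoting indicators."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def host_of(ioc):
    """Lower-cased host name of a URL, host:port or bare host name."""
    s = refang(ioc).strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)  # drop the scheme
    s = s.split("/", 1)[0].rsplit("@", 1)[-1]     # drop path/query and userinfo
    return s.split(":", 1)[0].rstrip(".")         # drop port and trailing dot


def registered_domain(host):
    """Registrable apex under PUBLIC_SUFFIXES, e.g. a.b.example.com -> example.com."""
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return host


def triage(flagged_iocs, footprint, shared_threshold=0.05):
    """Map each flagged host to ("block-fqdn", host) or ("block-apex", apex).

    A small flagged share of a large footprint is the signature of a shared
    host whose other tenants are benign, so only the specific FQDNs are
    blocked. The apex is blocked when it is itself the indicator or when
    the flagged share reaches the (assumed) threshold.
    """
    hosts = sorted({host_of(i) for i in flagged_iocs})
    flagged_per_apex = Counter(registered_domain(h) for h in hosts)
    decisions = {}
    for host in hosts:
        apex = registered_domain(host)
        total = footprint.get(apex)
        if host == apex:
            decisions[host] = ("block-apex", apex)
        elif total is None or flagged_per_apex[apex] / total < shared_threshold:
            decisions[host] = ("block-fqdn", host)  # no footprint data: stay narrow
        else:
            decisions[host] = ("block-apex", apex)
    return decisions


def rpz_records(decisions):
    """Render decisions as RPZ records; 'CNAME .' is the NXDOMAIN action.

    Owner names are relative to the policy zone's origin. A wildcard is
    added for apex blocks so that every subdomain is covered as well.
    """
    lines = []
    for action, name in sorted(set(decisions.values())):
        lines.append(f"{name} CNAME .")
        if action == "block-apex":
            lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    decisions = triage(FLAGGED_IOCS, FOOTPRINT)
    for host, (action, target) in decisions.items():
        print(f"{host:45} {action:10} {target}")
    print("\n".join(rpz_records(decisions)))
```

With the article’s numbers, the eleven flagged mypressonline[.]com hosts amount to well under 1% of the 1,460-host footprint, so only those FQDNs are blocked, while gestionarcreditobp[.]com, which is an apex in its own right, gets an apex and wildcard record. For real findings, replace FOOTPRINT with the per-apex counts returned by the subdomain-discovery step and load the generated lines into a response policy zone served by a resolver that supports RPZ, such as BIND.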

If you want to know more about conducting a similar investigation, please don’t hesitate to contact us. We can provide you access to various intelligence sources and are always eager to collaborate with fellow researchers.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
