Home / Industry

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: [email protected]

Are Mypressonline.com’s Free Subdomain Creation Services Being Abused?

It’s not uncommon to see free web hosting providers get abused as part of phishing campaigns. IBM X-Force Exchange, in fact, published three indicators of compromise (IoCs) related to such an incident, namely:

  • URL: http[:]//direc7890[.]mypressonline[.]com
  • Email address: [email protected][.]com
  • IP address: 185[.]176[.]43[.]106

The domain mypressonline[.]com leads to a website that offers a way for users to easily add subdomains related to their projects. Screenshot Lookup led us to that particular finding.

Image 1: Screenshot Lookup result for mypressonline[.]com

As part of our work to bring transparency to Internet usage and help keep users safe from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:

  • 1,460 subdomains under the domain mypressonline[.]com, nine of which were malicious.
  • 805 domains sharing the same registrant organization identified as part of a historical WHOIS record of mypressonline[.]com, three of which were malicious.
  • At least 300 domains sharing mypressonline[.]com’s IP address, two of which were malicious.

Read on to find out how we obtained the artifacts and additional IoCs in the next sections. To get a list of all the data gathered, download the threat research materials here.

How Big Is Mypressonline[.]com’s Digital Footprint?

We used a variety of WHOIS, IP, and DNS tools to determine how big mypressonline[.]com’s digital footprint may be.

Domains & Subdomains Discovery

We turned to Domains & Subdomains Discovery to uncover subdomains containing the string “mypressonline.” We found 1,460 subdomains. Examples include:

  • 0x32[.]mypressonline[.]com
  • abctaxi[.]mypressonline[.]com
  • backlinks[.]mypressonline[.]com
  • cajide[.]mypressonline[.]com
  • dancekiss[.]mypressonline[.]com
  • eago[.]mypressonline[.]com
  • faizaturk[.]mypressonline[.]com
  • g2rss[.]mypressonline[.]com
  • half[.]mypressonline[.]com
  • iconline[.]mypressonline[.]com

A significant share of these subdomains could belong to legitimate individuals or companies that used mypressonline[.]com’s service offering. As such, only some may have been made part of malicious campaigns.

Threat Intelligence Platform

Subjecting the 1,460 subdomains to a bulk malware check via the Threat Intelligence Platform (TIP) showed that nine of them were dubbed “dangerous” by various malware engines. These malicious subdomains are:

  • getready[.]mypressonline[.]com
  • ieguillermovalencia[.]mypressonline[.]com
  • juneteenthtv[.]mypressonline[.]com
  • kreativtrening[.]mypressonline[.]com
  • phoenixparts[.]mypressonline[.]com
  • spagne[.]mypressonline[.]com
  • vamsipavan[.]mypressonline[.]com
  • veed[.]mypressonline[.]com
  • wyrokipolskie[.]mypressonline[.]com
WHOIS History and Reverse WHOIS Search

We wanted to see if more potentially abused properties pertaining to a past owner of mypressonline[.]com could be identified so we looked more closely at the domain’s WHOIS history. We found that:

  • The domain’s ownership history went as far back as 30 March 2011.
  • It has 31 historical WHOIS records. The 15 most recent ones have been redacted.
  • Its WHOIS record dated 12 January 2018 showed a registrant organization (i.e., ATTRACTSOFT GMBH), which like the current registrant, is based in Germany.

Using Reverse WHOIS Search, we then found 805 domains that indicated ATTRACTSOFT GMBH as their registrant organization. Examples include:

  • 007gb[.]com
  • a2zmovies[.]com
  • balcondeodonnell[.]com
  • caamora[.]net
  • dabsound[.]com
  • e-dys[.]com
  • f-gauthier[.]com
  • gabrielvivas[.]com
  • hack-virus[.]com
  • i8it[.]net

Of these, three were dubbed “dangerous” by various malware engines, according to a bulk malware check via TIP. These malicious domains are:

10fast[.]net

ebac-control[.]com

xripton[.]com ## Screenshot Lookup

We subjected the 805 domains owned by ATTRACTSOFT GMBH to a bulk screenshot lookup and found that many of them had to do with various website development-related content. Examples include:

  • 00sites[.]net
  • agilityhoster[.]com
  • batcave[.]net

These three sites hosted the same content:

Image 2: Screenshot Lookup results for sample domains owned by a former registrant organization of mypressonline[.]com

Do Other Domains Resolve to the Same Host as mypressonline[.]com?

To determine the answer, we used the IP address 185[.]176[.]43[.]106 to perform a reverse IP lookup and uncovered at least 300 domains that shared the host of http[:]//direc7890[.]mypressonline[.]com/. We subjected these domains to a bulk malware check and found that accessing two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) should be avoided.


Overall, our analysis led us to the finding that a portion of mypressonline[.]com’s subdomain footprint has probably been abused in phishing campaigns, possibly alongside other domain properties that belong to ATTRACTSOFT GMBH that we identified through WHOIS history searches.

If you want to know more about conducting a similar investigation, please don’t hesitate to contact us. We can provide you access to various intelligence sources and are always eager to collaborate with fellow researchers.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign