Many countries worldwide celebrate Safer Internet Day every February 8. And while most parents always strive to do their best to keep their children safe while browsing the Web, threat actors still manage to abuse their good intentions. How?

Many individuals and companies share content that could hopefully teach parents how to browse and interact with others on the Internet safely. But we found that many of the sites touting safer Internet best practices shouldn’t automatically be trusted. Our analysis, in fact, revealed:

• Almost 6,000 domains supposedly espousing safe Internet best practices (377 featuring the strings digital + safety, 4,420 with online + safety , and 1,187 containing safe + internet) but 2% of them are malicious.
• More than 1,200 subdomains aimed to help parents keep their kids safe on the Internet (63 digital + safety , 698 online + safety , and 440 safe + internet subdomains) but at least one of them was found malicious.
• The nearly 130 malicious web properties resolved to nine unique IP addresses, one of which was dubbed “dangerous” by various malware engines.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Our Initial Data Revealed

We used three string combinations to gather the data for our analysis, namely domains and subdomains that contain these words:

• digital + safety
• online + safety
• safe + internet

Domains & Subdomains Discovery provided us with more than 7,100 web properties (5,984 domains and 1,201 subdomains). We then ran these pages through bulk malware checks via the Threat Intelligence Platform (TIP) and found that almost 130 of them were dubbed “dangerous” by various malware engines. See the table below for examples.

Digging Deeper into the Data

As usual, we made it a point to expand the list of artifacts related to this threat. We checked the location of the malicious domains and subdomains and found that these resolved to nine unique IP addresses, namely:

• 99[.]83[.]154[.]118
• 34[.]102[.]136[.]180
• 64[.]70[.]19[.]203
• 68[.]65[.]122[.]196
• 128[.]199[.]84[.]63
• 52[.]19[.]194[.]233
• 208[.]91[.]197[.]91
• 99[.]83[.]154[.]118
• 109[.]71[.]253[.]24

Apart from refraining from accessing the malicious domains and subdomains we found earlier, users would also do very well from steering clear of any sites hosted on 99[.]83[.]154[.]118, which according to a TIP malware check, is malicious.

Interestingly, while 128[.]199[.]84[.]63 wasn’t deemed malicious by any malware engine, one of the domains (i.e., emulationsafety[.]online) that it plays host to is unsafe to access. Our analysis was limited to five connected domains per IP host so the other seven IP address resolutions could pose the same risk.

A WHOIS data review for the nearly 6,000 domains also showed that 97 were newly registered. Their owners could be riding on the popularity of sites that offer Internet safety best practices. The list of newly registered domains (NRDs) include malicious properties, namely:

• safetyover[.]online
• safetytreads[.]online
• safetyarticle[.]online

The continued registration of domains with the word “safety” could be due to the fact that they do work as an effective lure to get users to visit the hosted sites. That said, we’re bound to see more domains created with the strings we identified in the future.

Not all malicious web properties may have been designed that way. Some may have been compromised because they were insufficiently secured. Secure Sockets Layer (SSL) and mail exchanger (MX) record misconfigurations could lead to such cases. We looked more closely at the malicious domains and subdomains using TIP to prove that and found that apart from hosting malware, they also sported various configuration errors as shown by the table below.

TIP checks domains and IP addresses for possible errors or misconfigurations. Take onlinedepartmentwfbanksafetyteam[.]club, for instance. It has three outgoing links based on our TIP web analysis, one of them could be pointing to a malicious page or file. It also lacked a Secure Sockets Layer (SSL) certificate, making the site very vulnerable. Its WHOIS record has been redacted as well. Its MX records could have also been modified by unauthorized users, given that it doesn’t have Domain-Based Message Authentication, Reporting, and Conformance (DMARC) set up. Finally, the domain uses stealth nameservers, which could be a threat actor tactic to evade detection. All these misconfigurations could make the domain ripe for attacker picking.

If there’s a lesson that users can learn from our analysis, it’s that they shouldn’t trust a site just because its name touts safety. When browsing the Web, it’s always prudent to think twice about the websites you wish to access. As shown here, several pages that suggest keeping people safe from threats are malware hosts.

If you wish to perform a similar investigation, please don’t hesitate to contact us on threatintelligenceplatform.com. We’re always on the lookout for potential research collaborations.