Twitter was recently abuzz with news of an ongoing Cardano scam delivered through a downloadable phishing app. The app poses as a giveaway promotion, a lure cybercriminals have frequently used against cryptocurrency owners lately; users who are tricked into installing it end up with stolen credentials instead of free coins.
We began our investigation into the threat with two indicators of compromise (IoCs) disclosed in a tweet: the malicious domain name airdrop-ada[.]net and the malicious IP address 104[.]21[.]78[.]87. Using these as jump-off points, our deep dive revealed:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To look for other artifacts, we subjected the domain airdrop-ada[.]net to a DNS lookup and found two IP addresses in addition to the one identified in the tweet: 213[.]226[.]124[.]209 and 172[.]67[.]219[.]16.
We then looked for other potential connections using the string combination “airdrop + ada” on Domains & Subdomains Discovery. The query uncovered 29 possibly connected domains, such as:
Using the same string combination, we also discovered two possibly connected subdomains, namely:
Next, we used the IP addresses 213[.]226[.]124[.]209, 172[.]67[.]219[.]16, and 104[.]21[.]78[.]87 as reverse IP lookup search terms and found at least 300 domains that shared 104[.]21[.]78[.]87 as host. Examples include:
The high number of connected domains and the dissimilarity of their second-level domain (SLD) strings indicate that 104[.]21[.]78[.]87 is most likely shared hosting infrastructure rather than an attacker-dedicated server. That address, like 172[.]67[.]219[.]16, also falls within Cloudflare's published address ranges, so the domains behind it are simply other tenants of the same reverse proxy, and co-tenancy there says nothing about who registered them. A bulk WHOIS lookup for the possibly connected domains reinforced this interpretation: only 42 of the 301 (14%) shared the domain IoC's registrant country, far less overlap than one would expect had a single actor registered them.
Even so, we subjected all the web properties we found to a bulk malware check on the Threat Intelligence Platform and found that two of them, dejob[.]xyz and dispenseoneglint[.]cyou, are flagged as malicious by various malware engines.
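The pivot described above (refang the IoC, resolve it, reverse-IP each address, keyword-search the results, then compare registrant countries) can be scripted so the shared-hosting caveat is applied automatically. The block below is an added example and is not code from the original article or from WhoisXML API. The DNS, reverse-IP and WHOIS lookups are replaced by constructed inline tables so it runs offline; in a live run you would fill the same tables from passive DNS, reverse IP and bulk WHOIS results (the final malware check needs an online service and is left out). Only airdrop-ada[.]net, its three IP addresses and the two flagged domains come from the article; every other domain name and every registrant country is a placeholder. The two CIDR blocks are Cloudflare's published IPv4 ranges that contain 104.21.x.x and 172.67.x.x.

```python
"""Pivot from a defanged domain IoC to candidate infrastructure, dropping
candidates that are only co-tenants on shared (CDN) hosting.

Added example, not code from the original article. Lookups are replaced by
constructed inline data so the script runs offline.
"""
import ipaddress


def refang(ioc: str) -> str:
    """Turn a defanged indicator (airdrop-ada[.]net) back into a usable name."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Defang a name or IP so it is not clickable or auto-linked in a report."""
    return ioc.replace(".", "[.]")


# Cloudflare's published IPv4 ranges covering 104.21.x.x and 172.67.x.x.
# Anything resolving here sits behind a reverse proxy shared by many tenants,
# so a reverse-IP pivot on it is not attributable to one actor.
SHARED_HOSTING_RANGES = [
    ipaddress.ip_network("104.16.0.0/13"),
    ipaddress.ip_network("172.64.0.0/13"),
]

# Constructed passive-DNS answer for the seed domain (values from the article).
DNS_A = {"airdrop-ada.net": ["104.21.78.87", "213.226.124.209", "172.67.219.16"]}

# Constructed reverse-IP results. The real result for the Cloudflare IP ran to
# 300+ unrelated domains; a handful of placeholders stands in for them here.
REVERSE_IP = {
    "104.21.78.87": ["airdrop-ada.net", "dejob.xyz", "dispenseoneglint.cyou",
                     "florist-example.com", "recipes-example.org"],
    "172.67.219.16": ["airdrop-ada.net", "travel-example.net"],
    "213.226.124.209": ["airdrop-ada.net", "ada-airdrop-example.net"],
}

# Constructed bulk-WHOIS extract (registrant country only; all placeholders).
WHOIS = {
    "airdrop-ada.net": "US", "dejob.xyz": "US",
    "dispenseoneglint.cyou": "CN", "florist-example.com": "DE",
    "recipes-example.org": "FR", "travel-example.net": "US",
    "ada-airdrop-example.net": "US",
}


def is_shared_hosting_ip(ip: str) -> bool:
    """True when the address lies in one of the shared-hosting CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_HOSTING_RANGES)


def pivot(seed: str) -> dict:
    """Seed domain -> {candidate domain: set of non-shared IPs it sat behind}.

    Candidates reached only through shared-hosting IPs are dropped, because
    co-tenancy on a CDN says nothing about who registered them.
    """
    seed = refang(seed)
    candidates: dict = {}
    for ip in DNS_A.get(seed, []):
        if is_shared_hosting_ip(ip):
            continue
        for domain in REVERSE_IP.get(ip, []):
            if domain != seed:
                candidates.setdefault(domain, set()).add(ip)
    return candidates


def substring_hits(domains, *tokens) -> list:
    """Keyword search in the style of Domains & Subdomains Discovery: every
    token must appear somewhere in the name."""
    return sorted(d for d in domains if all(t in d for t in tokens))


def registrant_country_overlap(seed: str, candidates, whois=WHOIS):
    """(matching, total, fraction) of candidates sharing the seed's registrant
    country; a low fraction is the shared-hosting signal used in the article."""
    seed_country = whois[refang(seed)]
    cands = [c for c in candidates if c in whois]
    matching = sum(1 for c in cands if whois[c] == seed_country)
    return matching, len(cands), (matching / len(cands) if cands else 0.0)


if __name__ == "__main__":
    seed = "airdrop-ada[.]net"
    print("candidates via dedicated IPs:",
          {defang(d): sorted(ips) for d, ips in pivot(seed).items()})
    everything = {d for ips in REVERSE_IP.values() for d in ips}
    print("keyword hits:", [defang(d) for d in substring_hits(everything, "airdrop", "ada")])
    print("registrant-country overlap over all reverse-IP domains:",
          registrant_country_overlap(seed, everything - {refang(seed)}))
```

Keeping the indicators defanged until the moment they are resolved, and re-defanging them before printing, is the habit that stops a report or a chat paste from becoming a live link. With real data, a candidate surfaces in `pivot` only when it shares an address outside the shared-hosting ranges with the seed; everything else is carried as weak keyword or WHOIS evidence at most.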
Cardano has consistently ranked among the top 10 cryptocurrencies to invest in, and that remains true this year, so it is not surprising that it is a favored cybercrime target. Around the same time last year, in fact, we looked into web properties containing "Cardano" and the names of other cryptocurrencies and found around 30,000 potential threat vehicles.
We sought to discover if new domains and subdomains were registered just this year and found:
Note the growth in web property volume, from 677 to more than double that at 1,340 domains and subdomains, in less than a year. That likely reflects growth not only in the number of Cardano coin owners but also in the threats that could target them.
All Cardano cryptocurrency owners should avoid accessing the domains, subdomains, and IP addresses identified here, especially those deemed "malicious," to reduce the risk of being scammed or phished. Monitoring the possibly connected domains, particularly those registered in the U.S. that share other WHOIS details with the domain IoC, may also be worthwhile.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.