In the Market for a New Car? Beware Not to Get on the Phishing Bandwagon

In an earlier post, we looked at how cybersquatters took advantage of the popularity of seven car manufacturers to lure unwitting victims to fake sites. Since then, we have been alerted to a campaign targeting several German car dealers, this time via age-old but still effective phishing.

What the Public Knows So Far

A published report identified 37 domains as indicators of compromise (IoCs) related to this threat. We used these as jumping-off points for a more in-depth investigation and found:

  • A couple of unredacted registrant email addresses
  • More than 1,200 possibly connected domains (some registered using the identified unredacted email addresses while others shared the domain IoCs’ IP hosts or contained the same strings)
  • Several IP address resolutions of the domain IoCs
  • A dozen possibly connected domains dubbed “malicious” by various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Deep Dive Revelations

We began by subjecting the 37 domain IoCs to a bulk WHOIS lookup and found that none of them seemed to belong to a legitimate carmaker or auto dealership company. Two of them (bornagroup[.]ir and groupschumecher[.]com), however, were registered using what looked to be personal email addresses left unredacted.

Screenshot lookups showed that many of the domain IoCs resolved to index pages while a few were parked or currently under development. One—auto-falkanhahn[.]de—looked to be still up and running and should be avoided, especially by biking aficionados given the content it hosts.

Using the unredacted registrant email addresses as reverse WHOIS search terms led to the discovery of 10 possibly connected domains.

We also used the domain IoCs as DNS lookup search terms and found 21 active and unique IP resolutions. Utilizing these as reverse IP lookup search terms allowed us to uncover 1,011 more domains.

Interestingly, screenshot lookups for these additional domains showed that 26 hosted the same content as auto-falkanhahn[.]de or were redirects.

Similarities in the hosted content and strings used (“logn-alert,” “inc-alert,” and “themasterdevin”) provide supporting evidence that these domains could be part of the same infrastructure or owned by the same individual or group. Refraining from accessing them may thus be a great idea as well.

Given that the domain IoCs featured common string combinations like “auto + center,” “auto + haus,” and “auto + house,” we used Domains & Subdomains Discovery to look for other domains containing these combinations that could be considered artifacts. We found 206 such domains.
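The string-combination search described above can also be turned into a check over a network's own DNS logs. The sketch below is an added example, not code from this post or from WhoisXML API tooling; the `query=` log format and every hostname in it are constructed for illustration.

```python
import re

# Strings the post reports next to "auto" in the domain IoCs.
PARTNERS = ("center", "haus", "house")
QUERY_RE = re.compile(r"\bquery=(\S+)")  # assumed log field, not a real product format

def refang(indicator):
    """Normalize a possibly defanged indicator (hxxp://, [.]) to a bare hostname."""
    text = indicator.strip().lower().replace("[.]", ".")
    text = re.sub(r"^h(?:xx|tt)ps?://", "", text)
    return text.split("/")[0].split(":")[0].rstrip(".")

def combos_in(indicator):
    """Return the 'auto + X' combinations found in any label except the TLD."""
    found = []
    for label in refang(indicator).split(".")[:-1]:
        compact = label.replace("-", "")  # treat auto-haus and autohaus alike
        if "auto" not in compact:
            continue
        for partner in PARTNERS:
            combo = f"auto + {partner}"
            if partner in compact and combo not in found:
                found.append(combo)
    return found

def scan(log_lines):
    """Map each distinct queried name to its matched combinations."""
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = refang(m.group(1))
        combos = combos_in(name)
        if combos:
            hits[name] = combos
    return hits

# Constructed sample log lines (reserved .example names, not real indicators).
SAMPLE_LOG = [
    "2022-05-10T09:14:02Z client=10.0.0.12 query=auto-haus-muster.example type=A",
    "2022-05-10T09:14:05Z client=10.0.0.31 query=mail.autocenter-nord.example. type=A",
    "2022-05-10T09:14:09Z client=10.0.0.12 query=automation.example type=A",
    "2022-05-10T09:15:40Z client=10.0.0.44 query=hausverwaltung.example type=AAAA",
    "2022-05-10T09:16:11Z client=10.0.0.31 query=AUTO-HOUSE-demo.example type=A",
]

if __name__ == "__main__":
    for name, combos in scan(SAMPLE_LOG).items():
        print(name, combos)
```

Because “Autohaus” and “auto center” are ordinary names for legitimate dealerships, a match is a candidate for WHOIS and reputation review, not a verdict.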

Finally, subjecting the web properties (domains and IP addresses) not yet identified as possibly related to this campaign to a bulk malware check via the Threat Intelligence Platform showed that 12 of them should be blocked on user networks as they have been dubbed “malware hosts” by various engines.


Users who are currently in the market for their next car but do not want to get their credentials stolen instead should avoid accessing the artifacts (12 domains) deemed unsafe in this post. Refraining from accessing any site with the same content as auto-falkanhahn[.]de is also a good idea. And should you receive an email coming from the email addresses we identified, don’t even think of opening it.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
