Cracks and keygens have long been a problem for software vendors in that they allow users to install their products without needing to pay for a legitimate license. As the Internet and website development advanced and became more accessible, the number of sites offering software cracking tools grew.
Our research team recently searched the Web for websites that peddle cracks and keygens in an attempt to add more artifacts to publicly available lists of indicators of compromise (IoCs). We used 39 domains identified as IoCs as a starting point and found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Our research team collated 39 domains known for hosting malicious crack and keygen sites. Accessing any of these from a corporate network is risky, since doing so could lead to malware infection. Worse than that, however, using cracked software is illegal, and companies that allow employees to use it could be fined as much as US$150,000 if proven to have committed software piracy in the U.S.
As part of our ongoing effort to make the Internet safer, we sought to identify other threat artifacts aided by WHOIS, DNS, and IP intelligence.
We began by subjecting the IoCs to DNS lookups, which led to the discovery of 500 IP addresses to which they resolved. Based on the results, most of the crack and keygen sites resolved to IP addresses located in the U.S., Netherlands, Germany, Canada, China, and France.
We then looked at the IoCs’ historical WHOIS records and uncovered 15 unredacted email addresses used to register them. Most of them were Gmail accounts, which isn’t surprising since anyone can easily obtain one.
Using the IP addresses and email addresses as reverse WHOIS search terms to find more artifacts provided us with 152 additional domains. A closer look at them pointed to seven that may be crack and keygen sites—crack[.]ws, crack[.]ms, netcrack[.]com, crackway[.]com, serials[.]ws, serialsource[.]net, and serialdevil[.]com. The sites’ screenshots showed that four were parked or up for sale, one led to a blank page, one was unreachable, and one—serials[.]ws—was indeed a crack and keygen site.
We then wanted to know if crack and keygen site creation remains popular to this day. So, we searched for domains registered just this year and using strings commonly included in crack and keygen site names, namely “crack,” “keygen,” and “serial.” The searches gave us 6,563 domains containing “crack,” 141 domains containing “keygen,” and 1,771 domains containing “serial.”
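The expansion pivot described above (seed IoCs to resolved IPs and registrant emails, then back to other domains sharing them, then a name-keyword filter), as an added example that is not the original research team's code. The passive-DNS and historical-WHOIS tables, the domains, IPs and emails are all constructed placeholders, not real indicators.

```python
# Added example: IoC expansion via shared IPs and registrant emails.
# All data below is constructed; RFC 5737 test IPs and .example domains stand in
# for the real DNS and WHOIS lookups the post describes.
from collections import defaultdict

SEED_IOCS = {"seed-crack.example", "seed-keygen.example"}

# domain -> IPs it has resolved to (stands in for DNS lookup results)
DNS_RECORDS = {
    "seed-crack.example": {"192.0.2.10"},
    "seed-keygen.example": {"192.0.2.10", "198.51.100.7"},
    "serials-pivot.example": {"192.0.2.10"},
    "hosting-mirror.example": {"192.0.2.10"},   # shares an IP but no keyword: manual review
    "unrelated-shop.example": {"203.0.113.5"},  # no link to the seeds at all
    "keygen-new.example": {"198.51.100.7"},
}

# domain -> registrant emails seen in historical WHOIS
WHOIS_RECORDS = {
    "seed-crack.example": {"reg1@example.net"},
    "seed-keygen.example": {"reg2@example.net"},
    "cracked-tools.example": {"reg1@example.net"},
    "unrelated-shop.example": {"other@example.net"},
    "keygen-new.example": {"reg2@example.net"},
}

# strings the post uses to spot crack and keygen sites by name
KEYWORDS = ("crack", "keygen", "serial")


def expand_iocs(seeds, dns, whois, keywords=KEYWORDS):
    """Pivot from seed domains through shared IPs and emails; return the new domains found."""
    seed_ips = set().union(*(dns.get(d, set()) for d in seeds))
    seed_emails = set().union(*(whois.get(d, set()) for d in seeds))
    # reverse indexes: IP -> domains and email -> domains (a reverse WHOIS/DNS lookup)
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for d, ips in dns.items():
        for ip in ips:
            by_ip[ip].add(d)
    for d, emails in whois.items():
        for e in emails:
            by_email[e].add(d)
    candidates = set()
    for ip in seed_ips:
        candidates |= by_ip[ip]
    for e in seed_emails:
        candidates |= by_email[e]
    candidates -= set(seeds)  # only domains not already on the IoC list
    # names containing a keyword are likely crack/keygen sites; the rest still need a manual look
    flagged = {d for d in candidates if any(k in d for k in keywords)}
    return {"ips": seed_ips, "emails": seed_emails, "candidates": candidates, "flagged": flagged}
```

Shared hosting IPs produce false pivots (hosting-mirror.example above), which is why the post screenshots each candidate before calling it a crack site.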
A bulk malware check via Threat Intelligence Platform (TIP) for the 6,500+ domains showed that 81 of them were malicious. Below are examples of the malicious crack and keygen sites.
Exhaustive threat intelligence can help security teams uncover more malicious web properties than those that appear on publicly available lists of IoCs. Our IoC expansion study also showed that cracks and keygens remain an issue, given the thousands of domains registered just this year that point to websites selling them.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.