Malicious spam, possibly the oldest kind of cyber threat, likely remains one of enterprises’ biggest security concerns.

Regardless of form and affected device, clicking a malicious link embedded in a spam email or downloading a malware-laden attachment can lead to financial, data, or identity theft. To this end, knowing and consequently blocking access to where these harmful messages come from is of utmost importance to companies.

As part of our ongoing effort to make the Internet safer, we sought to expand an initial list of 53 verified malicious spam domains aided by WHOIS, DNS, and IP intelligence. Our findings include:

• 71 IP addresses to which the domains identified as indicators of compromise (IoCs) resolved, a majority of which are geolocated in the U.S.
• 18 unredacted email addresses used to register the IoCs obtained from historical WHOIS records
• 354 additional domains that shared the IoCs’ registrant email addresses or IP hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Insights Gleaned from the Initial List of IoCs

We began our investigation by looking for identifiable characteristics among the IoCs. To do so, we ran them through a bulk WHOIS lookup that revealed:

• Four domains with retrievable current WHOIS records—chbit[.]com, ghqd[.]net, mvgu[.]net, and nitrogem[.]com.
• All four IoCs were newly registered domains (NRDs) whose registrant details have been withheld for privacy.
• Four of the IoCs—corvusrex[.]com, skyrecs[.]com, nitrogem[.]com, and cinelon[.]com—continue to host live content that look to belong to legitimate businesses based on the results of screenshot lookups. If they were primarily created for malicious spam campaigns, then their owners exerted effort to mask their criminal intent by building believable business websites.

WHOIS, DNS, and IP Intelligence-Enhanced Insights

We subjected the IoCs to DNS lookups, which led to the discovery of 71 IP addresses to which they resolved. While none of them are currently detected as malicious, their connection to confirmed malicious spam domains warrant that they at least be monitored for signs of criminal activity.

A bulk IP geolocation lookup for the IP addresses showed that most of them were geolocated in the U.S., China, Germany, and Japan. Apart from Japan, the U.S., China, and Germany were part of Spamhaus’s list of top spam-sending countries as of 29 September 2022.

Next, we performed historical WHOIS searches for the IoCs, which uncovered 18 registrant email addresses. The majority of them (79%) were QQMail (i.e., qq.com) accounts although their owners would be hard to identify given the use of random characters (i.e., letters and numbers) instead of proper names.

To further expand the list of potentially related threat artifacts, the IP addresses were used as reverse IP search terms. That led to the discovery of 354 domains. Fortunately, none of them are currently deemed malicious. Several, however, shared similarities with the IoCs, and so warrant closer attention from security teams. These domains include 87 NRDs whose registrant details have been redacted.

Even if no organization can escape spam, protecting against outright malicious emails that can lead to financial and reputational damages can still be made more effective by identifying and blocking threats from the source with the aid of WHOIS, DNS, and IP intelligence.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.