Malicious spam, possibly the oldest kind of cyber threat, likely remains one of enterprises’ biggest security concerns.
Regardless of form and affected device, clicking a malicious link embedded in a spam email or downloading a malware-laden attachment can lead to financial, data, or identity theft. For this reason, knowing where these harmful messages come from, and consequently blocking access to those sources, is of utmost importance to companies.
As part of our ongoing effort to make the Internet safer, we sought to expand an initial list of 53 verified malicious spam domains with the aid of WHOIS, DNS, and IP intelligence. Our findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our investigation by looking for identifiable characteristics among the IoCs. To do so, we ran them through a bulk WHOIS lookup that revealed:
We subjected the IoCs to DNS lookups, which led to the discovery of 71 IP addresses to which they resolved. While none of them are currently detected as malicious, their connection to confirmed malicious spam domains warrants that they at least be monitored for signs of criminal activity.
A bulk IP geolocation lookup for the IP addresses showed that most of them were geolocated in the U.S., China, Germany, and Japan. The U.S., China, and Germany (though not Japan) appeared on Spamhaus’s list of top spam-sending countries as of 29 September 2022.
Next, we performed historical WHOIS searches for the IoCs, which uncovered 18 registrant email addresses. The majority of them (79%) were QQMail (i.e., qq.com) accounts although their owners would be hard to identify given the use of random characters (i.e., letters and numbers) instead of proper names.
To further expand the list of potentially related threat artifacts, the IP addresses were used as reverse IP search terms. That led to the discovery of 354 domains. Fortunately, none of them are currently deemed malicious. Several, however, shared similarities with the IoCs, and so warrant closer attention from security teams. These domains include 87 NRDs whose registrant details have been redacted.
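The pivot described in the steps above (seed domains to resolved IPs, reverse IP to co-hosted domains, then WHOIS traits such as qq.com registrant accounts with random-character local parts and recent registration), as an added example that is not the article's own code. All seed domains, DNS answers, and WHOIS records are constructed placeholder data standing in for the lookups a WHOIS/DNS/IP intelligence service would return; the random-local-part regex and the 30-day NRD window are assumptions.

```python
"""Pivot from seed malicious-spam domains to related infrastructure worth monitoring.
Added example: the lookup tables below are constructed, not real indicators."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample data (RFC 5737 test addresses, .example names).
SEED_DOMAINS = {"spam-seed-a.example", "spam-seed-b.example"}
DNS_A = {  # domain -> IPv4 addresses it resolves to (constructed)
    "spam-seed-a.example": ["192.0.2.10"],
    "spam-seed-b.example": ["192.0.2.10", "198.51.100.7"],
    "shop-lookalike.example": ["192.0.2.10"],
    "benign-corp.example": ["198.51.100.7"],
    "xk9q2z.example": ["198.51.100.7"],
}
WHOIS = {  # domain -> (registrant email, creation date) (constructed)
    "spam-seed-a.example": ("a8f3k2@qq.com", date(2022, 9, 1)),
    "spam-seed-b.example": ("zz91ql@qq.com", date(2022, 9, 3)),
    "shop-lookalike.example": ("REDACTED", date(2022, 9, 20)),
    "benign-corp.example": ("admin@benign-corp.example", date(2015, 4, 2)),
    "xk9q2z.example": ("q7m2xa@qq.com", date(2022, 9, 25)),
}
TODAY = date(2022, 9, 29)  # assumed analysis date
# Heuristic (assumption): lowercase letters and digits only, at least one digit,
# five or more characters, i.e. no recognisable name in the local part.
RANDOM_LOCALPART = re.compile(r"^(?=.*\d)[a-z0-9]{5,}$")

def random_qq_account(email):
    """True for a qq.com address whose local part looks machine-generated."""
    local, _, host = email.lower().partition("@")
    return host == "qq.com" and bool(RANDOM_LOCALPART.match(local))

def reverse_ip(ip):
    """Reverse IP lookup over the constructed table: every domain hosted on ip."""
    return {d for d, ips in DNS_A.items() if ip in ips}

def pivot(seeds, nrd_days=30):
    """Return {domain: [reasons]} for non-seed domains that share a seed IP,
    annotated with the WHOIS traits the text uses to flag related domains."""
    seed_ips = {ip for d in seeds for ip in DNS_A.get(d, [])}
    found = defaultdict(list)
    for ip in sorted(seed_ips):
        for dom in sorted(reverse_ip(ip) - set(seeds)):
            found[dom].append(f"shares IP {ip} with a seed domain")
    for dom in found:
        email, created = WHOIS.get(dom, ("UNKNOWN", None))
        if random_qq_account(email):
            found[dom].append("qq.com registrant with random-looking local part")
        if created and (TODAY - created).days <= nrd_days:
            found[dom].append(f"newly registered on {created.isoformat()}")
        if email == "REDACTED":
            found[dom].append("registrant details redacted")
    return dict(found)
```

Domains with only the shared-IP reason (here benign-corp.example) are co-hosting noise to watch, while those that also carry registrant or NRD traits are the ones the article singles out for closer attention.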
Even if no organization can escape spam, protecting against outright malicious emails that can lead to financial and reputational damages can still be made more effective by identifying and blocking threats from the source with the aid of WHOIS, DNS, and IP intelligence.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.