It has become customary for cybercriminals to ride on famous brands to make their nefarious campaigns work. The release of the world’s most-awaited tech gadgets is no different. And given the public attention and techies’ innate desire to be first to own the latest gadgets, threat actors will always zoom in on prospective buyers via the most ingenious scams.
We trailed our sights on 2022’s most-sought-after tech releases in an effort to help users stay protected. Our investigation sought to determine if cybercriminals take just as long to prepare their campaigns as legitimate businesses do. Our key findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our investigation by looking for domain registration-related clues via Domains & Subdomains Discovery. Using our list of 2022’s most-awaited tech releases, we identified domain or subdomain strings that threat actors may plan to use for their scams (see the table below for details).
| Most-Awaited Gadgets | Slated Release Date | Strings |
|---|---|---|
| Panic Playdate | 18 April 2022 | playdate; playdate + console |
| Valve Steam Deck | 25 February 2022 | steam + deck; valve + steam + deck |
| Rivian R1T | January 2022 (for all variants but originally released in September 2021) | rivian + r1t |
| Rivian R1S | June 2022 | rivian + r1s |
| Magic Leap 2 | September 2022 | magicleap2 |
| Meta Quest 3 | October 2023 (delayed) | meta + quest3 |
| Apple iPhone 14 | 16 September 2022 | apple + iphone14; iphone14 |
| Google Pixel Watch | 13 October 2022 | google + pixel + watch; pixel + watch |
| Apple AR Glasses | January 2023 (delayed) | apple + arglasses |
| Chevy Silverado E | March 2023 (delayed) | chevy + silveradoe |
| Google AR Glasses | 2023 or 2024 (delayed) | google + arglasses |
To determine if cybercriminals spent as much time as marketers typically did on their campaign preparation (i.e., a year before the launch), we looked at the domain registration volume trends for each product a year before their slated releases. For the products originally slated to hit the market sometime in 2022, we began the tracking around two years before the new dates their manufacturers set.
That led to the discovery of 855 domains. Note that obvious false positives like playdate-app[.]io, doggyplaydate[.]ws, and toddlerplaydate[.]com were removed from our list of “playdate”-containing domains given the string’s generic nature. A bulk malware check showed that four of these are currently detected as malicious, namely:
Only two (iphone14[.]biz and 25iphone14pro[.]top) continued to host live content, but based on screenshot lookups neither had anything to do with selling the iPhone 14, and neither was owned by the manufacturers of the products named.
It’s also interesting to note that only 41 of the 855 domains containing our predefined strings had unredacted registrant email addresses or were owned by the product manufacturers under scrutiny based on a bulk WHOIS lookup. Specifically, 24 indicated Apple, Inc. or Apple France as their registrant organization and three noted domains@apple[.]com as their registrant email address akin to domains the tech giant owned.
We followed the same steps for subdomains, leading to the discovery of 117 web properties bearing the strings identified earlier. Of these, four are currently classified as malware hosts—iphone14[.]pwr-lotterie1[.]tk, iphone14[.]issam[.]digital, www[.]iphone14[.]issam[.]digital, and iphone14metacollab[.]blogspot[.]com.
While all four pages remain live, Blogspot seemed diligent in removing the malicious blog from its platform. None of the subdomains were owned by the product manufacturers under study.
To know how much time threat actors spent on crafting their specially designed traps, we took a closer look at the malicious domains’ and subdomains’ (based on their root domains) WHOIS records. The malicious page iphone14metacollab[.]blogspot[.]com was, of course, excluded since anyone can create a blog on the platform.
Five of the malicious cyber resources were created between three and 29 weeks before their target products’ launch dates. One, however, was created a week after the target gadget’s release. Another—iphone14[.]pwr-lotterie1[.]tk—didn’t have a creation date on record. The more detailed the site, as was the case with iphone14[.]biz, it seemed, the longer the preparation took.
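The triage described above (match newly seen domains against the product strings, drop benign uses of generic strings, then measure how far ahead of launch each hit was registered) can be scripted. The following is an added example written for this page, not code from the study; the domains and creation dates in it are constructed, and only three products from the table are included for brevity.

```python
from datetime import date
from typing import Optional

# Launch dates and keyword groups from the table above; a host matches a
# group when every token in that group appears in it.
WATCHLIST = {
    "Panic Playdate": (date(2022, 4, 18), [("playdate",), ("playdate", "console")]),
    "Valve Steam Deck": (date(2022, 2, 25), [("steam", "deck"), ("valve", "steam", "deck")]),
    "Apple iPhone 14": (date(2022, 9, 16), [("apple", "iphone14"), ("iphone14",)]),
}
# Generic strings need a false-positive filter (cf. the doggy/toddler playdate sites).
GENERIC_FALSE_POSITIVES = {"playdate": ("doggy", "toddler", "playdate-app")}

def normalize_host(domain: str) -> str:
    """Undo defanging ([.] -> .) and lower-case the host for matching."""
    return domain.replace("[.]", ".").strip().lower()

def match_product(domain: str) -> Optional[str]:
    """Return the watched product a domain/subdomain impersonates, or None."""
    host = normalize_host(domain)
    for product, (_, groups) in WATCHLIST.items():
        if not any(all(tok in host for tok in group) for group in groups):
            continue
        for generic, markers in GENERIC_FALSE_POSITIVES.items():
            if generic in host and any(m in host for m in markers):
                return None  # benign use of a generic string
        return product
    return None

def weeks_before_launch(created: Optional[date], launch: date) -> Optional[float]:
    """Preparation lead time in weeks; negative means registered after launch."""
    if created is None:  # WHOIS record without a creation date
        return None
    return round((launch - created).days / 7, 1)

def triage(records):
    """records: iterable of (domain, creation_date_or_None) from a bulk WHOIS lookup."""
    hits = []
    for domain, created in records:
        product = match_product(domain)
        if product is None:
            continue
        hits.append({"domain": domain, "product": product,
                     "weeks_before_launch": weeks_before_launch(created, WATCHLIST[product][0])})
    return hits

# Constructed sample WHOIS results (placeholder names, not domains from the study).
SAMPLE_RECORDS = [
    ("iphone14-preorder-example[.]top", date(2022, 2, 25)),   # 29 weeks ahead of launch
    ("steamdeck-giveaway-example[.]xyz", date(2022, 1, 21)),  # 5 weeks ahead
    ("playdate-console-example[.]com", date(2022, 4, 25)),    # a week after launch
    ("iphone14-example[.]tk", None),                          # no creation date on record
    ("doggyplaydate-example[.]ws", date(2021, 11, 1)),        # generic false positive
]
```

Running `triage(SAMPLE_RECORDS)` yields four hits; the doggy-playdate record is filtered out as a false positive and the record without a creation date is reported with an unknown lead time.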
The quick answer to our primary question then is that cybercrime may require weeks or months of planning. The more convincing a malicious website wishes to appear for greater chances of success, the more work and longer prep time required.
In addition, further investigation into the iPhone 14 domains showed that the related registration volume peaked in September, coinciding with the product’s launch date. At present, domain registration has slowed down.
Cybercriminals and other threat actors are, as this study showed, aiming to gain the biggest profit. The time and effort they put into their campaigns and malicious sites could be expected to equate to their financial goals.
In the bad guys’ case, the better the hoax, the greater the potential gain. The threats fake sites pose, however, are avoidable with the help of diligent WHOIS and DNS intelligence monitoring and consequent threat source blocking.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.