Home / Industry

The Business of Cybercrime: Does Malicious Campaign Planning Take as Long as Legitimate Marketing Campaign Planning?

It has become customary for cybercriminals to ride on famous brands to make their nefarious campaigns work. The release of the world’s most-awaited tech gadgets is no different. And given the public attention and techies’ innate desire to be first to own the latest gadgets, threat actors will always zoom in on prospective buyers via the most ingenious scams.

We trailed our sights on 2022’s most-sought-after tech releases in an effort to help users stay protected. Our investigation sought to determine if cybercriminals take just as long to prepare their campaigns as legitimate businesses do. Our key findings include:

  • A total of 855 domains containing strings cybercriminals were likely to use in campaigns targeting the most-awaited gadgets’ potential buyers were discovered.
  • We uncovered 118 subdomains containing strings cybercriminals may employ in campaigns targeting the techies lying in wait for 2022’s most-sought-after tech finds.
  • Eight of the domains and subdomains containing the top 2022 products have been detected as malicious.
  • Threat actors may have spent 3—29 weeks to prepare for their malicious campaign launches.
  • The iPhone 14-related domain registration peaked in September, coinciding with its slated launch date.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Fishing for Clues in the DNS

We began our investigation by looking for domain registration-related clues via Domains & Subdomains Discovery. Using our list of 2022’s most-awaited tech releases, we identified domain or subdomain strings that threat actors may plan to use for their scams (see the table below for details).

Most-Awaited GadgetsSlated Release DateStrings
Panic Playdate18 April 2022playdateplaydate + console
Valve Steam Deck25 February 2022steam + deckvalve + steam + deck
Rivian R1TJanuary 2022 (for all variants but originally released in September 2021)rivian + r1t
Rivian R1SJune 2022rivian + r1s
Magic Leap 2September 2022magicleap2
Meta Quest 3October 2023 (delayed)meta + quest3
Apple iPhone 1416 September 2022apple + iphone14iphone14
Google Pixel Watch13 October 2022google + pixel + watchpixel + watch
Apple AR GlassesJanuary 2023 (delayed)apple + arglasses
Chevy Silverado EMarch 2023 (delayed)chevy + silveradoe
Google AR Glasses2023 or 2024 (delayed)google + arglasses

To determine if cybercriminals spent as much time as marketers typically did on their campaign preparation (i.e., a year before the launch), we looked at the domain registration volume trends for each product a year before their slated releases. For the products originally slated to hit the market sometime in 2022, we began the tracking around two years before the new dates their manufacturers set.

That led to the discovery of 855 domains. Note that obvious false positives like playdate-app[.]io, doggyplaydate[.]ws, and toddlerplaydate[.]com were removed from our list of “playdate”-containing domains given the string’s generic nature. A bulk malware check showed that four of these are currently detected as malicious, namely:

  • steamdecktouchtype[.]com
  • apple-iphone14[.]in
  • iphone14[.]biz
  • 25iphone14pro[.]top

Only two—iphone14[.]biz and 25iphone14pro[.]top—continued to host live content but none had anything to do with selling iPhone 14 based on screenshot lookups nor owned by the manufacturers of the products named.

It’s also interesting to note that only 41 of the 855 domains containing our predefined strings had unredacted registrant email addresses or were owned by the product manufacturers under scrutiny based on a bulk WHOIS lookup. Specifically, 24 indicated Apple, Inc. or Apple France as their registrant organization and three noted [email protected][.]com as their registrant email address akin to domains the tech giant owned.

We followed the same steps for subdomains, leading to the discovery of 117 web properties bearing the strings identified earlier. Of these, four are currently classified as malware hosts—iphone14[.]pwr-lotterie1[.]tk, iphone14[.]issam[.]digital, www[.]iphone14[.]issam[.]digital, and iphone14metacollab[.]blogspot[.]com.

While all four pages remain live, Blogspot seemed diligent in removing the malicious blog from its platform. None of the subdomains were owned by the product manufacturers under study.

To know how much time threat actors spent on crafting their specially designed traps, we took a closer look at the malicious domains’ and subdomains’ (based on their root domains) WHOIS records. The malicious page iphone14metacollab[.]blogspot[.]com was, of course, excluded since anyone can create a blog on the platform.

Five of the malicious cyber resources were created between three and 29 weeks before their target products’ launch dates. One, however, was created a week after the target gadget’s release. Another—iphone14[.]pwr-lotterie1[.]tk—didn’t have a creation date on record. The more detailed the site, as was the case with iphone14[.]biz, it seemed, the longer the preparation took.

The quick answer to our primary question then is that cybercrime may require weeks or months of planning. The more convincing a malicious website wishes to appear for greater chances of success, the more work and longer prep time required.

In addition, further investigation into the iPhone 14 domains showed that the related registration volume peaked in September, coinciding with the product’s launch date. At present, domain registration has slowed down.


Cybercriminals and other threat actors are, as this study showed, aiming to gain the biggest profit. The time and effort they put into their campaigns and malicious sites could be expected to equate to their financial goals.

In the bad guys’ case, the better the hoax, the greater the potential gain. The threats fake sites pose, however, is avoidable with the help of diligent WHOIS and DNS intelligence monitoring and consequent threat source blocking.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global