|
This year, the stock market is at its most volatile state due to several factors. Debates abound about whether 2022 will be as bad as 2008, but we’ll leave that up to the experts. What we know is, because the stock and forex market status is attracting media and public attention, threat actors might be riding that particular wave.
This study analyzed thousands of web properties containing “nasdaq” as a string. And since the forex market has also been making headlines, we included the search term “forex” in our searches. Our key findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To determine how dangerous the investment-related digital properties might be, we used our extensive DNS and IP intelligence sources to determine their locations, ownership details, and content. Below are four questions we sought to answer.
The domains containing “nasdaq” and “forex” were mainly registered in the U.S. A significant percentage were also registered in Iceland, but mostly because the registrants employed the services of a privacy redaction provider based in that country.
About 90% of the properties had active IP resolutions, mostly geolocated in the U.S. and Germany.
Most of the web resources were managed by Namecheap, accounting for about 17% of the total volume. It was followed by GoDaddy and GMO with 9.5% and 7.5% shares, respectively.
Also, note that almost all of the domains studied had redacted WHOIS records. About 80% of the registrant email addresses we retrieved through a bulk WHOIS search were anonymized.
We subjected all the digital properties to a domain malware check and found that several have already figured in malicious campaigns. Despite having been reported, some continued to host live content. A few examples are shown below.
We saw three types of malicious content used in different campaigns after a closer look at the sample malicious domains, namely:
A screenshot lookup on all the resolving resources revealed several domains that hosted the same content as those flagged “malicious.” Below are some examples of domains hosting the same Nasdaq login page as nasdaqtaiwan[.]com.
The following domains hosted content similar to the malicious domain clever-forex[.]com, a page that promised clients up to US$10,000 as a signup bonus. It also featured the same Telegram account.
We also found dozens of domains that looked similar to forextrackingnumbercheck[.]com, with pages showing thumbnail photos seemingly promoting Exness. Several domains seemed to imitate the trading platform.
Aside from Exness, some content was also made to look like those of legitimate websites. Here are some examples.
While some of the web properties in this study may be operated by legitimate stock and forex brokers, several may figure in malicious campaigns targeting investors. We already found dozens flagged as malicious and more that could be potentially dangerous.
Aside from educating investors about the dangers of cybersquatting, regular monitoring of investment-related web resources can help detect suspicious domains and subdomains earlier before investors lose money to threat actors.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byDNIB.com