Phishing is an old threat, but it keeps growing in sophistication, as the DarkTortilla campaign showed. Cyble Research and Intelligence Labs (CRIL) published a technical analysis of the campaign, whose lures impersonated Cisco and Grammarly. Are there other potential threat vectors, though?
WhoisXML API researchers obtained three indicators of compromise (IoCs) and performed an expansion analysis that led to the discovery of:
- two IP addresses to which the IoCs resolved
- 300+ domains sharing those IP addresses, two of them malicious
- 11,000+ domains containing the spoofed brands' names, 23 of them malicious
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The CRIL report identified two domains—cicsom[.]com and gnammarly[.]com—and one URL—https://atomm[.]com[.]br/[.]well-known/acme-challenge/ol/Fjawtld[.]png—as IoCs.
DNS lookups for the IoCs uncovered two IP resolutions—104[.]21[.]15[.]248 and 172[.]67[.]165[.]88. Both IP addresses geolocated to the U.S. and were managed by Cloudflare, Inc. Note that both sit in Cloudflare's anycast ranges, so the geolocation describes Cloudflare's edge rather than the origin server behind it.
Reverse IP lookups for these then led to the discovery of at least 300 potentially connected domains. Because Cloudflare edge addresses are shared by large numbers of unrelated customers, co-hosting on them is weak evidence of a common operator, so these domains should be treated as leads rather than confirmed infrastructure. A bulk malware check for these web properties revealed that two were malicious, namely, bridgesconstructionservicesinc[.]com and cl7q5s[.]cyou.
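The first two steps above, refanging the published IoCs and weighting the reverse-IP pivot by whether a resolved address is a shared CDN edge, as an added example; this is not code from the WhoisXML API post. It assumes Cloudflare's published IPv4 list (https://www.cloudflare.com/ips-v4) as it stood when this was written, and it uses the post's resolutions as literals where a live run would resolve them over DNS.

```python
"""Added example (not from the WhoisXML API post): refang the post's three IoCs
and weight the reverse-IP pivot by whether a resolved IP is a shared CDN edge."""
import ipaddress
from urllib.parse import urlsplit

# The three IoCs quoted from the CRIL report, in defanged form.
DEFANGED_IOCS = [
    "cicsom[.]com",
    "gnammarly[.]com",
    "https://atomm[.]com[.]br/[.]well-known/acme-challenge/ol/Fjawtld[.]png",
]

# The two resolutions quoted in the post, defanged. In a live run these would
# come from DNS lookups rather than from a literal list.
DEFANGED_IPS = ["104[.]21[.]15[.]248", "172[.]67[.]165[.]88"]

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list is current, and any hit means "shared anycast edge",
# i.e. the IP fronts many unrelated origins and co-hosting on it is weak
# evidence of a link between tenants.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def refang(value: str) -> str:
    """Undo the common [.] and hxxp defanging so the value can be parsed."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def ioc_host(ioc: str) -> str:
    """Host name of a domain or URL IoC, lower-cased, without scheme or path."""
    value = refang(ioc).strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().rstrip(".")


def is_shared_edge(ip: str) -> bool:
    """True if the (possibly defanged) IPv4 address lies in a Cloudflare range."""
    addr = ipaddress.ip_address(refang(ip))
    return any(addr in net for net in CLOUDFLARE_V4)


def pivot_confidence(ips) -> dict:
    """Map each IP to 'low' (shared edge: reverse-IP neighbours are mostly
    unrelated tenants) or 'normal' (dedicated host: neighbours deserve a
    closer look)."""
    return {refang(ip): ("low" if is_shared_edge(ip) else "normal") for ip in ips}


if __name__ == "__main__":
    for ioc in DEFANGED_IOCS:
        print(f"{ioc:72} -> {ioc_host(ioc)}")
    for ip, conf in pivot_confidence(DEFANGED_IPS).items():
        print(f"{ip:16} reverse-IP pivot confidence: {conf}")
```

Both of the post's resolutions come back as low-confidence pivots, which is why the 300 co-hosted domains need a second signal (the bulk malware check, WHOIS overlap, or content similarity) before they are treated as related.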
Since the phishers targeted legitimate companies, we looked for other possible cybersquatting domains. We used the strings Cisco, Grammarly, and Atomm as Domains & Subdomains Discovery search terms, focusing only on domains akin to the IoCs.
Our search uncovered at least 11,358 domains, 23 of which turned out to be malicious. In particular, 21 of these web properties seemingly served as malware hosts, one was a confirmed spam host, and another was a confirmed phishing page. Ten of the malicious domains are listed below.
MALICIOUS DOMAIN | CATEGORY |
---|---|
cisco[.]work | Malware |
cisco[.]asia | Malware |
cisco[.]pics | Malware |
ciscopro[.]ru | Malware |
shopcisco[.]eu | Malware |
ciscoav[.]com | Phishing |
grammarly[.]pics | Malware |
grammarlyget[.]com | Malware |
appgrammarly[.]info | Malware |
mygrammarly[.]co | Spam |
Apart from typosquatting on the companies’ brands, some of the malicious domains also seemed to redirect to the organizations’ legitimate pages. Here’s an example obtained from a screenshot lookup.
Next, we compared the 11,000+ potential cybersquatting domains' WHOIS records with those of the legitimate companies. Only 451 of them appeared to be owned by the imitated entities. The comparison was straightforward for Cisco, since the organization doesn't redact its WHOIS records. It wasn't as straightforward for Grammarly, whose WHOIS record is redacted.
We had to use two filters for the Grammarly look-alike domains. First, we filtered out those whose registrant organization was anything other than Domains By Proxy, LLC. Next, we removed the digital properties whose registrar was anything other than GoDaddy.com, LLC. That left us with only 27 domains likely owned by Grammarly out of the 476 that contained the company's brand name. Bear in mind that Domains By Proxy, LLC is GoDaddy's default privacy service, so this registrant-plus-registrar pair appears on a great many unrelated registrations; it is a weak ownership signal compared with Cisco's organization-specific administrative e-mail address, and the 27 should be read as "not ruled out" rather than confirmed Grammarly property.
The table below shows the specific WHOIS record details we used to determine ownership.
COMPANY | LEGITIMATE DOMAIN | WHOIS RECORD DETAIL USED AS COMPARISON PARAMETER |
---|---|---|
Cisco | cisco[.]com | Administrative email address: infosec@cisco[.]com |
Grammarly | grammarly[.]com | Registrant organization: Domains By Proxy, LLC Registrar name: GoDaddy.com, LLC |
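The ownership filter described above, as an added example that is not code from the WhoisXML API post: it applies the table's comparison parameters to constructed WHOIS records and labels each match by its strength, so that a privacy-proxy match (Grammarly's rule) is not mistaken for proof of ownership. The domains and WHOIS values are constructed under the reserved .test TLD and are not real records for any domain named in the post.

```python
"""Added example (not from the WhoisXML API post): the WHOIS ownership filter
the post describes, applied to constructed records, with match strength made
explicit so privacy-proxy matches are not mistaken for proof of ownership."""

# Search terms the post used for look-alike discovery.
BRAND_TERMS = ("cisco", "grammarly", "atomm")

# Comparison parameters as the post's table states them. A rule keyed on an
# organisation-specific identifier (Cisco's admin e-mail) is strong; one keyed
# only on a privacy proxy plus registrar (Grammarly) is weak, because Domains
# By Proxy, LLC is GoDaddy's default privacy service and the same pair appears
# on a vast number of unrelated registrations.
OWNERSHIP_RULES = {
    "cisco": {"strength": "strong",
              "match": {"admin_email": "infosec@cisco.com"}},
    "grammarly": {"strength": "weak",
                  "match": {"registrant_org": "Domains By Proxy, LLC",
                            "registrar": "GoDaddy.com, LLC"}},
}


def brand_for(domain: str):
    """First brand term found in the domain name, or None."""
    d = domain.lower()
    return next((t for t in BRAND_TERMS if t in d), None)


def _norm(value) -> str:
    """Case- and whitespace-insensitive comparison key; None becomes ''."""
    return (value or "").strip().lower()


def classify(domain: str, whois: dict) -> str:
    """Return 'owned-strong', 'owned-weak', 'review' (brand match but the
    WHOIS parameters differ or no rule exists) or 'no-brand'."""
    brand = brand_for(domain)
    if brand is None:
        return "no-brand"
    rule = OWNERSHIP_RULES.get(brand)
    if rule and all(_norm(whois.get(k)) == _norm(v) for k, v in rule["match"].items()):
        return f"owned-{rule['strength']}"
    return "review"


def triage(records: dict) -> dict:
    """Bucket a {domain: whois_fields} mapping by classification."""
    buckets = {}
    for domain, whois in records.items():
        buckets.setdefault(classify(domain, whois), []).append(domain)
    return buckets


# Constructed WHOIS snippets for illustration only (reserved .test TLD).
SAMPLE_RECORDS = {
    "cisco.test":        {"admin_email": "infosec@cisco.com",
                          "registrar": "Example Corporate Registrar, Inc."},
    "ciscoav.test":      {"admin_email": "REDACTED FOR PRIVACY",
                          "registrar": "Example Retail Registrar, Inc."},
    "grammarly.test":    {"registrant_org": "Domains By Proxy, LLC",
                          "registrar": "GoDaddy.com, LLC"},
    "grammarlyget.test": {"registrant_org": "Domains By Proxy, LLC",
                          "registrar": "GoDaddy.com, LLC"},
    "mygrammarly.test":  {"registrant_org": "Other Privacy Service",
                          "registrar": "Example Retail Registrar, Inc."},
    "bridges.test":      {"registrant_org": "Domains By Proxy, LLC",
                          "registrar": "GoDaddy.com, LLC"},
}

if __name__ == "__main__":
    for bucket, domains in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{bucket:13} {', '.join(sorted(domains))}")
```

The constructed grammarlyget.test shows the weakness the post runs into: any Grammarly look-alike registered through GoDaddy with default privacy passes the rule, so an "owned-weak" result still needs a second check (content, certificate, or name-server overlap with grammarly[.]com) before it is dropped from the suspicious set.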
We also obtained screenshots for look-alike domains that could serve as phishing pages or other malware distributors, provided they did not redirect elsewhere. Here are some examples of suspicious web pages that didn't share the WHOIS record identifiers we used for Cisco and Grammarly.
Even where a look-alike domain's page didn't carry the spoofed company's logo or content, it could still trick visitors into giving out personal information, putting them at risk of being phished or scammed. Examples of such suspicious domains, hosting pages that offered prizes in exchange for playing a game or that presented account login forms, are shown below.
Our IoC expansion analysis, aided by IP, DNS, and WHOIS intelligence, enabled us to uncover 11,600+ artifacts that could be connected to DarkTortilla. It also allowed us to identify 29 malicious domains that could put Cisco or Grammarly customers at particular risk of spam, phishing, and malware infection.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.