Scammers and fraudsters have been making life hard for users the world over for a long time now. To help expose potential malicious campaigns, threat researchers like Dancho Danchev have been collating indicators of compromise (IoCs) that can be used in further investigations.
Among his other findings, Danchev recently identified three unredacted email addresses known to have figured in international fraud campaigns. The WhoisXML API research team expanded the list of IoCs, identifying 3,751 additional artifacts, including:
- 75 email-connected domains, five of which turned out to be malicious
- Nine IP addresses to which the email-connected domains resolved, three of which turned out to be malware hosts
- 1,811 IP-connected domains, six of which turned out to be malware hosts
- 1,856 string-connected domains, 61 of which turned out to be malicious
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis by using Reverse WHOIS Search to look for domains registered with the three email addresses identified as IoCs. That led to the discovery of 75 domains, five of which turned out to be malicious.
Two of the malicious domains were unreachable at the time of writing. Two others (i.e., astralair[.]com and sahinler-tr[.]com) were seemingly up for sale. The last domain was parked, but given its name (i.e., usa-irs[.]com), it could figure in Internal Revenue Service (IRS)-themed scams.
We then subjected the email-connected domains to DNS lookups, which uncovered nine IP address resolutions. Three of these IP hosts were confirmed to be malware hosts.
IP geolocation lookups for the IP addresses showed they were mostly concentrated in North America: six of them were geolocated in the U.S. and one in Canada. The only other host with an identifiable geolocation pointed to Germany, while the last host's location was unknown.
Our analysis also revealed that seven of the IP hosts were shared, with more than 300 resolving domains each, while the remaining two appeared to be private. Specifically, only six domains resolved to 104[.]253[.]92[.]243, and a single domain was hosted on 154[.]64[.]232[.]58.
Next, reverse IP/DNS lookups for the IP hosts provided us with an additional 1,811 domains, six of which turned out to be malware hosts. Of these, 0-0[.]icu proved most interesting in that it continued to host content that offered visitors a free gift should they shop on the site. Note that free offers are a typical scammer technique.
Screenshot of 0-0[.]icu
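The pivot chain described above (registrant email to domains via reverse WHOIS, domains to IP addresses via DNS, IP addresses back to co-hosted domains via reverse IP/DNS) can be expressed as a small expansion routine. The following is an added illustration, not the WhoisXML API research team's tooling: the WHOIS and DNS records are constructed for the example and stand in for the Reverse WHOIS, DNS lookup and reverse IP/DNS products the post used, and the "shared" versus "private" host labels follow the post's observation that shared hosts carried more than 300 resolving domains.

```python
"""Artifact expansion by pivoting: email -> domains -> IPs -> co-hosted domains.

Added example, not code from the original post. All records below are constructed
sample data, defanged the same way the post defangs its indicators.
"""
from collections import defaultdict

# Constructed registrant-email index (stand-in for Reverse WHOIS results).
WHOIS_RECORDS = {
    "astralair[.]com": "fraud1@example[.]com",
    "sahinler-tr[.]com": "fraud1@example[.]com",
    "usa-irs[.]com": "fraud2@example[.]com",
    "unrelated-shop[.]com": "someone-else@example[.]com",
}

# Constructed A records (stand-in for DNS lookup and reverse IP/DNS results).
DNS_A_RECORDS = {
    "astralair[.]com": ["104[.]253[.]92[.]243"],
    "sahinler-tr[.]com": ["203[.]0[.]113[.]10"],
    "usa-irs[.]com": ["203[.]0[.]113[.]10"],
    "0-0[.]icu": ["203[.]0[.]113[.]10"],
    "tracking-fedex[.]top": ["203[.]0[.]113[.]10"],
    "hsbc-secure-login[.]xyz": ["104[.]253[.]92[.]243"],
    "unrelated-shop[.]com": ["198[.]51[.]100[.]7"],
}


def reverse_whois(emails, whois=WHOIS_RECORDS):
    """Domains whose registrant email is one of the seed IoCs."""
    return sorted(d for d, e in whois.items() if e in emails)


def resolve(domains, dns=DNS_A_RECORDS):
    """Distinct IP addresses the given domains resolve to."""
    ips = set()
    for d in domains:
        ips.update(dns.get(d, []))
    return sorted(ips)


def reverse_ip(ips, dns=DNS_A_RECORDS):
    """Map each IP address to every domain in the dataset that resolves to it."""
    index = defaultdict(set)
    for d, addrs in dns.items():
        for a in addrs:
            index[a].add(d)
    return {ip: sorted(index[ip]) for ip in ips}


def classify_hosts(ip_to_domains, shared_threshold=300):
    """Label an IP 'shared' when more than `shared_threshold` domains resolve to it.

    300 is the figure the post reports for its shared hosts; the label scheme is
    an assumption made for this example.
    """
    return {
        ip: ("shared" if len(doms) > shared_threshold else "private")
        for ip, doms in ip_to_domains.items()
    }


def expand(seed_emails):
    """Run the full pivot chain from seed emails and return each artifact tier."""
    email_domains = reverse_whois(seed_emails)
    ips = resolve(email_domains)
    ip_map = reverse_ip(ips)
    # IP-connected domains exclude the ones we already reached via the emails.
    ip_domains = sorted({d for doms in ip_map.values() for d in doms} - set(email_domains))
    return {
        "email_connected_domains": email_domains,
        "ips": ips,
        "ip_connected_domains": ip_domains,
        "hosting": classify_hosts(ip_map),
    }


if __name__ == "__main__":
    result = expand({"fraud1@example[.]com", "fraud2@example[.]com"})
    for tier, artifacts in result.items():
        print(tier, artifacts)
```

When the reverse-IP step runs against a shared host, it will return hundreds of unrelated domains; the classification step is what tells you whether a co-hosted domain is worth treating as connected to the seed or merely a tenant of the same provider.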
A closer look at the additional artifacts we found so far showed many of them contained the names of financial service providers (e.g., PayPal), banks (e.g., HSBC), postal service providers (e.g., FedEx), government institutions (e.g., IRS), and international nongovernmental organizations (NGOs) (e.g., United Nations).
To find more artifacts that could figure in scams in the future, we used the brand name-containing strings in the table below as Domains & Subdomains Discovery search terms. In particular, we limited our search to domains registered since 1 January 2023.
| BRAND NAME | SEARCH STRING |
|---|---|
| PayPal | paypal |
| HSBC | hsbc |
| IRS | irs + us (Obvious false positives, such as those containing the string "first", were excluded.) |
| Absa Bank | absabank |
| Zenith Bank | zenithbank |
| Western Union | westernunion |
| FedEx | fedex |
| TD Canada Trust | canadatrust |
| Halifax | halifax |
| FBI | fbi + us (Obvious false positives were excluded.) |
| UN | unitednations (The string "un" wasn't used, to remove as many false positives as possible.) |
| Samsung | samsung |
| First Bank | firstbank |
The results we collated gave us 1,856 more artifacts, 61 of which turned out to be malicious. Other strings commonly used alongside the brand names, led by track or trace, online, and service, are shown in the word cloud below.
These strings, found in several brand-containing domains, are typically found in URLs that point to scam pages and phishing sites.
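The search-term logic in the table, together with the registration-date cutoff and the tally of co-occurring strings, amounts to a filter over a domain feed. The following is an added example of that filter, not code from the post or from the Domains & Subdomains Discovery product. It encodes the table's search strings literally (required substrings joined by "+", plus the one documented exclusion, "first", for the IRS term; the post does not list the FBI exclusions, so none are encoded), applies the 1 January 2023 cutoff, and counts the leftover tokens the way the word cloud does. The domain feed and creation dates are constructed sample data.

```python
"""Brand-string discovery over a domain feed, with date cutoff and co-occurring terms.

Added example, not the post's own tooling. Search terms mirror the post's table;
the sample domains and dates below are constructed.
"""
import re
from collections import Counter
from datetime import date

# (required substrings, substrings that mark an obvious false positive)
BRAND_SEARCH_TERMS = {
    "PayPal": (("paypal",), ()),
    "HSBC": (("hsbc",), ()),
    "IRS": (("irs", "us"), ("first",)),
    "Absa Bank": (("absabank",), ()),
    "Zenith Bank": (("zenithbank",), ()),
    "Western Union": (("westernunion",), ()),
    "FedEx": (("fedex",), ()),
    "TD Canada Trust": (("canadatrust",), ()),
    "Halifax": (("halifax",), ()),
    "FBI": (("fbi", "us"), ()),  # the post excluded false positives but does not list them
    "UN": (("unitednations",), ()),
    "Samsung": (("samsung",), ()),
    "First Bank": (("firstbank",), ()),
}

CUTOFF = date(2023, 1, 1)  # the post limited results to domains registered since this date

# Constructed feed of (domain, creation date); not from the post.
SAMPLE_DOMAINS = [
    ("paypal-track[.]top", date(2023, 3, 2)),
    ("hsbc-online-service[.]xyz", date(2023, 5, 14)),
    ("usa-irs-refund[.]com", date(2023, 2, 1)),
    ("first-us-cars[.]com", date(2023, 4, 9)),       # contains irs + us only via "first"
    ("fedextrace[.]net", date(2023, 6, 30)),
    ("halifax-online[.]co", date(2022, 11, 3)),      # registered before the cutoff
    ("samsungservice[.]shop", date(2023, 7, 7)),
    ("unitednations-grant[.]org", date(2023, 8, 19)),
    ("firstbank-secure[.]info", date(2023, 9, 1)),
]


def normalize(domain):
    """Refang, lowercase, and drop the TLD so brand strings are matched against the name only."""
    name = domain.lower().replace("[.]", ".")
    labels = name.split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else name


def match_brands(domain):
    """Brands whose search term (all required substrings, no excluded ones) hits the domain."""
    name = normalize(domain)
    hits = []
    for brand, (required, excluded) in BRAND_SEARCH_TERMS.items():
        if all(s in name for s in required) and not any(s in name for s in excluded):
            hits.append(brand)
    return hits


def find_brand_domains(records, since=CUTOFF):
    """Return {domain: [brands]} for domains created on/after `since` that match a term."""
    found = {}
    for domain, created in records:
        if created < since:
            continue
        hits = match_brands(domain)
        if hits:
            found[domain] = hits
    return found


def cooccurring_terms(brand_domains, min_len=3):
    """Count the strings left over once the matched brand substrings are removed."""
    counter = Counter()
    for domain, brands in brand_domains.items():
        name = normalize(domain)
        for brand in brands:
            for s in BRAND_SEARCH_TERMS[brand][0]:
                name = name.replace(s, " ")
        for token in re.split(r"[^a-z0-9]+", name):
            if len(token) >= min_len and not token.isdigit():
                counter[token] += 1
    return counter


if __name__ == "__main__":
    matched = find_brand_domains(SAMPLE_DOMAINS)
    for d, b in matched.items():
        print(d, b)
    print(cooccurring_terms(matched).most_common(5))
```

The "irs + us" term is a good illustration of why an exclusion list is needed: any domain containing "first" also contains "irs", so without the exclusion the IRS bucket fills with unrelated names. Whatever search product you use, keep the term definitions and exclusions in data like this so the query that produced a list of artifacts can be reproduced later.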
Our deep dive into the WHOIS and DNS records of three email addresses used by international fraudsters led to the discovery of more than 3,700 domains that could serve as hosts to scam pages in the future. In fact, 72 of them have already been tagged malicious.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.