NordVPN Promotion

Home / Industry

Shining the WHOIS and DNS Spotlight on International Fraud

Scammers and fraudsters have been making life hard for users the world over for a long time now. To help expose potential malicious campaigns, threat researchers like Dancho Danchev have been collating indicators of compromise (IoCs) that can be used in further investigations.

Among his other findings, Danchev recently identified three unredacted email addresses known to have figured in international fraud campaigns. The WhoisXML API research team expanded the list of IoCs, identifying 3,751 additional artifacts, including:

  • 75 domains that used the email addresses to register them, five of which turned out to be malicious
  • Nine IP addresses that played host to the email-connected domains we identified, three of which were confirmed malware-laden
  • 1,811 domains that shared the IoCs’ IP hosts, six of which turned out to be malware hosts
  • 1,856 domains that contained some brand names that appeared as strings in the email- and IP-connected web properties we found, 61 of which have been dubbed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

WHOIS-Related Findings

We began our analysis by looking for domains that were registered using the three email addresses identified as IoCs using Reverse WHOIS Search. That led to the discovery of 75 domains, five of which turned out to be malicious.

Two of the malicious domains were now unreachable. The other two of them (i.e., astralair[.]com and sahinler-tr[.]com), however, were seemingly up for sale. The last domain was currently parked, but given its name (i.e., usa-irs[.]com), could figure in Internal Revenue Service (IRS)-themed scams.

DNS-Connected Findings

We continued on by subjecting the email-connected domains to DNS lookups, which uncovered nine IP address resolutions. Three of these IP hosts were confirmed to be malware hosts.

IP geolocation lookups for the IP addresses also showed they were mostly concentrated in North America. In particular, six of them were geolocated in the U.S. and one in Canada. The only one left with an identifiable geolocation pointed to Germany while the last host’s location was unknown.

Our analysis also revealed that seven of the IP hosts were shared with more than 300 resolving domains each while the remaining two appeared to be private. Specifically, only six domains resolved to 104[.]253[.]92[.]243 while a single domain was hosted on 154[.]64[.]232[.]58.

Next, reverse IP/DNS lookups for the IP hosts provided us with an additional 1,811 domains, six of which turned out to be malware hosts. Of these, 0-0[.]icu proved most interesting in that it continued to host content. that offered visitors a free gift should they shop on the site. Note that free offers are a typical scammer technique.

Screenshot of 0-0[.]icu

A closer look at the additional artifacts we found so far showed many of them contained the names of financial service providers (e.g., PayPal), banks (e.g., HSBC), postal service providers (e.g., FedEx), government institutions (e.g., IRS), and international nongovernmental organizations (NGOs) (e.g., United Nations).

To find more artifacts that could figure into scams in the future, we used the brand name-containing strings in the table below as Domains & Subdomains Discovery search terms. In particular, we limited our search for domains registered since 1 January 2023.

BRAND NAMESEARCH STRING
PayPalpaypal
HSBChsbc
IRSirs + us
(Obvious false positives, such as those containing the stringfirst, were excluded.)
Absa Bankabsabank
Zenith Bankzenithbank
Western Unionwesternunion
FedExfedex
TD Canada Trustcanadatrust
Halifaxhalifax
FBIfbi + us
(Obvious false positives were excluded.)
UNunitednations
(The stringunwasn’t used to remove as many false positives as possible.)
Samsungsamsung
First Bankfirstbank

The results we collated gave us 1,856 more artifacts, 61 of which turned out to be malicious. Other strings commonly used alongside the brand names topped by track or trace, online, and service are shown in the word cloud below.

These strings found in several brand-containing domains are typically found in URLs that point to scam pages and phishing sites.


Our deep dive into the WHOIS and DNS records of three email addresses used by international fraudsters led to the discovery of more than 3,700 domains that could serve as hosts to scam pages in the future. In fact, 72 of them have already been tagged malicious.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion