On 10 February 2023, Reddit announced that it had suffered a security incident: a phishing campaign led an employee to a website that imitated the company's intranet gateway. The victim entered their credentials and a two-factor authentication (2FA) token, which let the attacker access source code, internal documents, and business systems. The attack was highly targeted; the threat actors knew Reddit's intranet address, how the gateway behaves, and what it looks like.
In connection with this incident, WhoisXML API researchers looked into intranet-related domains that could be used as attack vectors. The report focused on web properties added between 1 January and 20 March 2023 to uncover possible phishing vehicles similar to the one used in the Reddit security incident. A sample of the additional artifacts obtained from the analysis is available for download from our website. Our key findings follow.
Using Domains & Subdomains Discovery, we found 814 recently added domains containing the brand names of 20 popular intranet software products. We also retrieved 277 domains containing the string "intranet" registered within the same period, bringing the total number of domains to 1,091.
We retrieved the WHOIS records of the intranet brands' official domains and of the possible cybersquatting properties using Bulk WHOIS Lookup. Only five of the 814 cybersquatting domains shared the same public registrant details as the software providers' official domains.
We also ran bulk IP geolocation lookups on the official domains and the cybersquatting resources to compare the IP addresses they resolve to. Only two of the cybersquatting domains resolved to the same hosts as the legitimate domains.
Overall, fewer than 1% of the cybersquatting properties could be publicly attributed to the imitated software providers, leaving most of the domains under the control of unknown entities. Note that this attribution relies on public WHOIS and DNS data alone: a domain whose WHOIS is redacted or that is hosted elsewhere is unattributed, not necessarily malicious.
With very few of the cybersquatting domains attributable to the legitimate software providers, we analyzed their registration details instead. While most of them had redacted WHOIS records, 37 still had public registrant details, which led us to 32 registrant email addresses, mostly Gmail addresses.
Running these email addresses through Reverse WHOIS Search, we found they were associated with 10,611 domains in total. Dozens of these domains were cybersquatting properties targeting some of the intranet software featured in this study.
Furthermore, a single Gmail address accounted for 10,000 of the connected domains, suggesting they belong to a domain investor's portfolio rather than a targeted campaign. A screenshot of the connections mapped in Maltego appears below.
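The attribution steps above (brand-string matching, public registrant comparison, IP overlap, and the reverse-WHOIS pivot by registrant email) can be run as one script. The following is an added example, not WhoisXML API's code and not the study's data: the brand names, WHOIS records, IP addresses and email addresses are all constructed, and the `Record` class, the `matched_brand`, `attribute`, `summarize` and `pivot_registrants` functions and the `portfolio_threshold` parameter are this example's own. In practice the `Record` objects would be filled from bulk WHOIS and DNS lookups.

```python
"""Attribution triage for intranet-lookalike domains.

Added example, not WhoisXML API's code or the study's dataset. All brands,
WHOIS records and DNS answers below are constructed sample data; a real run
would fill Record objects from bulk WHOIS and DNS lookups instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: hypothetical intranet product brands and their official domains.
BRANDS = {"exampleintra": "exampleintra.example", "corpgate": "corpgate.example"}
KEYWORD = "intranet"


@dataclass(frozen=True)
class Record:
    domain: str
    registrant_email: Optional[str]  # None when the WHOIS record is redacted
    registrant_org: Optional[str]
    ips: Tuple[str, ...]             # A records at lookup time


# Constructed WHOIS/DNS data for the vendors' official domains.
OFFICIAL: Dict[str, Record] = {
    "exampleintra.example": Record("exampleintra.example", "hostmaster@exampleintra.example",
                                   "ExampleIntra Inc", ("198.51.100.10",)),
    "corpgate.example": Record("corpgate.example", "domains@corpgate.example",
                               "CorpGate Ltd", ("203.0.113.5",)),
}

# Constructed newly registered candidates (emails and IPs from documentation ranges only).
CANDIDATES: List[Record] = [
    Record("exampleintra-login.example", "hostmaster@exampleintra.example", "ExampleIntra Inc", ("198.51.100.10",)),
    Record("corpgate-sso.example", None, None, ("203.0.113.5",)),
    Record("exampleintra-portal.example", "squatter1@mail.example", None, ("192.0.2.44",)),
    Record("corpgate-vpn.example", "squatter1@mail.example", None, ("192.0.2.44",)),
    Record("acme-intranet.example", None, None, ("192.0.2.9",)),
    Record("intranet-corpgate.example", "investor@mail.example", None, ("192.0.2.70",)),
    Record("buyintranet.example", "investor@mail.example", None, ("192.0.2.70",)),
    Record("bestintranetdeals.example", "investor@mail.example", None, ("192.0.2.70",)),
    Record("unrelated.example", "someone@mail.example", None, ("192.0.2.1",)),
]


def matched_brand(domain: str) -> Optional[str]:
    """Brand string (or the 'intranet' keyword) the domain contains; None for vendors' own domains."""
    label = domain.lower()
    if label in BRANDS.values():
        return None
    for brand in BRANDS:
        if brand in label:
            return brand
    return KEYWORD if KEYWORD in label else None


def attribute(rec: Record) -> str:
    """'registrant' if public WHOIS email/org equals the vendor's, 'ip' if the domain
    resolves to a vendor IP, else 'unknown'. Redacted fields (None) never match, as in a
    public lookup, and domains that only contain 'intranet' have no vendor to compare to."""
    brand = matched_brand(rec.domain)
    if brand is None or brand == KEYWORD:
        return "unknown"
    official = OFFICIAL[BRANDS[brand]]
    if rec.registrant_email and rec.registrant_email == official.registrant_email:
        return "registrant"
    if rec.registrant_org and rec.registrant_org == official.registrant_org:
        return "registrant"
    if set(rec.ips) & set(official.ips):
        return "ip"
    return "unknown"


def summarize(records: List[Record]) -> Dict[str, float]:
    """Count squatting candidates per attribution class plus the attributable share (percent)."""
    squats = [r for r in records if matched_brand(r.domain) is not None]
    counts = {"registrant": 0, "ip": 0, "unknown": 0}
    for r in squats:
        counts[attribute(r)] += 1
    attributable = counts["registrant"] + counts["ip"]
    pct = round(100.0 * attributable / len(squats), 1) if squats else 0.0
    return {**counts, "total": len(squats), "attributable_pct": pct}


def pivot_registrants(records: List[Record], portfolio_threshold: int = 3) -> Dict[str, dict]:
    """Reverse-WHOIS style pivot: group unattributed squats by public registrant email.
    Many domains with few brand hits looks like an investor portfolio; mostly brand hits is a lead."""
    by_email: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r.registrant_email and matched_brand(r.domain) and attribute(r) == "unknown":
            by_email[r.registrant_email].append(r.domain)
    out: Dict[str, dict] = {}
    for email, domains in by_email.items():
        brand_hits = sum(1 for d in domains if matched_brand(d) != KEYWORD)
        out[email] = {"domains": sorted(domains), "brand_hits": brand_hits,
                      "likely_portfolio": len(domains) >= portfolio_threshold
                      and brand_hits < len(domains) / 2}
    return out
```

Two design choices are worth noting. Redacted fields are `None` and never match, so the output reproduces what a public lookup can prove rather than what is true. And the pivot flags a registrant as a probable portfolio holder only when most of their domains miss the brand list, which is the pattern the 10,000-domain Gmail address above shows; a registrant whose handful of domains all hit brands is the lead worth chasing.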
While some of the domains could be legitimate intranet gateways of organizations, about 3.4% of the cybersquatting resources had already figured in malicious campaigns as of 21 March 2023. Some continued to host phishing sites, like the domains listed below.
Some unflagged domains also hosted questionable content: nzintranetcompass[.]com led to a Windows Server page, and johnsonandwilsonintranet[.]com redirected to a Google Drive. Screenshots of both appear below.
As noted above, some of the intranet-related domains in this study could be legitimate intranet gateways. Our screenshot analysis showed, for example, that several of the domains returned 401 Unauthorized or 403 Forbidden error pages, which is what a gateway that keeps its login behind authentication looks like from the outside.
Several cybersquatting domains, however, served login pages. If these are legitimate gateways, they hand threat actors a template for mimicking the target organization's intranet login, and a login form reachable anonymously is also exposed to password-guessing and brute-force attempts. If they are not legitimate, it takes only one employee of the targeted organization entering credentials for the trap to work.
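Deciding which candidate domains deserve attention means looking at what each one actually serves. The following is an added example, not the study's tooling, that labels constructed HTTP probe results with the categories discussed above: authentication challenges that suggest a real gateway, anonymously reachable login forms, redirects to unrelated hosts, parking pages, and everything else. The `classify` and `triage` functions, the `PRIORITY` ordering and the `PROBES` data are this example's own, and the domain names are placeholders.

```python
"""Triage of what a candidate intranet domain actually serves.

Added example, not part of the original study. The probe results below are
constructed (status code, headers, body snippet); a real run would collect
them by fetching each domain over HTTPS from an isolated egress and would
treat the fetched content as untrusted.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
PARKED = re.compile(r"domain (is )?for sale|parked (free )?courtesy", re.I)

# Labels in descending order of interest to a defender.
PRIORITY = ["exposed_login", "offsite_redirect", "other", "parked", "redirect", "auth_challenge"]


def classify(domain: str, status: int, headers: Dict[str, str], body: str) -> str:
    """Label one probe result.

    auth_challenge  : 401/403 or a WWW-Authenticate header; probably a real gateway
                      that hides its login, so there is little to clone.
    redirect        : redirect that stays under the probed domain (e.g. to an SSO host).
    offsite_redirect: redirect to an unrelated host (file sharing, shortener, ...).
    exposed_login   : 200 with a password field reachable anonymously; gives attackers
                      a template to clone and is exposed to brute-force attempts.
    parked / other  : parking page, or anything else (default server pages, errors).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in h:
        return "auth_challenge"
    if 300 <= status < 400 and "location" in h:
        target = (urlsplit(h["location"]).hostname or "").lower()
        same_site = target == domain or target.endswith("." + domain)
        return "redirect" if same_site else "offsite_redirect"
    if status == 200 and PASSWORD_FIELD.search(body):
        return "exposed_login"
    if status == 200 and PARKED.search(body):
        return "parked"
    return "other"


def triage(probes: List[Tuple[str, int, Dict[str, str], str]]) -> List[Tuple[str, str]]:
    """Classify every probe and return (domain, label) pairs, most interesting first."""
    labelled = [(d, classify(d, st, hd, body)) for d, st, hd, body in probes]
    return sorted(labelled, key=lambda pair: PRIORITY.index(pair[1]))


# Constructed probe results for hypothetical candidate domains.
PROBES = [
    ("acme-intranet.example", 401, {"WWW-Authenticate": 'Basic realm="intranet"'}, ""),
    ("corpgate-sso.example", 302, {"Location": "https://login.corpgate-sso.example/"}, ""),
    ("exampleintra-portal.example", 200, {},
     '<form method="post"><input name="user"><input type="password" name="pw"></form>'),
    ("share-intranet.example", 302, {"Location": "https://drive.example.net/folders/abc"}, ""),
    ("buyintranet.example", 200, {}, "<h1>This domain is for sale</h1>"),
    ("srv-intranet.example", 200, {}, "<title>IIS Windows Server</title>"),
]
```

Fetch candidates from an isolated egress and treat the returned HTML as untrusted input; in particular, never submit real credentials to a suspected lookalike to "test" it. An `exposed_login` hit on a domain your organization does not own is the case to escalate, since it is either a phishing kit or a third party's gateway that attackers can study.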
As the Reddit security incident illustrated, a lookalike of an organization's intranet gateway is an effective attack vector on its own. Two lessons follow. First, a one-time code typed into a lookalike page can be replayed against the real gateway within its validity window, so OTP-based 2FA does not stop this class of phishing; origin-bound authenticators such as FIDO2/WebAuthn security keys do, because the credential is tied to the legitimate domain. Second, with attack surfaces wider than ever, proactively monitoring newly registered domains that contain your brand, your product names, or the word "intranet," alongside regular vulnerability scanning, gives defenders a chance to block or take down lookalikes before employees ever see them.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.