|
Infoblox, in its Q4 2022 Cyber Threat Report, featured a “Meta” coin scam using fake celebrity endorsements targeting users in the European Union (EU). The analysis revealed several indicators of compromise (IoCs), specifically four domains and one IP address, that could help the public avoid the perils the scams posed. The IoCs identified in the report were:
In keeping with WhoisXML API’s mission to make the Internet a transparent and safe place for users, we expanded the list of IoCs in hopes of identifying social media pages that could already be serving or used to serve as fraud vehicles. Our analysis led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis with WHOIS lookups for the domains identified as IoCs that allowed us to draw some similarities among them, namely:
Next, DNS lookups for the four domains provided an additional three IP addresses, bringing the total number of IP hosts to four. We used these as reverse IP lookup search terms, which indicated that three were shared while 45[.]63[.]119[.]177 in the original IoC list was dedicated. Our search uncovered 830 additional domains that shared the IoCs’ IP hosts. Of these, 26 turned out to be malware hosts based on a bulk malware check.
Screenshot lookups for the malicious sites revealed that only one—bnzzl[.]net—continued to host live content that looks like a mobile phone directory.
It was also interesting to note that 11 of the malicious IP-connected domains bore a striking resemblance to two domains tagged as IoCs. Like 365coinmode[.]com and 365graphiccoin[.]com, they contained the strings 365 and coin.
The Infoblox report identified brands and celebrities whose names may have been abused to serve malware through their Facebook and LinkedIn profiles. We named them in the table below and indicated the strings we used on Domains & Subdomains Discovery to search for potentially connected domains. We also included strings found among the IoCs in our search.
Brand/Celebrity Name | Description | Search String |
---|---|---|
Metacoin | Cryptocurrency used as lure in the scams | metacoin |
SoulCircuit | DJ duo whose fake profile was used in the scams | soulcircuit |
Tom Moore | One of SoulCircuit’s members | tommoore |
Dan Timcke | One of SoulCircuit’s members | dantimcke |
Kyriakos Mitsotakis | Greece’s Prime Minister whose fake profile was used in the scams | kyriakosmitsotakis |
Giorgia Meloni | Italy’s Prime Minister whose fake profile was used in the scams | giorgiameloni |
Pedro Sánchez | Spain’s Prime Minister whose fake profile was used in the scams | pedrosanchez |
Rachelle Young | U.S.-based financial analyst whose fake profile was used in the scams | rachelleyoung |
Mario Draghi | Spanish public official whose fake profile was used in the scams | mariodraghi |
Dietrich Mateschitz | Austrian businessman whose fake profile was used in the scams | dietrichmateschitz |
365coinmode[.]com | Domain identified as an IoC | 365coinmode. |
365graphiccoin[.]com | Domain identified as an IoC | 365graphiccoin. |
spartan-trade[.]com | Domain identified as an IoC | spartan-trade. |
networkfsi[.]com | Domain identified as an IoC | networkfsi. |
Note that Metacoin is a cryptocurrency owned by Inblock. To date, no such thing as Meta coin, owned by Mark Zuckerberg’s Meta, exists.
Using the strings mentioned above, we found 1,657 string-connected domains. No domains containing dantimcke, 365coinmode., and 365graphiccoin., however, were found. Also, only one—walletmetacoin[.]trade—turned out to be a malware host so far. Like two of the original IoCs, it also contained the string coin.
According to Infoblox, the cryptocurrency scams targeted Facebook and LinkedIn users. In addition to uncovering other domains that could be part of the threat actors’ infrastructure, we also wanted to see if they possibly compromised social media pages apart from those mentioned in the report.
Our search led to the discovery of 529 Facebook and LinkedIn subdomains that began with either facebook.com or linkedin.com and were created from 1 January 2023 onward. Thirteen of them were tagged as malicious, all pointing to Facebook pages. Three of the malicious supposedly Facebook pages had the string kinderramadan.com.
Apart from identifying 2,490 additional threat artifacts via DNS connections, our analysis also uncovered 13 possibly compromised Facebook pages that could already have figured in scams. That goes to show that IoC expansion is a great addition to any organization’s threat discovery toolset.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byWhoisXML API