Infoblox, in its Q4 2022 Cyber Threat Report, featured a “Meta” coin scam using fake celebrity endorsements targeting users in the European Union (EU). The analysis revealed several indicators of compromise (IoCs), specifically four domains and one IP address, that could help the public avoid the perils the scams posed. The IoCs identified in the report were:

• 365coinmode[.]com
• 365graphiccoin[.]com
• spartan-trade[.]com
• networkfsi[.]com
• 45[.]63[.]119[.]177

In keeping with WhoisXML API’s mission to make the Internet a transparent and safe place for users, we expanded the list of IoCs in hopes of identifying social media pages that could already be serving or used to serve as fraud vehicles. Our analysis led to the discovery of:

• Three additional IP addresses that played host to the domains identified as IoCs
• 830 domains that shared the IoCs’ IP hosts, 26 of which turned out to be malicious
• 1,657 domains that contained the same strings as those tagged as IoCs, one of which was dubbed a malware host
• 529 Facebook and LinkedIn pages that made their way into the DNS from 1 January 2023 onward, 13 of which were found to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Expanding the Current List of IoCs

We began our analysis with WHOIS lookups for the domains identified as IoCs that allowed us to draw some similarities among them, namely:

• All four domains were created in 2022 and could thus be considered newly registered when they were used in malicious campaigns.
• Three of the domains—365coinmode[.]com, 365graphiccoin[.]com, and networkfsi[.]com—were registered in Iceland with Namecheap, Inc.
• Two of the domains—365coinmode[.]com and 365graphiccoin[.]com—shared the same IP host—45[.]63[.]119[.]177, which Infoblox also identified as an IoC.

Next, DNS lookups for the four domains provided an additional three IP addresses, bringing the total number of IP hosts to four. We used these as reverse IP lookup search terms, which indicated that three were shared while 45[.]63[.]119[.]177 in the original IoC list was dedicated. Our search uncovered 830 additional domains that shared the IoCs’ IP hosts. Of these, 26 turned out to be malware hosts based on a bulk malware check.

Screenshot lookups for the malicious sites revealed that only one—bnzzl[.]net—continued to host live content that looks like a mobile phone directory.

It was also interesting to note that 11 of the malicious IP-connected domains bore a striking resemblance to two domains tagged as IoCs. Like 365coinmode[.]com and 365graphiccoin[.]com, they contained the strings 365 and coin.

• 365coinedition[.]com
• 365coinhtech[.]com
• 365coinlibrary[.]com
• 365coinpromarket[.]com
• 365generatorcoin[.]com
• 365packetcoin[.]com
• 365procentercoin[.]com
• 365profactorycoin[.]com
• 365promotioncoin[.]com
• 365smartcoin[.]com
• 365workspacecoin[.]com

The Infoblox report identified brands and celebrities whose names may have been abused to serve malware through their Facebook and LinkedIn profiles. We named them in the table below and indicated the strings we used on Domains & Subdomains Discovery to search for potentially connected domains. We also included strings found among the IoCs in our search.

Note that Metacoin is a cryptocurrency owned by Inblock. To date, no such thing as Meta coin, owned by Mark Zuckerberg’s Meta, exists.

Using the strings mentioned above, we found 1,657 string-connected domains. No domains containing dantimcke, 365coinmode., and 365graphiccoin., however, were found. Also, only one—walletmetacoin[.]trade—turned out to be a malware host so far. Like two of the original IoCs, it also contained the string coin.

Hunting for Malicious Social Media Pages

According to Infoblox, the cryptocurrency scams targeted Facebook and LinkedIn users. In addition to uncovering other domains that could be part of the threat actors’ infrastructure, we also wanted to see if they possibly compromised social media pages apart from those mentioned in the report.

Our search led to the discovery of 529 Facebook and LinkedIn subdomains that began with either facebook.com or linkedin.com and were created from 1 January 2023 onward. Thirteen of them were tagged as malicious, all pointing to Facebook pages. Three of the malicious supposedly Facebook pages had the string kinderramadan.com.

Apart from identifying 2,490 additional threat artifacts via DNS connections, our analysis also uncovered 13 possibly compromised Facebook pages that could already have figured in scams. That goes to show that IoC expansion is a great addition to any organization’s threat discovery toolset.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.