
Looking for Traces of Social Media-Based Celebrity Scams in the DNS

Infoblox, in its Q4 2022 Cyber Threat Report, featured a “Meta” coin scam using fake celebrity endorsements targeting users in the European Union (EU). The analysis revealed several indicators of compromise (IoCs), specifically four domains and one IP address, that could help the public avoid the perils the scams posed. The IoCs identified in the report were:

  • 365coinmode[.]com
  • 365graphiccoin[.]com
  • spartan-trade[.]com
  • networkfsi[.]com
  • 45[.]63[.]119[.]177

In keeping with WhoisXML API’s mission to make the Internet a transparent and safe place for users, we expanded the list of IoCs in hopes of identifying social media pages that may already be serving, or could be used to serve, as fraud vehicles. Our analysis led to the discovery of:

  • Three additional IP addresses that played host to the domains identified as IoCs
  • 830 domains that shared the IoCs’ IP hosts, 26 of which turned out to be malicious
  • 1,657 domains that contained the same strings as those tagged as IoCs, one of which was dubbed a malware host
  • 529 Facebook and LinkedIn pages that made their way into the DNS from 1 January 2023 onward, 13 of which were found to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Expanding the Current List of IoCs

We began our analysis with WHOIS lookups for the domains identified as IoCs, which revealed some similarities among them, namely:

  • All four domains were created in 2022 and could thus be considered newly registered when they were used in malicious campaigns.
  • Three of the domains—365coinmode[.]com, 365graphiccoin[.]com, and networkfsi[.]com—were registered in Iceland with Namecheap, Inc.
  • Two of the domains—365coinmode[.]com and 365graphiccoin[.]com—shared the same IP host—45[.]63[.]119[.]177, which Infoblox also identified as an IoC.

Next, DNS lookups for the four domains provided an additional three IP addresses, bringing the total number of IP hosts to four. We used these as reverse IP lookup search terms, which indicated that three were shared while 45[.]63[.]119[.]177 in the original IoC list was dedicated. Our search uncovered 830 additional domains that shared the IoCs’ IP hosts. Of these, 26 turned out to be malware hosts based on a bulk malware check.

Screenshot lookups for the malicious sites revealed that only one—bnzzl[.]net—continued to host live content, which looked like a mobile phone directory.

It was also interesting to note that 11 of the malicious IP-connected domains bore a striking resemblance to two domains tagged as IoCs. Like 365coinmode[.]com and 365graphiccoin[.]com, they contained the strings 365 and coin.

  • 365coinedition[.]com
  • 365coinhtech[.]com
  • 365coinlibrary[.]com
  • 365coinpromarket[.]com
  • 365generatorcoin[.]com
  • 365packetcoin[.]com
  • 365procentercoin[.]com
  • 365profactorycoin[.]com
  • 365promotioncoin[.]com
  • 365smartcoin[.]com
  • 365workspacecoin[.]com

The Infoblox report identified brands and celebrities whose names may have been abused to serve malware through their Facebook and LinkedIn profiles. We named them in the table below and indicated the strings we used on Domains & Subdomains Discovery to search for potentially connected domains. We also included strings found among the IoCs in our search.

| Brand/Celebrity Name | Description | Search String |
|---|---|---|
| Metacoin | Cryptocurrency used as lure in the scams | metacoin |
| SoulCircuit | DJ duo whose fake profile was used in the scams | soulcircuit |
| Tom Moore | One of SoulCircuit’s members | tommoore |
| Dan Timcke | One of SoulCircuit’s members | dantimcke |
| Kyriakos Mitsotakis | Greece’s Prime Minister whose fake profile was used in the scams | kyriakosmitsotakis |
| Giorgia Meloni | Italy’s Prime Minister whose fake profile was used in the scams | giorgiameloni |
| Pedro Sánchez | Spain’s Prime Minister whose fake profile was used in the scams | pedrosanchez |
| Rachelle Young | U.S.-based financial analyst whose fake profile was used in the scams | rachelleyoung |
| Mario Draghi | Spanish public official whose fake profile was used in the scams | mariodraghi |
| Dietrich Mateschitz | Austrian businessman whose fake profile was used in the scams | dietrichmateschitz |
| 365coinmode[.]com | Domain identified as an IoC | 365coinmode. |
| 365graphiccoin[.]com | Domain identified as an IoC | 365graphiccoin. |
| spartan-trade[.]com | Domain identified as an IoC | spartan-trade. |
| networkfsi[.]com | Domain identified as an IoC | networkfsi. |

Note that Metacoin is a cryptocurrency owned by Inblock. To date, no such thing as Meta coin, owned by Mark Zuckerberg’s Meta, exists.

Using the strings mentioned above, we found 1,657 string-connected domains. However, no domains containing dantimcke, 365coinmode., or 365graphiccoin. were found. Also, only one—walletmetacoin[.]trade—has turned out to be a malware host so far. Like two of the original IoCs, it also contained the string coin.

Hunting for Malicious Social Media Pages

According to Infoblox, the cryptocurrency scams targeted Facebook and LinkedIn users. In addition to uncovering other domains that could be part of the threat actors’ infrastructure, we also wanted to see if they possibly compromised social media pages apart from those mentioned in the report.

Our search led to the discovery of 529 Facebook and LinkedIn subdomains that began with either facebook.com or linkedin.com and were created from 1 January 2023 onward. Thirteen of them were tagged as malicious, all pointing to Facebook pages. Three of the malicious, supposedly Facebook, pages contained the string kinderramadan.com.
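As an added example (not WhoisXML API's or Infoblox's code), the Python sketch below applies the string-based expansion and the facebook.com/linkedin.com prefix check described above to hostnames taken from a resolver log. The rule names, the narrowed 365/coin label pattern and the example.* hostnames are assumptions made for illustration; the search strings come from the table above.

```python
import re

# Search strings from the article's table. A trailing "." requires the string
# to end a label ("networkfsi." hits networkfsi.com, not networkfsi-mail.com).
SEARCH_STRINGS = (
    "metacoin", "soulcircuit", "tommoore", "dantimcke", "kyriakosmitsotakis",
    "giorgiameloni", "pedrosanchez", "rachelleyoung", "mariodraghi",
    "dietrichmateschitz", "365coinmode.", "365graphiccoin.", "spartan-trade.",
    "networkfsi.",
)
BRANDS = ("facebook.com", "linkedin.com")
# Assumption: "contains 365 and coin" is narrowed to one label that starts with
# 365 and contains coin, the shape of every lookalike the article lists.
LOOKALIKE = re.compile(r"^365[a-z0-9-]*coin[a-z0-9-]*$")


def normalize(host):
    """Refang a defanged indicator and canonicalize it for matching."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def triage(host):
    """Return the sorted rule names a hostname matches (empty list = clean)."""
    h = normalize(host)
    hits = set()
    if any(LOOKALIKE.match(label) for label in h.split(".")):
        hits.add("365-coin-label")
    for term in SEARCH_STRINGS:
        if term in h:
            hits.add("string:" + term.rstrip("."))
    for brand in BRANDS:
        # Brand name used as the leading labels of a host under another domain.
        if h.startswith(brand + ".") and not h.endswith("." + brand):
            hits.add("brand-prefix:" + brand)
    return sorted(hits)


def scan(hosts):
    """Map each flagged hostname (normalized) to the rules it matched."""
    results = ((normalize(h), triage(h)) for h in hosts)
    return {host: hits for host, hits in results if hits}


# Constructed sample: two IoCs from the article plus made-up resolver entries.
SAMPLE = ["365coinmode[.]com", "walletmetacoin[.]trade", "www.facebook.com.",
          "facebook.com.login.example.net", "linkedin.com.jobs.example.org",
          "coin365.example.com", "uk.linkedin.com"]
```

Calling `scan(SAMPLE)` flags four of the seven entries; genuine hosts such as `www.facebook.com` and `uk.linkedin.com` pass because the brand appears as the registered domain rather than as a prefix.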


Apart from identifying 2,490 additional threat artifacts via DNS connections, our analysis also uncovered 13 possibly compromised Facebook pages that could already have figured in scams. That goes to show that IoC expansion is a great addition to any organization’s threat discovery toolset.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
