While deepfakes may sometimes be perceived as amusing, their potential for harm is significant and far-reaching. One finance worker for a multinational firm, for example, was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company’s chief financial officer (CFO) in a video call just this February.
Palo Alto Networks Unit 42 dove deep into various deepfake scams that have plagued users over time and in the process uncovered 416 domain names that played a part in them. The WhoisXML API research team believes there could be more behind the indicators of compromise (IoCs) that have already been made public. Our analysis specifically uncovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We kicked off the investigation by performing a bulk WHOIS lookup for the domains identified as IoCs, which revealed that only 241 had current WHOIS records. The lookup also yielded other results, namely:
While a majority of the domain IoCs, 171 to be exact, were created just this year, the oldest was created way back in 2013. Take a look at a timeline that sums up their creation dates below.
They were registered in seven countries led by the U.S., which accounted for 200 domain IoCs. Iceland took the second spot with 33 domain IoCs while Ukraine placed third with four domain IoCs. Afghanistan, Cyprus, Macedonia, and the U.K. completed the list with one domain IoC each.
We began our search for connected web properties with Reverse WHOIS Search queries for the three public registrant organizations found in the current WHOIS records of the 241 domain IoCs. Using the tool’s Advanced feature, we looked for exact matches of the registrant organizations in historical WHOIS records. We found 1,070 registrant-connected domains after duplicates and the IoCs were filtered out.
Next, we performed WHOIS History API queries for the 241 domain IoCs, which allowed us to obtain 32 email addresses from their historical WHOIS records after filtering out duplicates. A closer look at them showed that 10 were public email addresses that we then used to look for email-connected domains.
Reverse WHOIS API queries for the 10 public email addresses further showed that one email address could belong to a domainer (given the high number of connected domains), so it was excluded from the final list. The nine public email addresses appeared in the current WHOIS records of six email-connected domains after duplicates, the IoCs, and the registrant-connected domains were filtered out.
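The three pivoting steps above (registrant-organization pivot, email harvesting from WHOIS history, and the domainer exclusion) replayed over a small constructed dataset, as an added example that is not WhoisXML API's own code: the record shape, the privacy-proxy domain, the `DOMAINER_THRESHOLD` value and all domain names are assumptions made for illustration.

```python
# Added example, not the post's or WhoisXML API's code; data below is constructed.
# Constructed data: domain -> WHOIS records, newest (current) first.
WHOIS_HISTORY = {
    "ioc-one.example": [{"org": "Acme Media Ltd", "email": "ops@acme.example"},
                        {"org": "REDACTED", "email": "old@acme.example"}],
    "ioc-two.example": [{"org": "Acme Media Ltd", "email": "ops@acme.example"},
                        {"org": "REDACTED", "email": "proxy@whoisprivacy.example"}],
    "ioc-three.example": [{"org": "Privacy Service", "email": "bulk@parking.example"}],
    "pivot-a.example": [{"org": "Acme Media Ltd", "email": "ops@acme.example"}],
    "pivot-b.example": [{"org": "Acme Media Ltd", "email": "other@acme.example"}],
    "pivot-c.example": [{"org": "Unrelated Inc", "email": "old@acme.example"}],
}
for i in range(300):  # a parking portfolio sharing one contact email (constructed)
    WHOIS_HISTORY[f"parked-{i}.example"] = WHOIS_HISTORY["ioc-three.example"]

IOCS = frozenset({"ioc-one.example", "ioc-two.example", "ioc-three.example"})
NON_PUBLIC_ORGS = {"REDACTED", "Privacy Service"}   # placeholders, not usable pivots
PRIVACY_EMAIL_DOMAINS = {"whoisprivacy.example"}    # assumed proxy service
DOMAINER_THRESHOLD = 100  # assumption: more connected domains => likely domainer

def reverse_whois(field, value, historical=False):
    """Domains whose current record (or any record, if historical) matches
    value exactly, mirroring an exact-match Reverse WHOIS query."""
    return {d for d, recs in WHOIS_HISTORY.items()
            if any(r[field] == value for r in (recs if historical else recs[:1]))}

def registrant_pivot(iocs=IOCS):
    """Step 1: public registrant orgs from the IoCs' current records, matched
    exactly against historical WHOIS; the IoCs themselves are filtered out."""
    orgs = {WHOIS_HISTORY[d][0]["org"] for d in iocs} - NON_PUBLIC_ORGS
    found = set()
    for org in orgs:
        found |= reverse_whois("org", org, historical=True)
    return found - iocs

def email_pivot(iocs=IOCS, already_found=frozenset()):
    """Steps 2-3: emails from the IoCs' full WHOIS history, public ones only,
    domainer-like addresses excluded, then IoCs and prior finds filtered out.
    Returns (email-connected domains, excluded domainer emails)."""
    emails = {r["email"] for d in iocs for r in WHOIS_HISTORY[d]}
    public = {e for e in emails if e.split("@")[1] not in PRIVACY_EMAIL_DOMAINS}
    found, domainers = set(), set()
    for email in public:
        connected = reverse_whois("email", email)  # current records only
        if len(connected) > DOMAINER_THRESHOLD:
            domainers.add(email)
        else:
            found |= connected
    return found - iocs - set(already_found), domainers
```

Running `email_pivot(already_found=registrant_pivot())` on this data drops `bulk@parking.example` as a domainer address and leaves a single email-connected domain, which is the same narrowing the post describes.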
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.