
Investigating the Proliferation of Deepfake Scams

While deepfakes may sometimes be perceived as amusing, their potential for harm is significant and far-reaching. One finance worker for a multinational firm, for example, was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company’s chief financial officer (CFO) in a video call just this February.

Palo Alto Networks Unit 42 dove deep into various deepfake scams that have plagued users over time and in the process uncovered 416 domain names that played a part in them. The WhoisXML API research team believes there could be more behind the indicators of compromise (IoCs) that have already been made public. Our analysis specifically uncovered:

  • 1,070 registrant-connected domains
  • Six email-connected domains
  • 316 IP addresses, 285 of which turned out to be malicious
  • 515 IP-connected domains, three of which turned out to be associated with various threats
  • 3,056 string-connected domains, 12 of which may have already figured in malicious campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the IoCs

We kicked off the investigation by performing a bulk WHOIS lookup for the domains identified as IoCs, which revealed that only 241 had current WHOIS records. The lookup also yielded other results, namely:

  • They were spread across 16 registrars led by Dynadot, Inc., which accounted for 101 domain IoCs. Sav.com LLC came in second place with 70 while Namecheap, Inc. placed third with 34. NameSilo LLC (20 domain IoCs); GoDaddy.com LLC and Hostinger Operations UAB (three domain IoCs each); and 101domain GRS Limited, 123-Reg Limited, Communigal Communications Ltd., Eranet International Limited, Hosting Concepts B.V., IONOS SE, PDR Ltd., Squarespace Domains II LLC, Tucows, Inc., and Wild West Domains LLC (one domain IoC each) completed the list.
  • While a majority of the domain IoCs, 171 to be exact, were created just this year, the oldest was created way back in 2013. Take a look at a timeline that sums up their creation dates below.

  • They were registered in seven countries led by the U.S., which accounted for 200 domain IoCs. Iceland took the second spot with 33 domain IoCs while Ukraine placed third with four domain IoCs. Afghanistan, Cyprus, Macedonia, and the U.K. completed the list with one domain IoC each.

  • Three domain IoCs also had public registrant details, specifically organization names that can be useful in uncovering registrant-connected domains later on.

The Hunt for Connected Web Properties

We began our search for connected web properties with Reverse WHOIS Search queries for the three public registrant organizations found in the current WHOIS records of the 241 domain IoCs. Using the tool’s Advanced feature, we looked for exact matches of the registrant organizations in historical WHOIS records. After duplicates and the IoCs were filtered out, we found 1,070 registrant-connected domains.

Next, we performed WHOIS History API queries for the 241 domain IoCs, which allowed us to obtain 32 email addresses from their historical WHOIS records after filtering out duplicates. A closer look at them showed that 10 were public email addresses that we then used to look for email-connected domains.

Reverse WHOIS API queries for the 10 public email addresses further showed that one email address could belong to a domainer (given the high number of connected domains), so it was excluded from the final list. The nine public email addresses appeared in the current WHOIS records of six email-connected domains after duplicates, the IoCs, and the registrant-connected domains were filtered out.
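The pivot workflow in the three paragraphs above, written out as an added Python example that is not part of the original post: the WHOIS history and reverse WHOIS indexes are constructed in-memory stand-ins for the WhoisXML API query results, and the privacy-marker list and the domainer cut-off are assumed heuristics (the post gives no threshold).

```python
"""Pivot from domain IoCs to registrant- and email-connected domains."""

DOMAINER_THRESHOLD = 50  # assumed cut-off for "too many domains to be one actor"
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")  # assumed redaction heuristic

# --- constructed sample data; stands in for WHOIS History / Reverse WHOIS results ---
IOCS = {"ioc-a.example", "ioc-b.example", "ioc-c.example"}

# Historical WHOIS records per IoC, oldest first.
WHOIS_HISTORY = {
    "ioc-a.example": [
        {"org": "Acme Media Ltd", "email": "owner@acme.example"},
        {"org": "Acme Media Ltd", "email": "REDACTED FOR PRIVACY"},
    ],
    "ioc-b.example": [{"org": "", "email": "bulk@domainer.example"}],
    "ioc-c.example": [{"org": "Whois Privacy Corp", "email": "abuse@whoisproxy.example"}],
}

# Reverse WHOIS indexes: WHOIS field value -> domains whose records carry it.
REVERSE_BY_ORG = {
    "Acme Media Ltd": {"ioc-a.example", "acme-news.example", "acme-clips.example"},
}
REVERSE_BY_EMAIL = {
    "owner@acme.example": {"acme-news.example", "acme-support.example"},
    "bulk@domainer.example": {"ioc-b.example"} | {f"parked-{i}.example" for i in range(120)},
}


def is_public(value: str) -> bool:
    """Keep only non-empty values that are not privacy/proxy redactions."""
    v = value.lower()
    return bool(v) and not any(marker in v for marker in PRIVACY_MARKERS)


def public_values(field: str) -> set:
    """Deduplicated public values of one WHOIS field across all IoC histories."""
    return {rec[field] for recs in WHOIS_HISTORY.values() for rec in recs if is_public(rec[field])}


def pivot(values, index, exclude) -> set:
    """Union of connected domains for the given values, minus already-known domains."""
    found = set()
    for v in values:
        found |= index.get(v, set())
    return found - exclude


def connected_properties() -> dict:
    """Run the two pivots in the order the post describes and report each result set."""
    registrant_connected = pivot(public_values("org"), REVERSE_BY_ORG, IOCS)
    emails = public_values("email")
    # An email tied to a very large number of domains is likely a domainer, not the actor.
    domainers = {e for e in emails if len(REVERSE_BY_EMAIL.get(e, ())) > DOMAINER_THRESHOLD}
    email_connected = pivot(emails - domainers, REVERSE_BY_EMAIL, IOCS | registrant_connected)
    return {"registrant_connected": registrant_connected, "email_connected": email_connected,
            "excluded_as_domainer": domainers}
```

Each pivot subtracts everything found by the earlier steps, so a domain is counted once even when it surfaces through both an organization and an email address.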

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
