X-Force has identified a new squatting campaign

  • Thursday, 12 May 2022
  • 10:58am
Summary
X-Force has identified a new squatting campaign used by threat actors to target the finance and insurance sector. The campaign has a global scope and presumably lures users into giving away their login credentials.
Threat Type
Squatting Domain, Phishing Domain, Credential Theft
Overview
We observed 3 squatting domain registrations related to a victim in the finance and insurance sector. The campaign was identified from the first registration on 2022-04-21 06:44:29 up to the latest registration on 2022-05-11 07:44:51.
For all registered domains we could identify Key-Systems GmbH, a registrar based in Germany, as the registrar.
The registered domains could not be resolved to any hosting IPs throughout our analysis.
However, the registrar Key-Systems GmbH covers a pool of 13,325,994 domains, of which at least 0.03% can be considered potentially malicious.
The following list shows the name servers that are configured as authoritative name servers for each domain, together with their malicious score, i.e. the percentage of malicious domains that use the same name server.

Domain: accountpaypal.fr
Name server: ns-cloud-e1.googledomains.com
Name server malicious score: 0.14%

Domain: accountpaypal.fr
Name server: ns-cloud-e2.googledomains.com
Name server malicious score: 0.11%

Domain: accountpaypal.fr
Name server: ns-cloud-e3.googledomains.com
Name server malicious score: 0.08%

Domain: accountpaypal.fr
Name server: ns-cloud-e4.googledomains.com
Name server malicious score: 0.11%

Domain: assistance-paypal.fr
Name server: ns-cloud-e1.googledomains.com
Name server malicious score: 0.14%

Domain: assistance-paypal.fr
Name server: ns-cloud-e2.googledomains.com
Name server malicious score: 0.11%

Domain: assistance-paypal.fr
Name server: ns-cloud-e3.googledomains.com
Name server malicious score: 0.08%

Domain: assistance-paypal.fr
Name server: ns-cloud-e4.googledomains.com
Name server malicious score: 0.11%

Domain: confirmation-client-paypal.fr
Name server: ns-cloud-b1.googledomains.com
Name server malicious score: 0.14%

Domain: confirmation-client-paypal.fr
Name server: ns-cloud-b2.googledomains.com
Name server malicious score: 0.11%

Domain: confirmation-client-paypal.fr
Name server: ns-cloud-b3.googledomains.com
Name server malicious score: 0.08%

Domain: confirmation-client-paypal.fr
Name server: ns-cloud-b4.googledomains.com
Name server malicious score: 0.11%
WHOIS server: X-Force was also able to retrieve the WHOIS server for each domain, determine the number of domains each WHOIS server manages, and add the malicious rating of the domains in that pool.

Domain: accountpaypal.fr
Whois server: whois.nic.fr
Whois server malicious score: 0.04%

Domain: assistance-paypal.fr
Whois server: whois.nic.fr
Whois server malicious score: 0.04%

Domain: confirmation-client-paypal.fr
Whois server: whois.nic.fr
Whois server malicious score: 0.04%
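The two checks the report relies on, flagging a registration that embeds a protected brand in its second-level label and computing a name server's malicious score as the share of known-malicious domains among all domains it serves, as an added worked example. This is not X-Force code; the sample records, their name servers and their malicious labels are constructed for illustration only.

```python
from collections import defaultdict

# Constructed sample records (not X-Force data): domain, authoritative name
# servers, and whether the domain is already labelled malicious in our feed.
SAMPLE_DOMAINS = [
    ("paypal.fr", ["ns-cloud-e1.googledomains.com", "ns-cloud-e2.googledomains.com"], False),
    ("accountpaypal.fr", ["ns-cloud-e1.googledomains.com", "ns-cloud-e2.googledomains.com"], True),
    ("assistance-paypal.fr", ["ns-cloud-e1.googledomains.com", "ns-cloud-e2.googledomains.com"], True),
    ("confirmation-client-paypal.fr", ["ns-cloud-b1.googledomains.com"], False),
    ("boulangerie-dupont.fr", ["ns-cloud-e1.googledomains.com"], False),
    ("mairie-exemple.fr", ["ns-cloud-b1.googledomains.com"], False),
]

BRANDS = {"paypal"}
# Brand-owned domains that must never be reported as squats (constructed allowlist).
BRAND_ALLOWLIST = {"paypal.com", "paypal.fr"}


def is_brand_squat(domain, brands=BRANDS, allowlist=BRAND_ALLOWLIST):
    """Return the brand a domain squats on, or None.

    A squat is a registrable name whose second-level label embeds a protected
    brand as a substring (accountpaypal, assistance-paypal, ...) while not being
    one of the brand's own domains. Simple heuristic: the label directly before
    the last dot is taken as the SLD, so multi-part public suffixes (co.uk) would
    need a public suffix list in production.
    """
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return None
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else domain
    for brand in brands:
        if brand in sld:
            return brand
    return None


def name_server_scores(records):
    """Per name server: (malicious count, total count, malicious percentage)."""
    totals = defaultdict(lambda: [0, 0])  # ns -> [malicious, total]
    for _domain, name_servers, malicious in records:
        for ns in {ns.lower().rstrip(".") for ns in name_servers}:
            totals[ns][1] += 1
            if malicious:
                totals[ns][0] += 1
    return {ns: (bad, total, round(100.0 * bad / total, 2))
            for ns, (bad, total) in totals.items()}


if __name__ == "__main__":
    for domain, _, _ in SAMPLE_DOMAINS:
        print(f"{domain:32} squat on: {is_brand_squat(domain)}")
    for ns, (bad, total, pct) in sorted(name_server_scores(SAMPLE_DOMAINS).items()):
        print(f"{ns:32} {bad}/{total} malicious = {pct}%")
```

A score is only as good as the labels behind it, so treat a high percentage as a triage signal for the other domains on that name server, not as proof.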
Recommendations
  • Do not click or open links in mails directly; instead, type the main URL into your browser or look up the brand/company via your preferred search engine.
  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, and apply any further course of action, resources or applications needed to remediate this threat.
  • Keep applications and operating systems running at the current released patch level.
Reference
Proprietary IBM X-Force Threat Intelligence