X-Force has identified a new squatting campaign

  • Friday, 5 August 2022
  • 21:36
Summary
X-Force has identified a new squatting campaign used by threat actors to target the media sector. The campaign has a global scope and presumably lures users into giving away their login credentials.
Threat Type
Squatting Domain, Phishing Domain, Credential Theft
Overview
We observed 5 squatting domain registrations related to a victim in the media sector. The registrations span from the first on 2022-07-27 12:48:09 to the latest on 2022-08-05 05:54:02.
For all registered domains we identified Cosmotown, Inc. as the registrar.
In addition, all registered domains resolve to the hosting IP 54.225.97.249 in ASN AS14618, located in the United States.
Note, however, that the registrar Cosmotown, Inc. covers a pool of 626.329 domains, of which at least 0.13% can be considered potentially malicious, so the registrar alone is a weak indicator.
The following lists, for each domain, the name servers configured as authoritative for it, together with each name server's malicious score, i.e. the percentage of domains using that same name server that are classified as malicious.

Domain                       Name server           Name server malicious score
fm-whatsapp-download.com     dns1.cosmotown.com    0.35%
fm-whatsapp-download.com     dns2.cosmotown.com    0.35%
fm-whatsapp-download.com     dns3.cosmotown.com    0.32%
fm-whatsapp-download.com     dns4.cosmotown.com    0.32%
gbwhatsappapp.com            dns1.cosmotown.com    0.35%
gbwhatsappapp.com            dns2.cosmotown.com    0.35%
gbwhatsappapp.com            dns3.cosmotown.com    0.32%
gbwhatsappapp.com            dns4.cosmotown.com    0.32%
gbwhatsappnow.com            dns1.cosmotown.com    0.35%
gbwhatsappnow.com            dns2.cosmotown.com    0.35%
gbwhatsappnow.com            dns3.cosmotown.com    0.32%
gbwhatsappnow.com            dns4.cosmotown.com    0.32%
ogwhatsapp-download.com      dns1.cosmotown.com    0.35%
ogwhatsapp-download.com      dns2.cosmotown.com    0.35%
ogwhatsapp-download.com      dns3.cosmotown.com    0.32%
ogwhatsapp-download.com      dns4.cosmotown.com    0.32%
whatsappplusdescargar.com    dns1.cosmotown.com    0.35%
whatsappplusdescargar.com    dns2.cosmotown.com    0.35%
whatsappplusdescargar.com    dns3.cosmotown.com    0.32%
whatsappplusdescargar.com    dns4.cosmotown.com    0.32%

The WHOIS server is also worth noting: X-Force retrieved the WHOIS server information for each domain, determined the number of domains each WHOIS server manages, and added the malicious score of the domains in that pool.

Domain                       WHOIS server            WHOIS server malicious score
fm-whatsapp-download.com     whois.ccdomain.co.kr    0.13%
gbwhatsappapp.com            whois.ccdomain.co.kr    0.13%
gbwhatsappnow.com            whois.ccdomain.co.kr    0.13%
ogwhatsapp-download.com      whois.ccdomain.co.kr    0.13%
whatsappplusdescargar.com    whois.ccdomain.co.kr    0.13%

Recommendations
  • Do not click or open links in mails directly; instead, type the main URL into your browser or search for the brand/company via your preferred search engine.
  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IOCs in your environment.
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices, and apply any further course of action, resources or applications needed to remediate this threat.
  • Keep applications and operating systems running at the current released patch level.
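As an added example that is not part of the original advisory, the following Python script shows one way to search DNS and web-proxy logs for the domain and IP indicators listed above. The log lines are constructed for illustration and are not real telemetry; the log formats are assumed (a BIND-style query log and a Squid-style access log). A hostname counts as a hit when it is a listed domain or a subdomain of one; a hostname that merely contains a listed name as a substring (for example a legitimate whatsapp.com host) is not flagged.

```python
"""Hunt for the squatting-campaign IOCs from this advisory in DNS and proxy logs."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the advisory above.
IOC_DOMAINS = {
    "fm-whatsapp-download.com",
    "gbwhatsappapp.com",
    "gbwhatsappnow.com",
    "ogwhatsapp-download.com",
    "whatsappplusdescargar.com",
}
IOC_IPS = {ipaddress.ip_address("54.225.97.249")}

# Constructed sample log lines (not real telemetry): two lines that should hit,
# one benign lookup of the real brand that must not hit, and one connection to
# the IOC IP for an unrelated hostname (which still hits on the IP).
SAMPLE_LOGS = [
    "05-Aug-2022 06:01:12.431 client 10.0.0.17#51234: query: www.gbwhatsappnow.com IN A +",
    "1659677000.123 245 10.0.0.23 TCP_MISS/200 5120 GET http://whatsappplusdescargar.com/download - HIER_DIRECT/54.225.97.249 text/html",
    "05-Aug-2022 06:02:44.102 client 10.0.0.17#51240: query: www.whatsapp.com IN A +",
    "1659677100.456 120 10.0.0.31 TCP_MISS/200 1024 GET http://cdn.example.org/app.js - HIER_DIRECT/54.225.97.249 text/javascript",
]

# Hostnames: dotted labels ending in an alphabetic TLD (so dotted IPs are excluded).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
# Dotted-quad candidates; validated with ipaddress afterwards.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matched_domain(hostname: str) -> Optional[str]:
    """Return the IOC domain if hostname is that domain or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        # Require an exact match or a label boundary, never a bare substring.
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return the domain and IP IOCs found in one log line."""
    domains = set()
    for host in HOST_RE.findall(line):
        hit = matched_domain(host)
        if hit:
            domains.add(hit)
    ips = set()
    for candidate in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. "300.1.1.1" matches the regex but is not an address
        if addr in IOC_IPS:
            ips.add(str(addr))
    return {"domains": sorted(domains), "ips": sorted(ips)}


def hunt(lines: List[str]) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Return (line_number, hits) for every line containing at least one IOC."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits["domains"] or hits["ips"]:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOGS):
        print(f"line {number}: domains={hits['domains']} ips={hits['ips']}")
```

Feeding a real log file means replacing SAMPLE_LOGS with the file's lines; the fourth sample line shows why the IP indicator should be checked independently of the hostname, since a hit on 54.225.97.249 behind an unrelated name still merits a look, while the third line shows that brand-keyword matching alone would generate false positives on legitimate traffic.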
Reference
Proprietary IBM X-Force Threat Intelligence