Select Page
Weekly Alert  |  November 9, 2022

The Problem is Worse Than We Thought At the very center of most of the scams and malicious threats that target the public online are domain names. And if you think about it a moment, this makes sense. It doesn’t matter whether you are targeted by a malicious text, email, fake Ad, or social media post. The vast majority of these threats rely on the use of a domain name as a part of their fraud. This is especially true if the threat is a malware trap. A website is usually set up where the malware is lying in wait and you are sent a trigger. That website is first set up with a domain name. Imagine what we could learn if we were to analyze the domain names that are routinely registered! With the right analysis, this information could be exceptionally valuable, and even proactively protective! Two weeks ago, we found a company that does exactly that! It is called WHOISXML API. We spoke with Alexandre Francois, Head of Marketing and part-time DNS researcher, and Anna Danilova, Senior Project & Contact Marketing Manager for WHOISXML API. What we learned from them was fascinating, shocking and confirmed many of the malicious patterns we’ve seen during the last ten years of our reporting. If you continue reading this story, we GUARANTEE that your online “safety smarts” will increase significantly once you understand the tricks cybercriminals use for the domain names they choose!

In mid-September, WHOISXML API published an article on CircleID called “Is Your Software a Top Impersonation Target?” (CircleID is a publication about Internet development and news.) Though we would argue that the article title was poorly selected, the article itself was eye-opening, and even shocking at times! The WHOISXML API research showed how severely we are all being targeted through domain abuse. For example, their recent analysis showed more than 20,000 domain names had been registered containing the names of seven well-known legitimate businesses, such as Microsoft Edge, Zoom and Whatsapp, BUT only 9 of these 20,000+ domains could be verified as legitimately associated with the businesses they seemed to represent. That’s less than five hundredths of a percent confirmed to be legitimate in their study!

The seven business names recently misused during domain registration were:
7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.

Security services confirmed that nearly 1000 of these 20,000+ registered domains were malicious. This is about 5% of the total number of domains. That means that the ratio of confirmed malicious domains to confirmed legitimate domains registered in the names of these businesses is approximately 100 to 1. Think about that for just a moment. The recent research by WHOISXML API found that for every one legitimate domain registered in the name of a well-known online service, there were approximately 100 confirmed malicious domains registered as well! This amount of domain registration abuse is insane! Also remarkable is what we learned from Alex Francois from WHOISXML API during our conversation.

WHOISXML API gathers, analyzes, and correlates domain, Internet protocol, and DNS (Domain name service) data to make the Internet more transparent and secure. Their research exposes many of the tricks and practices of criminals. For example, Alex Francois said that their research team often finds lots of domain names, or sub-domain names, with legitimate brands as a part of the name. However, these domains are not found to be associated with the businesses they seem to represent. For example, the domain amazon-payments[.]com WAS found to be legitimately registered to the company Amazon, Inc.  And yet, none of these other registered domains below were found to be attributable to Amazon, Inc…

Account-update1-amazon[.]com
Account-update2-amazon[.]com
Account-update3-amazon[.]com
Account-confirm-verification-amazon-sign2[.]com 

(Note: We routinely use brackets [ ] around the period of a DOT-com to prevent software from turning these domains into clickable links, and thereby possibly triggering security software to identify our articles as malicious.)

Twelve more variations of that last long domain name above were found but with a different number at the end after the word “sign.”  It is possible, Alex tells us, that some of these questionable domain names are registered by cybersquatters. Cybersquatting is the practice of purchasing a domain name, especially one that contains the name of well-known companies or brands, in the hope of reselling those domains at a profit down the road. But we argued that cybersquatting likely makes up just a fraction of the 20,000+ suspicious/malicious domains that were registered using the brand names of these 7 well-known companies in their recent study. Alex agreed.

WHOISXML API also uses a tool that looks at groups of domain names that are similar in various ways. This tool has helped them spot a practice known as “typosquatting” where multiple similar domains may be registered together on the same day and time.  The “account-update1, 2 and 3 above is an example of that.  Here is another example discovered by their investigations…..

  • Paypal-ticketid-158[.]com
  • Paypal-ticketid-173[.]com
  • Paypal-ticketid-174[.]com
  • Paypal-ticketid-178[.]com
  • Paypal-ticketid-179[.]com
  • Paypal-ticketid-183[.]com
  • Paypal-ticketid-185[.]com
  • Paypal-ticketid-186[.]com

What is interesting about this data, says Alex, is that a traditional malware-identifying engine may not identify all of these domain names as malicious at the same time. Look at the timeline of this small collection of domain names as evaluated by Google Safe versus Virus Total.

Additionally, when WHOISXML API looked at the WHOIS records of the people who registered these domains (called “Registrants”) in July, 2021, it is no surprise that they found other consistent information showing that these fraudulent domains were all registered by the same cybercriminals…

Alex says that WHOISXML API is often able to connect hundreds, and sometimes thousands of malicious domains back to the same people because they will often use the same registration information, such as a registrant name, email address, Registrar and physical address. Now, suppose that an email address has been used in the registration of 200 domain names and ten of these have been found to be malicious.  It is our contention that the remaining 190 should also be considered as malicious! From this author’s perspective, it doesn’t matter that the domain name has yet been weaponized or not. The public should be on guard if they see domains that appear similar to a domain that has been identified as malicious and avoid it like the plague!

The severity of this problem is even deeper once WHOISXML API expanded the way they looked at their data. For example, when they expanded the dates across which they searched and looked at registered domain names containing “paypal-ticketid” followed by any number, the total number of registered domains jumped from the eight shown above to more than 1200!  Furthermore, WHOISXML API has demonstrated that this serious weaponizing of domain names is even worse. By replacing the name “paypal” with other business names in the string “paypal-ticketid” they were able to find more than two hundred other suspicious domains, such as Chase-ticketID and Wellsfargo-ticketID.

Alex also told us that they have been able to find suspicious/malicious domains registered to email addresses that followed the same email pattern too (i.e, firstname.lastname@hotmail.com).  Alex added that the “threat actors” who register these malicious domains try to cover their tracks but it is very hard to do that when they are registering thousands of domain names for malicious purposes. Once criminals find a formula for registering their domain names, they generally stick to it.   From our perspective, if we see one format of a registered domain name being used for malicious purposes, we believe it is critically important to conclude that ALL subsequent similarly designed domain names are also very likely malicious and should be treated as such!

Given the fact that Alex is a researcher and representing a research company, it was no surprise when he told us that he would not call the other domain properties as suspicious/malicious until each could be verified as malicious. Remember, of the nearly 21,000 domains that were containing company brand names in their study, 1000 were confirmed as malicious, another 1000 contained subdomains that were misleading and could be tied to threats but ONLY 9 were confirmed as legitimate.  It is possible, Alex says, that many of these other (nearly) 19,000 domain names may never be used. Though we understood his position, our experience has taught us, for example, if account-update1-amazon[.]com is used for a phishing scam, update2 and update3 are also intended to be used for phishing scams.

Further exposing this firestorm, Alex said that the team at WHOISXML API have noticed certain words that are overwhelming used along with the names of legitimate companies for malicious purposes in registered domain names.  This included the words login, register, pay, authentication (auth), signin, recover and update.  When these words are used with a brand name, the risks are very high that the website is fraudulent.  Here are three made-up examples of what this fraud might look like:

  Register-amazon[.]com

  Bankofamerica-login[.]com
  Comcast-update-software[.]com

This is bad news! Alex made it a point of saying that malicious actors are very smart and very fast. They try to take advantage of every angle when perpetrating their fraud. We completely agree with him!  Another example of this masterful, but fraudulent opportunism, concerns the war in Ukraine. Shortly after the war began last February, WHOISXML API immediately spotted suspicious domain names that included the country name Ukraine, along with words like support, donate, and citizens. These newly registered domains turned out to be fraudulent sites used to trick people into giving money to scammers. (Check out two articles about this type of fraud: BBC and Newsweek.) This also happened immediately after Hurricane Ian struck Florida at the end of September, 2022. You can watch a short video published on WJHG in Panama City, Florida showing an interview with Crime and Safety Expert, Paul Vecker, talking about these scams.

There are many lessons to be learned here, not least of which is that we all need to be extremely mindful of the domain names we see used for websites and in links pointing to websites. If the names contain a brand name (company name), then we should do our due diligence and look more carefully at it. Should we see any of the patterns or constructive devices discovered by the research from WHOISXML API, don’t click!  

You can read more about some of the studies Alexandre Francois and Anna Danilova shared with us, and other resources from their company, via these links:

Mapping the Business Impersonation Landscape Though DNS
(2022 White Paper Edition)
WHOISXML API Threat Reports
WHOISXML API Podcasts

Is the T-Mobile/Kroll Settlement Legit? Received a text message from Kroll Settlement that says you’re eligible for benefits from a class action settlement relating to a T-Mobile data breach and not sure if it’s legit. Check it out with this FREE, all-in-one tool!

Facebook (Meta) Is Making the Problem Worse We’ve heard from two different people recently who’ve been hurt by Facebook’s policies, but for very different reasons. The first is a woman who is part of a group of people reporting fraudulent sales of parrots on Facebook. Like any fake pet scam, the buyer is asked to make a deposit, or pay in full in advance, but never receives their parrot.  Payment is made in such a way as to be unrecoverable. The problem has to do with sellers who are reported to Facebook as a fraud, but Facebook doesn’t take there accounts down (or takes a long time before they do). These scammers continue to victimize other people.  A scammer using the name “Joe Smith” kept pressuring people interested in a parrot to send a deposit in advance.  Here is a text exchange illustrating this point.

A woman named Rebecca reported one of these scammers to Facebook. The scam account used the name Christopher Shaun. This was the response she got…

    She told us that Facebook’s response was disappointing and not an isolated example. Rebecca wonders why the Internet Crimes Complaint Center doesn’t come down on Facebook for allowing these scams to easily continue on their site. Good point! Rebecca said that every scam she has reported to Facebook was denied, followed by Facebook saying they weren’t taking down the account because the account wasn’t a dangerous threat. Since when is financial loss due to fraud NOT a threat? We’re sure Facebook would feel differently about this IF THEY LOST MONEY to fraud!  

    Our second example, concerns very questionable advertising that appears on Facebook.  One of our more senior readers sent us this screenshot that appears to promote a site called SeniorAssistant[.]org. Seniors are invited to take a quiz on their website, though we’re not sure why.  We’re not calling SeniorAssistant[.]org a scam, BUT other people are. It has some very poor reviews. You can see the reviews page on their Facebook page for Senior Assistant. Though people are not providing details why, several have called this organization a scam. Last February, one person said that this organization is serving private insurance companies, and causing the elimination of a person’s Medicare benefits.  We cannot verify these claims. However, the point is that Facebook is allowing this organization to have a presence on their platform and doesn’t seem to care that people are calling them out as a fraud.  As of November 5, their account has 1 “like” and a total of 8 reviews which collectively give them a 1-star rating. Should Facebook have a threshold beyond which they boot a vendor from offering services or information?  We think so!  We believe that online services have a responsibility to protect the people that use their services.

      Onto a different subject, one of our honeypot email accounts was suddenly hammered by LOTS of malicious clickbait. We wanted to show you a few tricks for spotting this nasty clickbait before you even open an email. Check out the screenshot below. The left column is the sender and the right column is the start of the subject line. Each of the ten emails listed is 100% malicious. Check out the four tips we include on how to spot these hand grenades so you can delete without opening them!

        At the very end of October, our friend Rob received an email from Mrs. Jennifer L. Moore. She claimed to be a Special FBI Agent in charge of the Intelligence Division.  Of course, this was part of an advance-fee scam. Agent Moore’s email didn’t come from fbi.gov, it came from info[@]usa-federalbureau[.]org. We mention this because of a little funny detail that the scammers overlooked.  You see, “Agent Moore” included a photo of her U.S. Passport as proof that she was indeed “Jennifer L. Moore” along with other FBI documentation.  We peeked under the hood of that “U.S.” passport and discovered that the image was created by someone named “Onu Okechukwu.” According to Names.org, the name “Onu” means “mouth” and is most commonly used in Nigeria. Our onus are open in shock!

          For those interested to learn more how criminal gangs in Asia conscript people and force them to scam others, check out this excellent article from Channel News Asia titled Inside the Elaborate Set-up of a Scam HQ, Staffed by People Forced to Scam.

            Navy Federal Credit Union and Paypal Anyone using Google to search for Navy Federal Credit Union will discover that their legitimate domain is navyfederal.org. That fact will immediately discredit this email that came from a server call monasara[.]org. So, too, will a search for monasara[.]org using Firefox.  It shows that Monasara[.]org is a website hosted in Jordan, offering support and assistance to Palestinians in the West Bank, Gaza Strip and Jerusalem. It is certainly NOT the Navy Federal Credit Union.  Moreover, mousing over the link to view your “eMessage” shows that you’ll be sent to a website in Russia if you click.  It’s called serm-manager[.]ru.

            Delete!

            1. For about the last two weeks, we’ve seen a significant rise in a clever phishing scam that completely misuses Paypal’s legitimate services.  Phishermen use a legitimate Paypal account to send out fraudulent emails. The emails come FROM paypal.com and contain links pointing TO paypal.com.  However, the risk is in the notes section of the email where recipients are told that they can call the scammers phone number to refute the invoice! In this first example, the seller’s note invites you to call 888-436-9260. Paypal is actually trying to respond to this type of fraud.  Look at the very last paragraph of the email at the text automatically inserted by Paypal!  Also look below at what we found when we searched Google for that scammer’s phone number!

              1. A Google search for 888-436-9620 returned ONLY 1 link. That link pointed to a very questionable source on a server in Brazil that has NOTHING to do with Paypal! Also, when searching for phone numbers, NEVER, EVER click the links to visit these questionable websites, especially in foreign countries!  During past years, we’ve known criminals gangs to host malware on websites that contains lists of the phone numbers they use!

              1. Here is another similar example of this fraud disguised as an email from Paypal…

              Invest in Gold During challenging financial times, people will often invest in gold as a way to reduce financial losses in the stock markets. So it didn’t surprise us to see this email that seems to be from Gold Allied Trust, encouraging gold investing. Except that the email didn’t come from goldalliedtrust[.]com, it came from a free email service that uses company[.]com!  Anyone can create an email using the domain company[.]com, just like accountant[.]com, engineer[.]com and hundreds of other free email domain names. Also, it pays to read carefully! Look at the very bottom of this email at the place you are invited to “unsubscribe” from receiving future emails! Never click unsubscribe in suspicious/malicious emails!

                Stop Sending Me Your Nudes, Voicemail from Martin, and This Message Seems Dangerous –One of our readers sent us this VERY malicious clickbait that was a clever trick designed to manipulate you into clicking the link.  “Stop sending me your nudes. It is not okay!” says the subject line. We think that would likely get most people to open the email, thinking… “what the heck?”  Read this email and ask yourself, would you have clicked the link? If you had, you would have been hit with a malware attack!

                Another reader sent us this short, but sour, email with the subject line “MARTIN has left you a VM 20 seconds long.”  It is also very malicious clickbait because the attached “voice message” is another DOT-html file, and NOT a sound file! As our readers have heard over and over…. Files ending in html, htm or php are files that send instructions to your web browser to do whatever the sender wants, such as instructions to visit a website and download malware!

                Though it doesn’t happen often enough, sometimes email programs (like Gmail) actually recognize something as malicious and WARN you.  It’s important to pay attention to these warnings!  One of our readers sent us this email that contained such a warning.  The link points to a malicious website in Romania. (“.ro” = Romania) ‘Nuf said!

                Deeeeeleeeete!

                Free Book, Redeem More Space, Food Stamps and More –Our reader named Bobbie continues to get malicious texts but at a much reduced rate than the week before. They pretend to offer a free book, more online storage space, food stamps, a Walmart gift card, and even information about the Camp LeJeune Settlement for US Veterans.  Have a look, and keep in mind that each link is 100% malicious!

                Until next week, surf safely!

                Copyright © 2021 The Daily Scam and Scamadviser. All rights reserved. You are receiving this email because you
                have subscribed to it via Scamadviser.com or thedailyscam.com

                Keurenplein 41, UNIT A6311  |  1069CD Amsterdam, The Netherlands

                Contact Webmaster