SecuritySnacks

200+ newly registered domains likely targeting beta users
200+ new domains were registered this weekend regarding Starbucks’ NFT Membership program likely targeting beta users and prospective members. See the full list on GitHub:

New suspected fraud domain registrations from the SVB collapse
Monitoring Circle USDC Stablecoin new suspected fraud domain registrations from the SVB collapse:
circle-svb[.]com
claims-circle[.]app
circle-cashback[.]com
circle-usdc[.]net
circlefund[.]us
circle[.]claims
claimcircle-usdc[.]com
circle-refund[.]com
circleswap[.]finance
reserve-circle[.]com

Newly registered domains, some could be phishing
New domain registrations relating to Silicon Valley Bank are emerging. Some could be phishing campaigns. Listed below is what we’re seeing now. Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms:
Likely adserving typosquats
We’re seeing more typosquats targeting popular Mastodon servers lately. Most look like simple adserving typosquats for now, but some of these are protected by Cloudflare, which raises our suspicions about upcoming malicious activity.
Ex:
matodon[.]online
mastoon[.]online

Likely target, user credentials
In investigating possible infrastructure related to the recent breach of MailChimp, we’ve identified an unrelated set of coordinated sites likely targeting user credentials. Enterprises using MailChimp should monitor the situation carefully.
Registrar: TUCOWS
Host: Grnasy s.r.o.
Nameservers: njalla
ex: mailchimp-taskus[.]com
mailchlmp[.]com
mailchimp-admin[.]comma

Redirects to a cloned page with malicious download
We detected a suspicious LastPass-related domain, lastpass[.]shop, which resolves to an unrelated, innocuous food wholesaler site but contains complex redirects to a LastPass clone page offering a probable malicious download at lastpass[.]shop/en/
The suspicious lastpass[.]shop is registered with namecheap and protected by Cloudflare, compared to the legitimate lastpass[.]com site registered with Name and hosted on Akamai.
Additionally, the download offered at lastpass[.]shop is a zip containing multiple files 10x the size of the official LastPass exe download.
Newly created domains targeting student loans
With the prevalence of student loans in the news, one thing is for certain: opportunists will build scams to capitalize on the attention. Read more of what Tim Helming had to say about threat actors and forgiveness programs in SCMagazine: https://www.scmagazine.com/analysis/fraudsters-aim-to-capitalize-on-student-loan-forgiveness-confusion
Here are the newly created domains we've seen over the past few days:
getstudentloanrelief[.]net
getstudentloanreliefnow[.]com
getstudentloanreliefnow[.]org
getstudentloanrelief[.]org
studentloanrepay[.]org
citizesstudentloans[.]com
citiznsstudentloans[.]com
getstudentloan[.]top
didstudent[.]loan
astudentloan[.]net
studentloanforgivenesspro[.]site
relief4studentloans[.]com
infostudentloan[.]com
studentloansavvy[.]com
myfederalstudentloanchangednamesdoistillbebifitforthestudent[.]loan
studentloan-forgivenesseligibility[.]site
studentloanlawyers[.]org
getstudentloanreliefnow[.]net
studentloanforgivenessform[.]com

Phishing Attacks for Microsoft Credentials and MFA codes
Her Majesty, Queen Elizabeth II has passed away at age 96. As with other major world events, we unfortunately expect to see questionable related domain registrations. Please be mindful when visiting news or commemoration sites relating to this.
We anticipated questionable domain registrations in relation to this event and ThreatInsight now has corroborating reports that threat actors are using phishing attacks to steal Microsoft account credentials and MFA codes: https://x.com/threatinsight/status/1570092339984584705

Instagram Campaign
The allure of the blue badge can be too much! A new Instagram phishing campaign using the domain teamcorrectionbadges[.]com shares host infrastructure with several other questionable domains:
- Teambluebadge[.]com
- Badgescorrectioncase[.]com
- Adminbadgessystem[.]shop
While many of these domains are already on blocklists, not all are, suggesting the bad actors might still be performing this attack. The predictive Domain Risk Score for these domains ranges from 88 to 99. We cannot confirm that all these domains are attributable to the same actor, however.
Additional questionable domains to monitor:
truebadgeteamscase[.]com
objectionsfromcloud[.]com
casebadgeclods[.]com
badgeteamclouds[.]shop
badgecaseteam[.]com
teamcloudsbadges[.]com
teamscorrectbadge[.]com
teamcorrectionbadges[.]com
correctlybadgesteam[.]com
badgecaseteam[.]shop

Watch for this IP
We’re seeing a cluster of domains (mostly associated with phishing) targeting the retail sector. Keep an eye on any traffic traversing to/from this IP.

A small list of domains we are seeing registered
We're seeing what could be a precursor to a phishing attack on T-Mobile's Okta instance. The domains we're seeing are registered through CSC Global and Namecheap and hosted on Linode and DigitalOcean. We'll keep you posted on updates; in the meantime, here are the domains:
okta-tmobiie[.]net
t-mobile-okta[.]us
okta-oath[.]com
t-mobile-okta[.]com
okta-tmobile[.]org
okta-tmo[.]org
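Several of the bulletins above (the Mastodon typosquats, the MailChimp credential sites, and this T-Mobile/Okta cluster) come down to the same screening question: does a newly registered domain imitate a watched brand through a typo, a look-alike character, or an embedded brand term? The script below is an added example written for this page, not DomainTools tooling. It refangs indicators in the defanged forms used in these bulletins and flags lookalikes against a small watchlist; the brand list, the homoglyph table, the five-character minimum for edit-distance matching, and the one-edit threshold are all assumptions, and the sample domains are constructed from entries listed above.

```python
"""Screen newly registered domains for brand lookalikes (added example, not DomainTools code)."""
import re

# Assumed watchlist: brand terms drawn from the bulletins on this page.
WATCHED_BRANDS = ["mastodon", "mailchimp", "lastpass", "okta", "tmobile", "circle", "studentloan"]

# Assumed, non-exhaustive table of characters registrants swap for look-alike letters.
# Both the brand and the candidate label go through the same table, so "tmobiie" and
# "tmobile" normalize to the same string.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "3": "e", "5": "s"})

# Constructed sample input: defanged indicators as they appear in the bulletins above.
SAMPLE_DOMAINS = [
    "mastoon[.]online", "matodon[.]online", "mailchlmp[.]com", "mailchimp-taskus[.]com",
    "okta-tmobiie[.]net", "t-mobile-okta[.]us", "circle-svb/.com", "lastpass[.]shop",
    "getstudentloanrelief[.]net", "teambluebadge[.]com",
]


def refang(domain):
    """Turn a defanged indicator ("[.]", "(.)", "{.]", "/.", "[dot]") back into a hostname."""
    d = domain.strip().strip('"').lower()
    return re.sub(r"[\[\(\{](?:\.|dot)[\]\)\}]|/\.", ".", d)


def normalize(text):
    """Collapse homoglyphs and separators so look-alike spellings compare equal."""
    return text.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_findings(domain, brands=WATCHED_BRANDS, min_len=5):
    """Return a list of (brand, reason) pairs explaining why the domain resembles a watched brand.

    Checks, per brand: an exact brand token, a homoglyph variant of the brand, a token one
    edit away from the brand (only for tokens of at least min_len characters, to avoid
    noise on short names), and finally the brand term embedded anywhere in the host.
    """
    host = refang(domain)
    labels = host.split(".")
    # Hyphen-separated tokens of every label except the TLD, e.g. "okta", "tmobiie".
    tokens = [t for lab in labels[:-1] for t in re.split(r"[-_]", lab) if t]
    joined = normalize("".join(labels))  # whole host, dots removed, for substring checks
    findings = []
    for brand in brands:
        nb = normalize(brand)
        reason = None
        for tok in tokens:
            nt = normalize(tok)
            if tok == brand:
                reason = f"exact use of '{brand}'"
            elif nt == nb:
                reason = f"homoglyph variant of '{brand}'"
            elif len(nt) >= min_len and levenshtein(nt, nb) == 1:
                reason = f"one edit from '{brand}'"
            if reason:
                break
        if reason is None and nb in joined:
            reason = f"contains '{brand}'"
        if reason:
            findings.append((brand, reason))
    return findings


def screen(domains, brands=WATCHED_BRANDS):
    """Map each refanged domain to its findings, dropping domains that trigger nothing."""
    report = {}
    for d in domains:
        hits = lookalike_findings(d, brands)
        if hits:
            report[refang(d)] = hits
    return report


if __name__ == "__main__":
    for host, hits in screen(SAMPLE_DOMAINS).items():
        print(host, "->", "; ".join(reason for _, reason in hits))
```

Feeding a daily list of newly observed domains through `screen()` gives a triage queue ordered by reason; the "homoglyph variant" and "one edit from" hits are the ones most worth a registrar and hosting pivot of the kind the MailChimp and T-Mobile entries describe, since an exact brand token also appears in plenty of legitimate partner and vendor domains.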

A free threat intelligence feed of newly observed or registered Ukraine-related domain names
If you haven’t yet seen it, the FBI issued a PSA regarding scams relating to donations (both monetary and cryptocurrency) to the crisis in Ukraine. Read the full announcement here: https://www.ic3.gov/Media/Y2022/PSA220531
As a reminder, the free threat intelligence feed of newly observed or registered Ukraine-related domain names is still available to help organizations monitor threats. Learn more and download here: https://ukraine-domains.domaintools.com/
