SecuritySnacks

SECURITYSNACKS
TEPCO Mass Domain Registration

200+ registrations in concert with financial or credential phishing

We see more than 200 billing-themed TEPCO domains created in the last month on the same hosting provider. We suspect a mass domain registration in concert with financial or credential phishing.

The domains and historical passive DNS records for the two IPs involved can be found in the GitHub link below. The pDNS may or may not include uninvolved domains, but many appear to be part of the same cluster or campaign.

If the community has any additional input, please let us know.

https://github.com/DomainTools/SecuritySnacks/tree/main/2024/TEPCO

Phish Impersonating DocuSign

195 domains registered and used for credential phishing

We spotted 195 domains, registered and used for credential phishing, pulled from a phish impersonating DocuSign that used a click-through URL obfuscator.

The initial domain was qi6kd[.]com, which served a fake Google Workspace login reached from a DocuSign-impersonating email linking to the malicious site.

VMware-Related Domains

Potential phishing on reregistering old, inactive vmware-related domains

Using some monitors, @neurovagrant observed an actor creating or reregistering old, inactive vmware-related domains and spinning them up for likely phishing purposes.

vmware-shop[.]store
Registrar: Gname
Host: Alibaba
First seen: 2023-03-11 (today)
A screenshot of the landing page taken the same day (not reproduced on this page) appears to directly impersonate VMware/Broadcom, probably phishing for creds.

vmwareshop[.]com also reregistered today, Gname registration and NS but no hosting yet.

Auto-Registering of Domains

Suspicious campaigns registering thousands of domains across cheaper TLDs

We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:

More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:

388aqo001[.]cfd
4qwljn001[.]cfd
8hgsxe001[.]cfd

adix348002[.]cfd
adpzfsn002[.]cfd
aerx7v9002[.]cfd

91-yongjiudizhi-f19q4x8j-dpq[.]cfd
91-yongjiudizhi-q8hkazxp-sij[.]cfd

And several thousand .bond domains newly registered through Key-Systems fitting one of the following patterns:

security-jobs-#####
cyber-security-degree-#####
cyber-security-jobs-#####
homeland-security-jobs-#####
cyber-security-#####
security-surveillance-cameras-#####
home-security-#####
password-manager-#####
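The two clusters above are easy to match mechanically. The script below is an added illustration, not DomainTools' own code or tooling: it transcribes the observed .cfd and .bond shapes into regular expressions and runs them over a constructed sample feed. It assumes the `#####` placeholder stands for five digits, and every sample domain other than those quoted above is made up.

```python
"""Pattern matcher for the .cfd and .bond bulk-registration clusters described above.

Added illustration (not DomainTools code). The regexes are transcribed from the
quoted examples; '#####' is assumed to mean five digits; SAMPLE_FEED is constructed.
"""
import re
from collections import defaultdict

# Cluster 1: 6-7 pseudorandom alphanumerics followed by a 001/002 sequence suffix
CFD_SEQUENCE = re.compile(r"^[a-z0-9]{6,7}00[12]\.cfd$")
# Cluster 1b: the '91-yongjiudizhi-<8 random>-<3 letters>' shape
CFD_YONGJIU = re.compile(r"^91-yongjiudizhi-[a-z0-9]{8}-[a-z]{3}\.cfd$")
# Cluster 2: .bond domains with a security keyword prefix and a numeric suffix
BOND_KEYWORDS = (
    "security-jobs",
    "cyber-security-degree",
    "cyber-security-jobs",
    "homeland-security-jobs",
    "cyber-security",
    "security-surveillance-cameras",
    "home-security",
    "password-manager",
)
BOND_PATTERN = re.compile(
    r"^(?P<kw>" + "|".join(re.escape(k) for k in BOND_KEYWORDS) + r")-\d{5}\.bond$"
)


def refang(domain: str) -> str:
    """Turn a defanged domain ('example[.]cfd') back into a real one, lowercased."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify(domain: str):
    """Return the cluster label a domain fits, or None if it matches no known shape."""
    d = refang(domain)
    if CFD_SEQUENCE.match(d):
        return "cfd-sequence-suffix"
    if CFD_YONGJIU.match(d):
        return "cfd-yongjiudizhi"
    m = BOND_PATTERN.match(d)
    if m:
        return "bond-keyword:" + m.group("kw")
    return None


def triage(domains):
    """Group a feed of domains by cluster; unmatched domains are collected under None."""
    buckets = defaultdict(list)
    for d in domains:
        buckets[classify(d)].append(refang(d))
    return dict(buckets)


# Constructed sample feed (the first three entries are quoted on the page; the rest are invented)
SAMPLE_FEED = [
    "388aqo001[.]cfd",
    "adix348002[.]cfd",
    "91-yongjiudizhi-f19q4x8j-dpq[.]cfd",
    "cyber-security-jobs-48213[.]bond",
    "password-manager-00917[.]bond",
    "cyber-security-jobs-bond[.]bond",   # keyword present but no numeric suffix: not matched
    "example[.]cfd",
]

if __name__ == "__main__":
    for cluster, members in triage(SAMPLE_FEED).items():
        print(cluster, members)
```

A shape match is a triage signal, not a verdict: it tells you a new registration looks like the batch, and the registrar, nameservers and risk score then decide whether it belongs to the same cluster. Note that `cyber-security` is listed after `cyber-security-jobs` in the alternation on purpose, so the longer keyword wins when both could match.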

CISOs Avoid These Lawyer Domains

79 newly registered domains to "help"

CISOs - worried about getting an SEC notice? Looking for an attorney? 79 domains were recently registered to "help" you find one no matter where you are in the US. (we're kidding, of course, you probably want to avoid all of these)

https://github.com/DomainTools/SecuritySnacks/blob/main/2023/securitylawyer/security-lawyer-domains.txt

.GA Moves Away from Freenom

Down to only a few thousand

We continue to monitor the drop in active .GA domains as part of the TLD's move away from Freenom. Since late March we saw a drop from ~9M to ~1.5M domains, and the count is now down to a few thousand.

Circle USDC Stablecoin

New suspected fraud domain registrations from the SVB collapse

Monitoring new suspected fraud domain registrations referencing Circle's USDC stablecoin in the wake of the SVB collapse:
circle-svb[.]com
claims-circle[.]app
circle-cashback[.]com
circle-usdc[.]net
circlefund[.]us
circle[.]claims
claimcircle-usdc[.]com
circle-refund[.]com
circleswap[.]finance
reserve-circle[.]com

Silicon Valley Bank

Newly registered domains, some could be phishing

New domain registrations relating to Silicon Valley Bank are emerging. Some could be phishing campaigns. Listed below is what we’re seeing now. Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms:

https://github.com/DomainTools/SecuritySnacks/blob/main/2023/SVB-Related-Domains/SVB-Related-Domains.csv

Typosquats of Mastodon Servers

Likely adserving typosquats

We’re seeing more typosquats targeting popular Mastodon servers lately. Most look like simple adserving typosquats for now, but some of these are protected by Cloudflare, which raises our suspicions about upcoming malicious activity.

Ex:
matodon[.]online
mastoon[.]online

Related Infrastructure of MailChimp Breach

Likely target, user credentials

In investigating possible infrastructure related to the recent breach of MailChimp, we’ve identified an unrelated set of coordinated sites likely targeting user credentials. Enterprises using MailChimp should monitor the situation carefully.

Registrar: TUCOWS
Host: Grnasy s.r.o.
Nameservers: njalla
Examples:
mailchimp-taskus[.]com
mailchlmp[.]com
mailchimp-admin[.]comma
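Several items on this page (the Mastodon typosquats, the reregistered vmware-* domains, and the mailchimp-* lookalikes above) come down to the same brand-lookalike check. The script below is an added example, not DomainTools' code, that runs three tests against a brand watchlist: literal containment, homoglyph folding (so mailchlmp folds to the same string as mailchimp), and an edit distance of 1 for single-character typos and adjacent transpositions. The brand list, the allowlist of legitimate domains and the sample feed are assumptions constructed for the example, and the rightmost label is treated as the whole TLD.

```python
"""Brand-lookalike triage for newly registered domains.

Added example (not DomainTools code). BRANDS, ALLOWLIST and SAMPLE_FEED are
constructed for illustration; the rightmost label is assumed to be the whole TLD.
"""

BRANDS = ("mastodon", "mailchimp", "vmware", "docusign")          # assumed watchlist
ALLOWLIST = {"mastodon.social", "mailchimp.com", "vmware.com", "docusign.com"}  # assumed legitimate

# Visual-confusable substitutions, applied to both sides before comparing
HOMOGLYPH_FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i"))


def refang(domain: str) -> str:
    """'matodon[.]online' -> 'matodon.online', lowercased."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def fold(s: str) -> str:
    """Collapse look-alike characters so 'mailchlmp' and 'mailchimp' compare equal."""
    for src, dst in HOMOGLYPH_FOLDS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def check_domain(domain: str, brands=BRANDS, allowlist=ALLOWLIST):
    """Return (brand, reason) for a lookalike, or None for a clean or allowlisted domain."""
    d = refang(domain)
    if d in allowlist:
        return None
    parts = d.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # registrable label; single-label TLD assumed
    tokens = label.split("-")
    for brand in brands:
        if brand in label:                          # vmwareshop, mailchimp-taskus
            return brand, "contains-brand"
        if fold(brand) in fold(label):              # mailchlmp folds to mailchimp
            return brand, "homoglyph"
        for token in [label] + tokens:              # matodon, mastoon, msatodon
            if edit_distance(token, brand) == 1:
                return brand, "typosquat"
    return None


def triage(domains):
    """Map each refanged domain in a feed to its verdict."""
    return {refang(d): check_domain(d) for d in domains}


# Constructed sample feed; the lookalike strings are the ones quoted on this page
SAMPLE_FEED = [
    "matodon[.]online", "mastoon[.]online", "mailchlmp[.]com", "mailchimp-taskus[.]com",
    "vmwareshop[.]com", "vmware-shop[.]store", "qi6kd[.]com", "mailchimp.com",
]

if __name__ == "__main__":
    for d, verdict in triage(SAMPLE_FEED).items():
        print(f"{d:28} {verdict}")
```

Two caveats. Substring containment is only safe with brand strings of this length; a four-letter brand would match far too much. And qi6kd[.]com from the DocuSign item carries no brand string at all and passes this check clean, so lookalike matching is one pivot alongside hosting, nameserver and registrar overlap, not a filter on its own.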
