Domain takeovers of Squarespace-held domains
Crypto News relayed widespread social media reports of Web3-related domain takeovers of Squarespace-held domains. Using 0xngmi’s list as a guidepost, we are releasing passive DNS records for the listed sites observed since 2024-07-01 to allow for further analysis (please note two sets of data, one in epoch time, one set in a subfolder with human-readable time). Inclusion in this list does NOT necessarily indicate compromise.
Russian-based Prospero hosting & Squarespace as a registrar
Western European targeted SMS campaigns that are phishing for credentials and banking information
We have been following a threat actor since at least November targeting western European countries with SMS campaigns, leading to the phishing of account credentials and banking information. Targets thus far include government benefits agencies, e-commerce giants, and video-on-demand services. This actor favors Russian-based Prospero hosting, and has now been detected using Squarespace as a registrar.
This actor often uses phrases like ‘facturacion’ (which translates to ‘billing’ or ‘invoice’ in several European languages) as well as ‘service,’ ‘moncompte’ (‘my account’), ‘suscripcion,’ and similar generic terms combined with specific brands or agencies to lure targets into account takeover or bank fraud. Previously targeted countries include Norway, Sweden, Finland, and Austria; the Squarespace-registered batch appears to be targeting Germany, France, and Spain as well.
We advise that network administrators consider blocking Prospero’s IP space in its entirety and allow-listing elements on a case-by-case basis, if possible.
End-users should be wary of SMS-based banking alerts, and should only enter their banking credentials into known or verified websites and applications. We advise users never to download banking applications from third-party app stores, and to always navigate to their bank’s website manually in order to avoid unknowingly entering credentials into cloned or fraudulent banking websites.
Visualization of 49 likely associated domains first seen or newly active from 2024-06-01 forward utilizing Squarespace registration and Prospero hosting, also showing commonalities among server type and risk score.
1600+ were registered between 2024-06-19 and 2024-06-20
We observed a massive bloom of newly active domain registrations including the word “airdrop” between 2024-06-19 and 2024-06-20. Instead of the usual 40-60 domains per day, 1600+ were registered. 1549 of those domains appear to be by a single actor, with a common profile across MX, registrar, registrant, TLD, and more. The 1549 domains have an average risk score of 90, on a 0-100 scale of increasing risk.
Passive DNS (see screenshot from DNSDB Scout) shows an example domain moving from Dynadot to Onamae nameservers prior to expiration, and then moving to parked NS, possibly indicative of enforcement action, but not necessarily. Whois shows registrar moving from Dynadot to Onamae at the same time.
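The nameserver history described above can be rebuilt from raw passive DNS rrsets rather than read off a screenshot. The following is an added example, not part of the original post and not DNSDB Scout output: it takes NS rrsets in a DNSDB-like shape (rrname, rrtype, rdata list, time_first and time_last as epoch seconds), maps each nameserver hostname to an operator via an assumed suffix table, and emits the sequence of provider changes. The domain and records are constructed; the parked nameserver name is a placeholder.

```python
"""Rebuild a domain's nameserver (NS) provider timeline from passive DNS rrsets.

Added example, not part of the original post. Record layout mirrors a
DNSDB-style NS rrset; all records below are constructed, not observations.
"""
from datetime import datetime, timezone

# Constructed NS rrsets for one hypothetical domain, oldest first.
SAMPLE_RECORDS = [
    {"rrname": "example.xyz.", "rrtype": "NS",
     "rdata": ["ns1.dynadot.com.", "ns2.dynadot.com."],
     "time_first": 1704067200, "time_last": 1717200000},   # 2024-01-01 .. 2024-06-01
    {"rrname": "example.xyz.", "rrtype": "NS",
     "rdata": ["dns1.onamae.com.", "dns2.onamae.com."],
     "time_first": 1717286400, "time_last": 1718755200},   # 2024-06-02 .. 2024-06-19
    {"rrname": "example.xyz.", "rrtype": "NS",
     "rdata": ["ns1.parked-placeholder.invalid.", "ns2.parked-placeholder.invalid."],
     "time_first": 1718841600, "time_last": 1719878400},   # 2024-06-20 .. 2024-07-02
]

# Nameserver suffix -> operator label. Assumed mapping for this example only.
NS_PROVIDERS = {
    "dynadot.com.": "Dynadot",
    "onamae.com.": "Onamae",
    "parked-placeholder.invalid.": "parked (placeholder)",
}


def provider_of(ns_host):
    """Map a nameserver hostname to an operator label by suffix match."""
    host = ns_host.lower()
    for suffix, label in NS_PROVIDERS.items():
        if host.endswith(suffix):
            return label
    return "unknown"


def ns_timeline(records):
    """Return [(time_first, time_last, provider_label)] ordered by time_first.

    Consecutive rrsets that resolve to the same provider are merged into one
    segment so that a change of individual hostnames within one operator does
    not show up as a transition.
    """
    timeline = []
    ns_records = sorted((r for r in records if r["rrtype"] == "NS"),
                        key=lambda r: r["time_first"])
    for rec in ns_records:
        label = "/".join(sorted({provider_of(h) for h in rec["rdata"]}))
        if timeline and timeline[-1][2] == label:
            first, last, _ = timeline[-1]
            timeline[-1] = (first, max(last, rec["time_last"]), label)
        else:
            timeline.append((rec["time_first"], rec["time_last"], label))
    return timeline


def ns_transitions(records):
    """Return provider changes as (time_first_of_new_segment, old_label, new_label)."""
    tl = ns_timeline(records)
    return [(tl[i][0], tl[i - 1][2], tl[i][2]) for i in range(1, len(tl))]


def fmt(ts):
    """Epoch seconds -> YYYY-MM-DD in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    for first, last, prov in ns_timeline(SAMPLE_RECORDS):
        print(f"{fmt(first)} .. {fmt(last)}  {prov}")
    for when, old, new in ns_transitions(SAMPLE_RECORDS):
        print(f"{fmt(when)}: {old} -> {new}")
```

Run against a real export, the transition list is what you would check against whois registrar-change dates: a registrar move that lines up with the NS move, followed by parked nameservers, is the pattern the text describes, but as the text notes, it is consistent with enforcement action rather than proof of it.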
While not declarative of malicious activity, this massive renewal of activity in the number of “airdrop” domains is notable due to the regularity of airdrop scams in the cryptocurrency space – scams which often involve leading targets to malicious websites.
We encourage all cryptocurrency users and services to warn others of the possibility of a wave of airdrop scams.
Domain profile:
First seen / newly active and re-registered: 2024-06-19 or 2024-06-20
Registrar: GMO Internet Group, Inc. d/b/a Onamae[.]com
MX domain: h-email[.]net
ISP: Team Internet AG (ASN206834)
IPs: 104.247.81.50, 104.247.81.51, 104.247.81.52, 104.247.81.53, 104.247.81.54
TLD: xyz
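The profile above is what lets 1549 domains be attributed to one actor: each field on its own is common, but the combination is not. The following is an added example, not part of the original post, showing how such a profile can be applied to a flattened domain export. The profile values (keyword, dates, registrar, MX domain, IPs, TLD) are the ones stated in the text; the domain records and their field names are constructed assumptions about how a whois and passive DNS export might look.

```python
"""Match newly active domains against the 'airdrop' cluster profile.

Added example, not part of the original post. Profile values come from the
text; SAMPLE_DOMAINS are constructed records, not real observations.
"""
from datetime import date
import ipaddress

PROFILE = {
    "keyword": "airdrop",
    "first_seen": (date(2024, 6, 19), date(2024, 6, 20)),
    "registrar_contains": "onamae",
    "mx_domain": "h-email.net",
    "ips": {ipaddress.ip_address(f"104.247.81.{n}") for n in range(50, 55)},
    "tld": "xyz",
}

# Constructed records (assumed field layout): three full matches, three near misses.
SAMPLE_DOMAINS = [
    {"name": "airdrop-sample1.xyz", "first_seen": "2024-06-19",
     "registrar": "GMO Internet Group, Inc. d/b/a Onamae.com",
     "mx": "mx.h-email.net", "ip": "104.247.81.52"},
    {"name": "airdrop-sample2.xyz", "first_seen": "2024-06-20",
     "registrar": "GMO Internet Group, Inc. d/b/a Onamae.com",
     "mx": "mx2.h-email.net", "ip": "104.247.81.50"},
    {"name": "sample3-airdrop.xyz", "first_seen": "2024-06-20",
     "registrar": "GMO Internet Group, Inc. d/b/a Onamae.com",
     "mx": "mx.h-email.net", "ip": "104.247.81.54"},
    {"name": "airdrop-sample4.xyz", "first_seen": "2024-06-19",
     "registrar": "Dynadot Inc",                      # same infrastructure, other registrar
     "mx": "mx.h-email.net", "ip": "104.247.81.51"},
    {"name": "airdrop-sample5.com", "first_seen": "2024-06-20",
     "registrar": "GMO Internet Group, Inc. d/b/a Onamae.com",
     "mx": "mail.example.net", "ip": "198.51.100.7"},  # keyword + registrar only
    {"name": "bakery-sample6.xyz", "first_seen": "2024-06-05",
     "registrar": "GMO Internet Group, Inc. d/b/a Onamae.com",
     "mx": "mx.h-email.net", "ip": "104.247.81.53"},   # same hosting, unrelated name/date
]


def matches_profile(rec, profile=PROFILE):
    """Return the list of profile fields the record fails; an empty list is a full match."""
    misses = []
    name = rec["name"].lower().rstrip(".")
    if profile["keyword"] not in name:
        misses.append("keyword")
    if name.rsplit(".", 1)[-1] != profile["tld"]:
        misses.append("tld")
    lo, hi = profile["first_seen"]
    if not (lo <= date.fromisoformat(rec["first_seen"]) <= hi):
        misses.append("first_seen")
    if profile["registrar_contains"] not in rec.get("registrar", "").lower():
        misses.append("registrar")
    mx = rec.get("mx", "").lower().rstrip(".")
    if not (mx == profile["mx_domain"] or mx.endswith("." + profile["mx_domain"])):
        misses.append("mx")
    try:
        ip_ok = ipaddress.ip_address(rec.get("ip", "")) in profile["ips"]
    except ValueError:
        ip_ok = False
    if not ip_ok:
        misses.append("ip")
    return misses


def cluster(records, profile=PROFILE, max_misses=0):
    """Split records into (in_cluster, outside) names, tolerating up to max_misses failed fields."""
    inside, outside = [], []
    for rec in records:
        target = inside if len(matches_profile(rec, profile)) <= max_misses else outside
        target.append(rec["name"])
    return inside, outside


if __name__ == "__main__":
    inside, outside = cluster(SAMPLE_DOMAINS)
    print("strict cluster:", inside)
    for rec in SAMPLE_DOMAINS:
        print(f"{rec['name']:24} misses={matches_profile(rec)}")
```

Reporting which fields a near miss fails, rather than a bare yes/no, is the useful part: a domain that shares the MX, IPs and dates but not the registrar is still worth a look, and `max_misses=1` surfaces it without pulling in domains that merely share the hosting provider.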
200+ registrations in concert with financial or credential phishing
We see more than 200 billing-oriented TEPCO domains created in the last month on the same host. We suspect it is a mass domain registration in concert with financial or credential phishing.
The domains and historical passive DNS records for the two IPs involved can be found at the GitHub link below. The pDNS may include uninvolved domains, but many appear to be part of the same cluster or campaign.
If the community has any additional input, please let us know.
Potential phishing on reregistering old, inactive vmware-related domains
Using some monitors, @neurovagrant observed an actor creating or reregistering old, inactive vmware-related domains and spinning them up for likely phishing purposes.
vmware-shop[.]store
Registrar: Gname
Host: Alibaba
First seen: 2023-03-11 (today)
Screenshot of the landing page below, taken today; it appears to directly impersonate vmware/Broadcom, probably phishing for credentials.
vmwareshop[.]com also reregistered today, Gname registration and NS but no hosting yet.
Suspicious campaigns registering thousands of domains across cheaper TLDs
We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:
More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:
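Bulk registrations like these are usually easy to spot in aggregate (volume per registrar per day) but harder to triage one label at a time. The following is an added example, not part of the original post and unrelated to how the Iris risk scores mentioned above are computed: a lexical screen that flags pseudorandom-looking labels using character entropy, vowel ratio, digit ratio and the longest consonant run. The thresholds are assumptions chosen for illustration, and the sample domains are constructed, not observed registrations.

```python
"""Heuristic screen for pseudorandom-looking (DGA-like) domain labels.

Added example, not part of the original post. Thresholds are assumptions;
SAMPLE_DOMAINS are constructed names, not real registrations.
"""
import math

VOWELS = set("aeiou")

# Constructed: three pseudorandom-looking labels, three ordinary ones.
SAMPLE_DOMAINS = [
    "xk7qz2vbw9.cfd",
    "qwzxkrtpvn.cfd",
    "a1b2c3d4e5.bond",
    "invoice-portal.cfd",
    "myaccount-billing.cfd",
    "shop.bond",
]


def label_features(domain):
    """Lexical features of the registrable label (everything left of the TLD)."""
    label = domain.lower().strip(".").rsplit(".", 1)[0]
    n = len(label) or 1
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    # Shannon entropy of the character distribution, in bits per character.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / (len(letters) or 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    run = longest = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0   # vowels, digits and hyphens break a consonant run
    return {
        "label": label,
        "entropy": round(entropy, 2),
        "vowel_ratio": round(vowel_ratio, 2),
        "digit_ratio": round(digit_ratio, 2),
        "max_consonant_run": longest,
    }


def looks_pseudorandom(domain):
    """Assumed rule set: high entropy with few vowels, long consonant runs, or digit-heavy."""
    f = label_features(domain)
    return ((f["entropy"] >= 3.2 and f["vowel_ratio"] < 0.25)
            or f["max_consonant_run"] >= 5
            or f["digit_ratio"] >= 0.3)


def screen(domains):
    """Return the subset of domains that trip the heuristic, preserving order."""
    return [d for d in domains if looks_pseudorandom(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:24} {looks_pseudorandom(d)!s:5} {label_features(d)}")
    print("flagged:", screen(SAMPLE_DOMAINS))
```

Entropy on its own is a poor signal, since long dictionary labels score high too; pairing it with the vowel ratio is what separates `invoice-portal` from `qwzxkrtpvn`. A screen like this ranks candidates for review; the registrar, date and hosting overlap described above is still what ties a batch together.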
While fans are still flocking to Barbie for the second week in a row, bad actors are flocking to register barbie and barbenheimer domains. See the full list here:
CISOs - worried about getting an SEC notice? Looking for an attorney? 79 domains were recently registered to "help" you find one no matter where you are in the US. (we're kidding, of course, you probably want to avoid all of these)
We continue to monitor the drop in active .GA domains as part of their move away from FreeNom. Since late March we have seen a drop from ~9M to ~1.5M domains, and now down to a few thousand.
200+ new domains were registered this weekend regarding Starbucks’ NFT Membership program likely targeting beta users and prospective members. See the full list on GitHub: