Wells Fargo Squatting Campaign – IBM X-Force Early Warning

Summary

X-Force has identified a new squatting campaign used by threat actors to target the finance and insurance sector. The campaign has a global scope and is presumed to lure users into giving away their login credentials.

Threat Type

Squatting Domain, Phishing Domain, Credential Theft

Overview

We observed 3 squatting domain registrations related to a victim in the finance and insurance sector. The campaign was identified from the first registration on 2020-03-07 01:15:57 up to the latest registration on 2020-03-12 11:13:30.

For all registered domains we identified NameCheap, Inc., a registrar based in Panama. The email address used to register the domains was anonymized.

The registered domains could not be resolved to any hosting IPs throughout our analysis.

However, the registrar NameCheap, Inc. manages a pool of 38.312.478 domains, of which at least 0.43% can be considered potentially malicious.

The following list shows the name servers configured as authoritative name servers for each domain, together with their malicious score, which is the percentage of malicious domains that share the same name server.

Domain: mobil-support-wells-fargo.work
Name server: dns1.registrar-servers.com
Name server malicious score: 0.98%

Domain: mobil-support-wells-fargo.work
Name server: dns2.registrar-servers.com
Name server malicious score: 0.98%

Domain: support-team-wells-fargo.work
Name server: dns1.registrar-servers.com
Name server malicious score: 0.98%

Domain: support-team-wells-fargo.work
Name server: dns2.registrar-servers.com
Name server malicious score: 0.98%

Domain: support-wells-fargo-team.work
Name server: dns1.registrar-servers.com
Name server malicious score: 0.98%

Domain: support-wells-fargo-team.work
Name server: dns2.registrar-servers.com
Name server malicious score: 0.98%

The WHOIS server is also worth noting: X-Force retrieved the WHOIS server information for each domain, determined the number of domains each WHOIS server manages, and added the malicious rating of the domains in that pool.

Domain: mobil-support-wells-fargo.work
Whois server: whois.namecheap.com
Whois server malicious score: 0.44%

Domain: support-team-wells-fargo.work
Whois server: whois.namecheap.com
Whois server malicious score: 0.44%

Domain: support-wells-fargo-team.work
Whois server: whois.namecheap.com
Whois server malicious score: 0.44%

Recommendations

Do not click or open links in emails directly; instead, type the main URL into your browser or search for the brand/company via your preferred search engine.
Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in your environment.
Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices as a course of action to remediate this threat.
Keep applications and operating systems running at the current released patch level.
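As an added example, not part of the X-Force advisory, the following Python check implements the recommendation to search for the indicated IOCs in your environment: it scans DNS query log lines for the three squatting domains listed above and additionally flags other names that carry the brand tokens outside the legitimate zone. The log format, the constructed log lines and the legitimate zone wellsfargo.com are assumptions.

```python
import re
from typing import List, Tuple

# Squatting domains reported in this advisory (exact IOC matches).
IOC_DOMAINS = {
    "mobil-support-wells-fargo.work",
    "support-team-wells-fargo.work",
    "support-wells-fargo-team.work",
}

# Assumed legitimate zone for the brand; names under it are never flagged.
LEGIT_ZONES = ("wellsfargo.com",)

# Brand tokens whose joint presence in a foreign domain suggests squatting.
BRAND_TOKENS = ("wells", "fargo")

# Constructed sample DNS query log (not real data): "<time> <client> <qname>".
SAMPLE_DNS_LOG = """\
2020-03-12T11:20:01Z 10.0.0.15 www.wellsfargo.com
2020-03-12T11:20:05Z 10.0.0.15 mobil-support-wells-fargo.work
2020-03-12T11:21:17Z 10.0.0.22 login.wells-fargo-secure.support
2020-03-12T11:22:40Z 10.0.0.31 connect.secure.wellsfargo.com
2020-03-12T11:23:02Z 10.0.0.40 support-wells-fargo-team.work
2020-03-12T11:23:10Z 10.0.0.40 example.org
"""


def classify(qname: str) -> str:
    """Return 'ioc', 'lookalike' or 'clean' for one queried name."""
    name = qname.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in LEGIT_ZONES):
        return "clean"
    # Match the IOC against the name itself or any parent domain of it.
    labels = name.split(".")
    if any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels))):
        return "ioc"
    # Heuristic: strip hyphens and dots so "wells-fargo" and "wells.fargo" both match.
    flat = re.sub(r"[-.]", "", name)
    if all(tok in flat for tok in BRAND_TOKENS):
        return "lookalike"
    return "clean"


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, verdict) for every non-clean query in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        verdict = classify(qname)
        if verdict != "clean":
            hits.append((client, qname, verdict))
    return hits
```

Exact IOC hits are candidates for blocking at the perimeter; lookalike hits are a triage queue, since the heuristic will also catch legitimate third parties that mention the brand.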

Reference

Proprietary IBM X-Force Threat Intelligence