As we’ve previously discussed, the transition to remote working and dramatic changes to business practices have corresponded with an increased threat of malicious phishing campaigns as attackers leverage this ‘new normal’. As part of our regular security monitoring activities, Kinetic IT continues to identify newly registered domains of interest that could be used for malicious purposes. These domains may pose a threat to Australian workers if they are used in spearphishing campaigns. Take these two that we recently investigated and flagged as potentially suspicious:
Based on their names alone, it’s difficult to confirm how risky they might be. Without more investigation, it’s impossible to tell if they are intended for spearphishing or are legitimate sites for customers to access the latest Australia Post Online Catalogue offers.
Unfortunately, Google won’t – or didn’t at the time of writing – categorise these domains as malicious, likely due to how recently they were registered. Nevertheless, there are open source and freely available tools we can use to gain more insight into potential threats without having to interact directly with malicious infrastructure.
One popular service owned by Google is VirusTotal. Initially created as a central repository to test and collate malware samples, VirusTotal’s capabilities have grown beyond being a simple AV aggregator. Even VirusTotal’s entry-tier Community account provides metadata on the relationships between malware, hosted infrastructure, and associated URLs. This metadata helps investigators determine whether domains contain threats, irrespective of whether they are legitimate sites, infected legitimate domains, or domains specifically set up by scammers.
Back to our examples: entering one of the newly observed domains into VirusTotal reveals more information about possible threats. Firstly, the server IP address appears to be associated with several suspiciously named domains, represented in the figure below as small blue globe icons. Manually highlighting these icons brings up the exact domain values; whatsapp.com.statusupdate.top is one specific example:
Diving deeper, many URLs attached to the same IP address can be a perfectly regular occurrence, but when the names or values look suspicious, that should raise a red flag:
Based on a quick review, the domains exhibit the tell-tale signs of being part of a spam distribution network – similar to those used to entice victims via SMS text messages to collect the iPad they forgot they ordered.
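The pivot described above (take the names that resolve to the same IP address and look for ones that imitate a known brand) can be scripted so the review is repeatable. The following is an added example, not Kinetic IT’s tooling: it assumes a response shaped like the VirusTotal API v3 `GET /api/v3/ip_addresses/{ip}/resolutions` endpoint, but the sample data, the brand list and the heuristics are constructed for illustration, and the registrable-domain logic is an approximation rather than a public-suffix-list lookup.

```python
import json

# Constructed sample shaped like a VirusTotal API v3
# GET /api/v3/ip_addresses/{ip}/resolutions response. Apart from the name
# quoted in the post above, these host names are made up for the example.
SAMPLE_RESOLUTIONS = json.dumps({"data": [
    {"type": "resolution", "attributes": {"host_name": "whatsapp.com.statusupdate.top"}},
    {"type": "resolution", "attributes": {"host_name": "auspost-parcel.top"}},
    {"type": "resolution", "attributes": {"host_name": "www.whatsapp.com"}},
    {"type": "resolution", "attributes": {"host_name": "shared-hosting-customer.example"}},
]})

# Brands whose customers the investigator is protecting (an assumed list).
BRANDS = ("whatsapp.com", "auspost.com.au", "apple.com")
SECOND_LEVEL = {"com", "net", "org", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain: the last two labels, or the last
    three for ccTLD forms such as example.com.au (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_reasons(host: str, brands=BRANDS) -> list:
    """Explain why a co-hosted name looks like it impersonates a brand."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    reasons = []
    for brand in brands:
        if reg == brand:
            continue  # the brand's own hosts are not lookalikes
        # Full brand host name used as a subdomain of someone else's domain.
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            reasons.append(f"{brand} embedded as subdomain of {reg}")
        # Brand keyword inside the registrable label (e.g. auspost-parcel.top).
        keyword = brand.split(".")[0]
        if keyword in reg.split(".")[0]:
            reasons.append(f"brand keyword '{keyword}' in registrable domain {reg}")
    return reasons


def triage_resolutions(raw_json: str, brands=BRANDS) -> dict:
    """Map each co-hosted name that raises a flag to the reasons it did."""
    flagged = {}
    for item in json.loads(raw_json).get("data", []):
        host = item["attributes"]["host_name"]
        reasons = lookalike_reasons(host, brands)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, why in triage_resolutions(SAMPLE_RESOLUTIONS).items():
        print(host, "->", "; ".join(why))
```

Hits from a script like this are a prompt for the manual review the post describes, not a verdict: a legitimate host can share an IP with a lookalike without being involved.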
Does this mean that we could safely ignore these domains? The simple review we’ve just conducted suggests the site is mostly innocuous and could be safely ignored from an enterprise perspective. But that doesn’t mean things won’t change. Just as we’ve adjusted our lifestyles to meet the COVID-19 challenges, so too will attackers. Their industry requires continual evolution and innovation to stay ahead of security defences, so they are adept at adjusting their tactics.
Occasionally, spammers reuse infrastructure to make their lives easier, so keeping track of innocent-looking historical data can prove fruitful when investigating more advanced threats. Remember, today’s spammers breed tomorrow’s spearphishers, so stay alert and keep a watchful eye on malicious domains. It could save your business.
Written by: Will Campbell