Are’s free subdomain creation services being abused?


It is not uncommon to see free web hosting providers being abused through phishing campaigns. IBM X-Force Exchange, in fact, released three indicators of compromise (IoCs) related to such an incident, namely:

  • URL: http[:]//direct7890[.]mypressonline[.]com
  • E-mail address: [email protected][.]com
  • IP address: 185[.]176[.]43[.]106

The mypressonline[.]com domain leads to a website that offers users an easy way to add subdomains to their projects. A screenshot search led us to this conclusion.

Image 1: Screenshot search result for mypressonline[.]com

As part of our work to make internet use transparent and protect users from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:

  • 1460 subdomains under the mypressonline[.]com domain, nine of which are malicious.
  • 805 domains sharing the registrant organization identified in mypressonline[.]com’s WHOIS history, three of which are malicious.
  • At least 300 domains sharing mypressonline[.]com’s IP address, two of which are malicious.

Read on to find out how we obtained these artifacts and additional IoCs in the following sections. For a list of all the data collected, download the threat research materials here.

How big is mypressonline[.]com’s digital footprint?

We used a variety of WHOIS, IP, and DNS tools to determine how large mypressonline[.]com’s digital footprint could be.

Discovery of domains and subdomains

We used the Domains and Subdomains Discovery tool to find subdomains containing the string “mypressonline”. We found 1460 subdomains. Examples include:

  • 0x32[.]mypressonline[.]com
  • abctaxi[.]mypressonline[.]com
  • back links[.]mypressonline[.]com
  • cajid[.]mypressonline[.]com
  • dancing kiss[.]mypressonline[.]com
  • long ago[.]mypressonline[.]com
  • faizaturk[.]mypressonline[.]com
  • g2rss[.]mypressonline[.]com
  • half[.]mypressonline[.]com
  • icon line[.]mypressonline[.]com

A significant portion of these subdomains could belong to legitimate people or businesses who took up mypressonline[.]com’s offer. As such, only some of them may have been part of malicious campaigns.

Threat Intelligence Platform

Subjecting all 1460 subdomains to a bulk malware check through the Threat Intelligence Platform (TIP) showed that nine of them were labeled “dangerous” by various malware engines. These malicious subdomains are:

  • be ready[.]mypressonline[.]com
  • ieguillermovalencia[.]mypressonline[.]com
  • tv june[.]mypressonline[.]com
  • creativtrening[.]mypressonline[.]com
  • phoenixparties[.]mypressonline[.]com
  • spain[.]mypressonline[.]com
  • vamsipavan[.]mypressonline[.]com
  • veed[.]mypressonline[.]com
  • wyrokipolskie[.]mypressonline[.]com

WHOIS history and reverse WHOIS search

We wanted to see whether any other potentially abused properties owned by a former owner of mypressonline[.]com could be identified, so we took a closer look at the domain’s WHOIS history. We found that:

  • The domain’s ownership history dates back to March 30, 2011.
  • It has 31 historical WHOIS records. The 15 most recent have been redacted.
  • Its WHOIS record dated January 12, 2018 showed a registrant organization (i.e., ATTRACTSOFT GMBH), which, like the current registrant, is based in Germany.

Using Reverse WHOIS Lookup, we then found 805 domains that listed ATTRACTSOFT GMBH as their registrant organization. Examples include:

  • 007 GB[.]com
  • a2zfilms[.]com
  • balcondeodonnell[.]com
  • caamore[.]report
  • stamp[.]com
  • e-dys[.]com
  • f-gauthier[.]com
  • gabrielvivas[.]com
  • hack virus[.]com
  • i8it[.]report

Of these, three were rated as “dangerous” by various malware engines, according to a bulk malware check via TIP. These malicious domains include:

  • xripton[.]com

Screenshot search

We subjected all 805 domains owned by ATTRACTSOFT GMBH to a bulk screenshot search and found that many of them carried content related to website development. Examples include:

  • 00sites[.]report
  • agilityhoster[.]com
  • batcave[.]report

These three sites hosted the same content:

Image 2: Screenshot search results for example domains owned by a former registrant organization of mypressonline[.]com

Do other domains resolve to the same host as mypressonline[.]com?

To determine the answer, we used the IP address 185[.]176[.]43[.]106 to perform a reverse IP lookup and discovered at least 300 domains sharing the host of http[:]//direct7890[.]mypressonline[.]com/. We subjected these domains to a bulk malware check and found that two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) should be avoided.
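The three pivots used throughout this investigation (subdomain discovery under an apex, reverse WHOIS on the registrant organization, and reverse IP on the shared host) can be chained from a single defanged seed URL. The script below is an added illustration, not code from the original article or from the Threat Intelligence Platform; it runs the same three pivots against small constructed tables that stand in for passive-DNS, WHOIS-history and bulk-malware-check data sources, and the hostnames, IP addresses and organization names in it are made up for the example.

```python
"""Expand a defanged seed indicator through subdomain, WHOIS and IP pivots.

Added illustration (not from the original article or its tooling). The
lookups run against constructed in-memory tables rather than live sources.
"""
from dataclasses import dataclass, field

# --- constructed sample data (not real findings) ---------------------------
# hostname -> hosting IP (stands in for DNS / reverse-IP data)
DNS = {
    "direct7890.example-host.com": "203.0.113.10",
    "shop.example-host.com": "203.0.113.10",
    "blog.example-host.com": "203.0.113.11",
    "other-site.net": "203.0.113.10",
    "unrelated.org": "198.51.100.5",
}
# domain -> registrant organization (stands in for WHOIS / reverse-WHOIS data)
WHOIS = {
    "example-host.com": "EXAMPLE HOSTING GMBH",
    "other-site.net": "EXAMPLE HOSTING GMBH",
    "unrelated.org": "SOMEONE ELSE",
}
# hostname -> number of engines that flagged it (stands in for a bulk malware check)
VERDICTS = {"shop.example-host.com": 3, "other-site.net": 1}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp[:]//a[.]b, with stray spaces) back into a usable one."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxp", "http").replace(" ", ""))


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report or ticket."""
    return ioc.replace(".", "[.]").replace(":", "[:]")


def apex(host: str) -> str:
    """Assumes a two-label apex (foo.com); production code would use a public-suffix list."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Footprint:
    seed: str
    subdomains: set = field(default_factory=set)
    reverse_whois: set = field(default_factory=set)
    reverse_ip: set = field(default_factory=set)

    def flagged(self, minimum_engines: int = 1) -> dict:
        """Hosts reached by any pivot that at least `minimum_engines` engines flagged."""
        reached = self.subdomains | self.reverse_whois | self.reverse_ip
        return {h: n for h, n in VERDICTS.items() if h in reached and n >= minimum_engines}


def expand(seed_url: str) -> Footprint:
    """Run the three pivots from a (possibly defanged) seed URL."""
    host = refang(seed_url).split("//")[-1].rstrip("/")
    fp = Footprint(seed=host)
    root = apex(host)
    # 1. Subdomain discovery: every known host under the seed's apex.
    fp.subdomains = {h for h in DNS if apex(h) == root}
    # 2. Reverse WHOIS: other domains registered to the apex's registrant organization.
    org = WHOIS.get(root)
    fp.reverse_whois = {d for d, o in WHOIS.items() if org and o == org and d != root}
    # 3. Reverse IP: other hosts resolving to the seed's address.
    ip = DNS.get(host)
    fp.reverse_ip = {h for h, a in DNS.items() if ip and a == ip and h != host}
    return fp


if __name__ == "__main__":
    fp = expand("http[:]// direct7890[.]example-host[.]com")
    print("seed:", defang(fp.seed))
    print("subdomains:", len(fp.subdomains), "reverse WHOIS:", len(fp.reverse_whois),
          "reverse IP:", len(fp.reverse_ip))
    for host, engines in sorted(fp.flagged().items()):
        print(f"  {defang(host)} flagged by {engines} engine(s)")
```

The `minimum_engines` threshold on `flagged()` is the knob a defender tunes: a single-engine hit on a free-subdomain host is often noise, while a multi-engine hit on a domain reached by two independent pivots (here, a host that is both a sibling subdomain and a reverse-IP neighbour) is worth blocking outright.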

Overall, our analysis led us to conclude that part of mypressonline[.]com’s subdomain footprint has likely been abused in phishing campaigns, possibly alongside other ATTRACTSOFT GMBH-owned domain properties that we identified through WHOIS history searches.

If you would like to know more about how to conduct a similar investigation, please feel free to contact us. We can provide you with access to a variety of data sources and are always ready to collaborate with other researchers.
