It is not uncommon to see free web hosting providers being abused through phishing campaigns. IBM X-Force Exchange, in fact, released three indicators of compromise (IoCs) related to such an incident, namely:
- Url: http[:]// direct7890[.]mypressonline[.]com
- E-mail address: [emailÂ protected][.]com
- IP adress: 185[.]176[.]43[.]106
As part of our work to make internet use transparent and protect users from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:
- 1460 subdomains under the mypressonline domain[.]com, including nine malicious.
- 805 domains sharing the same registrant organization identified as part of a mypressonline WHOIS history[.]com, including three malicious.
- At least 300 domains sharing mypressonline[.]com’s IP address, two of which are malicious.
Read on to find out how we got the artifacts and additional IoCs in the following sections. For a list of all the data collected, download the threat research papers here.
How big is Mypressonline[.]the digital footprint of com?
We have used a variety of WHOIS, IP and DNS tools to determine the size of mypressonline[.]com’s digital footprint can be.
Discovery of domains and subdomains
We turned to Discovery of domains and subdomains to discover subdomains containing the string “mypressonline”. We have found 1460 subdomains. Examples include:
- back links[.]mypressonline[.]com
- dancing kiss[.]mypressonline[.]com
- long ago[.]mypressonline[.]com
- icon line[.]mypressonline[.]com
A significant portion of these subdomains could be owned by legitimate people or businesses who have used mypressonline[.]the offer of com. As such, only some may have been part of malicious campaigns.
Threat Intelligence Platform
Subject all 1460 subdomains to mass malware checking through the Threat Intelligence Platform (TIP) showed that nine of them were labeled “dangerous” by various malware engines. These malicious subdomains are:
- be ready[.]mypressonline[.]com
- tv june[.]mypressonline[.]com
Whois history and reverse whois search
We wanted to see if there were any more potentially abused properties owned by a former owner of mypressonline.[.]com could be identified, so we took a closer look at the domain’s WHOIS history. We found that:
- The estate’s ownership history dates back to March 30, 2011.
- It has 31 historical WHOIS records. The 15 most recent have been redacted.
- Its WHOIS record dated January 12, 2018 showed a reporting organization (i.e. ATTRACTSOFT GMBH), which, like the current registrant, is based in Germany.
Using Reverse WHOIS Lookup, we then found 805 domains that listed ATTRACTSOFT GMBH as their registrant organization. Examples include:
- 007 GB[.]com
- hack virus[.]com
Of these, three were rated as “dangerous” by various malware engines, according to a mass malware check via TIP. These malicious domains are:
xripton[.]com ## Search screenshot
We subjected all 805 domains owned by ATTRACTSOFT GMBH to bulk screenshot search and found that many of them had to do with various content related to website development. Examples include:
These three sites hosted the same content:
Do other domains resolve to the same host as mypressonline[.]com?
To determine the answer, we used the IP address 185[.]176[.]43[.]106 to perform a reverse IP lookup and discovered at least 300 domains sharing http host[:]// direct7890[.]mypressonline[.]com /. We subjected these domains to a mass malware check and found that access to two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) should be avoided.
Overall, our analysis led us to the conclusion that part of mypressonline[.]The com subdomain fingerprint has likely been abused in phishing campaigns, possibly alongside other ATTRACTSOFT GMBH-owned domain properties that we have identified through WHOIS history searches.
If you would like to know more about the conduct of a similar investigation, please feel free to Contact us. We can provide you with access to a variety of sources of information and are always ready to collaborate with other researchers.