Posted
ThreatConnect Research builds out a network of domains and subdomains spoofing organizations related to the entertainment industry, most likely used in credential harvesting efforts.
To be frank, if we were going to give out an award for this acting, we don’t know who it would go to. Following a partner tip identifying IP addresses hosting entertainment industry spoofed domains hosting credential harvesting sites, we identified over 50 domains and 320 subdomains most likely associated with a single actor or group. These domains were registered between 2017 – 2019 and suggest a widespread, ongoing campaign as of early March of this year, but we have yet to identify the actor’s motivations, whether they are targeting the spoofed organizations, and what they intend to use stolen credentials for.
In this case, we were able to build out an understanding of this actor’s infrastructure using a variety of capabilities from DomainTools, Farsight DNSDB, and Censys. Notably, this actor had a penchant to reuse SSL certificate common names and domain name strings across their other domains’ subdomains. Exploiting these crossovers helped us identify connections where WHOIS or hosting co-location research failed. We then reviewed the network and screenshots of identified infrastructure for notable themes in an attempt to better understand how the actor was operating or who they were targeting. Finally, we explored methods to proactively monitor for new infrastructure possibly related to this activity based on registration and hosting consistencies.
Research and Findings
An industry contact tipped us to the presence of several domains spoofing entertainment organizations at IP addresses 142.11.205[.]49 and 185.175.208[.]217. While they didn’t mention specific domains, the IPs and context they shared were significantly valuable and enabled our own research efforts. We considered those IPs our starting point for this investigation and began the investigation by reviewing them.
142.11.205[.]49
Reviewing this IP address using DomainTools Iris, we note that, as of February 20 2019, only five domains are hosted there. Of those domains, four of them — adfs-amcnetworks[.]com, adfs-sony[.]com, sts-warnerbros[.]com, and umgconnect-umusic[.]com — spoof organizations in the entertainment industry. The final domain — common-oauth[.]com — is consistent with other domains that would surface during the course of this research.
While only one of these domains leads us to an actor-owned email address — heckman1243@gmail[.]com — the small number of domains hosted at this IP and the fact that most of them spoof an organization in the entertainment industry lead us to believe that this IP address is dedicated to a single user. Based on this IP and the aforementioned registrant email address, we identify the following domains:
185.175.208[.]217
Similarly reviewing the IP 185.175.208[.]217 in Iris, we see that over 280 domains are hosted at this IP as of February 20.
There was no single, discernible theme or registrant that we could identify from the domains hosted at this IP address. Several domains and subdomains hosted here spoof entertainment organizations, many contain strings referencing cryptocurrencies or gift cards, and others seem general or aren’t immediately discernible. Searching for this IP against our Technical Blogs and Reports source identifies a Proofpoint report on a cryptocurrency giveaway scam.
The WHOIS for this IP from DomainTools indicates that it is part of a subnet used by HostSlick customers in London, suggesting that it is a multi-tenant IP. To that end, all domains hosted at this IP address are not associated with the same actor or activity. Ultimately, this means we’ll have to conduct a more manual review of the domains hosted at this IP to assess whether or not they may be associated with the entertainment industry activity we were alerted to.
Manual Review
We initially started by enumerating the domains hosted at 185.175.208[.]217 and manually reviewing them to identify the ones that appear to spoof organizations in or related to the entertainment industry, or are similar to those previously identified. This identified the following additional domains currently hosted at 185.175.208[.]217:
However, further reviewing resolutions for this IP address using our Farsight DNSDB integration, we identified older domains from 2017 like press-amcnetworks[.]com, gettyimages-okta[.]com, harpercollins-okta[.]com, harpercollinsokta[.]com, and login-hulu[.]com that also fit the theme.
More interestingly, in some cases, strings specific to domains we had already identified showed up in subdomains for other parent domains we had not yet identified.
In other cases the opposite was true — subdomains for the domains we identified showed strings specific to other domains at 185.175.208[.]217 that we had not identified. Some of the identified subdomains were also suggestive of technologies — like Microsoft, Okta, and GoDaddy — that the actors were spoofing for probable credential harvesting efforts.
We also note similar crossovers and repetitions in the SSL certificates used for these sites. Reviewing the below SSL certificate in Censys, we see that it was used across multiple domains specifically related to the entertainment industry, as well as subdomains for serverdata[.]tech.
Iterating this research through pDNS and SSL certificates for these domains and subdomains based on these crossovers, we can ultimately identify over 380 domains and subdomains most likely associated with this activity. We have shared the identified infrastructure in various incidents associated with Campaign 2017 – 2019 Credential Harvesting and Spoofed Domains Related to the Entertainment Sector.
Themes in Infrastructure
After identifying all of the associated domains and subdomains, we saved and reviewed these sites in the Internet Archive. This ultimately revealed some interesting themes in the infrastructure this actor used and the different services or organizations they spoofed.
Picturesmaxx Infrastructure
While the domain and subdomain string crossovers may be suggestive of a less sophisticated adversary, this actor may have put in the leg work and thoroughly researched one of the organizations they planned to impersonate.
As of early February 2019, the domain picturesmaxx[.]com redirected to the domain for PictureMaxx — a service that provides media asset management and “provides entry to the world’s largest network of professional content portals and empowers users to access, organize and distribute content more efficiently.” Dozens of subdomains for picturesmaxx[.]com lead to spoofed login pages for various organization, many of which are photography studios or agencies.
As it turns out, most of the organizations spoofed with these picturesmaxx[.]com subdomains are also listed customers of the legitimate PictureMaxx company.
Further suggesting that this actor did their due diligence in preparing for this role, many of the subdomains are consistent in naming convention when compared with the legitimate domains for PictureMaxx. As an example — the spoofed login page brauerphotos.wg.picturesmaxx[.]com and the legitimate brauerphotos.wg.picturemaxx.com.
We also considered the possibility that picturesmaxx[.]com was legitimate and actually owned by PictureMaxx; however, the registration and hosting information for picturesmaxx[.]com are inconsistent with other legitimate domains registered by PictureMaxx.
Authentication Spoofing Infrastructure
As of March 3 2019, this research has identified seven domains associated with this activity that spoof authentication infrastructure:
- mscommonauth[.]com
- auth-owa[.]com
- common-oauth[.]com
- common-auth[.]com
- commonoauth[.]com
- commonoauth2[.]com
- common-oauth2[.]com
Dozens of hosted subdomains for these domains indicate that the actor behind this activity is spoofing Microsoft, GoDaddy, Okta, Hulu, and public relations firms associated with the entertainment industry as part of their operations. For subdomains spoofing organizations related to the entertainment industry, like those with PR firm strings, we do not know if those organizations were targeted directly or spoofed to pursue other organizations. Examples include the following:
- microsoftonline.com.common-oauth2[.]com
- godaddy.external.revalidation.common-oauth[.]com
- revalidate.external-site.commonoauth2[.]com
- hulusso.revalidate.external-site.commonoauth2[.]com
- publiceye.revalidate.sso.microsoftonline.auth-owa[.]com
- ledecompany.revalidate.sso.microsoftonline.auth-owa[.]com
- okta.revalidate.external-site.commonoauth2[.]com
In some cases, these authentication-spoofing subdomains hosted the probable credential harvesting sites and indicate that the actor used a variety of spoofed sites that are specific to various organizations. Beyond the site’s URL, these pages appear legitimate and were most likely created by scraping those organizations’ actual login pages.
In one case that we were able to identify, the actor behind this activity set up a spoofed authentication site with a pre-populated email address, most likely suggestive of an individual targeted in this operation.
WeTransfer Spoofed Domains
The third notable theme among the domains and subdomains we identified indicate that the actors are spoofing the file transfer service site WeTransfer. In most cases, the identified parent domains suggest this actor is spoofing WeTransfer in conjunction with a photography studio. While we don’t know if these studios are being targeted or their likeness is just being used to target larger organizations, one of the identified subdomains suggests that the latter may be the case.
- wetransfer[.]plus
- xn--wetransfr-2f7d[.]com
- austinhargrave-wetransfer[.]com
- ellenvonunwerth-wetransfer[.]com
- peterlindbergh-wetransfer[.]com
- bbsphoto-wetransfer.picturesmaxx[.]com
- spaces-hightail.seligerstudio-wetransfer[.]com
- foxgroup-okta.seligerstudio-wetransfer[.]com
None of the WeTransfer spoofing infrastructure we identified and reviewed were hosting login pages directly. Some of the identified domains did redirect to a legitimate WeTransfer subdomain hosting a file upload page with a pre-populated “studio” email address.
Considering that the WeTransfer file transfer service is inconsistent with what an actor would mimic to conduct credential harvesting, at this time we are not sure how this spoofed infrastructure is being used. Additionally, we are not aware of the extent to which the actor has control over the legitimate WeTransfer subdomain site shown above.
Monitoring for Similar Registrations
As more and more infrastructure related to this activity shows up on a seemingly daily basis, it’s important to call out some avenues for proactively identifying new infrastructure, potentially before it is used in operations.
There are two actor-specific email addresses that we saw used to register the domains in this activity — heckman1243@gmail[.]com and grabowskiedwin@gmail[.]com. New domains registered using these email addresses probably will be related to this activity and should be scrutinized as such. In ThreatConnect, our DomainTools-powered Tracks can be used to monitor for new domains where these email addresses are in the WHOIS.
Reviewing the name servers being used for the domains in this activity we identify ns1.hostslick[.]com and ns1.anons[.]io. As of early March, these name servers are used by about 180 and 250 domains respectively, so while they are relatively small, domains unrelated to this activity almost certainly use these name servers. To that end, reviewing newly registered domains using these name servers for entertainment-related spoofs may help identify new infrastructure associated with this activity. A similar ThreatConnect Track to the one above can be used to look for new domains with the name server in the WHOIS.
Finally, monitoring passive DNS for IP addresses hosting the aforementioned domains can help identify newly hosted domains. Specifically, the IP addresses 142.11.205[.]49 and 31.148.220[.]196 host relatively few domains and possibly are dedicated to the actor behind this activity. New domains and subdomains resolving here have a good chance of being related to this activity. In ThreatConnect, clicking Follow Item on an IP address will alert you to new domains resolving to that IP address when DNS is enabled.
Similar to the research that we went through in the beginning, while 185.175.208[.]217 hosts many domains related to this activity, it hosts many seemingly unrelated domains as well. Monitoring passive DNS resolutions for this IP may help identify new infrastructure, but additional research into those new resolutions would be required.
Conclusion
As more of this infrastructure turns up, we’ll continue to share new intelligence in this Campaign Group. To date, we’ve identified about 390 domains, subdomains, and IPs associated with this activity by monitoring name servers, passive DNS resolutions, and specific email address registrations. Despite having identified a significant amount of infrastructure related to this activity, there are still a number of things that we don’t know or have the necessary insight to answer and hope to assess with future intelligence. Those include the following:
- Who is behind this activity?
- Who specifically is being targeted?
- Has any of this activity actually been successful?
- What is the end goal of this effort?
- How operations leveraging this infrastructure unfold.
- Whether other domains at the IP 185.175.208[.]217, and previously identified activity, are associated with the actor behind this entertainment industry activity.
This investigation highlights a couple of important points that bear mentioning. First, knowing who or which threat group is behind activity isn’t necessary to build out your understanding of their network. Further, knowing the who isn’t necessary to exploit their registration and hosting tactics to proactively identify new, related infrastructure and actionable intelligence. Finally, in cases where traditional WHOIS or DNS co-location research fails, reviewing infrastructure naming conventions may help identify additional domains and subdomains associated with an actor.