Exploring the Rise of Deepfake Scams

Summary:

Deepfakes pose significant risks, as demonstrated by a recent incident where a finance worker was scammed out of $25 million. Research by Palo Alto Networks Unit 42 revealed extensive networks of malicious domains and IP addresses linked to deepfake scams, highlighting the need for vigilance in cybersecurity.

Keypoints:

  • Deepfakes can lead to substantial financial losses, as shown by a $25 million scam.
  • Palo Alto Networks Unit 42 identified 416 domains involved in deepfake scams.
  • Analysis revealed over 1,000 registrant-connected domains and numerous malicious IP addresses.
  • The majority of the identified domains were created in 2023, indicating a surge in deepfake-related activity.
  • Research emphasizes the importance of thorough investigations in cybersecurity to mitigate threats.

MITRE Techniques

  • Impersonation (T1071): Utilizes deepfake technology to impersonate individuals in video calls, leading to financial fraud.
  • Domain Generation Algorithms (T1483): Employs a network of malicious domains to facilitate deepfake scams.
  • Credential Dumping (T1003): Targets organizations to harvest credentials for impersonation in deepfake scenarios.

While deepfakes may sometimes be perceived as amusing, their potential for harm is significant and far-reaching. One finance worker for a multinational firm, for example, was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company’s chief financial officer (CFO) in a video call just this February.

Palo Alto Networks Unit 42 dove deep into various deepfake scams that have plagued users over time and in the process uncovered 416 domain names that played a part in them. The WhoisXML API research team believes there could be more behind the indicators of compromise (IoCs) that have already been made public. Our analysis specifically uncovered:

  • 1,070 registrant-connected domains
  • Six email-connected domains
  • 316 IP addresses, 285 of which turned out to be malicious
  • 515 IP-connected domains, three of which turned out to be associated with various threats
  • 3,056 string-connected domains, 12 of which may have already figured in malicious campaigns

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the IoCs

We kicked off the investigation by performing a bulk WHOIS lookup for the domains identified as IoCs, which revealed that only 241 had current WHOIS records. The lookup also yielded other results, namely:

  • They were spread across 16 registrars led by Dynadot, Inc., which accounted for 101 domain IoCs. Sav.com LLC came in second place with 70 while Namecheap, Inc. placed third with 34. NameSilo LLC (20 domain IoCs); GoDaddy.com LLC and Hostinger Operations UAB (three domain IoCs each); and 101domain GRS Limited, 123-Reg Limited, Communigal Communications Ltd., Eranet International Limited, Hosting Concepts B.V., IONOS SE, PDR Ltd., Squarespace Domains II LLC, Tucows, Inc., and Wild West Domains LLC (one domain IoC each) completed the list.
  • While a majority of the domain IoCs, 171 to be exact, were created just this year, the oldest was created way back in 2013. Take a look at a timeline that sums up their creation dates below.

  • They were registered in seven countries led by the U.S., which accounted for 200 domain IoCs. Iceland took the second spot with 33 domain IoCs while Ukraine placed third with four domain IoCs. Afghanistan, Cyprus, Macedonia, and the U.K. completed the list with one domain IoC each.

  • Three domain IoCs also had public registrant details, specifically organization names that can be useful in uncovering registrant-connected domains later on.

The Hunt for Connected Web Properties

We began our search for connected web properties with Reverse WHOIS Search queries for the three public registrant organizations found in the current WHOIS records of the 241 domain IoCs. Using the tool’s Advanced feature, we looked for exact matches of those registrant organizations in historical WHOIS records. After filtering out duplicates and the IoCs themselves, we found 1,070 registrant-connected domains.

Next, we performed WHOIS History API queries for the 241 domain IoCs, which allowed us to obtain 32 email addresses from their historical WHOIS records after filtering out duplicates. A closer look at them showed that 10 were public email addresses that we then used to look for email-connected domains.

Reverse WHOIS API queries for the 10 public email addresses further showed that one email address could belong to a domainer (given the high number of connected domains), so it was excluded from the final list. The nine public email addresses appeared in the current WHOIS records of six email-connected domains after duplicates, the IoCs, and the registrant-connected domains were filtered out.
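The pivoting workflow described above (bulk WHOIS summary of the IoCs, registrant-organization pivot, then an e-mail pivot that drops privacy-protected addresses and a likely domainer) as an added Python example; this is not WhoisXML API's or Unit 42's code. All domain names, organizations and e-mail addresses are constructed placeholders, the WHOIS records are embedded inline in place of API calls, and the privacy-marker list and the domainer threshold are assumptions.

```python
from collections import Counter, defaultdict

# Assumed markers for privacy/proxy registrations (not from the post).
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")

# Constructed sample: current WHOIS records for three domain IoCs (placeholders).
IOC_WHOIS = {
    "ioc-a.example": {"registrar": "Dynadot, Inc.", "created": "2023-04-11", "country": "US", "org": "Example Media Ltd"},
    "ioc-b.example": {"registrar": "Dynadot, Inc.", "created": "2023-09-02", "country": "IS", "org": "REDACTED FOR PRIVACY"},
    "ioc-c.example": {"registrar": "Sav.com LLC", "created": "2013-06-30", "country": "US", "org": ""},
}
# Constructed sample of historical WHOIS rows (domain, registrant org, registrant e-mail).
HISTORY = [
    {"domain": "ioc-a.example", "org": "Example Media Ltd", "email": "admin@example-media.test"},
    {"domain": "ioc-b.example", "org": "", "email": "contact@privacyguard.test"},
    {"domain": "ioc-c.example", "org": "", "email": "bulkreg@domainer.test"},
    {"domain": "pivot-1.example", "org": "Example Media Ltd", "email": "admin@example-media.test"},
    {"domain": "pivot-2.example", "org": "Example Media Ltd", "email": ""},
    {"domain": "pivot-3.example", "org": "", "email": "admin@example-media.test"},
] + [{"domain": f"parked-{i}.example", "org": "", "email": "bulkreg@domainer.test"} for i in range(60)]

def summarize_iocs(ioc_whois):
    """Registrar, creation-year and country tallies plus the public registrant orgs."""
    registrars = Counter(r["registrar"] for r in ioc_whois.values())
    years = Counter(r["created"][:4] for r in ioc_whois.values())
    countries = Counter(r["country"] for r in ioc_whois.values())
    orgs = {r["org"] for r in ioc_whois.values()
            if r["org"] and not r["org"].lower().startswith(PRIVACY_MARKERS)}
    return registrars, years, countries, orgs

def connected_domains(history, field, values, exclude):
    """Reverse-WHOIS pivot on `field`; drops duplicates and anything in `exclude`."""
    return sorted({rec["domain"] for rec in history if rec.get(field) in values} - exclude)

def email_pivot(iocs, history, exclude, domainer_threshold=50):
    """Public e-mails from the IoCs' history, minus likely domainers, then pivot on them."""
    emails = {rec["email"] for rec in history if rec["domain"] in iocs and rec["email"]
              and not any(m in rec["email"].lower() for m in PRIVACY_MARKERS)}
    per_email = defaultdict(set)
    for rec in history:
        if rec["email"] in emails:
            per_email[rec["email"]].add(rec["domain"])
    kept = {e for e in emails if len(per_email[e]) < domainer_threshold}  # drop domainers
    return sorted(kept), connected_domains(history, "email", kept, exclude)

def run(ioc_whois=IOC_WHOIS, history=HISTORY):
    registrars, years, countries, orgs = summarize_iocs(ioc_whois)
    iocs = set(ioc_whois)
    reg_connected = connected_domains(history, "org", orgs, iocs)
    emails, email_connected = email_pivot(iocs, history, iocs | set(reg_connected))
    return {"registrars": registrars, "years": years, "countries": countries, "orgs": orgs,
            "registrant_connected": reg_connected, "public_emails": emails,
            "email_connected": email_connected}
```

With the sample data, the bulk-registered address is excluded as a domainer and only one e-mail survives the pivot, mirroring the filtering sequence the post describes.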

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post