Summary:
Threat actors exploit high-profile events, such as the 2024 Summer Olympics, to launch cyberattacks, including phishing and scams. Proactive monitoring of event-related domain abuse is essential for cybersecurity teams to mitigate risks. Key metrics to watch include domain registrations, DNS traffic, and URL patterns. #CyberThreats #EventExploitation #DomainAbuse
Keypoints:
Threat actors frequently exploit trending events for cyberattacks.
Proactive monitoring of event-related domain abuse is crucial.
High-profile events attract cybercriminals registering deceptive domains.
Metrics to watch include domain registrations, textual patterns, DNS traffic, and URL traffic.
Over 200,000 newly registered domains (NRDs) are detected daily.
16% of Olympic-related domains were flagged as suspicious during the event weeks.
Attackers use keywords related to events to register deceptive domains.
DNS traffic anomalies can indicate unusual activities.
Scams leveraging the Olympics include fake ticket sales and fraudulent investment schemes.
Malicious gambling websites exploit Olympic-related keywords to lure victims.
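As an added example (not code from Unit 42 or the original page), a small triage scorer over a constructed feed of newly registered domains that flags event-keyword plus lure-word combinations like the ones listed above; the term weights, allowlist, threshold and sample feed are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Event vocabulary and lure words seen in the flagged domains ("tickets",
# "official", "shop", ...); weights are assumptions for illustration only.
EVENT_TERMS = {"olympic": 3, "paris2024": 3, "paris24": 2}
LURE_TERMS = {"ticket": 2, "official": 2, "shop": 1, "live": 1, "event": 1, "athlete": 1}
YEAR_TOKENS = ("2024", "24")
ALLOWLIST = {"olympics.com", "paris2024.org"}   # hypothetical allowlist
THRESHOLD = 4

@dataclass
class Verdict:
    domain: str
    score: int
    reasons: list = field(default_factory=list)

def registrable(domain: str) -> str:
    # Undo defanged "[.]" notation and drop a leading "www."
    d = domain.lower().replace("[.]", ".").strip(".")
    return d[4:] if d.startswith("www.") else d

def score_domain(domain: str) -> Verdict:
    d = registrable(domain)
    if d in ALLOWLIST:
        return Verdict(d, 0, ["allowlisted"])
    label = d.rsplit(".", 1)[0]            # strip the TLD
    compact = re.sub(r"[-_]", "", label)   # "paris-olympics2024" -> "parisolympics2024"
    score, reasons = 0, []
    for term, w in EVENT_TERMS.items():    # count one event term only
        if term in compact:
            score += w; reasons.append(f"event:{term}"); break
    if not reasons:
        return Verdict(d, 0)               # not event-related, no further scoring
    for term, w in LURE_TERMS.items():
        if term in compact:
            score += w; reasons.append(f"lure:{term}")
    if any(y in compact for y in YEAR_TOKENS):
        score += 1; reasons.append("year-token")
    return Verdict(d, score, reasons)

def triage(feed):
    """Return verdicts at or above THRESHOLD, highest score first."""
    hits = [v for v in map(score_domain, feed) if v.score >= THRESHOLD]
    return sorted(hits, key=lambda v: -v.score)

# Constructed NRD feed mixing page-listed lookalikes with benign names.
SAMPLE_FEED = ["parisolympictickets[.]com", "parisolympicgames2024official[.]com",
               "olympics.com", "example-news[.]com", "climbolympic[.]com"]
```

The threshold only ranks textual patterns; in practice the score is combined with registration age and the DNS and URL traffic metrics the research tracks before a domain is blocked.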
MITRE Techniques
Domain Generation Algorithms (T1483): Attackers utilize algorithms to generate multiple domain names for command and control.
Phishing (T1566): Threat actors send deceptive emails to trick users into revealing sensitive information.
Credential Dumping (T1003): Attackers harvest credentials from compromised systems to gain unauthorized access.
Command and Control (T1071): Attackers use multiple command and control domains to maintain communication with compromised systems.
Malicious Link (T1203): Attackers use malicious links to exploit vulnerabilities in user applications.
IoC:
Full Research: https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/