Uncovering Potential Black Friday and Thanksgiving Threats with DNS Data

Summary:
As Thanksgiving approaches, cyber threat actors exploit holiday-related domains to lure victims. Recent research uncovered numerous malicious domains and IP addresses linked to Black Friday and Thanksgiving-themed cyber attacks, highlighting the need for vigilance during this shopping season.
#ThanksgivingThreats #BlackFridayScams #CyberAwareness

Keypoints:

318 email-connected domains identified, with one deemed malicious.

786 IP addresses discovered, 635 of which were malicious.

1,975 IP-connected domains found, with two classified as malicious.

3,521 string-connected subdomains analyzed.

Bulk WHOIS lookup revealed 2,091 blackfriday domains and 233 thanksgiving domains.

Majority of domains were created from 2023 onward, indicating recent registration trends.

Threat Intelligence API flagged four domains as associated with various threats.

Geolocation analysis showed malicious IP addresses spread across 32 countries, predominantly in the U.S.

76 different ISPs managed the identified malicious IP addresses, with Cloudflare leading the count.

MITRE Techniques

Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.

Phishing (T1566): Employs deceptive emails and websites to trick users into revealing sensitive information.

Malware (T1203): Distributes malicious software through various means, including email attachments and compromised websites.

Exploitation of Public-Facing Application (T1190): Targets vulnerabilities in publicly accessible applications to gain unauthorized access.

IoC:

[domain] blackfriday-best-deals[.]com

[email] feiraochevro[.]com

[ip address] 103.169.142.0

[ip address] 216.239.32.21

[ip address] 3.13.222.255

[ip address] 44.227.65.245

[ip address] 51.91.236.255

Full Research: https://circleid.com/posts/uncovering-potential-black-friday-and-thanksgiving-threats-with-dns-data

Tags: EXPLOIT, PHISHING, EMAIL, DNS