The November 2021 PhishLabs Quarterly Threat Trends & Intelligence Report identified the finance, social media, and telecommunications industries as phishers' most targeted sectors. Last month, we analyzed a squatting campaign targeting U.S. Bancorp to determine if other banks were at risk. This time we look at the third of those top-three targets: telecommunications.
The key findings, which we’ll dive deeper into later on, include:
- A total of 290 newly registered domains (NRDs) and subdomains that contain the strings "broadband," "mobile," or "telecom" together with the name of one of the 10 biggest telcos worldwide made their way into the Domain Name System (DNS) between 26 October and 26 November 2021.
- Seven of the 10 biggest telcos worldwide and their customers may be at risk of getting phished.
- The 290 NRDs and subdomains resolved to 186 IP addresses, which may be worth monitoring for signs of malicious activity.
- Five domains/subdomains should not be accessed, as these were tagged “dangerous” by various malware engines.
- A total of 21 IPv4 addresses were tagged "malicious." The web properties resolving to them are candidates for company blacklists; the addresses themselves should be blacklisted only after confirming they are not shared hosting or CDN infrastructure.
The complete list of suspicious and malicious domains identified in this post is available for download on our website.
Data Collection
To further ascertain if telcos are indeed on threat actors’ radar, we obtained lists of domains and subdomains containing the strings “broadband,” “mobile,” and “telecom.” We then went through these lists to determine which companies could become phishing targets and if campaigns might already be ongoing.
Our search for domains and subdomains led us to:
- 146 domains containing the string “broadband”
- 4,519 domains containing the string “mobile”
- 599 domains containing the string “telecom”
- 175 subdomains containing the string “broadband”
- 10,000 subdomains containing the string “mobile”
- 348 subdomains containing the string “telecom”
Note that these web properties were limited to those registered between 26 October and 26 November 2021. As such, thousands more are possibly already online and even more will potentially get added over time.
Analysis
To get our analysis going, we obtained a list of the 10 biggest telcos worldwide. We sought to find out how many of the NRDs and subdomains could be used to mimic them in phishing campaigns. Our findings showed that T-Mobile's name appeared in the highest number of domains matching our search strings.
AT&T, meanwhile, was the most prevalent when it comes to subdomains. Other telcos and their customers may also be at risk, including Verizon, NTT, Deutsche Telekom, Vodafone, and Orange. A total of 238 domains and 52 subdomains may be worth monitoring for signs of malicious ties, including the following:
| DOMAINS | SUBDOMAINS |
|---|---|
| verizon-mobiles[.]com | mobile[.]attmycsp[.]com |
| vertrieb-deutsche-fondsimmobilen[.]de | mobile[.]attwachtv[.]com |
| tmobileusa[.]ws | mobile[.]attnowtv[.]com |
| vodafonemobilebooster[.]com | mobile[.]a1att[.]com |
| orange-espacemobile[.]app | mobile[.]livetheorangelifee[.]com |
None of the 290 domains and subdomains containing the names of the top 10 telcos worldwide appeared to be owned by the companies, according to a bulk WHOIS lookup, making the web properties suspicious. Suspicious is not the same as malicious, though: plain substring matching also catches unrelated names. vertrieb-deutsche-fondsimmobilen[.]de, for instance, matches "deutsche" and "mobile" only because the German word "Immobilien" (real estate) happens to contain "mobile," and it need not reference Deutsche Telekom at all. Hits like these should be reviewed by hand before being treated as brand abuse.
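As an added example of the matching step described above (this is not the post's own tooling, and the input list, the brand keyword table, and the false-positive word list are all constructed for illustration), the following Python script filters newly registered names by the three search strings, tags the telco brand each one references, separates domains from subdomains, and sets aside substring false positives such as the "Immobilien" case. WHOIS and DNS lookups are left out so it runs offline.

```python
"""Keyword and brand matching over newly registered domains and subdomains.

Added example for this post, not the authors' tooling. SAMPLE_NAMES,
BRAND_KEYWORDS and FALSE_POSITIVE_WORDS are constructed for illustration;
the post does not publish the brand table it used.
"""
from collections import Counter

SEARCH_STRINGS = ("broadband", "mobile", "telecom")

# Assumed brand keyword table for the telcos the post names.
BRAND_KEYWORDS = {
    "T-Mobile": ("tmobile", "t-mobile"),
    "AT&T": ("att",),
    "Verizon": ("verizon",),
    "NTT": ("ntt",),
    "Deutsche Telekom": ("deutsche", "telekom"),
    "Vodafone": ("vodafone",),
    "Orange": ("orange",),
}

# Ordinary words that contain a search string by accident: "Immobilien"
# (German for real estate) contains "mobile".
FALSE_POSITIVE_WORDS = ("immobil",)

# Constructed sample input in the post's defanged notation.
SAMPLE_NAMES = [
    "verizon-mobiles[.]com",
    "tmobileusa[.]ws",
    "vodafonemobilebooster[.]com",
    "orange-espacemobile[.]app",
    "vertrieb-deutsche-fondsimmobilen[.]de",
    "mobile[.]attmycsp[.]com",
    "mobile[.]a1att[.]com",
    "cheapbroadbanddeals[.]net",
    "www[.]example-telecom[.]org",
]


def refang(name):
    return name.replace("[.]", ".").strip().lower().strip(".")


def defang(name):
    return name.replace(".", "[.]")


def classify(name):
    """Describe one name: domain or subdomain, which search strings and
    brands it contains, and whether a known false-positive word explains
    the match."""
    host = refang(name)
    labels = host.split(".")
    # Naive split: more than two labels counts as a subdomain. A public
    # suffix list is needed to get co.uk-style names right.
    kind = "subdomain" if len(labels) > 2 else "domain"
    search_hits = [s for s in SEARCH_STRINGS if s in host]
    brand_hits = sorted(
        brand for brand, keywords in BRAND_KEYWORDS.items()
        if any(k in host for k in keywords)
    )
    false_positive = any(w in host for w in FALSE_POSITIVE_WORDS)
    return {
        "name": defang(host),
        "kind": kind,
        "search": search_hits,
        "brands": brand_hits,
        "likely_false_positive": false_positive,
    }


def analyze(names):
    """Keep names that match a search string and a brand keyword (the post's
    290-name subset) and drop likely substring false positives."""
    kept = []
    for n in names:
        c = classify(n)
        if c["search"] and c["brands"] and not c["likely_false_positive"]:
            kept.append(c)
    return kept


def brand_counts(results):
    """Matches per (brand, kind): the per-brand tally the post reports."""
    counts = Counter()
    for r in results:
        for b in r["brands"]:
            counts[(b, r["kind"])] += 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_NAMES)
    for h in hits:
        print(h["kind"], h["name"], ", ".join(h["brands"]))
    for (brand, kind), n in sorted(brand_counts(hits).items()):
        print(f"{brand:<18} {kind:<9} {n}")
```

The short brand keyword "att" is a reminder that keyword choice drives the false-positive rate: in a real run, every hit on a short token should be reviewed, and the public suffix list should replace the two-label split before counting domains against subdomains.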
Subjecting them to a bulk DNS lookup gave us a list of 186 IP addresses. Examples include:
- 103[.]159[.]36[.]180
- 2001[:]4860[:]4802[:]38[:][:]15
- 134[.]0[.]10[.]171
- 2001[:]4860[:]4802[:]36[:][:]15
- 185[.]101[.]158[.]246
- 2001[:]4860[:]4802[:]34[:][:]15
- 185[.]101[.]158[.]113
- 2001[:]4860[:]4802[:]32[:][:]15
- 23[.]227[.]38[.]32
- 2606[:]4700[:]6811[:]c549
A majority of the IP addresses (156 of the 186) are IPv4 addresses.
We also subjected the 290 domains and subdomains to a bulk malware check using the Threat Intelligence Platform and found that five of them were tagged "dangerous" by various malware engines. Monitoring these may not be enough; blocking access to and from them is more advisable.
Checking the 156 IPv4 addresses for malware connections, meanwhile, revealed that 21 were tagged “malicious.” Examples include:
- 23[.]227[.]38[.]32
- 34[.]102[.]136[.]180
- 72[.]167[.]191[.]69
- 216[.]239[.]34[.]21
- 104[.]17[.]196[.]73
Blocking access to and from the web properties that resolve to them may be necessary. Blocking the addresses themselves is a different matter: several of these examples sit in ranges belonging to large shared hosting and CDN providers (104[.]17[.]196[.]73 falls within Cloudflare's 104.16.0.0/13 and 216[.]239[.]34[.]21 within Google's 216.239.32.0/19), where a single address fronts many unrelated sites. Block the offending domain names at the DNS or proxy layer, and add an address to a firewall blacklist only once it is confirmed to be dedicated to the attacker's infrastructure.
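As an added example of turning the indicators above into something deployable (this is not the post's own tooling; the indicator lists are constructed samples in the post's defanged notation, and SHARED_RANGES is an assumed, deliberately incomplete table of well-known CDN and cloud allocations that should be refreshed from the providers' current published lists), the following Python script refangs each indicator, emits DNS response policy zone (RPZ) records that return NXDOMAIN for the dangerous names and everything under them, and sorts the IP indicators into three buckets: addresses safe to block at the firewall, addresses on shared infrastructure that are reported but not blocked, and strings that are not valid addresses at all, such as an IPv6 indicator whose "::" was lost in defanging.

```python
"""Blocklist generation from defanged indicators, keeping shared
infrastructure out of the IP block set.

Added example for this post, not the authors' tooling. DANGEROUS_NAMES and
MALICIOUS_IPS are constructed samples; SHARED_RANGES is an assumption
(well-known Cloudflare and Google allocations), not a complete list.
"""
import ipaddress

# Constructed sample indicators in the post's defanged notation.
DANGEROUS_NAMES = ["verizon-mobiles[.]com", "mobile[.]attmycsp[.]com"]
MALICIOUS_IPS = [
    "104[.]17[.]196[.]73",            # Cloudflare range
    "216[.]239[.]34[.]21",            # Google range
    "2001[:]4860[:]4802[:]38[:][:]15",  # Google IPv6 range, '::' kept
    "2001[:]4860[:]4802[:]36[:]15",   # '::' lost in defanging: not parseable
    "185[.]101[.]158[.]246",          # treated here as direct-hosted
]

# Assumed table of ranges where one address fronts many unrelated sites.
# Verify against the providers' current lists before relying on it.
SHARED_RANGES = {
    "Cloudflare": ["104.16.0.0/13", "2606:4700::/32"],
    "Google": ["216.239.32.0/19", "34.64.0.0/10", "2001:4860::/32"],
}
SHARED_NETWORKS = [
    (provider, ipaddress.ip_network(r))
    for provider, ranges in SHARED_RANGES.items()
    for r in ranges
]


def refang(indicator):
    """Undo the [.] / [:] defanging used in the post."""
    return indicator.replace("[.]", ".").replace("[:]", ":").strip()


def parse_ip(indicator):
    """Refang and parse; return None for anything that is not a valid address."""
    try:
        return ipaddress.ip_address(refang(indicator))
    except ValueError:
        return None


def shared_provider(ip):
    """Name of the shared hosting/CDN provider that owns ip, or None."""
    for provider, net in SHARED_NETWORKS:
        if ip in net:  # False when the address and network versions differ
            return provider
    return None


def rpz_records(names):
    """RPZ records that NXDOMAIN each name and every label beneath it."""
    records = []
    for n in names:
        host = refang(n).lower().strip(".")
        records.append(f"{host} CNAME .")
        records.append(f"*.{host} CNAME .")
    return records


def triage_ips(indicators):
    """Sort IP indicators into block / skip (shared infra, keyed by provider)
    / malformed (not a valid address)."""
    block, skip, malformed = [], {}, []
    for i in indicators:
        ip = parse_ip(i)
        if ip is None:
            malformed.append(i)
            continue
        provider = shared_provider(ip)
        if provider:
            skip[str(ip)] = provider
        else:
            block.append(str(ip))
    return {"block": block, "skip": skip, "malformed": malformed}


if __name__ == "__main__":
    print("; RPZ zone records")
    for rec in rpz_records(DANGEROUS_NAMES):
        print(rec)
    result = triage_ips(MALICIOUS_IPS)
    print("firewall block:", result["block"])
    print("shared infra, monitor only:", result["skip"])
    print("malformed, fix by hand:", result["malformed"])
```

The RPZ records go into a zone served by a resolver with response policy support; the "CNAME ." action is the standard RPZ spelling for "answer NXDOMAIN". The malformed bucket is worth keeping in the output rather than silently dropping, because a defanging script that collapses "::" produces exactly the five-group strings seen in some indicator feeds.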
As our findings revealed, telcos are seemingly in cybersquatters' sights, and some domains and subdomains containing the names of the top 10 companies worldwide require blacklisting or, at the very least, monitoring. T-Mobile, AT&T, Verizon, NTT, Orange, Deutsche Telekom, and Vodafone subscribers should especially be wary.
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.