Investigating More Look-a-Like Domains

Scammers often use look-a-like domains in their phishing attacks, and so far in this blog I've looked at several websites impersonating the Guild of Guardians website.  Here I'll show you how to use a tool like dnstwist to generate a list of domains names and look for ones that are potentially hosting phishing sites.  This is part of scam hunting, as opposed to waiting for scams to be reported.  Many companies offer this service under the name "brand monitoring", and a number of them base their techniques on the dnstwist tool.

You can find dnstwist, and instructions for installing it on the Github page:

https://github.com/elceef/dnstwist

Since I'm on a Mac I used brew install.

Running the tool is very straight forward, and to start I just ran it with the --registered argument to output any domain variations that the tool found with a .com tld.

% dnstwist --registered guildofguardians.com


The tool checked 27987 variations, and out of those it found 20 with DNS records (21 if you include the original site).  You can see from the output that it's attempting a few different techniques such as omitting letters, replacing, breaking it into subdomains, transposition, etc...

14 of those 20 all point to the same IP address, which I found odd at first, but it doesn't look malicious.  Turns out some enterprising individual registered all those domains and is using them as referral links.  If anyone makes a typo when attempting to reach the legit Guild of Guardians site there's a chance they'll still arrive there... or at Coinbase... through a referral from muelle_761 (https://www.coinbase.com/join/muelle_761), who appears to be associated with the public wallet 0x9A773a0C1710a5afD9D25eb5b0d2DcA2239663e6.



What about the other 6?  These might be more interesting.

In order to investigate these sites I didn't want to navigate to them directly.  Instead I have a Kali Linux virtual machine connected to a virtual private network.  I don't want to risk landing on a sophisticated phishing site and have my machine compromised.

Let's look at each one in turn:

  • guildofguardlians[.]com
  • guildof-guardians[.]com
  • guildof.guardians[.]com
  • guildofgu.ardians[.]com
  • giuldofguardians[.]com
  • guildofguardains[.]com

guildof.guardians[.]com redirects to a marketplace for registering domains... going to set this one aside.


guildofgu.ardians[.]com is much more interesting.  This site comes with a warning from antiphishing.org and Firefox really doesn't want me to go to this site.  If you see this warning from Firefox you know you should turn back... but I'm curious...


After ignoring the warnings and throwing caution to the wind I continued to the site and found... whatever was there is gone and Epik is offering to put me in contact with the domain owner to purchase it...  Well that was anti-climatic.


Next up how about giuldofguardians[.]com.  Looks like it has an MX record and hosted by Namecheap.


Again, looks like whatever was there is gone now.  However, the MX record is still there, and this one might be worth a revisit to see if there's anything hiding on the server.

Looks like guildofguardains[.]com is parked.

guildof-guardians[.]com is interesting, as it seems to be setup with cloudflare, and it's timing out with a 522 error.


Something must be there, and now I want to know what.  However, that's going to have to wait till next time as it's already getting late.  Later this week I'll finish looking at these domains and use dnstwist again with a much larger set of top level domains.

Until then, stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.

Comments

Post a Comment

Popular posts from this blog

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more