Ghost Domain Registrants: A Pile of Unknown Identities

Rakesh Krishnan
4 min read · Jul 11, 2021

Phishing is a long-standing technique of cybercriminals, used mainly in scam campaigns. It is most lucrative against banking and financial institutions: the scammer registers a typo-squatted (look-alike) domain, tailors the content to the targeted victims and delivers it by email. The payoff is either sensitive information such as login credentials or a foothold for ransomware extortion.

We have witnessed numerous incidents where a help-desk or support mailbox was compromised through a phishing link or email, leading to compromise of the whole environment. The Colonial Pipeline attack (May 2021) by the DarkSide ransomware group halted the company's pipeline operations for about six days and reportedly netted roughly $5M in ransom. Another remarkable fraud was spotted in 2016, when the Belgian bank Crelan lost about $75M to BEC scammers. Both cases show how little awareness of phishing attacks there still is among the public.

While tracing back malicious domains, the investigation usually hits a dead end, because most offensive infrastructure sits behind privacy or proxy services such as WhoisGuard (WHOIS privacy), Cloudflare (a reverse proxy that hides the origin server) or Njalla (a privacy-oriented registrar). These services are a safe haven for criminals who want to conceal their identity from public WHOIS lookups.

Note that attackers rely on such services before kick-starting a campaign, as a matter of OpSec. Some inexperienced fraudsters nevertheless give up their real identity when registering domains, and are easily busted when law enforcement demands the registrant records during a crackdown.

Then there are the Ghost Registrants, who leave no usable trace at all when registering malicious domains.

GhostWriter | Source: Pinterest

INTRODUCTION

OpSec failures have become more common over the last few years. Examples include the exposure of North Korean (Lazarus) operators in 2018, who had reused the same email address for personal accounts and for hacking campaigns, and the takedown of several dark-web marketplaces in a similar fashion.

As identity became an unavoidable requirement when signing up for nominally anonymous services such as hosting, attackers turned to pseudo-identities, registering themselves as Ghost Registrants.

More often than not, privacy-oriented services do not cross-check the identity an applicant submits when registering a domain (a few do). Filling in the registration form is a formality, not a verification step. This became a threat vector: attackers and scammers register malicious and phishing domains under fake identities.

Here we discuss a few popular Ghost Identities used by attackers in various attack and scam campaigns:

CASE STUDIES

Ghost: Alexander Volosovik
Region: Russia, China
Known for: Bulletproof Hosting
Hosts: Ransomware, Banking Trojans, Malware, Botnet, Exploits, SPAM
Popular Sites: Maze Ransomware, Magecart Infrastructure

Ghost: Yong Duan
Email: gaoddaw@gmail.com
Region: Philippines, China
Known for: Genuine Sites, Fake Services(Financial)
Popular Service: 2pipfixed.com
Registered #: <100 Sites

Ghost: Yin Jun
Email: domain789@126.com
Region: China
Known for: Phishing Sites of BOA, Alibaba, Expedia, Sephora, CapitalOne
Popular Service: amaozn.co, vnetflix.com, wwwnaliexpress.com
Registered #: 200+ Sites

Ghost: Wiet Lee
Region: China
Known for: Specialized in Microsoft phishing/fake sites, involvement in TA505 group campaigns, spreading the FlawedAmmyy RAT
Popular Service: 365online-reactivate.com, onedrive-download-en.com, windows-several-update.com, microsoft-online-en-us.com
Registered #: 50+ Sites

Ghost: Julio Jaime
Region: United States
Known for: Magecart Attacks, Microsoft Office 365 Phishing Domains, Bank of Ireland Landing Page
Popular Service: manage-365online.com, online365-app.com, boisecurity.com
Registered #: 120+ Sites

Ghost: Artak Gasparyan
Email: whois-agent@gmx.com
Region: Armenia
Known for: Spreading the FlawedAmmyy RAT, specialized in MS Windows Update / Google Drive phishing, involvement in TA505 group campaigns
Popular Service: windows-msd-update.com, windows-update-02-en.com, googledrive-en.com
Registered #: >50 Sites

Ghost: Anton Housed
Email: rentahouseanton@gmail.com
Region: Russia
Known for: CosmicDuke, Glupteba (Malware), Cryptomining
Popular Service: pilotsandflys.com, fastsamsungus.com, financialtimesguru.com
Registered #: >10 Sites
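To show how the registrant pivot behind these case studies works in practice, here is an added example (not code from the original post) that parses a small WHOIS dump, sets aside records hidden behind a privacy/proxy service, and clusters the remaining domains by shared registrant email, phone number or name. The WHOIS records, the privacy-marker list and the phone numbers are constructed for illustration; only the names, emails and domains are taken from the case studies above.

```python
"""Pivot on WHOIS registrant fields to cluster domains and set aside privacy-proxied records.

The WHOIS dump below is constructed for this example (it is not real WHOIS output);
registrant names and emails from the case studies are reused only to show the pivot.
"""
import re
from collections import defaultdict

# Placeholder strings that WHOIS privacy/proxy services put into registrant fields.
# Assumption: a short illustrative list; production code should use a maintained one.
PRIVACY_MARKERS = (
    "whoisguard", "withheld for privacy", "redacted for privacy",
    "njalla", "privacy protect", "domains by proxy",
)

SAMPLE_WHOIS = """\
Domain Name: amaozn.co
Registrant Name: Yin Jun
Registrant Email: domain789@126.com
Registrant Phone: +86.13800000000

Domain Name: vnetflix.com
Registrant Name: Yin Jun
Registrant Email: domain789@126.com
Registrant Phone: +86.13800000000

Domain Name: wwwnaliexpress.com
Registrant Name: Jun Yin
Registrant Email: DOMAIN789@126.com
Registrant Phone: +86.13811111111

Domain Name: windows-msd-update.com
Registrant Name: Artak Gasparyan
Registrant Email: whois-agent@gmx.com
Registrant Phone: +374.10000000

Domain Name: googledrive-en.com
Registrant Name: WhoisGuard Protected
Registrant Email: abc123@whoisguard.com
Registrant Phone: +507.8365503
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def parse_whois_records(text):
    """Split a blank-line-separated WHOIS dump into dicts of lower-cased field -> value."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group("key").strip().lower()] = m.group("value").strip()
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def is_privacy_proxied(record):
    """True when the registrant name or email looks like a privacy/proxy placeholder."""
    haystack = " ".join(record.get(k, "") for k in ("registrant name", "registrant email")).lower()
    return any(marker in haystack for marker in PRIVACY_MARKERS)


def identity_keys(record):
    """Normalised pivot keys: lower-cased email, digits-only phone, sorted name tokens."""
    keys = set()
    email = record.get("registrant email", "").lower()
    if email:
        keys.add(("email", email))
    phone = re.sub(r"\D", "", record.get("registrant phone", ""))
    if phone:
        keys.add(("phone", phone))
    name = record.get("registrant name", "").lower()
    if name:
        keys.add(("name", " ".join(sorted(name.split()))))  # "Jun Yin" == "Yin Jun"
    return keys


def cluster_by_registrant(records):
    """Group domains whose records share any pivot key (union-find over records).

    Privacy-proxied records are returned separately: their placeholder identities
    would otherwise glue unrelated domains into one giant cluster.
    """
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    key_owner, proxied = {}, []
    for i, rec in enumerate(records):
        if is_privacy_proxied(rec):
            proxied.append(rec["domain name"].lower())
            continue
        for key in identity_keys(rec):
            if key in key_owner:
                parent[find(i)] = find(key_owner[key])
            else:
                key_owner[key] = i

    clusters = defaultdict(list)
    for i, rec in enumerate(records):
        if not is_privacy_proxied(rec):
            clusters[find(i)].append(rec["domain name"].lower())
    return sorted(sorted(v) for v in clusters.values()), sorted(proxied)


if __name__ == "__main__":
    clusters, proxied = cluster_by_registrant(parse_whois_records(SAMPLE_WHOIS))
    for group in clusters:
        print("cluster:", ", ".join(group))
    print("privacy-proxied (pivot elsewhere, e.g. passive DNS):", ", ".join(proxied))
```

The name key sorts tokens so that "Yin Jun" and "Jun Yin" collapse into one identity, and the email key is case-folded, which is what joins wwwnaliexpress.com to the other two domains despite its different phone number. Records behind WhoisGuard are deliberately kept out of the clustering: a shared proxy placeholder is not evidence of a shared operator, and those domains need another pivot (hosting IP, passive DNS, TLS certificate) instead.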

A Use Case of Ghost Domain Registrant Weit Lee

The WHOIS record shown above is an example of a threat actor going anonymous: the record suggests the actor may be in Poland (or behind a Polish proxy), yet relies on a service that presents a Chinese registrant profile to conceal the original registrant's identity.

NOTE: Many identities like this lurk on the surface web, where active phishers are still scamming large numbers of netizens daily.

Criminal Modus Operandi: Obscuring Identity

This investigation found various methods by which attackers obscure their identity. Some of them are:

  1. A common practice among Ghost Registrants is to adopt the identity of a fictional character or of a popular personality.
  2. A genuine registrant's identity is copied so the malicious registrations blend in with the real ones without raising a red flag.
  3. A set of genuine but obscure sites is compromised and used as a launchpad for malware/botnet attacks, so the WHOIS registrant points at an innocent owner and is useless for attribution.
  4. The phone numbers supplied by attackers/scammers are fake as well: the number is either a burner or a contact number used consistently across malicious registrations.

Note that phishing campaigns span the whole of cyberspace, each segment built around a theme such as banking, crowdfunding, COVID tracking or business impersonation. Always check the source before clicking an untrusted link.
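As an added example (not part of the original post) of the "check the source" advice, the script below scores domains against a short brand list using the patterns visible in the case studies above: a brand embedded with extra characters (vnetflix.com, wwwnaliexpress.com), a brand token padded with keywords (onedrive-download-en.com, microsoft-online-en-us.com) and a transposition (amaozn.co). The brand list, the edit-distance thresholds and the benign control domains are assumptions for illustration.

```python
"""Score domains for look-alike (typo-squat) resemblance to a list of brand names.

Added example, not from the original post. The brand list and domains below are
constructed for illustration; the rules are deliberately simple and explainable.
"""
import re

# Assumption: brands a defender cares about, as bare lower-case labels.
BRANDS = ("amazon", "netflix", "aliexpress", "onedrive", "microsoft", "paypal")


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label: 'amaozn.co' -> 'amaozn'.

    Assumption: a single-label public suffix; multi-label suffixes such as
    co.uk need a public-suffix list, which is out of scope here.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_verdict(domain, brands=BRANDS):
    """Return {'domain', 'brand', 'reason'} for a suspected look-alike, else None.

    Rules, checked in order for each brand:
      1. exact brand label -> not a look-alike (TLD abuse is a separate check);
      2. brand as a hyphen-separated token (onedrive-download-en);
      3. brand embedded with extra characters (vnetflix, wwwnaliexpress);
      4. small edit distance to the brand (amaozn -> amazon, 2 edits).
    """
    # 'wwwnaliexpress' hides www inside the label rather than as a subdomain.
    label = re.sub(r"^www", "", registrable_label(domain))
    tokens = label.split("-")
    squashed = label.replace("-", "")
    for brand in brands:
        if label == brand:
            return None
        if brand in tokens:
            reason = "brand token with added keywords"
        elif brand in label:
            reason = "brand embedded with extra characters"
        else:
            dist = levenshtein(squashed, brand)
            # Allow two edits for long brands, one for short ones, to limit false positives.
            if dist > (2 if len(brand) >= 6 else 1):
                continue
            reason = f"edit distance {dist} from brand"
        return {"domain": domain, "brand": brand, "reason": reason}
    return None


def scan(domains, brands=BRANDS):
    """Return verdicts for every domain that matched a brand rule."""
    return [v for v in (lookalike_verdict(d, brands) for d in domains) if v]


if __name__ == "__main__":
    # Domains from the case studies above plus two benign controls (constructed list).
    SAMPLE = ["amaozn.co", "vnetflix.com", "wwwnaliexpress.com",
              "onedrive-download-en.com", "microsoft-online-en-us.com",
              "365online-reactivate.com", "amazon.com", "example.org"]
    for v in scan(SAMPLE):
        print(f"{v['domain']:28} -> {v['brand']:10} ({v['reason']})")
```

Keyword-only domains such as 365online-reactivate.com carry no brand label and fall through every rule, which is why a production matcher also needs a keyword list (online, secure, update, reactivate) and a public-suffix list for multi-label TLDs; the brand matcher alone catches the look-alikes, not the pure lure domains.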

NOTE: IOCs are not included here because multiple incidents overlap. They can be obtained for free from OTX or VirusTotal for the domains listed above, and from Domain Big Data for the Ghost Registrants.

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.