DomainTools 101: Don't Discount Subdomain Signals
“If it looks too good to be true, it most likely is.” This is a mantra I live by when sifting through email or social media, or when surfing websites. In my experience, if the text is odd or poorly structured, that is a clue; and most importantly, if there is a suspicious structure to the domain, specifically the subdomain, it is likely malicious. So the other day, when I came across several Kohl’s coupons with strange subdomains on my social media feed, I felt they would make a great example to help highlight my process when I see domains that appear malicious.
Before we dive into this example, it is necessary to have a foundational understanding of domain names (if you already know how DNS names are structured, skip this paragraph). A hostname is read from right to left. The last label, .COM here, is the Top Level Domain, or TLD; other common TLDs include .org, .net, .edu and .gov. The label immediately to the left of the TLD is the name the owner actually registered, so in the first example below the registered domain is com-customer[.]com, not kohls.com. Everything further to the left is a subdomain. Subdomains are created by whoever controls the registered domain, can be given any value, and are usually used to route the user to a specific part of the site: support.blank.com would take you to the support landing page of the blank.com domain. Scammers use the same mechanism in reverse. They register a domain whose name begins with “com-” and then create a subdomain called “kohls”, so the address reads as kohls.com-… and the eye stops at the familiar brand, while the falsely branded landing page (in this case, Kohl’s) is actually hosted on the scammer’s own domain.
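The split described above, worked as an added example (this is not code from the original post or from DomainTools). It breaks a hostname into subdomain, registered domain and TLD, and flags the two things that make the Kohl’s addresses suspicious: a registered name that begins with a TLD-like token and a hyphen (“com-customer”), and a watched brand that appears only as a subdomain. The suffix list `KNOWN_SUFFIXES`, the brand list `WATCHED_BRANDS` and all function names are assumptions made for the example; a real tool should use the full Public Suffix List rather than the tiny hard-coded stand-in here.

```python
"""
Added example, not code from the original post or from DomainTools:
split a hostname into subdomain / registered domain / TLD and flag the
"brand.com-something.com" pattern.  The suffix list is a tiny hard-coded
stand-in for the Public Suffix List (an assumption so the example runs
offline); a real tool should use the full list.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List

# Assumption: minimal suffix list.  A multi-label suffix (co.uk) is
# included to show why "the label left of the last dot" is not enough.
KNOWN_SUFFIXES = {"com", "net", "org", "edu", "gov", "co.uk"}

# Assumption: brands whose appearance as a *subdomain* label should be flagged.
WATCHED_BRANDS = {"kohls"}


@dataclass
class ParsedHost:
    subdomain: str    # "kohls" for kohls.com-customer.com, "" if none
    registered: str   # "com-customer.com": what the scammer actually owns
    suffix: str       # "com"


def normalise(raw: str) -> str:
    """Accept defanged ("[.]", "hxxp://") or full URLs; return a bare lowercase host."""
    host = raw.strip().lower().replace("[.]", ".")
    if host.startswith("hxxp"):
        host = "http" + host[4:]
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].rstrip(".")


def parse_host(raw: str) -> ParsedHost:
    labels = normalise(raw).split(".")
    # Longest suffix first so that co.uk wins over uk; require at least one
    # label left of the suffix to serve as the registered (second-level) name.
    for n in (2, 1):
        suffix = ".".join(labels[-n:])
        if len(labels) > n and suffix in KNOWN_SUFFIXES:
            sld = labels[-n - 1]
            return ParsedHost(".".join(labels[:-n - 1]), f"{sld}.{suffix}", suffix)
    raise ValueError(f"no known public suffix in {raw!r}")


def lookalike_reasons(raw: str) -> List[str]:
    """Return why a host looks like brand impersonation, or [] if it does not."""
    p = parse_host(raw)
    sld = p.registered.split(".", 1)[0]
    sub_labels = p.subdomain.split(".") if p.subdomain else []
    reasons = []
    # The registered name starts with a TLD-like token and a hyphen:
    # "com-customer" is crafted so kohls.com-customer.com reads as kohls.com.
    if any(sld.startswith(s + "-") for s in KNOWN_SUFFIXES if "." not in s):
        reasons.append("sld-mimics-tld")
    # A watched brand appears only as a subdomain of someone else's domain.
    if sld not in WATCHED_BRANDS and any(b in sub_labels for b in WATCHED_BRANDS):
        reasons.append("brand-in-subdomain")
    return reasons


if __name__ == "__main__":
    # The four addresses from the post plus two legitimate-looking controls.
    for h in ["kohls.com-customer[.]com", "khols.com-ar[.]com", "kohls.com-70[.]com",
              "Kohls.com-usaonly[.]com", "support.kohls.com", "www.kohls.co.uk"]:
        p = parse_host(h)
        print(f"{h:28} registered={p.registered:18} sub={p.subdomain!r:10} {lookalike_reasons(h)}")
```

Note that khols.com-ar[.]com, with its misspelled brand, is caught only by the “sld-mimics-tld” rule; the brand match alone would miss it, which is why the registered-domain check matters more than string-matching the brand.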
Now that you have some background knowledge on subdomains, let’s dive deeper into the Kohl’s example. I came across Kohl’s coupons on social media that clearly leveraged Kohl’s logo and URL, but that is where the goodness ended, and the evil began. Here is a list of the links that I could find in the news:
- kohls.com-customer[.]com
- khols.com-ar[.]com
- kohls.com-70[.]com
- Kohls.com-usaonly[.]com
Using DomainTools Iris, I started to dive deeper into these malicious domains to see if I could uncover more information about them and whether their infrastructure is tied together, or whether this was just several scammers leveraging the same tactic.
My initial approach was to input the domains used in the scams into Iris. I found that three of the four domains were hosted by a single ISP, “TALMUD TORAH” (which hosts roughly 360,000 domains). The ISP is the company that leases the IP address to the domain owner; therefore the fact that three of the four domains (“com-customer[.]com”, “com-ar[.]com”, and “com-70[.]com”) share this attribute is an indicator that they are most likely owned by the same person. All of them are currently privacy protected, so I expanded my investigation into the DomainTools Whois history and found concrete ownership details for com-ar[.]com. This particular domain is owned by a “Sophie Ward”, who registered it under the email sophiewarrett[at]gmail[.]com and also uses the name “Sophie Warrett” on some of the other domains registered with that email address.
Sophie Warrett could be the former identity used by this threat actor, or just the identity used before hiding behind privacy protection. The email address is registered to 34 other domains, all of a suspicious/spammy/phishing nature, including wwwspamfighter[.]com.
As a threat hunter, I would proactively set alerts for any domains and emails featured in this spammer’s infrastructure and block them on my network.
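The pivot sequence described above (seed domains, shared hosting IP, Whois registrant email, further domains on that email), as an added example that is not code from the original post or from DomainTools. All records in `RECORDS`, the email addresses, IPs and the thresholds `MAX_IP_TENANTS` and `PRIVACY_EMAILS` are constructed for the example; the function refuses to pivot through a Whois-privacy address and through an IP that hosts many tenants, since sharing a provider that hosts hundreds of thousands of domains says little on its own. The output is the connected set you would feed to alerts and a blocklist.

```python
"""
Added example, not part of the original post: expand a seed list of scam
domains across shared registrant e-mail and shared hosting IP, and record
why each new domain was pulled in.  Every record below is constructed for
the example; nothing here is a real lookup result.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, Tuple

# Constructed stand-ins for Whois + hosting records: domain -> (ip, registrant_email)
RECORDS: Dict[str, Tuple[str, str]] = {
    "com-customer.com":   ("198.51.100.10", "privacy@proxy.invalid"),
    "com-ar.com":         ("198.51.100.10", "actor@example.invalid"),
    "com-70.com":         ("198.51.100.10", "privacy@proxy.invalid"),
    "com-usaonly.com":    ("203.0.113.5",   "privacy@proxy.invalid"),
    "com-gift.com":       ("198.51.100.10", "privacy@proxy.invalid"),   # same small IP -> pulled in
    "wwwspamfighter.com": ("192.0.2.44",    "actor@example.invalid"),   # same e-mail -> pulled in
    "innocent-blog.com":  ("203.0.113.5",   "blogger@example.invalid"), # busy shared host -> left alone
}
# Pad the busy IP with many unrelated tenants (constructed) to model shared hosting.
for _i in range(40):
    RECORDS[f"tenant{_i}.example"] = ("203.0.113.5", f"user{_i}@example.invalid")

# Assumption: a known Whois-privacy proxy address; thousands of unrelated
# domains share it, so it must never be used as a pivot.
PRIVACY_EMAILS = {"privacy@proxy.invalid"}
# Assumption: an IP with more tenants than this is treated as shared hosting,
# where co-location is not evidence of common ownership.
MAX_IP_TENANTS = 10


def expand(seeds: Iterable[str],
           records: Dict[str, Tuple[str, str]] = RECORDS,
           max_ip_tenants: int = MAX_IP_TENANTS) -> Dict[str, str]:
    """Breadth-first pivot from seeds; returns {domain: reason it was included}."""
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for d, (ip, email) in records.items():
        by_ip[ip].add(d)
        by_email[email].add(d)

    why = {s: "seed" for s in seeds}
    queue = deque(seeds)
    while queue:
        d = queue.popleft()
        if d not in records:
            continue  # no enrichment data for this domain; it stays a seed only
        ip, email = records[d]
        neighbours = set()
        if email not in PRIVACY_EMAILS:
            neighbours |= {(n, f"shared e-mail {email}") for n in by_email[email]}
        if len(by_ip[ip]) <= max_ip_tenants:
            neighbours |= {(n, f"shared ip {ip}") for n in by_ip[ip]}
        for n, reason in sorted(neighbours):
            if n not in why:
                why[n] = f"via {d}: {reason}"
                queue.append(n)
    return why


if __name__ == "__main__":
    seeds = ["com-customer.com", "com-ar.com", "com-70.com", "com-usaonly.com"]
    for domain, reason in expand(seeds).items():
        print(f"{domain:22} {reason}")
```

In this constructed data com-usaonly.com sits on the busy IP, so the expansion finds nothing new through it, and the tenant domains that merely share that host are never touched; com-gift.com is reached through the small IP and wwwspamfighter.com through the registrant email. In practice you would tune the tenant threshold against your passive-DNS source and keep the `why` string with each indicator so the block can be justified later.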
The bottom line is that you and your information are a threat actor’s end goal. Campaigns similar to the one above are leveraged to infect your machine, hack your accounts, or even acquire proprietary assets from your business. By taking these simple steps to attribute an attack (even if that means just finding an email address) and blocking the connected infrastructure, you can help protect your assets.
For more information on this example, there is a great article by Hoax Slayer that also references the spammy nature of these techniques.