Like many security researchers, I not only run my own mail servers, but I generally do not have spam filtering on many of them, so I can see the interesting attacks that come in and dig into them as time allows. Yesterday, I got an interesting take on the ever-present invoice maldoc campaign: this time it was spoofing a DocuSign email suggesting I had an invoice to sign.
Clicking on the “See Document” link would take you to frederickwiseman[.]info, a domain that’s been registered since 2014. However, the domain owner got a Valentine’s Day surprise, it seems.
By the time I got a look at it, it was already pointing to GoDaddy's typical parking page with no evidence of maliciousness. However, checking both passive DNS and WHOIS, I saw that for a brief period the nameservers pointed to DNSPOD in China and the domain resolved to 49[.]51[.]154[.]22. What's interesting is that about a dozen domains pointed there from about 1200 to 1700 GMT. There are some other domains also on that IP, but all relatively newly registered.
In light of the ongoing DNS hijacking concerns, this seemed like an interesting development, not so much because of the DocuSign phish itself, but because of the apparent use of DNS hijacking for these kinds of attacks now. The phish itself was broadly seen, so it's safe to assume it's not obviously part of a targeted attack.
The domains themselves have already been returned to their owners (so blocking them would only block innocent, non-infected websites), but blocking the IP address these domains pointed to while under apparent hostile control would protect against this and future attacks from this adversary.
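The passive-DNS pivot described above (a cluster of domains that all resolved to one IP for only a few hours) and the "block the IP, not the domains" conclusion can be automated. The following is an added example, not ThreatSTOP's code: the IP is the one from this post, while the passive-DNS records, the other domain names and the timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS records: (domain, rrtype, value, first_seen, last_seen).
# 49.51.154.22 is the address from the post; everything else is made up.
PDNS = [
    ("frederickwiseman.info", "NS", "parked-ns.registrar.example", "2014-03-01T00:00", "2019-02-15T09:00"),
    ("frederickwiseman.info", "NS", "hijack-ns.dnspod.example",    "2019-02-14T12:05", "2019-02-14T16:58"),
    ("frederickwiseman.info", "A",  "49.51.154.22",                "2019-02-14T12:05", "2019-02-14T16:58"),
    ("second-victim.example", "A",  "49.51.154.22",                "2019-02-14T12:10", "2019-02-14T16:40"),
    ("third-victim.example",  "A",  "49.51.154.22",                "2019-02-14T12:30", "2019-02-14T17:00"),
    ("unrelated.example",     "A",  "203.0.113.9",                 "2018-06-01T00:00", "2019-02-15T09:00"),
]

FMT = "%Y-%m-%dT%H:%M"


def lifetime_hours(first_seen, last_seen):
    """Hours a record was observed, from its first_seen/last_seen timestamps."""
    return (datetime.strptime(last_seen, FMT) - datetime.strptime(first_seen, FMT)).total_seconds() / 3600


def short_lived(records, rrtype, max_hours=24):
    """Records of the given type that were only observed for max_hours or less."""
    return [(d, v) for d, t, v, f, l in records
            if t == rrtype and lifetime_hours(f, l) <= max_hours]


def brief_ns_changes(records, max_hours=24):
    """Domains whose nameservers briefly changed: a short-lived NS record next to a long-lived one."""
    long_lived = {d for d, t, v, f, l in records if t == "NS" and lifetime_hours(f, l) > max_hours}
    return sorted({d for d, _ in short_lived(records, "NS", max_hours) if d in long_lived})


def shared_infrastructure(records, max_hours=24, min_domains=3):
    """IP -> sorted domains, for IPs that several domains resolved to only briefly."""
    by_ip = defaultdict(set)
    for domain, ip in short_lived(records, "A", max_hours):
        by_ip[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def blocklist(records, max_hours=24, min_domains=3):
    """Block the shared IPs; the domains go back to their owners and are not blocked."""
    return sorted(shared_infrastructure(records, max_hours, min_domains))


if __name__ == "__main__":
    print("brief NS changes:", brief_ns_changes(PDNS))
    print("shared IPs:", shared_infrastructure(PDNS))
    print("block:", blocklist(PDNS))
```

The thresholds (24 hours, three domains) are assumptions to tune against your own passive-DNS source; a parked IP that thousands of stable domains share would not appear because those A records are long-lived.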
ThreatSTOP users are protected against the threat this phishing email brings, as well as any threats from the related infrastructure, as part of our Core Threats – Tier 1 target.