Profiling a Portfolio of Cybercriminal Email Addresses By Using WhoisXML API's Historical WHOIS Search and Maltego - An Analysis
We recently set out to map the domain registrations of well-known, established online cybercriminals. Starting from several hundred email addresses known to belong to them, we cross-checked each address for related domain registrations using Maltego together with WhoisXML API’s real-time and historical WHOIS records database. Historical records matter here: a domain whose current WHOIS record shows a privacy proxy or a new owner can still be attributed if an earlier snapshot carried the cybercriminal’s address.
In this article we present the findings of that study: the domains tied to those email addresses, followed by sample malware hashes observed contacting them. One caveat before acting on any of it: an address in a domain’s WHOIS record attributes the registration, not necessarily current control. Domains expire, get resold or move behind privacy protection, so each hit should be checked against the dates of the matching WHOIS record before it is blocked or reported.
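The pivot described above, reproduced offline as an added example (this is not code from the article, from WhoisXML API or from Maltego): it indexes historical WHOIS snapshots by registrant email, skips privacy-proxy addresses that would otherwise link unrelated domains to one another, and reports for each hit whether the seed address is the current registrant or only a historical one. Every record, domain and address in the block is a constructed placeholder; the proxy-marker list and the first-seen/last-seen bookkeeping are assumptions about how one would do this, not the article’s method.

```python
"""Reverse-WHOIS pivot over historical WHOIS snapshots (added example).

Not code from the article or its tooling. SNAPSHOTS is CONSTRUCTED sample
data with placeholder domains and addresses; PROXY_EMAIL_MARKERS is an
assumed heuristic for privacy/proxy registrants.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WhoisSnapshot:
    """One captured WHOIS record for a domain."""
    domain: str
    registrant_email: str
    observed: date  # date the record was captured


# Constructed historical snapshots: evil-shop moved behind a privacy proxy,
# parked was resold, legit-blog never touched the seed address.
SNAPSHOTS = [
    WhoisSnapshot("evil-shop.example", "Crook@Example.NET", date(2013, 2, 1)),
    WhoisSnapshot("evil-shop.example", "privacy@whoisguard.example", date(2016, 5, 9)),
    WhoisSnapshot("mail-login.example", "crook@example.net", date(2014, 7, 3)),
    WhoisSnapshot("legit-blog.example", "owner@example.org", date(2015, 1, 1)),
    WhoisSnapshot("parked.example", "crook@example.net", date(2012, 3, 3)),
    WhoisSnapshot("parked.example", "reseller@example.com", date(2018, 3, 3)),
]

# Assumed markers of privacy/proxy services: pivoting on such an address
# would pull in every customer of that service, so they are excluded.
PROXY_EMAIL_MARKERS = ("whoisguard", "privacy", "proxy", "domainsbyproxy")


def normalise_email(addr: str) -> str:
    return addr.strip().lower()


def is_proxy_email(addr: str) -> bool:
    local, _, domain = normalise_email(addr).partition("@")
    return any(m in local or m in domain for m in PROXY_EMAIL_MARKERS)


def build_email_index(snapshots):
    """Map registrant email -> {domain: (first_seen, last_seen)}."""
    index = defaultdict(dict)
    for s in snapshots:
        email = normalise_email(s.registrant_email)
        if is_proxy_email(email):
            continue
        first, last = index[email].get(s.domain, (s.observed, s.observed))
        index[email][s.domain] = (min(first, s.observed), max(last, s.observed))
    return index


def pivot(seed_emails, snapshots):
    """Every domain tied to any seed address, current or historical."""
    index = build_email_index(snapshots)
    hits = {}
    for seed in map(normalise_email, seed_emails):
        for domain, (first, last) in index.get(seed, {}).items():
            h = hits.setdefault(domain, {"emails": set(), "first_seen": first, "last_seen": last})
            h["emails"].add(seed)
            h["first_seen"] = min(h["first_seen"], first)
            h["last_seen"] = max(h["last_seen"], last)
    return hits


def current_registrant(domain, snapshots):
    """Registrant email in the most recent snapshot, or None if unseen."""
    latest = max((s for s in snapshots if s.domain == domain),
                 key=lambda s: s.observed, default=None)
    return normalise_email(latest.registrant_email) if latest else None


def defang(domain: str) -> str:
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    seeds = ["crook@example.net"]
    for domain, h in sorted(pivot(seeds, SNAPSHOTS).items()):
        now = current_registrant(domain, SNAPSHOTS)
        status = "current" if now in h["emails"] else f"historical (now {now})"
        print(f"{defang(domain):24} {h['first_seen']}..{h['last_seen']}  {status}")
```

The `status` column is the check worth keeping when doing this at scale: a domain that the seed address registered years ago but that now belongs to a reseller or sits behind a proxy is evidence about the actor’s past infrastructure, not a live indicator.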
Sample screenshot of Maltego in combination with WhoisXML API’s integration offering an in-depth peek inside a well-known portfolio of cybercriminal email addresses in terms of related domain registrations
Domains currently or historically registered with these email addresses are listed below, defanged with [.]. Several are obvious lookalikes of webmail, banking and payment brands, for example the mail-yahoo[.]com variants, onlinebanking-bankofamerica[.]com and paypal-instant[.]online, which is consistent with phishing use:
- discoverazerbaijan[.]az
- dnblinks[.]com
- zpburners[.]com
- berneckersigns[.]com
- rubiofamily[.]com
- briancallanan[.]com
- shiprisks[.]fr
- sergiomion[.]us
- azcity[.]net
- p8p[.]com
- sfvgroup[.]ge
- wah4m[.]com
- fpib[.]az
- climazone[.]az
- tibidabo[.]az
- sdmcneill[.]com
- sd-mcneill[.]com
- carloseslava[.]pro
- troop76[.]us
- miguel-huertas[.]net
- heled[.]net
- spyeye-trojan[.]com
- kellytoys4u[.]com
- utc[.]az
- vineandocean[.]com
- wineandocean[.]com
- soft[.]az
- jeyran[.]az
- jrun[.]az
- corepro[.]az
- rastite[.]com
- carbonoffset[.]gq
- anyad[.]is
- shadyscape[.]biz
- hilltoppk[.]com
- dotnetstreamer[.]net
- scoreglass[.]com
- armpure[.]com
- whopitch[.]com
- scoreschick[.]com
- hamegas39[.]com
- imamer63[.]com
- bottompride[.]com
- ultradoes[.]com
- copywinter[.]com
- hurryquick[.]com
- behindplace[.]com
- rollthose[.]com
- capitalprivates[.]com
- al-zamalek[.]net
- westernunion-web[.]com
- mike-waals[.]com
- winbtcdaily[.]com
- magetradestar[.]net
- abduldjalilz[.]com
- lumia2014[.]com
- www--mail-yahoo[.]com
- apps-mail-yahoo[.]com
- nabsikkim[.]org
- viplending[.]us
- climbinginsikkim[.]com
- epijobs[.]us
- accounts-mail-yahoo[.]com
- account-mail-yahoo[.]com
- usadisasterreliefcorps[.]us
- gewe[.]us
- cbb-mail-yahoo[.]com
- open-mail-yahoo[.]com
- mail-yahoo[.]com
- mg6-mail-yahoo[.]com
- gravywire[.]com
- freshtools[.]us
- katnito[.]com
- internationa1feed[.]com
- sgha11ous[.]com
- sidhhratha[.]com
- obitosus[.]com
- de1ongcompany[.]com
- sup1t[.]com
- gathixtools[.]com
- mylionjewel[.]com
- thehackcrack[.]com
- sikkimviklang[.]org
- paypal-instant[.]online
- trekkinginsikkim[.]info
- modernresidency[.]com
- abhmarket[.]com
- sikkimhomestayatdarap[.]com
- perfecitmoney[.]com
- dialsikkim[.]com
- ccvmarket[.]com
- sikkimcareers[.]com
- sikkimtourisminfo[.]com
- rumtekinfo[.]com
- hotelmisttreemountain[.]com
- good4host[.]com
- nayumaonline[.]com
- renewalvisa[.]com
- jayanthsystems[.]com
- 943theshark[.]net
- budgethotelsinsikkim[.]com
- thesharkrocks[.]net
- srkw[.]net
- chinamediaconsulting[.]com
- hslung[.]com
- patroitfeed[.]com
- b1umenpack[.]com
- maxismoton[.]com
- gagathai[.]com
- securelly-marketing[.]com
- pjsmartair[.]com
- kaitln-scheidel[.]com
- adebowale-harcker[.]net
- b4tibati[.]net
- ashraerp[.]com
- atlasjennate[.]com
- keybiscaynehardware[.]com
- kingging[.]com
- glambleclub[.]com
- faran-company[.]com
- givehaiti[.]com
- bodmaxs[.]com
- internalver[.]com
- dpa-payroll[.]net
- bodmaxs[.]net
- picook[.]com
- asperics[.]com
- zonabeat[.]com
- granazac[.]com
- quikinickspruckts[.]com
- myspanishtask[.]com
- vivezacatecas[.]com
- sexmo-vis-2012[.]com
- erovideo-mob[.]com
- concursoenloquecer[.]com
- forumi-ks[.]com
- free-progames[.]com
- vip-world-football[.]com
- kgc-gamepanel[.]com
- albania-autoliker[.]com
- news-game-everything[.]com
- leesphotosplus[.]com
- coopernickerson[.]com
- ericprivateloanfirm[.]com
- agoal[.]us
- hackanarchy[.]com
- img-ks[.]net
- qartmuu-host[.]com
- holysh0p[.]club
- spam-market[.]club
- richex[.]club
- hdporn247[.]com
- freshdown[.]info
- arttriton[.]website
- abo5atwa[.]com
- ngarko-al[.]com
- wicked-network[.]com
- 1-4[.]co
- zaheer-abbas[.]com
- woodcontest[.]com
- clubids[.]com
- cityofpetaluma[.]net
- guitaraddict[.]net
- bristolcompanies[.]net
- afritec[.]net
- 1better[.]net
- shortcut-adv[.]com
- rrkassociates[.]net
- pulsedesignstudio[.]com
- banas[.]us
- pulsedesignstudio[.]net
- planetbroker[.]us
- shortcut-adv[.]net
- craig-jensen[.]com
- thefirmament[.]us
- tabernaclebookshop[.]org
- 3rmp[.]com
- citizensbnk-online[.]com
- onlinebanking-bankofamerica[.]com
- woori-america[.]com
- asd-asd-asd-asd[.]com
- one-asd-asd-asd-asd[.]com
- hong-leong[.]com
- asd-asd[.]com
- nightdanceclubs[.]com
- 2-scp[.]com
- citizenfederalsl[.]com
- dominionlimiteds[.]com
- lajme-shqiponline[.]com
- polygropsgh[.]com
- lajme-shqiponline[.]net
- pyramidfcu-us[.]com
- sassiin[.]com
- onlinebarclaysbnk[.]com
- shayonacements[.]com
- astaire-partners[.]com
- neilhumphryservice[.]com
- royal1bank[.]info
- tdrestore[.]com
- rajakalom[.]net
- ltkrepsinis[.]com
- djeuro[.]us
- lithyimports[.]com
- xrumerforums[.]com
- alsbucketchallenge[.]com
- saemusic[.]com
- empireko[.]com
- albanianeditors[.]com
- aht-cr3w[.]com
- annonyh4ck[.]com
- ahtcr3w[.]com
- waridfranchisebannu[.]com
- news-al[.]net
- bannucommunication[.]com
- all-aboutgames[.]com
- h1nk[.]com
- bigentertainmentfinder[.]com
- realtywork[.]net
- allglobesales[.]com
- all-aboutgames[.]net
- worldpc-games[.]net
- amusementgamereal[.]com
- findallnow[.]net
- getallnow[.]net
- thenewcar[.]net
- beinhome[.]com
- strongbodys[.]net
- clichcservicecenter[.]com
- chaseon[.]us
- virtest2[.]com
- allaboutfreshoffers[.]com
- servicehomedtion[.]com
- xb-live[.]com
- wow-verification[.]com
- isbaku[.]net
- vbaku[.]net
- littlehairdressing[.]com
- federal-reservebnk[.]us
- izbaku[.]net
- izbaku[.]org
- vbaku[.]org
- isbaku[.]org
- ikedonbalokc[.]com
- olenimejoor[.]com
- olenimijoor[.]com
- webadminservernet[.]com
- dswarbrick[.]com
- ircarmy[.]com
- dascolawconsultant[.]com
- mohdazha[.]com
- virtest[.]com
- seguridadvenez[.]com
- applehalfprice[.]com
- remy90[.]com
- srnice[.]com
- canshop[.]us
- pptvpojie[.]com
- kb-fff[.]com
- o3jouba[.]net
- siwashe[.]us
- mzyuanye[.]com
- raybanoffoutlet[.]com
- oakleyoffoutlet[.]com
- cheapchinajerseyswholesale[.]org
- nfljerseyschinawholesale[.]org
- lcwkitchenware[.]com
- outxml[.]com
- mercantilvene[.]com
- berkshirefm[.]com
- radio-berkshire[.]com
- marinaardente[.]com
- antilllephone[.]com
- 7grehov[.]net
- editorial[.]kz
- blurredbuzz[.]com
- yerd20[.]com
- drgrad[.]us
- ebusywireless[.]com
- soccerplus1[.]net
- albozzimages[.]com
- prospectoilandgas[.]net
- citibnkukonline[.]com
- donux[.]pw
- royalservicesltd[.]com
- mactlogistics[.]com
- prudentialexpressdelivery[.]com
- usexpressservice[.]com
- royaloilandgasinternational[.]com
- tippersexchange[.]com
- fmof-ng[.]com
- get-freemusic[.]com
- transcolimited[.]com
- myflowproduction[.]com
- actionsmap[.]com
- actionsoncloud[.]com
- plumper-plumper[.]com
- asm-auto[.]com
- ivankudashkin[.]com
- toggiwoods[.]com
- hosted[.]fun
- lingostar[.]kz
- vamdodoma-pavlodar[.]kz
- sibforum[.]online
- worldlzt[.]xyz
- epistaffing[.]us
- dpexpservices[.]net
- projectlogisticsinternational[.]net
- ultgame[.]net
- mumadness[.]com
- mujex[.]com
- hamotz[.]com
- infectedream[.]net
- armandesign[.]net
- deal-serv[.]com
- elihaii[.]com
- dalil-ar[.]com
- raym0n[.]com
- ovh-proof[.]net
- chakibo[.]com
- h4lim[.]com
- yassin-challal[.]com
- team-sec[.]com
- aruitcity[.]net
- team-sec[.]net
- strategyoncloud[.]com
- redberryrealty[.]com
- futureoncloud[.]com
- sharedactions[.]com
- sharedstrategy[.]net
- autoclouds[.]com
- gamehosting[.]biz
- galhhh[.]com
- irhabbo[.]com
- cakeypaint[.]com
- ourhabbo[.]com
- irhabbo[.]net
- damnphp[.]net
- hungryhabbo[.]com
- habtropolis[.]com
- xenfun[.]com
- candmhotshotdelivery[.]info
- habbobabble[.]com
- boonfansite[.]com
- localvn[.]net
- habshout[.]net
- nhokpy[.]net
- 12t2-pbc[.]com
- licenses-store[.]com
- biaobank[.]net
- umudimboy[.]com
- mhmedical[.]net
- pxjvbeats[.]com
- hackshqipalbaniacommunity[.]net
- karidulesalajkue[.]com
- silver-root[.]com
- my-msn-space[.]com
- priv8darkshop[.]com
- zyngacheaters[.]com
- magicsystem[.]info
- d-kiz[.]com
- giolanh[.]com
- vietcasher[.]com
- vnwsrv[.]us
- license-store[.]biz
- tqths[.]net
- festivaldesoasisdetozeur[.]org
- ifoasiens[.]org
- forum-oasiens[.]org
- rakib[.]org
- bathroomknowledge[.]com
- dentondonuts[.]com
- adelantoinsurance[.]com
- gh0stmarket[.]net
- greatthorworld[.]com
- libarteyreserve[.]com
- blockchane[.]info
- api-web0[.]com
- dp-vandal[.]com
- freshdump[.]cc
- api-web8[.]com
- bitcointoinvest[.]com
- api-web9[.]com
- supervpn[.]us
- api-web9[.]net
- onlineid-uk[.]net
- onlineid-uk[.]com
- id-eu[.]com
- api-web8[.]net
- id-eu[.]net
- ahggpanel[.]com
- hairbuyit[.]com
- rarestuff[.]net
- eaglegraph[.]com
- 99funs[.]com
- virtuz-host[.]net
- profitnew[.]com
- profit-new[.]com
- files4money[.]com
- shkupi[.]biz
- sylwesterwpolsce[.]com
- royalwebcam[.]xyz
- ptconfire[.]net
- shopccard[.]online
- play65-download[.]com
- adoffertslead[.]com
- ptchannels[.]com
- iptvbit[.]com
- xgeeksal[.]com
- lml-inc[.]com
- scascacsa[.]net
- debit-crew[.]net
- timada[.]net
- iicicisign[.]org
- demsolng[.]com
- demsolng[.]net
- epbfi[.]bid
- doratex[.]com[.]ng
- samenerve[.]org
- chlenixblog[.]net
- dibanasyl[.]com
- tibumuqel[.]com
- gipupeceta[.]com
- platinumsol[.]com
- darwinperformance[.]com
- mena2ratlif[.]com
- 9263[.]net
- standardcharteredvault[.]net
- topjobdirect[.]us
- spammercorner[.]com
- accountstore[.]us
- thepolelife[.]com
- imagesofdetroit[.]com
- milffarts[.]com
- doucheisloose[.]com
- fathusband[.]com
- virus-host[.]net
- mydickpicissick[.]com
- virus-host[.]info
- unpuntodesal[.]com
- tdgjdgdfg[.]com
- thebeautifulpublic[.]com
- utotyi[.]com
- michaelpaniagua[.]com
- akl-serv[.]com
- shallowbitches[.]com
- sdgsdhgsdf[.]com
- alabasterdisaster[.]com
- faokasd[.]com
- fantasycamgirls[.]com
- virus-host[.]biz
- check-pp[.]net
- eslamsweb[.]com
- dkstec[.]com
- dantech-leader[.]com
- bestbargainmobiles[.]com
- buysalebooks[.]com
- toptabletlaptop[.]com
- construcorpo[.]com
- buysalesoftwares[.]com
- nireti[.]com
- sufivpn[.]com
- miguelmerelli[.]com
- mfaizanlabs[.]net
- mabunar[.]com
- 123movieshub[.]mn
- anandks[.]com
- fokaiiptv[.]com
- svsiptv[.]com
- kskiptvweb[.]com
- yasamgida78[.]com
- asd-asd-asd[.]com
- viviendasdonromualdo[.]com
- aylakarasoy[.]com
- digitalvast[.]com
- baba-stars[.]com
- chakerz[.]com
- 4lsec[.]com
- girlfriendprank[.]us
- customer-accounts[.]com
- gateway2pk[.]com
- muslims4kingdom[.]com
- megacookies-up[.]com
- iglesiaevangelicadelprincipedepaz[.]com
- firstcitygroup-nig[.]com
- analog74[.]com
- adventureamigo[.]com
- dataigy[.]com
- azurecrop[.]com
- codetect[.]com
- babbleney[.]com
- amberhold[.]com
- azuretory[.]com
- babbleinero[.]com
- babblenote[.]com
- babbleloot[.]com
- car-ebay[.]com
- casualamigo[.]com
- adventurekin[.]com
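One way to operationalize a list like the one above, as an added example that is not part of the original article: refang the bracketed entries, reject anything that is not a syntactically valid hostname, deduplicate case-insensitively, and emit a DNS Response Policy Zone (RPZ) that answers NXDOMAIN for each domain and its subdomains. The embedded input is a short hand-picked subset of the list above plus one deliberately malformed line; the zone name and SOA values are assumptions for illustration.

```python
"""Defanged IOC list -> DNS Response Policy Zone (added example).

Not code from the article. INPUT is a constructed subset of the article's
domain list plus one malformed line; the zone name and SOA timers are
assumed values.
"""
import re

INPUT = """\
- mail-yahoo[.]com
- onlinebanking-bankofamerica[.]com
- doratex[.]com[.]ng
- Mail-Yahoo[.]com
- spyeye-trojan[.]com
- not a domain!!
"""

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def refang(entry: str) -> str:
    """Strip the list bullet and undo common defanging ([.], (.), [dot])."""
    entry = entry.strip().lstrip("-").strip()
    entry = entry.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return entry.lower().rstrip(".")


def is_valid_hostname(name: str) -> bool:
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in labels)


def parse_domains(text: str):
    """Yield (domain, accepted) per non-empty line; duplicates are dropped."""
    seen = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        domain = refang(line)
        if not is_valid_hostname(domain):
            yield domain, False
            continue
        if domain in seen:
            continue
        seen.add(domain)
        yield domain, True


def domains_from_text(text: str):
    return [d for d, ok in parse_domains(text) if ok]


def rejected_from_text(text: str):
    return [d for d, ok in parse_domains(text) if not ok]


def build_rpz(domains, zone="block.rpz.local", serial=1) -> str:
    """RPZ zone text. 'CNAME .' makes the resolver return NXDOMAIN for the
    name; the '*.' entry extends that to every subdomain."""
    lines = [
        "$TTL 300",
        f"@ IN SOA {zone}. hostmaster.{zone}. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    accepted = domains_from_text(INPUT)
    for bad in rejected_from_text(INPUT):
        print(f"rejected: {bad!r}")
    print(build_rpz(accepted), end="")
```

Load the generated zone with a resolver that supports RPZ (BIND’s `response-policy` option, for example) in log-only mode first, so that hits from the resolver logs can be reviewed before the policy is enforced; the validation step matters because a single malformed line would otherwise stop the whole zone from loading.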
Sample malicious MD5s known to have phoned back to the domains registered by the cybercriminals:
We will continue to monitor domain registrations made with these well-known and personal email addresses for fraudulent and malicious purposes, and will post updates as new developments occur.