A Fake ID Marketplace under the DNS Lens

Fake IDs have become a commodity for people who wish to travel or migrate to another country but lack the legal documents required to do so. That is probably the reason for the growth in the number of fake ID marketplaces.

WhoisXML API threat researcher Dancho Danchev got hold of an email address belonging to a fake ID seller. Our research team subjected the indicator of compromise (IoC) to an expansion analysis to further determine the extent of the threat actor’s operation.

Our DNS deep dive led to the discovery of:

  • Nine domains that contained the email address identified as an IoC anywhere in their historical WHOIS records
  • Seven IP addresses that played host to the nine email-connected domains
  • One domain that shared the seemingly dedicated IP host of an email-connected domain
  • 231 domains that contained text strings typically related to fake ID marketplaces
  • 777 subdomains that contained text strings typically related to fake ID marketplaces
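The four pivots behind those findings (reverse WHOIS on the seed email, resolution to hosting IPs, reverse IP on hosts that look dedicated, and keyword matching on domain and subdomain names), reduced to a runnable sketch over constructed in-memory data. This is an added example, not WhoisXML API's tooling or the research team's code; the seed email, keyword list, domains and IP addresses are placeholders.

```python
# Added example: IoC expansion over constructed WHOIS-history and DNS data.
from collections import defaultdict

SEED_EMAIL = "seller@example.invalid"            # constructed placeholder IoC
KEYWORDS = ("fakeid", "novelty-id", "scannable")  # constructed keyword list

# Constructed historical WHOIS records: (domain, registrant email, year)
WHOIS_HISTORY = [
    ("idshop-a.example", "seller@example.invalid", 2019),
    ("idshop-a.example", "privacy@proxy.example", 2022),  # later redacted
    ("idshop-b.example", "seller@example.invalid", 2020),
    ("unrelated.example", "someone@else.example", 2021),
]
# Constructed A records (RFC 5737 documentation ranges): domain -> IPs
DNS_A = {
    "idshop-a.example": ["192.0.2.10"],
    "sibling.example": ["192.0.2.10"],          # shares a near-dedicated host
    "idshop-b.example": ["198.51.100.5"],
    "shared-host.example": ["198.51.100.5"],    # busy shared host: skipped
    "other-shared.example": ["198.51.100.5"],
    "fakeid-store.example": ["203.0.113.9"],
    "unrelated.example": ["203.0.113.7"],
}
SUBDOMAINS = ["www.fakeid-store.example", "mail.unrelated.example"]

def reverse_whois(email, history=WHOIS_HISTORY):
    """Domains whose WHOIS history ever listed the seed email."""
    return sorted({d for d, e, _ in history if e.lower() == email.lower()})

def resolve(domains, dns=DNS_A):
    """Map each domain to its A records, dropping unresolvable names."""
    return {d: dns[d] for d in domains if dns.get(d)}

def reverse_ip(ips, dns=DNS_A, max_tenants=2):
    """Co-hosted domains on IPs that look dedicated (few tenants in our data)."""
    tenants = defaultdict(set)
    for d, addrs in dns.items():
        for a in addrs:
            tenants[a].add(d)
    return {ip: sorted(tenants[ip]) for ip in ips
            if 0 < len(tenants[ip]) <= max_tenants}

def keyword_matches(names, keywords=KEYWORDS):
    """Names whose labels contain a marketplace-related string."""
    return sorted(n for n in names if any(k in n.lower() for k in keywords))

def expand(email):
    """Run all four pivots from a seed email and collect the results."""
    seeds = reverse_whois(email)
    ips = sorted({a for addrs in resolve(seeds).values() for a in addrs})
    cohosted = {d for ds in reverse_ip(ips).values() for d in ds} - set(seeds)
    return {"email_domains": seeds, "ips": ips, "cohosted": sorted(cohosted),
            "keyword_names": keyword_matches(list(DNS_A) + SUBDOMAINS)}
```

The tenant threshold in `reverse_ip` is what separates a "seemingly dedicated" host from shared hosting, where co-hosted domains would otherwise be unrelated noise.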

