Catching Messenger Phishing Footprints Using a DNS Net
A new phishing campaign dubbed “MrTonyScam” [1] is currently targeting Facebook business accounts aided by password-stealing malware. The attackers were seen using a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages.
WhoisXML API researchers found a publicly available list of indicators of compromise (IoCs) related to the ongoing malicious campaign. We analyzed the digital infrastructure of 63 domains identified as IoCs [2] and traced the DNS footprints they left behind. Our analysis uncovered:
- 15 personal email addresses historically used to register the IoCs, each with fewer than 50 connected domains
- 155 email-connected domains
- 924 artifacts containing similar strings found among the IoCs, such as movies-, office- and 2023, and x-album
- 18 IP-connected domains that also contain text strings found among the IoCs
- [1] https://labs.guard.io/mrtonyscam-botnet-of-facebook-users-launch-high-intent-messenger-phishing-attack-on-business-3182cfb12f4d
- [2] https://otx.alienvault.com/pulse/64ffc7f2521362ddc3bd798d