Why Domain Seizure Isn’t the End | WhoisXML API

Why Domain Seizure May Not Stop Money Mule Recruitment Campaigns

U.S. law enforcement agencies recently seized 18 domains believed to be part of money mule recruitment campaigns in a bid to put a stop to ongoing malware attacks. Bleeping Computer researchers published the indicators of compromise (IoCs) on their blog.[1]

Did the domain seizure thwart the ongoing malicious campaigns entirely? We sought to find out through an IoC expansion exercise that uncovered:

  • A single IP address to which all the seized domains resolved
  • 60+ additional domains that resolved to the same IP address as the domain IoCs did
  • 400+ more domains that shared unique strings or string combinations found among the IoCs
  • Nine unredacted personal registrant email addresses from the artifacts’ historical WHOIS records
  • 100+ additional domains that shared some of the artifacts’ registrant email addresses, two of which were malicious
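The pivots in that list, as an added example that is not WhoisXML API's own code, run offline over constructed passive-DNS and WHOIS records (every domain, IP address and e-mail address below is a placeholder, not one of the report's artifacts):

```python
# Added example, not WhoisXML API's own code: the IoC-expansion pivots the
# report lists (shared IP, shared strings, unredacted registrant e-mail, reverse
# WHOIS on that e-mail), run offline over constructed passive-DNS/WHOIS records.
import re
from collections import defaultdict
# Constructed sample records; every domain, IP and e-mail here is a placeholder.
SEED_IOCS = ["mule-job-offer.example", "easy-payment-hr.example"]
PASSIVE_DNS = {                        # domain -> IP it resolved to
    "mule-job-offer.example": "203.0.113.10",
    "easy-payment-hr.example": "203.0.113.10",
    "hr-payment-portal.example": "203.0.113.10",
    "bakery.example": "198.51.100.7",
}
WHOIS_EMAIL = {                        # domain -> registrant e-mail (None = redacted)
    "mule-job-offer.example": "registrant1@mail.example",
    "easy-payment-hr.example": None,
    "hr-payment-portal.example": "registrant1@mail.example",
    "job-offer-today.example": "registrant1@mail.example",
    "bakery.example": "baker@mail.example",
}
STOPWORDS = {"www", "com", "net", "org", "example"}   # labels too generic to pivot on

def tokens(domain):
    """Label strings worth pivoting on: 'mule-job-offer.example' -> {'mule','job','offer'}."""
    return {t for t in re.split(r"[.-]", domain.lower()) if len(t) > 2 and t not in STOPWORDS}

def expand(seeds, pdns, whois, max_neighbours=50):
    """Map each newly found domain to the set of pivots that surfaced it.
    An IP hosting more than max_neighbours domains is treated as shared hosting
    and skipped, so a whole hosting provider is not swept into a blocklist."""
    reasons = defaultdict(set)
    ip_to_domains = defaultdict(set)
    for d, ip in pdns.items():
        ip_to_domains[ip].add(d)
    for ip in {pdns[s] for s in seeds if s in pdns}:           # pivot 1: shared IP
        if len(ip_to_domains[ip]) <= max_neighbours:
            for d in ip_to_domains[ip]:
                reasons[d].add("shared-ip")
    seed_tokens = set().union(*(tokens(s) for s in seeds))   # pivot 2: shared strings
    for d in set(pdns) | set(whois):
        if tokens(d) & seed_tokens:
            reasons[d].add("shared-string")
    emails = {whois[s] for s in seeds if whois.get(s)}        # pivot 3: unredacted e-mails
    for d, e in whois.items():                               # pivot 4: reverse WHOIS
        if e in emails:
            reasons[d].add("shared-registrant")
    return {d: r for d, r in reasons.items() if d not in seeds}

if __name__ == "__main__":
    for d, why in sorted(expand(SEED_IOCS, PASSIVE_DNS, WHOIS_EMAIL).items()):
        print(d, sorted(why))   # domains hit by several pivots deserve review first
```

Domains surfaced by more than one pivot are the strongest candidates; a single shared-string or shared-IP hit on its own is weak evidence and needs a second look before blocking.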

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.bleepingcomputer.com/news/security/us-seized-18-web-domains-used-for-recruiting-money-mules/#.Y2_4y1-mshQ.linkedin