Threat Reports | WXA Research Center | WhoisXML API

WXA Research Center

Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the WXA Academy.

Have questions?

Contact us at

Threat Reports

Uncovering Signs of Internet Fraud with WHOIS, DNS, and IP Data

The FTC Consumer Sentinel Network1 reported US$3.5 billion in losses due to different types of fraud as of the third quarter of 2021. Clearly, fraud is an imminent threat that needs to be detected and prevented as early as possible to avoid further losses to individuals and the global economy.

Continue reading

Facebook Is Now Meta, Will Threat Actors Ride the Wave?

Company rebranding efforts are always a big deal, as they usually translate to expanding a known brand’s portfolio. That’s why many such events are announced during some of the world’s biggest conferences. The same could be said of Mark Zuckerberg’s introduction of Meta in Connect 2021.1

Continue reading

Are Banks and Their Customers Once Again at Risk of Typosquatting Woes?

Banks and other financial institutions have always been a top-of-mind attack target.1 We analyzed an ongoing cybersquatting campaign targeting U.S. Bancorp using four malicious domains and their corresponding IP resolutions that IBM X-Force Exchange identified.2

Continue reading

Insurance Companies Are The Target of Recent Cybersquatting Campaigns

We analyzed an ongoing cybersquatting campaign targeting MetLife, Inc., using 12 malicious domains that IBM X-Force Exchange identified.1

Continue reading

Are Cybersquatting Campaigns Targeting Airlines Taking Off?

Any company that serves thousands if not millions of users is considered ripe for threat actor picking. Threats and attacks often start with the simple act of typosquatting. Such was the case for an ongoing cybersquatting campaign targeting Turkish Airlines.1

Continue reading

Exposing the Connection between a Most Wanted Cybercriminal and the BlackEnergy DDoS Attack

Oleksandr Vitalyevich Ieremenko1 is a Ukrainian national charged with several fraud-related and cybercrime cases in August 2015. Barely a year after the allegation, Ieremenko joined a cybercrime group led by Artem Viacheslavovich Radchenko and gained unauthorized entry into the U.S. Securities and Exchange Commission (SEC) network.

Continue reading

A Most Wanted Cybercriminal Runs a Profitable Android Malware Enterprise

Danil Potekhin,1 a Russian national, managed to steal approximately US$17 million from users of several digital currency exchange platforms by defrauding several cryptocurrency exchange sites. Potekhin was then indicted2 in September 2020 for conspiracy to commit computer fraud, unauthorized access to a protected computer, and aggravated identity theft, among other crimes.

Continue reading

Exposing Hundreds of Rogue VPN Domains Potentially Connected to the NSA

WhoisXML API DNS Threat Researcher Dancho Danchev identified domain intelligence related to several bogus free VPN service providers. Those bogus entities could seemingly be traced back to the National Security Agency (NSA) as part of an effort to monitor the online activities of suspicious Iran-based users. 

Continue reading

IoC Report Exposing an Active WannaCry Ransomware Domain Portfolio

WannaCry ransomware made waves as part of a global cyber attack detected in 2017, which resulted in around US$4 billion1 in financial losses. The ransomware campaign targeted organizations in various industries, including the telecommunications, airline, and medical services sectors.

Continue reading

IoC Report Exposing a Currently Active Cyber Jihad Campaign’s Domain Portfolio

Cyber jihad, a term that loosely describes using the Internet as a communication, fundraising, recruitment, training, and planning tool in cyber attacks[1], gained traction over the years. It has become a force to reckon with for many government institutions tasked to battle cyberterrorism. In fact, at the end of 2020 alone, three cyber-enabled campaigns targeting government institutions worldwide were brought down[2].

Continue reading

Exposing Thousands of Active Kaseya Ransomware C&C Domains

About 1,500 small and medium-sized businesses (SMBs)1 may have been affected by the ransomware attack targeting Kaseya, an IT solutions developer catering to managed service providers (MSPs) and enterprises. The attack, which occurred in July 2021, exploited a vulnerability in the company’s remote monitoring and management software. The threat actors behind the attack reportedly asked for US$70 million2 in exchange for a decryption tool.

Continue reading

Domain Squatting Analysis of the Gaming Industry: Thousands of Online Gaming-Related Web Properties

The video gaming industry is among the highest-earning entertainment sectors, outperforming1 the movie industry in the past year. It has also become a favorite of cyber attackers.

We analyzed thousands of gaming-related domains and subdomains to see how prevalent threats are in the industry. Aside from analyzing the overall e-sports sector, our analysis targeted four of the most popular gaming companies—Bandai Namco, Epic Games, Electronic Arts, and Ubisoft.

Continue reading

CEO Impersonation Alert: A Look into the Top 100 CEOs of 2021

Total losses from BEC scams and CEO impersonation are estimated at tens of US$billion[1][2] over the past years. In 2021, Elon Musk’s impersonators were able to amass about US$2 million[3] from numerous victims. 

Continue reading

A Look at Thousands of Credential Phishing-Related Domain Names

Cofense researchers found that more than half of the millions of emails they analyzed were credential phishing emails.1 To see how prevalent these are in the domain world, we extracted domains that contain account-related text strings, such as “login,” “signin,” and “password.” When used alongside popular company names like PayPal and Amazon, these account-related text strings can make phishing emails appear more credible.

Continue reading

Exposing 1,100+ NSO Spyware Group’s Domains, IP Addresses, and MD5 Hashes

The NSO Spyware Group’s spyware dubbed “Pegasus” is known for its ability to be covertly installed on mobile phones running different versions of Android and iOS and spy on their owners’ activities.

Pegasus was created to allow government agencies to monitor possibly illegal activities performed by citizens on their watchlists. Pegasus, however, has been widely criticized for violating people’s right to privacy and potentially targeting journalists and heads of state.1

Given the risks that Pegasus poses, WhoisXML API Security Researcher Dancho Danchev investigated 28 email addresses used by known registrants tied to the NSO Spyware Group. Danchev’s in-depth look also uncovered:

Continue reading

Exposing 100+ Domains Possibly Belonging to the Ashiyane Digital Security Team

The Ashiyane Digital Security Team is known to be a gray hat network security company based in Iran.1 It has been allegedly connected to several state-sponsored attacks against various countries over the years. 

Continue reading

IoC Report Exposing Potential Actors behind the Conficker Botnet

Conficker, which infected millions of systems in its heyday in 2008, continues to infect tens of thousands of devices. Dubbed as the “worm that nearly ate the Internet1,” Conficker targets computers running on Microsoft operating systems (OSs), creating a colossal botnet that can be used to launch large-scale cyber attacks.

Continue reading

Analyzing “Brian Krebs” Typosquatting Domains to Spread Malware

Brian Krebs1, an American journalist and investigative reporter, is best known for his coverage of cybercrime & cybersecurity news—notably through his blog KrebsOnSecurity.com.

Continue reading
Try our WhoisXML API for free
Get started