Threat Reports | WXA Research Center | WhoisXML API

WXA Research Center

Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the WXA Academy.

Have questions?

Contact us at

Threat Reports

Uncovering a Large Footprint of Fake NordVPN Sites

NordVPN isn’t new to being the target of various scammers. Over the years, we’ve seen malicious campaigns that start with luring users to a fake NordVPN site.1, 2

Anyone looking to subscribe to a VPN service could easily land on a fake site and get a malware infection.

Eternity’s LilithBot, Soon Available to Regular Internet Users?

Eternity has been wreaking havoc by making malware-as-a-service (MaaS) offerings available to any interested would-be cyber attacker since January 2022.1 And at very low prices (US$70–90),2 even novice hackers could launch destructive campaigns.

Alleviating BlackEnergy-Enabled DDoS Attacks

BlackEnergy was originally sold as a crimeware toolkit when it first surfaced in 2007. Since then, it has undergone modifications that have made it one of advanced persistent threat (APT) actors’ go-to attack tools. Used in the Ukraine power grid attack in 2015, the malware effectively used a distributed denial-of-service (DDoS) attack to hide their true goal—data stealing.1 

Should We Consider the Maze Ransomware Extinct?

The Maze Ransomware Group announced in 2020 that it would shut down its operations after stealing and exposing sensitive data of several high-profile targets. But have they really ceased their operations?

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

While GitHub has built-in security measures1 to prevent users from using its infrastructure to host malware code, wily cyber attackers may be looking for ways to bypass them. We’ve seen that happen with a cryptocurrency miner2 and several malicious projects.3

DIY Web Attacks Might Still Live on via WebAttacker

WebAttacker can be considered an aged threat, but it may not be out of the cybercrime game just yet.1 While it has been in business since 2006, what WhoisXML API threat researcher Dancho Danchev discovered recently seems to indicate its operators could still be up to no good.

From Counterfeiting to Phishing: Cybersquatting Properties Target Network Device Makers

Fake network devices are being sold online, some of which can bypass security functions.1 Recently, a CEO was arrested for allegedly selling about a billion dollars’ worth of counterfeit Cisco devices.2

Is Monkeypox Following COVID-19’s (Digital) Footsteps?

Monkeypox was recently declared a public health emergency1 so it’s bound to gain even more attention in the coming weeks or months. Even before then, it has already been used as a phishing campaign lure,2 are we set to see more of this?

Beauty and the Beast: Possible Vehicles for Cosmetic Products Counterfeiting

Fake beauty products have proliferated through illicit websites and social platforms1, putting people and brands in danger. Counterfeit products may contain harmful products, and victims may end up suing the impersonated brands, according to Cosmetics Business2.

Are Threat Actors Intercepting Your OTPs? These Cyber Resources Might Be Helping Them

A recently discovered banking Trojan1 that can restart its malicious routine was delivered using two cybersquatting domains targeting BBVA, a Spanish multinational financial services firm. The malware is aptly named “Revive” and can intercept one-time passwords (OTPs) and all other messages received on the infected device.

Luxury Jewelry, Anyone? Watch Out for Scams

Cartier recently decided to beef up its efforts in hopes of taking down sites and pages selling knock-offs of its products.1

Are other luxury jewelers2 and their customers at risk of the same threat? We sought to answer this and more with our in-depth analysis of potential look-alike domains and subdomains peddling counterfeit goods.

NotPetya: Not Quite Dead, as Recent IoCs Show

NotPetya first saw light in June 2017, shortly after Petya’s emergence. NotPetya was believed to have caused organizations worldwide US$10 million in damages.1

Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign

The threat actors behind the NDSW/NDSX malware campaign1 used both newly registered and aged domains, likely to get the best of both worlds. But the digital breadcrumbs they left behind could help investigators get a step closer to catching them.

Phishers Are Impersonating Maersk: What Other Container Shipping Companies Are Targeted?

The supply chain attack on Toyota1 last February 2022 is only one example of how such an attack could be detrimental to an organization. Therefore, a phishing and impersonation campaign2 targeting one of the largest container shipping lines is quite concerning.

In the Market for a New Car? Beware Not to Get on the Phishing Bandwagon

Anything sold on the market, especially necessities, are fair game to phishers as campaign hooks. And that’s just what we saw happening with an ongoing phishing campaign targeting German car dealership companies.1

Online Shopping Danger? We Discovered 13K+ Cybersquatting Properties Targeting the Top E-Commerce Sites

Online shoppers have always been prone to cybercrime, such as financial scams, hacking, and credential theft. Domains and subdomains are common vehicles for these criminal activities, but more compelling are those that imitate major e-commerce sites.

A Look into Cybersquatting and Phishing Domains Targeting Facebook, Instagram, and WhatsApp

Meta’s infringement and cybersquatting case against Namecheap was dismissed1 last 25 April 2022 following a settlement2. While the details of the settlement were private, the registrar ended up transferring 61 domains to Meta. 

In line with this, WhoisXML API researchers decided to monitor the cybersquatting activity related to three Meta applications covered in the dismissed case—Facebook, Instagram, and WhatsApp. Our findings include:

Beware of Frappo and Related Cybersquatting Domains

Phishing-as-a-service (PaaS) solutions like the recently discovered Frappo,1 make brand impersonation campaigns easy to instigate and automate. Among those targeted by the new toolkit were large companies in the financial, e-commerce, and entertainment sectors, namely, Amazon, ATB Financial, Bank of Montreal (BMO), Bank of America (BOA), Chase, CIBC, Citibank, Citizens Bank, Costco, Desjardins, M&T Bank, Netflix, Royal Bank of Canada (RBC), Rogers, Scotia Bank, Tangerine Bank, TD Canada Trust, Uber, and Wells Fargo.

We Don’t Want to Spoil Mothers’ Day but These Domains Might

With Mothers’ Day just around the corner, threat actors may already be devising or have already deployed scams targeting mothers and children looking for Mothers’ Day gifts.

Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues

Conti ransomware continues to gain traction via the ransomware-as-a-service (RaaS) business model, with threat actors launching more than 1,000 attacks against various organizations worldwide. In March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Conti ransomware alert page with close to 100 domain indicators of compromise (IoCs).1

HermeticWiper: Another Threat Targeting Ukraine at Large

Ukraine users have reportedly been targeted by a malware known as HermeticWiper.1 Known for wiping out data on victims’ computers, the malware has affected hundreds of systems since it emerged.

Be Wary of Bogus Web Properties This Tax Season

The tax season is not only for taxpayers. Threat actors also flock to the Internet, baiting individuals and entities through different types of tax frauds.1 WhoisXML API trailed their sights on possible vehicles for malicious activities this tax season by uncovering domains and subdomains that contain tax-related terms.

Digital Spillovers of Russia’s Invasion Of Ukraine

The war between Ukraine and Russia has become a global crisis like no other. The situation has spillovers beyond humanitarian, physical, and economic effects, including increased activity on the Domain Name System (DNS).

The Oscars and Suspicious Web Activity: What's the Link?

Hollywood’s popularity extends beyond providing entertainment. Like last year1, threat actors seemingly used sites dedicated to this year’s Oscar nominees2 as malware hosts. We looked at thousands of domains and subdomains containing the best picture titles and best actor/actress names to identify how many of them are actually malicious.

The Irony: Data Privacy Sites Bring Risks Instead of Protection

It’s ironic to think that sites hinting at promoting data privacy awareness and/or protection are serving malware instead, but that’s a sad truth. We found thousands of web properties through WHOIS, IP, and DNS searches to identify malicious data privacy-related sites.

Illegally Streaming “Spider-Man: No Way Home” Could Be Hazardous to Your Computer

While watching ‘Spider-Man: No Way Home’ in movie theaters could pose health risks considering the ongoing pandemic, downloading torrents of or illegally streaming the movie can be hazardous to your computer’s health too. Researchers discovered that torrent files could be XMR Miner malware in disguise1.

65,000+ NFT-Related Domains and Subdomains: Possible Vehicles for NFT Scams?

As non-fungible tokens (NFTs) become increasingly popular and valuable, related scams are also on the rise. Since these scams utilize domain names and websites, WhoisXML API examined the registration of NFT-related domain names, fortifying our findings with WHOIS and IP intelligence. Our analysis revealed:

Gift Cards, Anyone? Watch Out for Fraud and Malware Hosts

The Federal Trade Commission (FTC) maintains a page dedicated to gift card scams1, and there’s a good reason for that. Each year, consumers who succumb to lures end up losing thousands2 instead of getting gifts for their loved ones. We found thousands of web properties through IP and DNS searches to identify IoCs and other artifacts possibly tied to gift card scams and phishing.

Log4j Vulnerability: What Do the IoCs Tell Us So Far?

A new vulnerability called “CVE-2021-44228” or “Log4Shell” was detected on 9 December 2021, alerting the cybersecurity community to possible remote code execution (RCE) attacks. WhoisXML API analyzed initial IoC lists to shed light on possible artifacts and connections. Among our findings are:

Are Mypressonline[.]com’s Free Subdomain Hosting Services Being Abused?

We were alerted to the ongoing mypressonline[.]com phishing campaign1 and sought to uncover the site’s complete domain footprint and potential evidence of hosting abuse.

Digging Up Zombie Domains: What WHOIS History Reveals about 3,800+ Verified Phishing Hosts

As phishing remains an imminent attack vector leading to costly and damaging campaigns, WhoisXML API researchers dug up the WHOIS history of 3,800+ domain names and subdomains associated with verified phishing URLs. We present our key findings and analyses in a white paper and associated threat research materials covering:

Telcos Are on Phishers’ Radar, Who Is at Risk?

The telecommunications sector has been identified by PhishLabs as phishers’ top 3 target in a November 2021 report.1 We looked at the newly registered domains (NRDs) and subdomains containing the strings “broadband,” “mobile,” and “telecom” to determine who among the 10 biggest telcos in the world are at risk of getting phished.

Locky Ransomware: Still a Threat as List of IoCs Grows

Despite its age, Locky ransomware, which first made headlines in 2016,1 is still making the rounds. We obtained 61 IP addresses connected to the threat and used these as jump-off points to uncover other web properties that users need to avoid accessing.2

Uncovering Signs of Internet Fraud with WHOIS, DNS, and IP Data

The FTC Consumer Sentinel Network1 reported US$3.5 billion in losses due to different types of fraud as of the third quarter of 2021. Clearly, fraud is an imminent threat that needs to be detected and prevented as early as possible to avoid further losses to individuals and the global economy.

Facebook Is Now Meta, Will Threat Actors Ride the Wave?

Company rebranding efforts are always a big deal, as they usually translate to expanding a known brand’s portfolio. That’s why many such events are announced during some of the world’s biggest conferences. The same could be said of Mark Zuckerberg’s introduction of Meta in Connect 2021.1

Are Banks and Their Customers Once Again at Risk of Typosquatting Woes?

Banks and other financial institutions have always been a top-of-mind attack target.1 We analyzed an ongoing cybersquatting campaign targeting U.S. Bancorp using four malicious domains and their corresponding IP resolutions that IBM X-Force Exchange identified.2

Insurance Companies Are The Target of Recent Cybersquatting Campaigns

We analyzed an ongoing cybersquatting campaign targeting MetLife, Inc., using 12 malicious domains that IBM X-Force Exchange identified.1

Are Cybersquatting Campaigns Targeting Airlines Taking Off?

Any company that serves thousands if not millions of users is considered ripe for threat actor picking. Threats and attacks often start with the simple act of typosquatting. Such was the case for an ongoing cybersquatting campaign targeting Turkish Airlines.1

IoC Report Exposing an Active WannaCry Ransomware Domain Portfolio

WannaCry ransomware made waves as part of a global cyber attack detected in 2017, which resulted in around US$4 billion1 in financial losses. The ransomware campaign targeted organizations in various industries, including the telecommunications, airline, and medical services sectors.

Exposing Thousands of Active Kaseya Ransomware C&C Domains

About 1,500 small and medium-sized businesses (SMBs)1 may have been affected by the ransomware attack targeting Kaseya, an IT solutions developer catering to managed service providers (MSPs) and enterprises. The attack, which occurred in July 2021, exploited a vulnerability in the company’s remote monitoring and management software. The threat actors behind the attack reportedly asked for US$70 million2 in exchange for a decryption tool.

Domain Squatting Analysis of the Gaming Industry: Thousands of Online Gaming-Related Web Properties

The video gaming industry is among the highest-earning entertainment sectors, outperforming1 the movie industry in the past year. It has also become a favorite of cyber attackers.

We analyzed thousands of gaming-related domains and subdomains to see how prevalent threats are in the industry. Aside from analyzing the overall e-sports sector, our analysis targeted four of the most popular gaming companies—Bandai Namco, Epic Games, Electronic Arts, and Ubisoft.

A Look at Thousands of Credential Phishing-Related Domain Names

Cofense researchers found that more than half of the millions of emails they analyzed were credential phishing emails.1 To see how prevalent these are in the domain world, we extracted domains that contain account-related text strings, such as “login,” “signin,” and “password.” When used alongside popular company names like PayPal and Amazon, these account-related text strings can make phishing emails appear more credible.

Analyzing “Brian Krebs” Typosquatting Domains to Spread Malware

Brian Krebs1, an American journalist and investigative reporter, is best known for his coverage of cybercrime & cybersecurity news—notably through his blog

Try our WhoisXML API for free
Get started