DNS-focused analysis expands the tax scam IoCs beyond Malwarebytes’ initial three domains, revealing nine email-connected domains, one malicious IP, and nine domains sharing a common string. The findings highlight ESTA-related scam vectors and a broader DNS infrastructure that could support phishing against U.S. taxpayers. #IRS #ESTA #GoogleLLC
Keypoints
- Expanded IoCs: nine email-connected domains, one malicious IP, and nine domains sharing a common string linked to the tax scam infrastructure.
- Only one IoC domain (irs-ein-gov[.]us) had a current WHOIS record; it was created on 4 March 2024 and registered under Tucows, with seemingly crafted registrant details.
- Historical data reveal 10 email addresses in WHOIS records, with 8 publicly available; reverse WHOIS surfaced nine email-connected domains after de-duplication.
- Two of the email-connected domains contained the string “esta” (ESTA), suggesting possible targeting of ESTA applicants.
- DNS lookups resolved the IoC domains to a single address, 35[.]206[.]97[.]71, geolocated to Google LLC (i.e. cloud hosting) and flagged as phishing/suspicious; a reverse IP lookup showed the address is shared with other domains, so IP-only blocking would cause collateral damage.
- A broader DNS scan found 135 string-connected domains built from tax/IRS-related terms (e.g. ‘tax + payment + irs’), 13 of which were flagged as phishing; a larger set of 1,243 domains matched the ‘tax + preparer’ pattern, hinting at a wider tax-season scam trend rather than a single campaign.
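The pivots listed above (WHOIS e-mail extraction, reverse WHOIS, DNS resolution, reverse IP and string-connected domain discovery) can be reproduced offline against a local dataset. The script below is an added illustration, not code from the original write-up or from Malwarebytes; only irs-ein-gov[.]us and 35[.]206[.]97[.]71 come from the page, and every other domain, e-mail address, resolution and threat-intel verdict is a constructed stand-in for what a WHOIS-history or passive-DNS feed would return.

```python
"""Offline IoC-expansion pivots over a constructed sample dataset (added example).

Real work would replace the three dictionaries with WHOIS-history, passive-DNS
and threat-intelligence API responses; the pivot logic stays the same.
"""
from collections import defaultdict

# --- constructed sample data (hypothetical; only the seed domain and the
# --- 35.206.97.71 address are taken from the page) ---
WHOIS_HISTORY = {  # domain -> every registrant e-mail seen across WHOIS history
    "irs-ein-gov.us": ["reg-one@example.net", "reg-one@example.net", "privacy@proxy.example"],
    "esta-online-form.example": ["reg-one@example.net"],
    "tax-refund-portal.example": ["reg-two@example.org"],
    "irs-ein-gov-apply.example": [],
    "unrelated-shop.example": ["owner@unrelated.example"],
}
DNS_A = {  # domain -> current A record
    "irs-ein-gov.us": "35.206.97.71",
    "esta-online-form.example": "35.206.97.71",
    "tax-refund-portal.example": "192.0.2.10",
    "irs-ein-gov-apply.example": "35.206.97.71",
    "unrelated-shop.example": "198.51.100.5",
}
TI_VERDICTS = {"35.206.97.71": "phishing", "tax-refund-portal.example": "phishing"}  # hypothetical


def defang(ioc: str) -> str:
    """Neutralise an indicator for safe sharing: each '.' becomes '[.]'."""
    return ioc.replace(".", "[.]")


def refang(ioc: str) -> str:
    """Undo defanging so indicators copied from a report can be looked up."""
    return ioc.replace("[.]", ".")


def registrant_emails(history, seeds):
    """Step 1: collect every e-mail that ever appeared in WHOIS for the seeds."""
    emails = set()
    for d in seeds:
        emails.update(history.get(d, []))
    return emails


def reverse_whois(history, emails, exclude):
    """Step 2: domains whose WHOIS history shares any of the e-mails (de-duplicated, seeds removed)."""
    hits = {d for d, addrs in history.items() if set(addrs) & emails}
    return sorted(hits - set(exclude))


def reverse_ip(dns, ips, exclude):
    """Step 4: other domains resolving to the same addresses (shows whether an IP is shared)."""
    return sorted({d for d, ip in dns.items() if ip in ips} - set(exclude))


def string_connected(domains, token):
    """Step 5: domains containing a distinctive string such as 'irs-ein-gov' or 'esta'."""
    return sorted(d for d in domains if token in d)


def expand(seed_iocs):
    """Run the full pivot chain and return defanged, de-duplicated results."""
    seeds = [refang(s) for s in seed_iocs]
    emails = registrant_emails(WHOIS_HISTORY, seeds)
    email_connected = reverse_whois(WHOIS_HISTORY, emails, seeds)
    # Step 3: resolve seeds and email-connected domains
    ips = {DNS_A[d] for d in seeds + email_connected if d in DNS_A}
    ip_connected = reverse_ip(DNS_A, ips, seeds + email_connected)
    token = seeds[0].split(".")[0]  # distinctive registrable label, e.g. 'irs-ein-gov'
    all_domains = set(WHOIS_HISTORY) | set(DNS_A)
    by_string = [d for d in string_connected(all_domains, token) if d not in seeds]
    candidates = ips | set(email_connected) | set(ip_connected) | set(by_string)
    flagged = sorted(i for i in candidates if i in TI_VERDICTS)  # Step 6: TI check
    return {
        "emails": sorted(emails),
        "email_connected": [defang(d) for d in email_connected],
        "esta_themed": [defang(d) for d in string_connected(email_connected, "esta")],
        "ips": sorted(defang(ip) for ip in ips),
        "ip_connected": [defang(d) for d in ip_connected],
        "string_connected": [defang(d) for d in by_string],
        "flagged": [defang(i) for i in flagged],
    }


if __name__ == "__main__":
    for key, value in expand(["irs-ein-gov[.]us"]).items():
        print(f"{key:17s} {value}")
```

Note that tax-refund-portal.example is never pulled in even though the sample feed marks it as phishing: it shares neither a registrant e-mail nor an address with the seed. That is the check an analyst wants before adding a domain to a blocklist on keyword similarity alone, which is why the page keeps the 135 keyword-matched domains separate from the nine e-mail-connected ones.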
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – Registration of IRS-lookalike domains, mapped here from current and historical WHOIS data. ‘bulk WHOIS lookup for them revealed that only one domain IoC—irs-ein-gov[.]us—had a current WHOIS record.’ The nine lookalikes found by string search fall under the same sub-technique: ‘Only one string—irs-ein-gov—appeared in other web properties, specifically nine domains.’
- [T1583.002] Acquire Infrastructure: DNS Server – DNS resolution of the IoC domains pointed to a single address. ‘DNS lookups that uncovered one IP address resolution—35[.]206[.]97[.]71.’
- [T1583.003] Acquire Infrastructure: Virtual Private Server – That address is geolocated to Google LLC, i.e. rented cloud hosting rather than attacker-owned infrastructure, and reverse IP lookup showed it is shared with other domains.
- [T1566] Phishing – Phishing is the observed use of the string-connected domains. ‘Threat Intelligence API checks for the 135 string-connected domains revealed that 13 of them were associated with various threats. All of them, in fact, were connected with phishing.’
Indicators of Compromise
- [Domain] Email-connected domains – irs-ein-gov[.]us and 8 more domains sharing registrant email addresses with it
- [IP Address] 35[.]206[.]97[.]71 – Google LLC address resolving for the IoC domains; flagged as phishing/suspicious and shared with other domains, so block by domain rather than by IP
- [Domain] Nine domains containing the string ‘irs-ein-gov’ – irs-ein-gov[.]us and 8 more
- [Email] Registrant email addresses from WHOIS history – 10 addresses in total, 8 public and 2 not disclosed
- [Domain] 135 string-connected domains containing tax/irs keywords – examples include strings like ‘tax + payment + irs’ and ‘tax + preparer’