Summary:
Threat actors exploit high-profile events, such as the 2024 Summer Olympics, to launch cyberattacks, including phishing and scams. Proactive monitoring of event-related domain abuse is essential for cybersecurity teams to mitigate risks. Key metrics to watch include domain registrations, DNS traffic, and URL patterns. #CyberThreats #EventExploitation #DomainAbuse
Keypoints:
- Threat actors frequently exploit trending events for cyberattacks.
- Proactive monitoring of event-related domain abuse is crucial.
- High-profile events attract cybercriminals registering deceptive domains.
- Metrics to watch include domain registrations, textual patterns, DNS traffic, and URL traffic.
- Over 200,000 newly registered domains (NRDs) are detected daily.
- 16% of Olympic-related domains were flagged as suspicious during the event weeks.
- Attackers use keywords related to events to register deceptive domains.
- A sudden surge in DNS queries for an event-related domain, especially one registered only days earlier, is a signal that a lure has gone live and warrants investigation.
- Scams leveraging the Olympics include fake ticket sales and fraudulent investment schemes.
- Malicious gambling websites exploit Olympic-related keywords to lure victims.
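The keypoints above name the metrics to watch but not how to operationalise them. The following Python is an added example, not Unit 42's tooling: it scores newly registered domains against an event keyword lexicon (the "textual patterns" metric) and flags a per-domain DNS query spike with a z-score against a trailing baseline (the "DNS traffic" metric). The lexicon, weights, threshold, window and all sample data are assumptions chosen for illustration; the only real inputs are a few defanged domains from the IoC list below.

```python
"""Triage newly registered domains (NRDs) by event keywords and flag DNS
query spikes. Added illustration, not Unit 42's code; lexicon, weights,
thresholds and sample data are assumptions made for this example."""
from statistics import mean, pstdev

# Assumed lexicon. Event terms carry the Olympics theme; lure terms are what
# fake-ticket, fake-shop, streaming and betting pages typically add.
EVENT_TERMS = ["olympics", "olympic", "paris", "2024"]
LURE_TERMS = ["official", "athletes", "tickets", "ticket", "stream", "invest",
              "shop", "live", "bet"]
# Longest first so "olympics" is consumed before "olympic", "tickets" before "ticket".
TERMS = sorted(EVENT_TERMS + LURE_TERMS, key=len, reverse=True)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return indicator.strip().lower().replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Leftmost label with hyphens removed. Assumption: plain second-level
    domains like foo.com; no public-suffix handling for co.uk style names."""
    return refang(domain).split(".")[0].replace("-", "")


def keyword_hits(domain: str) -> list[str]:
    """Greedy longest-first substring match. Each match is blanked out so the
    same characters cannot be counted twice ("olympic" inside "olympics")."""
    label = registrable_label(domain)
    hits = []
    for term in TERMS:
        while term in label:
            hits.append(term)
            label = label.replace(term, "|", 1)
    return hits


def score_domain(domain: str) -> int:
    """2 for the first event term, +1 for each further distinct event term
    (paris + olympic + 2024 stacked together), +1 per lure term. Assumed weights."""
    hits = keyword_hits(domain)
    event = {h for h in hits if h in EVENT_TERMS}
    lures = [h for h in hits if h in LURE_TERMS]
    score = 0
    if event:
        score += 2 + (len(event) - 1)
    return score + len(lures)


def is_suspicious(domain: str, threshold: int = 4) -> bool:
    """Event theme combined with a lure, or a dense cluster of event terms,
    crosses the assumed triage threshold."""
    return score_domain(domain) >= threshold


def dns_spike(daily_queries: list[int], window: int = 7, z: float = 3.0) -> bool:
    """True when the latest day's query count sits more than z standard
    deviations above the mean of the preceding `window` days. A flat baseline
    (sd == 0) falls back to a tenfold-jump rule instead of dividing by zero."""
    if len(daily_queries) < window + 1:
        return False  # not enough history to build a baseline
    baseline = daily_queries[-window - 1:-1]
    latest = daily_queries[-1]
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:
        return latest > 10 * max(mu, 1)
    return (latest - mu) / sd > z


def triage(nrd_feed: list[str], threshold: int = 4) -> list[tuple[str, int]]:
    """Rank an NRD feed by score, highest first, keeping only suspicious names."""
    ranked = [(d, score_domain(d)) for d in nrd_feed]
    return sorted((r for r in ranked if r[1] >= threshold), key=lambda r: -r[1])


if __name__ == "__main__":
    # Constructed sample feed: IoCs from this page plus a benign-looking name.
    feed = ["parisolympicgamestickets[.]com", "2024olympics-shop[.]com",
            "climbolympic[.]com", "olympiarealestate-online[.]com",
            "example[.]com"]
    for domain, score in triage(feed):
        print(f"{score:2d}  {domain}")
    # Constructed daily query counts: a quiet week, then the lure goes live.
    print("DNS spike:", dns_spike([5, 6, 4, 5, 7, 6, 5, 180]))
```

Two caveats worth keeping in mind. A keyword scorer only surfaces names that literally contain the event terms; olympiarealestate-online[.]com scores zero here even though it appears in the IoC list, so the published indicators reflect analyst judgement and registration context, not string matching alone. And the spike check needs a baseline: for a domain registered yesterday there is no history, so the registration-age signal has to carry the weight until a week of DNS data exists.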
MITRE Techniques:
- Dynamic Resolution: Domain Generation Algorithms (T1568.002, formerly T1483): Attackers algorithmically generate many domain names so that command-and-control infrastructure can be rotated and is hard to block in advance.
- Phishing (T1566): Threat actors send deceptive emails, often themed on the event, to trick users into revealing sensitive information.
- OS Credential Dumping (T1003): Attackers harvest credentials from compromised systems to gain further unauthorized access.
- Application Layer Protocol (T1071): Command-and-control traffic blends in with standard protocols such as HTTP or DNS, spread across multiple C2 domains to maintain communication with compromised systems.
- Exploitation for Client Execution (T1203): A malicious link delivers content that exploits a vulnerability in the browser or another client application (clicking the link itself is User Execution: Malicious Link, T1204.001).
IoC:
- [domain] 2024olympicslive[.]com
- [domain] 2024parisolympicathletes[.]com
- [domain] olympicparis2024[.]com
- [domain] paris-olympics2024[.]com
- [domain] paris24olympics[.]com
- [domain] parisolympic24[.]com
- [domain] parisolympicgames2024[.]com
- [domain] parisolympicgames2024official[.]com
- [domain] parisolympicgamesevents[.]com
- [domain] parisolympicgamesofficial[.]com
- [domain] parisolympicgamestickets[.]com
- [domain] parisolympicsphotographe[.]com
- [domain] parisolympictickets[.]com
- [domain] 2024olympics-shop[.]com
- [domain] climbolympic[.]com
- [domain] allolympic[.]com
- [domain] olympiarealestate-online[.]com
Full Research: https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/