This article summarizes an analysis of spam (smishing) messages sent to Australian users demanding payment of fictitious tolls. Pivoting on passive DNS data, the investigation uncovered 226 domains impersonating the EastLink toll service and other toll-related entities, all used as social-engineering lures.

Affected: Australian users, EastLink toll service

Key points:
- Analysis of spam messages aimed at Australian users regarding fictitious toll payments.
- Passive DNS analysis was employed to investigate a suspicious domain linked to spam.
- The identified domain was east.tollsvau[.]info, which targeted Australian toll service users.
- 226 unique domains were discovered, impersonating the EastLink toll service.
- Two unique IP addresses were primarily associated with the spam domains: 185.106.96[.]184 and 91.92.251[.]193.
- A bulk analysis was performed to uncover additional related toll-themed domains.
- Lookalike searches were used to identify further suspicious domains that follow the same naming conventions, including ones hosted on infrastructure the IP pivot did not reach.
- The research highlighted the importance of identifying patterns and infrastructure related to phishing campaigns.
MITRE Techniques:
- Phishing (T1566): Utilized social engineering in spam messages to trick users into clicking links.
- Domain Generation Algorithms (T1483): Created multiple domains to support phishing campaigns.
- Remote System Discovery (T1018): Resolved IP addresses to identify associated malicious domains.
Indicators of Compromise:
- [IP Address] 185.106.96[.]184
- [IP Address] 91.92.251[.]193
- [IP Address] 45.82.244[.]205
- [Domain] east.tollsvau[.]info
- [Domain] link.eastlinkau[.]click
Full Story: https://www.validin.com/blog/revealing-spammer-infrastructure-with-passive-dns-au-toll-smishing/