Keypoints
- One finance worker was tricked into a $25 million payout via a deepfake impersonation of their CFO.
- Palo Alto Networks Unit 42 identified 416 domain names tied to deepfake scams used in the analysis.
- WhoisXML API's follow-up analysis found 1,070 registrant-connected domains, six email-connected domains, and 3,056 string-connected domains after filtering.
- The investigation enumerated 316 IP addresses (285 flagged malicious) and 515 IP-connected domains linked to the activity.
- A bulk WHOIS lookup showed only 241 of the 416 domain IoCs had current WHOIS records; many domains were registered in 2023, indicating recent proliferation.
MITRE Techniques
- [T1071] Impersonation – Deepfake technology was used to impersonate an executive in a video call, enabling fraud (‘was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company’s chief financial officer’).
- [T1483] Domain Generation Algorithms – A network of malicious domains was leveraged to support deepfake scams and infrastructure (‘uncovered 416 domain names that played a part in them’).
- [T1003] Credential Dumping – Attackers targeted organizations to harvest credentials that are then used for impersonation in deepfake scenarios (‘targets organizations to harvest credentials for impersonation in deepfake scenarios’).
Indicators of Compromise
- [Domains] research-identified domain IoCs – examples: unit42.paloaltonetworks.com, main.whoisxmlapi.com, and 414 additional domain IoCs reported.
- [IP addresses] infrastructure IPs – 316 IPs associated with the investigation (285 flagged malicious); article lists counts but no specific IP strings.
- [Email addresses] WHOIS-derived emails – 32 email addresses extracted from WHOIS history (10 public addresses used to find email-connected domains); specific addresses not published in the article.
- [Registrant/Registrar names] registration metadata used for linkage – examples: Dynadot, Inc.; Sav.com LLC; Namecheap, Inc. (used to map registrant-connected domains).
The technical investigation began with a bulk WHOIS lookup of the 416 domains identified in Unit 42’s report. That lookup found only 241 domains with current WHOIS records and produced metadata used to map registrar distribution (led by Dynadot, Sav.com, and Namecheap), domain creation dates (171 domains created in 2023), and country of registration (U.S., Iceland, Ukraine, etc.). The WHOIS results and timelines established a baseline for which domains were active and which had historical records worth pursuing.
Using the three public registrant organization names found in current WHOIS records, investigators ran Reverse WHOIS searches (with exact-match and historical features) to discover registrant-connected domains, yielding 1,070 additional domains after filtering duplicates and known IoCs. WHOIS History API queries on the 241 domains returned 32 historical email addresses; after deduplication and screening (removing likely domainer emails), researchers identified six email-connected domains tied to the set. These steps show a layered approach: start from known IoCs, expand via registrant and email linkages, then filter for relevance.
Parallel enrichment covered network and string-based linkages: lookups uncovered 316 IP addresses (285 flagged malicious), 515 IP-connected domains, and 3,056 string-connected domains (12 of which appeared malicious). The methodology—bulk WHOIS, WHOIS history, reverse WHOIS by registrant and email, plus IP/domain linkage—provides a repeatable process to expand and triage IoCs from an initial seed list and prioritize artifacts for further investigation or takedown efforts.
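The layered expansion described above (bulk WHOIS, registrant pivot, WHOIS-history email pivot with domainer screening, dedup against known IoCs) as an added worked example; this is not code from the article or from WhoisXML API. The `.test` domains, registrant orgs, emails and the `DOMAINER_MARKERS` screen are all constructed sample data, and the in-memory dicts stand in for the Bulk WHOIS, Reverse WHOIS and WHOIS History lookups.

```python
from collections import Counter

# Constructed sample data, not real WHOIS output. Current record per domain (None = no record).
WHOIS = {
    "fake-cfo-call.test":     {"registrar": "Dynadot, Inc.", "org": "Shadow Media Ltd", "created": 2023},
    "exec-video-meet.test":   {"registrar": "Sav.com LLC", "org": "Shadow Media Ltd", "created": 2023},
    "deepvoice-payroll.test": {"registrar": "Namecheap, Inc.", "org": "REDACTED FOR PRIVACY", "created": 2022},
    "expired-seed.test":      None,
    "shadow-invoice.test":    {"registrar": "Dynadot, Inc.", "org": "Shadow Media Ltd", "created": 2023},
    "shadow-wire.test":       {"registrar": "Namecheap, Inc.", "org": "Shadow Media Ltd", "created": 2024},
    "bulk-parked-01.test":    {"registrar": "Dynadot, Inc.", "org": "Domain Broker Co", "created": 2019},
}
SEEDS = ["fake-cfo-call.test", "exec-video-meet.test", "deepvoice-payroll.test", "expired-seed.test"]
# Constructed WHOIS history (domain -> past registrant emails) and its reverse index (email -> domains).
HISTORY = {"fake-cfo-call.test": ["ops@shadowmedia.test", "sales@domainbroker.test"],
           "exec-video-meet.test": ["ops@shadowmedia.test"]}
EMAIL_INDEX = {"ops@shadowmedia.test": ["fake-cfo-call.test", "shadow-wire.test", "shadow-ledger.test"],
               "sales@domainbroker.test": ["bulk-parked-01.test", "bulk-parked-02.test"]}
DOMAINER_MARKERS = ("broker", "sales")  # hypothetical screen for bulk-reseller (domainer) addresses

def bulk_whois(seeds, whois):
    """Step 1: which seeds still have a current record, plus registrar and creation-year counts."""
    found = {d: whois[d] for d in seeds if whois.get(d)}
    return found, Counter(r["registrar"] for r in found.values()), Counter(r["created"] for r in found.values())

def registrant_pivot(found, whois, known):
    """Step 2: exact-match reverse WHOIS on public registrant orgs; skip redacted orgs and known IoCs."""
    orgs = {r["org"] for r in found.values() if "PRIVACY" not in r["org"].upper()}
    return sorted(d for d, r in whois.items() if r and r["org"] in orgs and d not in known)

def email_pivot(found, history, index, known, markers):
    """Step 3: collect historical emails, dedupe, drop likely domainer addresses, reverse to domains."""
    emails = {e for d in found for e in history.get(d, [])}
    kept = {e for e in emails if not any(m in e for m in markers)}
    return sorted({d for e in kept for d in index.get(e, []) if d not in known})

def expand_iocs(seeds, whois=WHOIS, history=HISTORY, index=EMAIL_INDEX, markers=DOMAINER_MARKERS):
    """Run the layered expansion; each new domain is credited to the first pivot that surfaced it."""
    found, registrars, created = bulk_whois(seeds, whois)
    known = set(seeds)
    reg = registrant_pivot(found, whois, known)
    known |= set(reg)  # registrant-connected hits must not be counted again by the email pivot
    em = email_pivot(found, history, index, known, markers)
    return {"with_record": sorted(found), "registrars": registrars, "created": created,
            "registrant_connected": reg, "email_connected": em}

if __name__ == "__main__":
    for step, result in expand_iocs(SEEDS).items():
        print(f"{step}: {result}")
```

The output lists each pivot's new domains separately so a triage queue can prioritize registrant-connected hits (strongest linkage) over email-connected ones, and the domainer screen keeps the broker's parked domains out of both.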
Read more: https://circleid.com/posts/20241104-investigating-the-proliferation-of-deepfake-scams