<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p style="font-weight: bold;">Update (August 17):&nbsp;</p> <p style="font-weight: normal;">While reading our new post, one of our coworkers recognized that their wife had just gotten a smishing text from this campaign the day before! The text body is:<br><em>"EDD- Your account is pending review after an attempt at FOOTLOCKER, CO, CA. If this was not you, verify at <span style="font-weight: bold;">https://my-eddprotection643.duckdns[.]org</span> to block. If this was you please ignore this message"</em></p> <p style="font-weight: bold;"><img src="https://www.threatstop.com/hubfs/duckdns_smish.jpg" alt="duckdns_smish" width="464" loading="lazy" style="width: 464px;"></p> <p style="font-weight: bold;">Original Post:</p> <p>Though most of our indicator of compromise database is powered by hundreds of automated threat intelligence feed sources, last week our team discovered a phishing campaign through... a blog post? Yep, that's right. While sifting through searches that led hundreds of readers to one of our <a href="/blog/duckdns-malicious-typosquats" rel="noopener" target="_blank">most popular blog posts</a> last month, a ThreatSTOP analyst came across many web searches for what seems to be text from a <a href="/blog/preventing-phishing-smishing-and-vishing" rel="noopener" target="_blank">smishing</a> SMS message:</p> <!--more--> <p><em>"εdd- your primary one-time transfer account has been updated, if this was not you visit <span style="font-weight: bold;">https://protection-eddhelpcenter538.duckdns[.]org/</span> to cancel this update. 
if this was you, please ignore this message."</em></p> <p>While the text body is the same in every message, the DuckDNS subdomain changes.</p> <p><img src="https://www.threatstop.com/hubfs/duckdns_phishing.png" alt="duckdns_phishing" width="1584" loading="lazy" style="width: 1584px;"></p> <p style="font-size: 12px;"><em>Image: Hubspot</em></p> <p>The domains seen in the search queries that led readers to our blog are:</p> <ul> <li>protection-eddhelpcenter538.duckdns[.]org (34.85.242[.]103)</li> <li>safe-eddcenter9209.duckdns[.]org (34.85.242[.]103)</li> <li>center-eddprotect3320.duckdns[.]org (34.85.242[.]103)</li> <li>center-eddprepaid792.duckdns[.]org (186.2.166[.]143)</li> </ul> <p>Looking into these domains, our team found that the subdomains are generated algorithmically, DGA-style: a security-themed word, the impersonated brand ("edd", sometimes written "e-d-d") and a numeric suffix that changes from one message to the next. Since the message is trying to trick victims into investigating a supposed fund transfer, and since duckdns.org on its own is not a convincing parent domain, the subdomains lean on a variety of security-related words - protection, safe, help, secure and more.</p> <p>The domains seen in our lists were hosted on two distinct IPs:</p> <ul> <li>34.85.242[.]103</li> <li>186.2.166[.]143</li> </ul> <p>Their resolution history (passive DNS) shows that they have been used in this campaign for some time. Although they appear to have been missed by security vendors (at the time of writing, no vendor flags them on VirusTotal), these IPs should not be communicated with.</p> <p><img src="https://www.threatstop.com/hubfs/duckdns_vt.png" alt="duckdns_vt" width="1256" loading="lazy" style="width: 1256px;"></p> <p>Phishing and smishing attacks can be hard to detect: practiced threat actors slip them into inboxes using language and imagery meant to avoid detection and get us to click and interact with them. ThreatSTOP provides users with automated threat protection for hundreds of threat types, including these hard-to-detect phishing campaigns. 
Our system also aggregates active DGA lists from multiple sources into our indicator of compromise DB and operational blocklists. The result? Automated proactive protection against these, and other, modern and sophisticated attacks.</p> <div> <p>Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?</p> </div> <p>Here's the full domain list from ThreatSTOP's analysis:</p> <p>center-eddprepaid792.duckdns[.]org<br>center-eddprotect3320.duckdns[.]org<br>citi-helpsecure00.duckdns[.]org<br>cpanel.protect-eddcenter9573.duckdns[.]org<br>cpanel.protection-eddhelpcenter538.duckdns[.]org<br>cpanel.safe-eddcenter9209.duckdns[.]org<br>cpcalendars.protect-eddcenter9573.duckdns[.]org<br>cpcalendars.safe-eddcenter9209.duckdns[.]org<br>cpcontacts.protect-eddcenter9573.duckdns[.]org<br>cpcontacts.safe-eddcenter9209.duckdns[.]org<br>e-d-d-safety009.duckdns[.]org<br>e-d-d-safety022.duckdns[.]org<br>e-d-d-safety090.duckdns[.]org<br>help-centeredd312.duckdns[.]org<br>help-citicenter032.duckdns[.]org<br>help-safetyeddsupport9568.duckdns[.]org<br>mail.protect-eddcenter9573.duckdns[.]org<br>mail.protection-eddhelpcenter538.duckdns[.]org<br>mail.safe-eddcenter9209.duckdns[.]org<br>manage-eddsecure54.duckdns[.]org<br>my-eddprotection643.duckdns[.]org<br>protect-eddcenter9573.duckdns[.]org<br>protect-eddcentersupport452.duckdns[.]org<br>protection-centeredd479.duckdns[.]org<br>protection-eddcenter9409.duckdns[.]org<br>protection-eddhelpcenter538.duckdns[.]org<br>safe-e-d-d-center001.duckdns[.]org<br>safe-e-d-d-center0253.duckdns[.]org<br>safe-e-d-d-center042.duckdns[.]org<br>safe-e-d-d-center079.duckdns[.]org<br>safe-e-d-d-center9485.duckdns[.]org<br>safe-edd-center032.duckdns[.]org<br>safe-eddcenter9209.duckdns[.]org<br>safe-processoredd939.duckdns[.]org<br>support-eddprepaid336.duckdns[.]org<br>support-eddsecurity870.duckdns[.]org<br>support-prepaidedd4432.duckdns[.]org<br>webdisk.protect-eddcenter9573.duckdns[.]org<br>webdisk.protection-eddhelpcenter538.duckdns[.]org<br>webdisk.safe-eddcenter9209.duckdns[.]org<br>webmail.protect-eddcenter9573.duckdns[.]org<br>webmail.protection-eddhelpcenter538.duckdns[.]org<br>webmail.safe-eddcenter9209.duckdns[.]org<br>www.protect-eddcenter9573.duckdns[.]org<br>www.protection-eddhelpcenter538.duckdns[.]org<br>www.safe-eddcenter9209.duckdns[.]org</p></span>
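<p>The naming pattern described above (a lure word, the "edd" / "e-d-d" / "citi" brand token and a rotating numeric suffix) and the service records in the list (cpanel., cpcalendars., cpcontacts., mail., webdisk., webmail. and www. are the records cPanel creates automatically for every hosted account, which suggests the kits sat on cPanel hosting) lend themselves to a simple triage heuristic. The following Python is an added example written for this article, not ThreatSTOP's code: it collapses the cPanel variants onto the account's base DuckDNS label and flags a label only when all three traits are present. The lure-word list, the brand regex and the benign sample hostnames are assumptions constructed for illustration; the flagged hostnames are taken from the list above.</p>

```python
"""Heuristic triage of EDD-themed DuckDNS smishing hostnames.

Added example, not ThreatSTOP's code. Word lists and benign samples are
assumptions made for illustration; flagged hostnames come from the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# cPanel auto-creates these service records for every hosted account; several
# of them appear in the campaign list. They are noise for triage, so we
# collapse them onto the account's base DuckDNS label.
CPANEL_PREFIXES = frozenset(
    {"cpanel", "cpcalendars", "cpcontacts", "mail", "webdisk", "webmail", "www"}
)

# Lure vocabulary (stems) drawn from the observed labels. Assumption: this is
# the vocabulary of this campaign, not a general phishing dictionary.
LURE_WORDS: Tuple[str, ...] = (
    "protect", "safe", "secur", "help", "support", "center",
    "prepaid", "processor", "manage",
)

# Impersonated brands seen in the list: EDD (also spelled e-d-d) and Citi.
BRAND_RE = re.compile(r"e-?d-?d|citi")
# Numeric suffix that rotates between messages (538, 9209, 001, ...).
NUMERIC_SUFFIX_RE = re.compile(r"\d{2,}$")


def duckdns_base_label(hostname: str) -> Optional[str]:
    """Return the DuckDNS account label of hostname, or None if not *.duckdns.org.

    Accepts defanged '[.]' notation as used in threat reports, tolerates a
    trailing dot, and strips cPanel service prefixes (cpanel.X.duckdns.org -> X).
    """
    labels = hostname.strip().lower().replace("[.]", ".").rstrip(".").split(".")
    if len(labels) < 3 or labels[-2:] != ["duckdns", "org"]:
        return None
    account = labels[:-2]
    while len(account) > 1 and account[0] in CPANEL_PREFIXES:
        account = account[1:]
    # DuckDNS hands out a single label; the one nearest the apex is the account.
    return account[-1]


def assess(hostname: str) -> Tuple[bool, Optional[str], List[str]]:
    """Classify one hostname; returns (suspicious, base_label, reasons).

    A label is flagged only when all three campaign traits are present. The
    brand token alone is never sufficient: it would also match benign labels
    such as 'eddie-photos'.
    """
    base = duckdns_base_label(hostname)
    if base is None:
        return False, None, ["not a duckdns.org hostname"]
    reasons: List[str] = []
    if BRAND_RE.search(base):
        reasons.append("impersonated brand token (edd / e-d-d / citi)")
    lures = [w for w in LURE_WORDS if w in base]
    if lures:
        reasons.append("lure vocabulary: " + ", ".join(lures))
    if NUMERIC_SUFFIX_RE.search(base):
        reasons.append("rotating numeric suffix")
    return len(reasons) == 3, base, reasons


def triage(hostnames: List[str]) -> Dict[str, List[str]]:
    """Group flagged hostnames by base label so cPanel variants collapse to one entry."""
    grouped: Dict[str, List[str]] = {}
    for host in hostnames:
        suspicious, base, _ = assess(host)
        if suspicious and base is not None:
            grouped.setdefault(base, []).append(host)
    return grouped


# Constructed sample input: hostnames from the post's list (defanged) plus
# benign DuckDNS names made up for this example.
SAMPLE_HOSTNAMES = [
    "protection-eddhelpcenter538.duckdns[.]org",
    "cpanel.protection-eddhelpcenter538.duckdns[.]org",
    "webmail.protection-eddhelpcenter538.duckdns[.]org",
    "safe-e-d-d-center001.duckdns[.]org",
    "citi-helpsecure00.duckdns[.]org",
    "my-eddprotection643.duckdns[.]org",
    "eddie-photos.duckdns.org",   # benign (assumed): brand-like token, no lure, no suffix
    "homelab-nas.duckdns.org",    # benign (assumed)
    "login.example.com",          # not DuckDNS at all
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        flagged, base, why = assess(host)
        print(f"{'FLAG' if flagged else 'ok  '} {host:50} {'; '.join(why)}")
    print("unique flagged labels:", sorted(triage(SAMPLE_HOSTNAMES)))
```

<p>Treat the output as a hunting lead rather than an automatic block decision: a substring heuristic like this will still flag a label such as "freddy-support-center22", so review the grouped labels before feeding them into a blocklist, and block the resolved IPs only after checking passive DNS for unrelated tenants on the same address.</p>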