This blog originally appeared in July 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022.
Each day, hundreds of thousands of new domains are registered by users around the world. Unfortunately, the ease of domain registration also makes it easy for attackers to register fraudulent domains for use in phishing campaigns. In fact, according to ICANN, nearly 5.45% of newly registered domains per day are malicious (including phishing, botnets, and malware). This means there are 25,070 newly registered malicious domains per day on average.
On July 16th, 2020, an email appearing to be from the Bill & Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. The email enticed potential donors by offering to double any donations received within seven days. The sender domain of the email was strikingly similar to the legitimate foundation’s domain, gatesfoundation.org.
Aside from one letter, the malicious sender domain could easily pass for one belonging to the Gates Foundation. The attacker cleverly employed typosquatting when creating the domain name, just minutes before sending the email. Without close scrutiny, the domain’s typo is indistinguishable from the legitimate domain. The attacker also set up an SPF record for the domain in order to ensure reliable delivery of their attack. Interestingly, this phish was sent just a day after Bill Gates’ Twitter account was hacked and used to tweet a message nearly identical to this email.
Benign Domain: gatesfoundation.org
Malicious Domain: gatesfoundatlon[.]com
Malicious Domain Age (creation time): 2020-07-16 17:00:54 +0000 UTC
SPF Record: gatesfoundatlon[.]com. 1759 IN TXT "v=spf1 include:spf.privateemail.com ~all"
Bitcoin address: 18XJzrgPqYhKKeR2j4vz6wPQorK3sNuNxs
Whois Record for gatesfoundatlon[.]com
Domain name: gatesfoundatlon[.]com
Registry Domain ID: 2546450570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-07-16T17:00:54.00Z
Registrar Registration Expiration Date: 2021-07-16T17:00:54.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [email protected]
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-07-15T23:22:34.80Z <<<
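The two signals the post relies on, a sender domain that is one confusable character away from a protected brand and a WHOIS creation date minutes before the message, can both be checked mechanically at mail-filtering time. The following is an added example written for this post, not Area 1's detection code; it assumes a short in-house list of protected domains, a 30-day "newly registered" threshold, and an observation timestamp for the message (the post only says the domain was registered minutes earlier, so the 17:45 UTC value is constructed). The WHOIS excerpt is built from the fields shown above.

```python
"""Lookalike-domain and domain-age checks for an inbound sender domain."""
import re
from datetime import datetime, timezone

# Domains this organisation wants protected from imitation (assumed list).
PROTECTED = ["gatesfoundation.org"]

# Visually confusable substitutions. Multi-character ones run first so that
# "rn" collapses to "m" before single-letter swaps (l/1 -> i, 0 -> o, 5 -> s).
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

# Constructed WHOIS excerpt using the creation date from the record above.
SAMPLE_WHOIS = (
    "Domain name: gatesfoundatlon.com\n"
    "Creation Date: 2020-07-16T17:00:54.00Z\n"
    "Registrar: NAMECHEAP INC\n"
)
# Assumed time the message was observed; the post gives no exact send time.
OBSERVED_AT = datetime(2020, 7, 16, 17, 45, 0, tzinfo=timezone.utc)


def registrable_label(domain: str) -> str:
    """Label left of the TLD, with defanged '[.]' restored.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    host = domain.lower().replace("[.]", ".").strip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label: str) -> str:
    """Collapse confusable characters so lookalikes compare equal."""
    for src, dst in MULTI:
        label = label.replace(src, dst)
    return label.translate(SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character typos the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, protected=PROTECTED):
    """Return the protected domain the sender imitates, or None.
    The TLD is deliberately ignored: gatesfoundatlon.com imitates a .org."""
    host = sender_domain.lower().replace("[.]", ".")
    if host in (p.lower() for p in protected):
        return None  # exact match is the genuine domain
    label = registrable_label(host)
    for p in protected:
        plabel = registrable_label(p)
        if skeleton(label) == skeleton(plabel) or levenshtein(label, plabel) <= 1:
            return p
    return None


CREATED_RE = re.compile(r"Creation Date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def whois_creation(record_text: str):
    """Parse the registrar's Creation Date line into an aware UTC datetime."""
    m = CREATED_RE.search(record_text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def domain_age_seconds(record_text: str, observed_at: datetime):
    created = whois_creation(record_text)
    return None if created is None else (observed_at - created).total_seconds()


def assess(sender_domain: str, record_text: str, observed_at: datetime, max_age_days: int = 30):
    """Return the list of reasons to hold the message; empty means no finding."""
    reasons = []
    target = lookalike_of(sender_domain)
    if target:
        reasons.append(f"lookalike of {target}")
    age = domain_age_seconds(record_text, observed_at)
    if age is not None and age < max_age_days * 86400:
        reasons.append(f"registered {age / 3600:.1f}h before message")
    return reasons


if __name__ == "__main__":
    for reason in assess("gatesfoundatlon[.]com", SAMPLE_WHOIS, OBSERVED_AT):
        print(reason)
```

Note that the presence of an SPF record, as in this campaign, says nothing about either signal: SPF only proves the sending host is authorised for the lookalike domain, which the attacker controls. The age check is the stronger of the two in practice, since a brand list can never be complete, whereas a sender domain created within the last hour is anomalous for almost any legitimate correspondent.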
Twitter Message From July 15, 2020:
Area 1 uses multiple analysis techniques that leverage insight gained from proactive web crawling and early identification of attacker campaign infrastructure to detect and stop email from spoofed domains and accounts. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including those using malicious newly registered domains, that other defenses miss.