Don’t Trust that Tweet…or that Email from Bill Gates

Late last week, we all saw a spate of celebrity Twitter account takeovers asking for Bitcoin payments. Twitter’s security team shared an update indicating that the breach was due to a coordinated social engineering attack targeting their internal employees and systems.

Social engineering remains the primary method of targeting organizations, large and small, and right on cue, the Area 1 team saw a spate of phishing emails impersonating celebrities and requesting charity payments, much like the messages posted from the hijacked Twitter accounts.

Area 1’s security team has been tracking these campaigns and our customers are protected against them. Information about the campaign and associated TTP (hint => almost always there’s a new domain behind these rapid campaigns) is available in our latest security bulletin here.

Each day, hundreds of thousands of new domains are registered by users around the world.

Unfortunately, the simplicity of domain registration makes it simple for attackers to register fraudulent domains for use in phishing campaigns. In fact, according to ICANN, nearly 5.45% of newly registered domains per day are malicious (including phishing, botnets, and malware). This means there are 25,070 newly registered malicious domains per day on average.   

On July 16th, 2020, an email appearing to be from the Bill & Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. The email enticed potential donors by offering to double any donations received within seven days. The sender domain of the email was strikingly similar to the legitimate foundation’s domain, gatesfoundation.org.  

Aside from one letter, the malicious sender domain could easily pass for one belonging to the Gates Foundation. The attacker cleverly employed typosquatting when creating the domain name, just minutes before sending the email. Without close scrutiny, the domain’s typo is indistinguishable from the legitimate domain. The attacker also set up an SPF record for the domain in order to ensure reliable delivery of their attack. Interestingly, this phish was sent just a day after Bill Gates’ Twitter account was hacked and used to tweet a message nearly identical to this email.

Benign Domain: gatesfoundation.org
Malicious Domain: gatesfoundatlon[.]com
Malicious Domain Age: 2020-07-16 17:00:54 +0000 UTC
SPF Record: gatesfoundatlon[.]com. 1759 IN TXT "v=spf1 include:spf.privateemail.com ~all"
Bitcoin address: 18XJzrgPqYhKKeR2j4vz6wPQorK3sNuNxs

Whois Record for gatesfoundatlon[.]com

Domain name: gatesfoundatlon[.]com
Registry Domain ID: 2546450570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-07-16T17:00:54.00Z
Registrar Registration Expiration Date: 2021-07-16T17:00:54.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: [email protected]
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.ne
>>> Last update of WHOIS database: 2020-07-15T23:22:34.80Z <<<
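The three signals in the record above (a one-letter lookalike of a watched domain, a creation date minutes before the message arrived, and the EPP addPeriod status that marks a domain still inside its registration grace period) can be checked mechanically at mail-triage time. The script below is an added example written for this post, not Area 1's own detection code; it folds common confusable characters (l/1 to i, 0 to o, 5 to s, 3 to e) before computing the edit distance to a watchlist, parses the WHOIS fields quoted above from a constructed, trimmed copy, and reports the domain's age at the moment the message was seen. The watchlist, the seven-day "new domain" window, and the sample timestamp are assumptions. Note that the SPF record in the IoC list is not a trust signal: an SPF pass only says the sending server is authorized for gatesfoundatlon[.]com, which the attacker controls.

```python
"""Triage helper: flag lookalike and freshly registered sender domains."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the WHOIS fields quoted in the post.
SAMPLE_WHOIS = """\
Domain name: gatesfoundatlon.com
Creation Date: 2020-07-16T17:00:54.00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registrant Name: WhoisGuard Protected
Name Server: dns1.registrar-servers.com
"""

# Assumed watchlist: domains this organization's users expect to receive mail from.
WATCHLIST = ["gatesfoundation.org"]

# Characters attackers swap for look-alikes, folded to one canonical form
# before labels are compared (l/1 -> i, 0 -> o, 5 -> s, 3 -> e).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "3": "e"})

# Assumed policy: anything registered less than a week ago is "new".
NEW_DOMAIN_WINDOW = timedelta(days=7)


def refang(domain: str) -> str:
    """Turn defanged 'example[.]com' into 'example.com', lower-cased, no trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label ('gatesfoundatlon' from 'gatesfoundatlon.com').

    Assumption: multi-label suffixes such as co.uk are not handled; a real
    deployment would consult the Public Suffix List.
    """
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_whois(text: str) -> dict:
    """Pull the fields the triage needs out of a raw WHOIS record."""
    record = {"created": None, "statuses": [], "privacy_protected": False}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "creation date":
            # Registrar format in the post: 2020-07-16T17:00:54.00Z
            record["created"] = datetime.strptime(
                value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        elif key == "domain status":
            record["statuses"].append(value.split()[0])  # drop the EPP URL
        elif key == "registrant name" and re.search(
                r"whoisguard|privacy|proxy|redacted", value, re.I):
            record["privacy_protected"] = True
    return record


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_target(domain: str, watchlist=WATCHLIST):
    """Closest watchlisted domain whose folded label is within one edit.

    Returns (target, folded_distance), or None when the domain is not a
    lookalike or is the watchlisted domain itself. A different TLD with the
    same label (gatesfoundation.com) is also reported.
    """
    d = refang(domain)
    label = registrable_label(d).translate(CONFUSABLES)
    best = None
    for target in watchlist:
        if d == refang(target):
            return None
        dist = levenshtein(label, registrable_label(target).translate(CONFUSABLES))
        if dist <= 1 and (best is None or dist < best[1]):
            best = (target, dist)
    return best


def assess(domain: str, whois_text: str, seen_at: datetime) -> dict:
    """Combine the signals into a findings dict an analyst can act on."""
    rec = parse_whois(whois_text)
    flags, age = [], None
    if rec["created"] is not None:
        age = seen_at - rec["created"]
        if age < NEW_DOMAIN_WINDOW:
            flags.append("newly_registered")
    if "addPeriod" in rec["statuses"]:
        flags.append("add_period")  # still inside the registry's add grace period
    if rec["privacy_protected"]:
        flags.append("privacy_protected")
    target = lookalike_target(domain)
    if target:
        flags.append(f"lookalike:{target[0]}")
    hours = None if age is None else round(age.total_seconds() / 3600, 2)
    return {"domain": refang(domain), "age_hours": hours, "flags": flags}


def triage_sample() -> dict:
    """Run the triage on the post's domain; the 'seen at' time is an assumed value."""
    seen_at = datetime(2020, 7, 16, 18, 0, 54, tzinfo=timezone.utc)
    return assess("gatesfoundatlon[.]com", SAMPLE_WHOIS, seen_at)


if __name__ == "__main__":
    print(triage_sample())
```

Each flag on its own is weak (plenty of legitimate domains use WHOIS privacy, and new domains are registered by the hundred thousand every day), which is why the function returns the combination rather than a single verdict: a lookalike of a watched brand that is also hours old and still in its add period is the pattern worth routing to quarantine or to an analyst.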

Twitter Message From July 15, 2020:

Area 1 uses multiple analysis techniques that leverage insight gained from proactive web crawling and early identification of attacker campaign infrastructure, to detect and stop email from spoofed domains and accounts. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including malicious newly registered domains, that other defenses miss. 

To download a copy of our “Phishing for Philanthropy” report, click here.

