
What Cyber Threat Intelligence Tools Can Reveal about a Targeted Attack

Targeted attacks are considered insidious digital threats as they may lead to debilitating data breaches with substantial financial repercussions. Apart from money lost to theft, victims may shed even more resources as they face expensive lawsuits, hefty fines, and settlements for failing to comply with data privacy regulations in addition to reputational damage. But what most may not know is that 65% of targeted attacks begin with spear-phishing.

Indeed, spear-phishing was the beginning of an attack involving escrow[.]com. About a month ago, a hacker compromised escrow[.]com’s website by tricking an employee of GoDaddy (the domain’s registrar) into opening a spear-phishing email and taking the bait. As a result, the phisher gained entry to the accounts of several customers and changed their access settings. Among the accounts hacked was that of the transaction brokering site escrow[.]com.

According to escrow[.]com owner Matt Barrie, the attacker managed to obtain access to a private note that should have only been available to GoDaddy employees. That particular message states that any critical modification to escrow[.]com requires authorization, which can be obtained by calling a number and going through a verbal authentication, a process the hacker followed as part of the scheme. Doing so allowed the threat actor to change some of escrow[.]com’s domain settings and even deface the site’s homepage.

Based on the details published on KrebsonSecurity, we decided to expand the analysis and add more context in the aftermath of the attack using several cyber threat intelligence tools.

A Follow-Up Deep Dive into the Attack

Two IoCs stood out in the KrebsonSecurity investigation:

  • 111[.]90[.]149[.]49 – A Malaysia-based IP address to which escrow[.]com’s domain name system (DNS) records were pointed.
  • servicenow-godaddy[.]com – A domain name that can be obtained from a reverse IP/DNS lookup of 111[.]90[.]149[.]49 using a passive DNS database or a reverse IP lookup tool.

We started our follow-up analysis by running servicenow-godaddy[.]com on Threat Intelligence Platform (TIP), which indicates that the domain name is considered a malware host according to VirusTotal. It therefore remains advisable not to allow interactions with the domain from any network-connected system.

We then queried servicenow-godaddy[.]com on WHOIS Lookup to see what could be said from its WHOIS records. Overall:

  • The domain name first appeared in the DNS database on March 20, so it is considered recently registered.
  • The domain name’s WHOIS details were also heavily masked, though they still display the organization name “Shinjiru MSC Sdn Bhd” as a clue.

A quick Web search using the organization name showed two websites—www[.]shinjiru[.]com[.]my and www[.]shinjiru[.]com—both referring to a Malaysian hosting provider. Interestingly, this coincides with KrebsonSecurity’s earlier findings that the IP address, in fact, has Malaysian origins.

Another look at the IP address using IP Netblocks API corroborates this further, as the first IP range lists Shinjiru Technology as the netblock owner. The Malaysian hosting provider also appears as the abuse contact, as indicated by the email address abuse@shinjiru[.]com[.]my.

To our understanding, Shinjiru is a legitimate service provider that has been operating in Malaysia for several years now.

In light of the incident involving escrow[.]com, all findings seem to indicate that someone abused Shinjiru’s services to register servicenow-godaddy[.]com and used both the domain and the IP address 111[.]90[.]149[.]49 as part of the spear-phishing attack.

Our follow-up analysis further rules out any legitimate connection between the malicious domain and GoDaddy. After all, if the registrar wanted to register a domain name containing its own brand, it certainly wouldn’t need the help of a third-party registrar.
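The pivot described above (recent registration, a registrar brand inside the label, masked WHOIS, and a resolution into a watched netblock) can be reduced to an offline triage routine. This is an added example, not code from the article or from WhoisXML API; the brand table, the 30-day threshold, the /24 netblock, the registrant names, the benign comparison record and the analysis date are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed sample data modelled on the article's indicators. The brand table,
# the 30-day threshold, the /24 and the registrant names are assumptions.
PROTECTED_BRANDS = {"godaddy": "GoDaddy.com, LLC"}  # brand token -> expected registrant
NEW_DOMAIN_DAYS = 30
WATCHED_NETBLOCKS = [ipaddress.ip_network("111.90.149.0/24")]
TODAY = date(2020, 4, 10)  # assumed analysis date

@dataclass
class DomainRecord:
    domain: str          # name obtained from a reverse IP / passive DNS lookup
    resolved_ip: str
    created: date        # creation or first-seen date from WHOIS / passive DNS
    registrant_org: str  # organisation left visible in the WHOIS record
    privacy_masked: bool

SAMPLE_RECORDS = [
    DomainRecord("servicenow-godaddy.com", "111.90.149.49", date(2020, 3, 20), "Shinjiru MSC Sdn Bhd", True),
    DomainRecord("godaddy.com", "203.0.113.10", date(1999, 3, 2), "GoDaddy.com, LLC", False),
]

def brand_tokens(domain: str, brands=PROTECTED_BRANDS) -> list:
    """Brand names embedded in the registrable label, e.g. 'servicenow-godaddy'."""
    label = domain.lower().split(".")[0]
    return [b for b in brands if b in label]

def triage(rec: DomainRecord, today: date = TODAY) -> list:
    """Reasons a record merits follow-up; an empty list means nothing was flagged."""
    reasons = []
    age = (today - rec.created).days
    if age < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age} days ago")
    for brand in brand_tokens(rec.domain):
        if rec.registrant_org != PROTECTED_BRANDS[brand]:
            reasons.append(f"label contains '{brand}' but registrant is '{rec.registrant_org}'")
    if rec.privacy_masked:
        reasons.append("WHOIS details masked")
    ip = ipaddress.ip_address(rec.resolved_ip)
    for net in WATCHED_NETBLOCKS:
        if ip in net:
            reasons.append(f"resolves into watched netblock {net}")
    return reasons

def run_samples(today: date = TODAY) -> dict:
    """Triage every sample record, keyed by domain name."""
    return {r.domain: triage(r, today) for r in SAMPLE_RECORDS}
```

Fed real WHOIS and passive DNS output, the same checks turn the manual pivot into a repeatable filter for newly seen domains that borrow a registrar's brand.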

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
