Home / Industry

Expanding the List of Artifacts for the Recent JPMorgan Chase Squatting Campaign

On 13 March, IBM X-Force Exchange published nine artifacts — three domain names and six IP addresses — related to a squatting campaign targeting JPMorgan Chase and its stakeholders. We dug deeper into the list in hopes of publicizing additional artifacts that users may need to be wary of.

IoC List Expansion

We obtained a list of 79 domains that resolved to two of the IP addresses on IBM's list — 192[.]64[.]119[.]61 (resolved to chaselocked23[.]com)

and 192[.]64[.]119[.]166 (resolved to secure07o-chase[.]com) via reverse IP/DNS searches. We compared the WHOIS record details of these domains with those of the two on IBM's list aided by Bulk WHOIS Lookup. The chart below shows their similarities.

A total of 52 domains shared the two IoCs' registrant country and privacy protection service provider. Only one domain name shared the year the IoCs were created but 11 were updated the same year the IoCs were. Finally, 65 domains shared the same registrar as the two IoCs.

Of the 79 domains identified with the help of passive Domain Name System (pDNS) and WHOIS data, seven each were registered in the U.S. and Canada, while the registrant countries of the remaining 13 were undisclosed.

While a majority of the 79 domains shared the same privacy protection service provider (WhoisGuard, Inc.) with the IoCs, seven were under Contact Privacy, Inc., two had a publicly viewable registrant name or organization, while the remaining 18 did not include their providers, if any.

Of the 79 domains, only one shared the IoCs' creation year. The rest were spread across years between 2006 and 2020. A total of 22 domains were created in 2020; 16 in 2019; 10 in 2018; eight in 2014; three each in 2017 and 2015; two in 2016; and one each in 2013, 2012, 2011, 2007, 2006, and 2001. The remaining eight domains' creation years were undisclosed.

While only 11 of the 79 domains shared the IoCs' update year (2021), they had one more thing in common with the campaign identifiers. A majority (42 domains) were updated in 2020, two in 2019, and three in 2018. The remaining 21 domains did not disclose their update dates.

As a final step to expanding the list of published IoCs, we consulted typosquatting data feeds for January and February 2021 since the campaign used newly registered domains (NRDs), a common threat actor tactic to evade detection, blocking, and identification. We wanted to see how many more JPMorgan Chase domain look-alikes were bulk-registered and could figure in future similar attacks.

A search for the string "chase" in the January enriched data feed led us to a total of 69 bulk-registered domains. Of these, only 12 are publicly attributable to JPMorgan Chase. The rest were spread across various privacy-protection service providers, including WhoisGuard, Inc. (8) and Contact Privacy, Inc., PrivacyGuardian.org, and Whoisprotect.cc (4 each). The remaining 37 left their registrants undisclosed.

For the month of February, we saw 140 domains, none of which are publicly attributable to JPMorgan Chase. They were spread across eight privacy-protection service providers, namely, 1&1 Internet Limited (23 domains); Whoisprotection.cc (19); Contact Privacy, Inc. (16); WhoisGuard, Inc. (9); Domain Euy (6); Private by Design LLC (5); and Whois Privacy Service (1). Two publicly disclosed their registrants, while the remaining 59 did not disclose their registrants.


It is common practice for domain squatters and threat actors to prey on big brands and reputable institutions for their gain. Looking at typosquatting data feeds and WHOIS and pDNS records can be good starting points to identify domains warranting further investigation.

If you are interested in the complete list of artifacts we uncovered for this post or would like to collaborate on similar research, feel free to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO

Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign