In the past years, threat actors have made it a point to prey on U.S. taxpayers using phishing emails supposedly from the Internal Revenue Service (IRS). The goal is often to trick victims into giving their login credentials to various platforms. This year is no different.

IBM X-Force Exchange publicized indicators of compromise (IoCs) for such a campaign identified by Cofense on 10 March 2021. The scam used a spoofed sender email address and name matching those of a legitimate IRS tax representative.

Expanding the List of IoCs

Two URLs have been provided as IoCs for this threat—https[:]//quip[.]com/9IvtAsTmnGGb and

https[:]//basecet[.]com/w3ffvs/0q23he4/nriaokghnry1ky1p8r7uu0d5[.]php.

The owners of the two domains—quip[.]com and basecet[.]com—are both privacy-protected based on WHOIS API results.

Quip[.]com

Quip[.]com is an old domain, created way back in 1994. It is registered in the U.S. under Amazon Registrar, Inc. A WHOIS History Search query for the domain gave us this screenshot:

It looks to be a legitimate business website and may have been compromised to host one of the phishing pages used in the campaign. Since it is a relatively old domain owned by an enterprise, its historical WHOIS records may have contact names.

A subdomain lookup query for quip[.]com revealed 391 subdomains, 268 of which have not been updated with a fresh pDNS record this year. These subdomains could have dangling DNS records that may make them ripe for subdomain takeover.

To dig deeper, we did a reverse WHOIS search using quip[.]com’s public data points as identified in historical WHOIS records. That gave us a list of three other domains—c-quip[.]com, compotool[.]com, and novolok[.]com—that threat actors could have also considered targeting.

C-quip[.]com, based on its screenshot, seems to be a site for those looking for yacht equipment designers and manufacturers. Compotool[.]com, meanwhile, looks like a mold tooling system website. Finally, novolok[.]com is a parked domain.

A DNS lookup query for quip[.]com revealed that it resolved to three IP addresses—35[.]166[.]68[.]240, 54[.]148[.]159[.]133, and 34[.]210[.]32[.]22. While none of them is tagged malicious, they may be worth monitoring due to their connection to quip[.]com, which is a malicious domain according to VirusTotal.

Basecet[.]com

Basecet[.]com, meanwhile, is a relatively new domain created in 2020. It is registered in Panama under NameCheap, Inc. and privacy-protected by WhoisGuard, Inc.

The domain is currently unreachable, even though its registration is not set to expire until 31 August 2021. A passive DNS check via a DNS lookup API call showed it does not seem to resolve to any IP address at this time either. It has 13 subdomains, none of which have been updated with a fresh pDNS record this year.

Organizations and individuals alike who want to protect themselves from this attack can also watch out for the related domains, subdomains, and IP addresses mentioned in this post for added security. And if an email supposedly comes from the IRS, note that their domain is irs[.]gov. In your network logs, such communications would come from IP addresses that include 152[.]216[.]7[.]110 and 152[.]216[.]11[.]110.

If you are interested in the complete list of artifacts we uncovered for this post or would like to collaborate on similar research, feel free to contact us.