
Given a Malicious Email Address, What Can You Discover with Maltego's WhoisXML API Transforms?

Thanks to Dancho Danchev, WhoisXML API's DNS Threat Researcher, for the original investigations available here, which led to the creation of this post.

On any given day, most of us receive more emails that we won't read than ones we will. Many of these messages simply stay unread and end up in the trash. Then there is a third category: emails we wish we hadn't read and acted upon, because they turn out to be malicious, sent by cybercriminals trying to lure us into one of their scams.

We encountered a couple of email addresses that belonged or were connected to known cybercriminals. Using them as pivot points in Maltego with the WhoisXML API transforms, we expanded the digital footprints of the perpetrators.

Data Set

Hundreds of email addresses confirmed as belonging to cybercriminals and money mule recruiters were gathered. Six of them, listed below, had their footprints (connected domains and IP addresses) expanded via Maltego with the WhoisXML API transforms.

Discoveries Using Maltego with WhoisXML API Transforms

Each of the six email addresses in our data set was fed to the Maltego-WhoisXML API transforms to determine connected domains and IP addresses, if any. Using the Historical Reverse WHOIS Search transform, we found that the email addresses were connected to a total of 22 domains. Maltego graphs showed the connections found for each of the following addresses:

  • [email protected][.]com
  • silver[.][email protected][.]com
  • [email protected][.]co[.]uk
  • [email protected][.]com
  • shwark[.]power[.][email protected][.]com
  • [email protected][.]com

Given that the email addresses are confirmed malicious, organizations and individuals would do well to avoid accessing the domains connected to them as well.

Three of these connected domains, in fact, were dubbed "suspicious" on VirusTotal, namely, account-mail-yahoo[.]com, mail-yahoo[.]info, and open-mail-yahoo[.]com. Eight, meanwhile, were reported "malicious." These are accounts-mail-yahoo[.]com, magicsystem[.]info, mg6-mail-yahoo[.]com, priv8darkshop[.]com, silver-root[.]com, supervpn[.]net, supervpn[.]us, and www--mail-yahoo[.]com. Including these 11 suspicious and malicious domains in blocklists is highly recommended, as accessing them can result in spamming, phishing, and malware infection.

Using the 22 domains obtained as Maltego search terms, we uncovered another 43 domains that differ only in their top-level domain (TLD) extension.

Since they share similarities with the domains connected to the malicious email addresses, users may want to avoid accessing them as well, or at least do so carefully. We obtained these domains using the Maltego-WhoisXML API Find Other TLDs transform.

Running DNS lookups for the 77 domains gave us a list of 34 unique IP addresses. Some of the domains shared hosts, while others did not resolve to any IP address. It may be worth watching for communications with these addresses in your network logs, as they may be connected to malicious activity or threat actors.
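The pivot chain described in the last few paragraphs (email address to domains via reverse WHOIS, domains to same-name siblings under other TLDs, domains to IP addresses via DNS) can be modelled offline. The following is an added example written for this post, not WhoisXML API or Maltego code; the WHOIS records, domain universe and DNS table are constructed sample data, and the function names are hypothetical.

```python
"""Offline model of the footprint-expansion pivot: reverse WHOIS -> other TLDs -> DNS.
Every record below is constructed sample data, not a real WHOIS or DNS result."""
from collections import defaultdict

# Constructed "historical WHOIS" index: registrant e-mail -> domains registered with it.
WHOIS_RECORDS = {
    "seed@example.com": ["magicsystem.info", "supervpn.net"],
    "other@example.com": ["unrelated.org"],
}
# Constructed universe of known domains (stands in for the Find Other TLDs transform).
KNOWN_DOMAINS = ["magicsystem.at", "magicsystem.com", "supervpn.biz",
                 "supervpn.cc", "unrelated.net", "magicsystem.info"]
# Constructed A-record table (documentation ranges); a domain missing here does not resolve.
DNS_TABLE = {
    "magicsystem.info": "198.51.100.10",
    "magicsystem.at": "198.51.100.10",   # shares a host with magicsystem.info
    "supervpn.net": "203.0.113.7",
    "supervpn.biz": "203.0.113.8",
}

def reverse_whois(email):
    """Historical reverse WHOIS pivot: all domains registered with this address."""
    return sorted(WHOIS_RECORDS.get(email, []))

def label(domain):
    # Simplification (assumption): the registrable label is the first DNS label.
    return domain.split(".", 1)[0]

def find_other_tlds(domains):
    """Same-label domains under other TLDs, excluding the seeds themselves."""
    labels = {label(d) for d in domains}
    return sorted(d for d in KNOWN_DOMAINS if label(d) in labels and d not in domains)

def expand_footprint(email):
    """Run the full pivot chain and group the resolved domains by hosting IP."""
    seeds = reverse_whois(email)
    siblings = find_other_tlds(seeds)
    hosts, unresolved = defaultdict(list), []
    for d in seeds + siblings:
        ip = DNS_TABLE.get(d)
        (hosts[ip].append(d) if ip else unresolved.append(d))
    return {"seeds": seeds, "siblings": siblings,
            "ips": dict(hosts), "unresolved": unresolved}

def shared_hosts(result):
    """IPs that host more than one of the expanded domains (worth extra scrutiny)."""
    return sorted(ip for ip, ds in result["ips"].items() if len(ds) > 1)

if __name__ == "__main__":
    r = expand_footprint("seed@example.com")
    print(len(r["seeds"] + r["siblings"]), "domains,", len(r["ips"]), "unique IPs,",
          "unresolved:", r["unresolved"], "shared hosts:", shared_hosts(r))
```

In a live investigation the three constructed tables are replaced by the Historical Reverse WHOIS Search transform, the Find Other TLDs transform and actual DNS lookups; the grouping and the unresolved-domain bookkeeping stay the same.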

Blocking communications to and from devices using the 12 malicious IP addresses on our list is highly advised.

These IP addresses have been cited for malicious activity, primarily phishing and malware hosting, on VirusTotal.


Expanding lists of indicators of compromise (IoCs), such as the threat-connected email addresses we used as the data source for this short analysis, is advisable for organizations that want to cover as many threat vectors as possible.

Without digital footprint expansion using open-source tools like Maltego with the WhoisXML API transforms and the other solutions featured in this post, we would not have been able to identify the 77 domains and 34 IP addresses that could be connected to these threats. Worse, we wouldn't have known that blocking a total of 23 domains and IP addresses could make our networks more resilient to them.

Check this tutorial blog for more information about using WhoisXML API in Maltego. WhoisXML API is partnering with top security companies around the world. Check our partnership page for more details.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider. Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
