Arnaques exploitant le conflit en Ukraine : les chercheurs d’Infoblox publient une liste de sites web frauduleux

0

Depuis l’invasion de l’Ukraine par la Russie le 24 février dernier, le groupe Infoblox Threat Intelligence a observé une augmentation remarquable du nombre de nouveaux noms de domaine liés à l’Ukraine, en analysant le trafic sur ses résolveurs DNS récursifs : les experts ont observé plus de deux fois plus de domaines, détectés pour la première fois, que la semaine précédente. 

Tribune – Une grande partie de cette activité s’inscrit dans le cadre d’une réponse globale à la crise humanitaire en Europe de l’Est, et une partie consiste en de nouveaux efforts menés par des groupes auparavant non coordonnés. Cependant, les cybercriminels ont également saisi l’occasion en créant de nombreux sites pour usurper ou imiter les véritables efforts de soutien. Différencier ces deux scénarios peut être difficile, même pour les experts.

En réponse, Infoblox a développé de multiples mesures d’authenticité, et ses chercheurs ont analysé manuellement des dizaines de domaines nouvellement observés, qui sont liés à l’Ukraine.

Le groupe Threat Intelligence d’Infoblox a trouvé des indicateurs de compromission (IoCs) liés à la fois à des campagnes de logiciels malveillants, et aux individus essayant de coordonner la livraison d’équipements médicaux à l’Ukraine. Pour la plupart des escroqueries, l’objectif final est de collecter des cryptomonnaies.

En utilisant ces indicateurs de compromission, Infoblox a réuni une liste de nouveaux sites web liés à la crise. Veuillez trouver ci-dessous la liste des sites identifiés à ce jour.

Pour une version régulièrement mise à jour, une analyse détaillée des cyberarnaques liées à l’Ukraine par Infoblox, veuillez vous rendre à cette adresse : https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/cyber-threat-advisory-ukrainian-support-fraud/

Les individus et les organisations qui souhaitent soutenir des causes humanitaires en Ukraine, ou participer aux efforts locaux pour mettre fin à la guerre, doivent faire preuve d’une grande prudence lors de leurs interactions avec des sites Web liés à ces efforts. Certains de ces sites pourraient servir de façade frauduleuse à des opérations de renseignement étranger ou de cybercriminalité. Ils peuvent avoir été conçus pour déposer des logiciels espions sur des appareils et récolter des informations personnelles identifiables (PII). Avant de fournir des informations personnelles ou financières à ces sites Web, vérifiez auprès d’une source de confiance qui identifie l’organisation et son domaine d’hébergement.

INDICATOR

DESCRIPTION

NOTES

https://cdn[.]discordapp[.]com /attachments /946667303825735721/948011944776986715 /Izcei[.]jpg

malware

Malspam used Ukraine support-themed message to deliver downloader attachments that retrieved the AgentTesla binary from this file hosting location.

4464u4jhw4[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

487jw34e[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

a3k67[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

hf39q48[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

pritto4523463[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

pritto456123[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

pritto4563[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

q34yfhh897[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

xsolo[.]live

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

xsolo[.]shop

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

xsolo[.]store

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

xsolo[.]us

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

3ywg4544y3[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

789o8lm[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

bertshbt32[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

danhramvaiqua[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

muonroimasaovancon[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

w3eg544456u[.]xyz

malware

Spam emails using “Stand with Ukraine” message theme sent suspicious links with this domain.

ukraineforever[.]com

phishing

domain parked in 2018 and reregistered in Feb 2022. The page has changed twice in the last few days; the twitter acccount is new and has one tweet. requesting relief funds.

ukraine-human-rights[.]org

phishing

Website contains Russian propaganda content; sibling website: https://de[.]ukraine-human-rights[.]org/

ukraineforever[.]com

phishing

Domain parked in 2018 and reregistered in Feb 2022. The page has changed twice in the last few days; the twitter acccount is new and has one tweet.

protectukraine[.]org

phishing

BTC Scam

ukrainecharity[.]net

phishing

Ukraine relief scams

donateukraine[.]com

phishing

ukraine-appeal[.]com was registered on 02/13 soliciting donations. Claims to work with a number of legitimate charities but doesn’t link to any. Payment through Stripe. 3-month cert from Let’s Encrypt. Contact address listed is a work-share space in London with no contact names. Same IP 157.245.35.51 hosts afghanappeal[.]com (registered on 02/06) with identical logo. Neither sites link to or from other websites.

ukraine-appeal[.]com

phishing

Recently registered domain focusing on gathering funds for “on the ground disbursement.” No apparent propaganda and the payment processing system is Stripe, so they aren’t collecting financial information. The site does ask for PII (name), though, and have a form for a newsletter, which means giving over an email address.

assistukraine[.]org

phishing

newly registered. hosted on same IP with several variants of domain name as well as other suspicious crypto related domains. address on website not found. looks like a BTC scam.

app-en[.]com

phishing

Reported by security researchers for donation scam activity related to the Russian invasion of Ukraine. https://twitter.com/JCyberSec_/status/1498239774116753409

donateukraine[.]sbs

phishing

https://twitter.com/JCyberSec_/status/1498239774116753409

helpukraine[.]su

phishing

Site purports to be collecting donations for the Armed Forces of Ukraine, but the donation button currently leads to a missing page and the domain was registered via a Russian registrar.

helpukraine[.]charity

phishing

Found on same IP space as other scam domains using Ukraine support-themed messages. Website states they were founded in 2014, but business indexes show a 2022 establishment date. https://www.paqle.dk/p/help-ukraine/6913551. Bitcoin addresses owned by this entity show minimal transaction. https://www.blockchain.com/btc/address/1JxmpptfbZmxd5Apk135NJfXHdzmR7F9wi

saveukraine-website[.]margosolution[.]com

phishing

using cpcalendars[.]saveukraine[.]website in its ssl certificate. saveukraine[.]website was confirmed a fraudulent site using fake Ukraine support content.

standwitukraine[.]com

phishing

Found on same IP space as other scam domains using Ukraine support-themed messages. Nxdomain now

donateeforukraine[.]com

phishing

In early March 2022, this domain was pointing to a shady website claiming to collect funds to support Ukrainian people during the crisis escalation against Russia. However, no information was provided about the organization behind this project and where the money were actually going to.

support4ukraine[.]info

phishing

Domain used in support of a Ukrainian conflict-related scam operation.

donate-ukraine[.]org

phishing

Created on February 26th, in early March 2022 this domain pointed to a phishy donation website aimed at supporting people of Ukraine during the crisis escalation. No information was provided about the organization behind this project and no information was provided about how the money are going to be spent

fundukraine[.]org

phishing

In early March 2022, this domain was pointing to a phishy donation website for helping people in Ukraine. There was no information about either the owning organization or the destination of the donations

helpukrainestopputin[.]org

phishing

In early March 2022, this site was pointing to a phishy site aimed at collecting donations via an Indiegogo campaign to support people facing war in Ukraine. No information was provided about both the organization behind the project and how the collected money were going to be spent

istandwithukrainepin[.]com

phishing

Created on February 26th, in early March 2022 this domain pointed to a phishy e-store for ukraine-branded material. The store doesn’t provide any indication about the organization behind that project

ukrainedevs[.]com

suspicious

Newly registered domain purportedly recruiting Ukranian software developers.

pakukrainecentre[.]com

suspicious

Website serving content related to trade and investment between Pakistan and Ukraine. But its hosted in China. Many URL on the domain have recently detected as Phishing, Spam or Malicious and Site is currently not accessible.

ictvukraine[.]tv

suspicious

Suspicious domain as it is routed through Russian IP space before delivering the content. Some signs point to authenticity. ICTV is a popular Ukrainian TV station. Domain registration matches content that service started in March 2020 purportedly by StarlightMedia. This Ukranian company owns several media outlets including ICTV.

ukrainecrisis[.]org

suspicious

Domain registered 7 days ago. Nothing clearly malicious; hosting news with no apparent propaganda.

adoptioninukraine[.]com

suspicious

Registered in 2011 and unrelated to the current conflict. The phone number is linked to two Facebook pages (one taken down) that list other websites claiming to be a Columbian-Ukranian adoption service; however, this website is Russian-hosted.

bat-ukraine[.]com

suspicious

currently parked and tied to malware IPs

helpukraine[.]org

suspicious

Expired domain that shows static image at base page with a support message for Ukraine, limited content on website and appears to be mostly unused.

helpukraine[.]biz

suspicious

New website with newly registered domain that has not been configured. This could potentially be used later for malicious purposes.

web4ukraine[.]org

suspicious

URL redirector service, splash page shows message against Russian invasion of Ukraine before redirect action. According to the creator, the intent of this service is to slow down Russian web traffic and spread awareness about the Ukranian conflict. https://english.radio.cz/700-czech-webmasters-support-call-counter-russian-propaganda-8743231. Creator of service has been criticized for his/her intent for usage, as it can be used as a medium to deliver malware and punish innocent users. https://www.reddit.com/r/javascript/comments/t242c0/we_are_letting_people_in_russia_know_that_we_dont/

amazingukraine[.]tours

parked

This domain attracted some attention in late February – early March 2022 due to the name linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022

fightlikeukraine[.]com

parked

This domain attracted some attention in late February – early March 2022 due to the name linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022

aid2ukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

aid2ukraine[.]org

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

aid4ukraine[.]org

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

amazingukraine[.]tours

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

cookforukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

defend-ukraine[.]org

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

defendukraine[.]world

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freedomforukraine[.]org

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]art

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]live

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]news

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]today

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]world

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

freeukraine[.]xyz

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

gloryofukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

goukraine[.]tours

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

helpukraine[.]today

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

helpukrainebuild[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

helpukrainepeopletoday[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

helpukrainerebuild[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

heroofukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

heroofukraine[.]org

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

istandswithukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

istandwithukraine[.]live

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

istandwithukraine[.]news

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

istandwithukraine[.]today

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

lettersukraine[.]com

parked

This is a parked domain created in relation to the Russian invasion of Ukraine

letterukraine[.]com

parked

 

LAISSER UN COMMENTAIRE

S'il vous plaît entrez votre commentaire!
S'il vous plaît entrez votre nom ici

Notifiez-moi des commentaires à venir via e-mail. Vous pouvez aussi vous abonner sans commenter.

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.