Scams exploiting the conflict in Ukraine: Infoblox researchers publish a list of fraudulent websites


Since Russia's invasion of Ukraine on 24 February, the Infoblox Threat Intelligence group has observed a remarkable increase in the number of new Ukraine-related domain names by analysing the traffic on its recursive DNS resolvers: the experts saw more than twice as many newly observed domains as in the previous week.

Tribune – Much of this activity is part of the global response to the humanitarian crisis in Eastern Europe, and some of it consists of new efforts led by previously uncoordinated groups. However, cybercriminals have also seized the opportunity by creating numerous sites that spoof or imitate genuine support efforts. Telling the two apart can be difficult, even for experts.

In response, Infoblox developed multiple measures of authenticity, and its researchers manually analysed dozens of newly observed domains linked to Ukraine.

The Infoblox Threat Intelligence group found indicators of compromise (IoCs) linked both to malware campaigns and to individuals trying to coordinate the delivery of medical equipment to Ukraine. For most of the scams, the end goal is to collect cryptocurrency.

Using these indicators of compromise, Infoblox assembled a list of new websites linked to the crisis. The list of sites identified to date is given below.

For a regularly updated version and Infoblox's detailed analysis of Ukraine-related cyber scams, see: https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/cyber-threat-advisory-ukrainian-support-fraud/

Individuals and organizations wishing to support humanitarian causes in Ukraine, or to take part in local efforts to end the war, should exercise great caution when interacting with websites linked to these efforts. Some of these sites could serve as a fraudulent front for foreign intelligence or cybercrime operations. They may have been designed to drop spyware on devices and harvest personally identifiable information (PII). Before providing personal or financial information to such a website, check with a trusted source that identifies the organization and the domain it is hosted on.

INDICATOR | DESCRIPTION | NOTES
https://cdn[.]discordapp[.]com/attachments/946667303825735721/948011944776986715/Izcei[.]jpg | malware | Malspam used a Ukraine support-themed message to deliver downloader attachments that retrieved the AgentTesla binary from this file-hosting location.
4464u4jhw4[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
487jw34e[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
a3k67[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
hf39q48[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
pritto4523463[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
pritto456123[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
pritto4563[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
q34yfhh897[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
xsolo[.]live | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
xsolo[.]shop | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
xsolo[.]store | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
xsolo[.]us | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
3ywg4544y3[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
789o8lm[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
bertshbt32[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
danhramvaiqua[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
muonroimasaovancon[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
w3eg544456u[.]xyz | malware | Spam emails using a “Stand with Ukraine” message theme sent suspicious links with this domain.
ukraineforever[.]com | phishing | Domain parked in 2018 and re-registered in Feb 2022. The page has changed twice in the last few days; the Twitter account is new and has one tweet. Requesting relief funds.
ukraine-human-rights[.]org | phishing | Website contains Russian propaganda content; sibling website: https://de[.]ukraine-human-rights[.]org/
protectukraine[.]org | phishing | BTC scam.
ukrainecharity[.]net | phishing | Ukraine relief scams.
donateukraine[.]com | phishing | ukraine-appeal[.]com was registered on 02/13 soliciting donations. Claims to work with a number of legitimate charities but doesn’t link to any. Payment through Stripe. 3-month cert from Let’s Encrypt. Contact address listed is a work-share space in London with no contact names. Same IP 157.245.35.51 hosts afghanappeal[.]com (registered on 02/06) with an identical logo. Neither site links to or from other websites.
ukraine-appeal[.]com | phishing | Recently registered domain focusing on gathering funds for “on the ground disbursement.” No apparent propaganda, and the payment processing system is Stripe, so they aren’t collecting financial information. The site does ask for PII (name), though, and has a form for a newsletter, which means handing over an email address.
assistukraine[.]org | phishing | Newly registered. Hosted on the same IP as several variants of the domain name as well as other suspicious crypto-related domains. Address on the website not found. Looks like a BTC scam.
app-en[.]com | phishing | Reported by security researchers for donation scam activity related to the Russian invasion of Ukraine. https://twitter.com/JCyberSec_/status/1498239774116753409
donateukraine[.]sbs | phishing | https://twitter.com/JCyberSec_/status/1498239774116753409
helpukraine[.]su | phishing | Site purports to be collecting donations for the Armed Forces of Ukraine, but the donation button currently leads to a missing page and the domain was registered via a Russian registrar.
helpukraine[.]charity | phishing | Found on the same IP space as other scam domains using Ukraine support-themed messages. Website states they were founded in 2014, but business indexes show a 2022 establishment date. https://www.paqle.dk/p/help-ukraine/6913551. Bitcoin addresses owned by this entity show minimal transactions. https://www.blockchain.com/btc/address/1JxmpptfbZmxd5Apk135NJfXHdzmR7F9wi
saveukraine-website[.]margosolution[.]com | phishing | Using cpcalendars[.]saveukraine[.]website in its SSL certificate. saveukraine[.]website was confirmed as a fraudulent site using fake Ukraine support content.
standwitukraine[.]com | phishing | Found on the same IP space as other scam domains using Ukraine support-themed messages. NXDOMAIN now.
donateeforukraine[.]com | phishing | In early March 2022, this domain was pointing to a shady website claiming to collect funds to support Ukrainian people during the crisis escalation against Russia. However, no information was provided about the organization behind this project or about where the money was actually going.
support4ukraine[.]info | phishing | Domain used in support of a Ukrainian conflict-related scam operation.
donate-ukraine[.]org | phishing | Created on February 26th; in early March 2022 this domain pointed to a phishy donation website aimed at supporting the people of Ukraine during the crisis escalation. No information was provided about the organization behind this project or about how the money is going to be spent.
fundukraine[.]org | phishing | In early March 2022, this domain was pointing to a phishy donation website for helping people in Ukraine. There was no information about either the owning organization or the destination of the donations.
helpukrainestopputin[.]org | phishing | In early March 2022, this domain was pointing to a phishy site aimed at collecting donations via an Indiegogo campaign to support people facing war in Ukraine. No information was provided about either the organization behind the project or how the collected money was going to be spent.
istandwithukrainepin[.]com | phishing | Created on February 26th; in early March 2022 this domain pointed to a phishy e-store for Ukraine-branded material. The store doesn’t provide any indication of the organization behind the project.
ukrainedevs[.]com | suspicious | Newly registered domain purportedly recruiting Ukrainian software developers.
pakukrainecentre[.]com | suspicious | Website serving content related to trade and investment between Pakistan and Ukraine, but it is hosted in China. Many URLs on the domain have recently been detected as phishing, spam or malicious, and the site is currently not accessible.
ictvukraine[.]tv | suspicious | Suspicious domain as it is routed through Russian IP space before delivering the content. Some signs point to authenticity: ICTV is a popular Ukrainian TV station, and the domain registration matches content indicating that the service started in March 2020, purportedly by StarlightMedia, a Ukrainian company that owns several media outlets including ICTV.
ukrainecrisis[.]org | suspicious | Domain registered 7 days ago. Nothing clearly malicious; hosting news with no apparent propaganda.
adoptioninukraine[.]com | suspicious | Registered in 2011 and unrelated to the current conflict. The phone number is linked to two Facebook pages (one taken down) that list other websites claiming to be a Colombian-Ukrainian adoption service; however, this website is Russian-hosted.
bat-ukraine[.]com | suspicious | Currently parked and tied to malware IPs.
helpukraine[.]org | suspicious | Expired domain that shows a static image at the base page with a support message for Ukraine; limited content on the website, and it appears to be mostly unused.
helpukraine[.]biz | suspicious | New website with a newly registered domain that has not been configured. This could potentially be used later for malicious purposes.
web4ukraine[.]org | suspicious | URL redirector service; the splash page shows a message against the Russian invasion of Ukraine before the redirect action. According to the creator, the intent of this service is to slow down Russian web traffic and spread awareness about the Ukrainian conflict. https://english.radio.cz/700-czech-webmasters-support-call-counter-russian-propaganda-8743231. The creator of the service has been criticized for the intended usage, as it can be used as a medium to deliver malware and punish innocent users. https://www.reddit.com/r/javascript/comments/t242c0/we_are_letting_people_in_russia_know_that_we_dont/
amazingukraine[.]tours | parked | This domain attracted some attention in late February and early March 2022 because its name is linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022.
fightlikeukraine[.]com | parked | This domain attracted some attention in late February and early March 2022 because its name is linked to the Ukraine-Russia crisis escalation. Created during the crisis, it was parked for potential future usage in early March 2022.
aid2ukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
aid2ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
aid4ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
cookforukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
defend-ukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
defendukraine[.]world | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freedomforukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]art | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]live | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]news | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]world | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
freeukraine[.]xyz | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
gloryofukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
goukraine[.]tours | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
helpukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
helpukrainebuild[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
helpukrainepeopletoday[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
helpukrainerebuild[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
heroofukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
heroofukraine[.]org | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
istandswithukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
istandwithukraine[.]live | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
istandwithukraine[.]news | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
istandwithukraine[.]today | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
lettersukraine[.]com | parked | This is a parked domain created in relation to the Russian invasion of Ukraine.
letterukraine[.]com | parked
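To put a defanged list like the one above to use, the following Python script (an added example for this page, not Infoblox's own tooling) refangs the indicators, separates URL indicators from domain indicators, de-duplicates them, matches BIND-style DNS query-log lines against the domain set including subdomains, and emits a minimal Response Policy Zone (RPZ) for a resolver. The indicator rows are a subset copied from the table; the query-log lines are constructed for the example, and the zone name ukraine-fraud.rpz is an arbitrary choice. The point of keeping URL indicators separate is that the Discord CDN link must not turn into a block on all of cdn.discordapp.com.

```python
"""Turn a defanged IOC list into a matcher and a DNS blocklist.

Added example for this page, not Infoblox code. Indicator rows are a
subset copied from the table; the query-log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# (indicator as printed in the table, description). ukraineforever[.]com is
# listed twice, as it was in the page's table, to show duplicates collapsing.
IOC_ROWS = [
    ("https://cdn[.]discordapp[.]com/attachments/946667303825735721/948011944776986715/Izcei[.]jpg", "malware"),
    ("4464u4jhw4[.]xyz", "malware"),
    ("xsolo[.]live", "malware"),
    ("ukraineforever[.]com", "phishing"),
    ("ukraineforever[.]com", "phishing"),
    ("ukraine-human-rights[.]org", "phishing"),
    ("saveukraine-website[.]margosolution[.]com", "phishing"),
    ("helpukraine[.]biz", "suspicious"),
]

# Constructed BIND-style query-log lines (not taken from the page).
DNS_LOG = """\
05-Mar-2022 10:14:02.113 client 10.0.0.5#53412: query: de.ukraine-human-rights.org IN A +
05-Mar-2022 10:14:03.420 client 10.0.0.7#40111: query: cdn.discordapp.com IN A +
05-Mar-2022 10:14:05.901 client 10.0.0.9#51222: query: cpcalendars.saveukraine-website.margosolution.com IN A +
05-Mar-2022 10:14:06.222 client 10.0.0.5#53413: query: www.example.org IN A +
05-Mar-2022 10:14:09.008 client 10.0.0.12#44001: query: xsolo.LIVE IN AAAA +
"""

QUERY_RE = re.compile(r"query: (\S+) IN ")


def refang(indicator: str) -> str:
    """Undo common defanging: [.] (.) {.} -> ., hxxp -> http, [:]// -> ://.
    Everything is lower-cased so that matching is case-insensitive."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[:]//", "://").replace("[://]", "://")
    return s.lower().rstrip(".")


def build_matcher(rows):
    """Split indicators into an exact-URL dict and a domain dict.

    A URL indicator (the Discord CDN link) matches only that URL, so the
    shared host cdn.discordapp.com is not blocked wholesale; a domain
    indicator matches itself and every subdomain. First verdict wins."""
    urls, domains = {}, {}
    for raw, verdict in rows:
        ioc = refang(raw)
        target = urls if "://" in ioc else domains
        target.setdefault(ioc, verdict)
    return urls, domains


def classify(name_or_url, urls, domains):
    """Return (matched indicator, verdict), or None if nothing matches."""
    s = name_or_url.strip().lower().rstrip(".")
    if "://" in s:
        if s in urls:
            return s, urls[s]
        host = urlsplit(s).hostname or ""
    else:
        host = s
    labels = host.split(".")
    # Walk up the label chain: a.b.example.com -> b.example.com -> example.com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def scan_dns_log(text, urls, domains):
    """Return a list of (qname, matched indicator, verdict) for matching query lines."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        match = classify(qname, urls, domains)
        if match:
            hits.append((qname.lower(), match[0], match[1]))
    return hits


def rpz_zone(domains, origin="ukraine-fraud.rpz"):
    """Emit a minimal BIND Response Policy Zone in which each domain and its
    subdomains are answered NXDOMAIN (CNAME .). The zone name is arbitrary."""
    lines = [
        f"$ORIGIN {origin}.",
        "@ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 3600",
        "@ 3600 IN NS localhost.",
    ]
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    urls, domains = build_matcher(IOC_ROWS)
    for qname, ioc, verdict in scan_dns_log(DNS_LOG, urls, domains):
        print(f"{verdict:<10} {qname}  (matched {ioc})")
    print(rpz_zone(domains))
```

Running the script flags the sibling host de.ukraine-human-rights.org and the cpcalendars subdomain via the suffix walk, while the plain cdn.discordapp.com query passes because only the exact Discord attachment URL is an indicator. The generated RPZ only covers the domain indicators; URL-level indicators belong in a web proxy or mail gateway rule, not in DNS.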