We often analyze indicators of phishing-related compromise published by techhelplist.com. These lists contain a large number of indicators, usually not all related to a single campaign but to countless campaigns that had already spread before the lists were updated.

When reviewing and analyzing the lists of indicators, we came across these 3 domains:

  • apple-ftc[.]com
  • apple-fts[.]com
  • apple-yt[.]com

These caught our attention because they appeared to be generated algorithmically, in the style of a DGA, around a well-known brand name: a fixed "apple-" prefix followed by a short suffix. Resembling a trusted brand is an important element of a convincing phishing campaign.

While searching for further information on these domains, we found that all three had been registered with the same registrant e-mail address, '55131755@qq[.]com'. This raised the likelihood that many more domains with the same goal and naming pattern ("apple-" followed by a short suffix) had also been registered using that e-mail address.

Using the Maltego research platform, we pivoted on this e-mail address to search for other domains registered with it. We found 47 other domains following the same pattern as those listed above. After verifying that they were not being used legitimately, we added them to our Target lists.
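The pivot described above, as an added example that is not ThreatSTOP's tooling or Maltego output: starting from the three seed domains, collect their registrant e-mail from a set of WHOIS-style records, pull every other domain registered with that e-mail, keep only those matching the "apple-<suffix>" shape, and defang the result for a blocklist. An allowlist stands in for the manual "not used legitimately" check. The records beyond the three seed domains and their registrant e-mail, the suffix length in the regular expression and the allowlist are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records. The three "apple-*" seed domains and the
# registrant e-mail come from the analysis above; every other record is an
# assumption added to show the pivot working on mixed data.
WHOIS_RECORDS = [
    {"domain": "apple-ftc.com",     "registrant_email": "55131755@qq.com"},
    {"domain": "apple-fts.com",     "registrant_email": "55131755@qq.com"},
    {"domain": "apple-yt.com",      "registrant_email": "55131755@qq.com"},
    {"domain": "apple-idx.com",     "registrant_email": "55131755@qq.com"},   # assumed: same registrant, brand pattern
    {"domain": "example-shop.com",  "registrant_email": "55131755@qq.com"},   # assumed: same registrant, no brand pattern
    {"domain": "apple.com",         "registrant_email": "domains@example.com"},  # assumed: legitimate brand domain, other registrant
    {"domain": "apple-abc.com",     "registrant_email": "someone@example.net"},  # assumed: brand pattern, other registrant
]

SEED_DOMAINS = {"apple-ftc.com", "apple-fts.com", "apple-yt.com"}

# "apple-" plus a short alphanumeric suffix under .com. The 2-4 character
# suffix length is an assumption based on the three observed seeds.
BRAND_PATTERN = re.compile(r"^apple-[a-z0-9]{2,4}\.com$")


def defang(domain):
    """Render a domain non-clickable for reports and blocklists."""
    return domain.replace(".", "[.]")


def pivot_on_registrant(records, seed_domains):
    """Return (related_domains, seed_emails): the registrant e-mails of the
    seed domains, and every other domain registered with one of them."""
    by_email = defaultdict(set)
    email_of = {}
    for rec in records:
        domain = rec["domain"].lower()
        email = rec["registrant_email"].lower()
        by_email[email].add(domain)
        email_of[domain] = email
    seed_emails = {email_of[d] for d in seed_domains if d in email_of}
    related = set()
    for email in seed_emails:
        related |= by_email[email]
    return related - set(seed_domains), seed_emails


def filter_brand_pattern(domains, pattern=BRAND_PATTERN):
    """Keep only domains that follow the brand-impersonation naming shape."""
    return sorted(d for d in domains if pattern.match(d))


def build_target_list(records, seed_domains, allowlist=()):
    """Seeds plus registrant-pivoted domains that match the brand pattern,
    minus anything verified legitimate, defanged for publication."""
    related, _ = pivot_on_registrant(records, seed_domains)
    candidates = filter_brand_pattern(related | set(seed_domains))
    return [defang(d) for d in candidates if d not in set(allowlist)]


if __name__ == "__main__":
    related, emails = pivot_on_registrant(WHOIS_RECORDS, SEED_DOMAINS)
    print("registrant e-mails shared by the seeds:", sorted(emails))
    print("other domains with the same registrant:", sorted(related))
    for entry in build_target_list(WHOIS_RECORDS, SEED_DOMAINS):
        print("target:", entry)
```

Note that apple-abc.com is dropped even though it matches the naming pattern, because it shares no registrant with the seeds, and example-shop.com is dropped even though it shares the registrant, because it does not match the pattern. Both filters together are what keep the pivot from sweeping in unrelated or legitimate domains; the allowlist is where a manual verification result is recorded.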

[Image: phishing e-mail sample]

Even though these domains look suspicious when listed together, it is easy to see how someone encountering one of them on its own could mistake it for the Apple brand it mimics.

As a reminder, the ThreatSTOP Security Team recently added new phishing protections, and they have been updated with the data from this analysis.