Update (August 17): 

While reading our new post, one of our coworkers realized that their wife had received a smishing text from this very campaign the day before. The text body is:
"EDD- Your account is pending review after an attempt at FOOTLOCKER, CO, CA. If this was not you, verify at https://my-eddprotection643.duckdns[.]org to block. If this was you please ignore this message"

[Image: screenshot of the smishing SMS]

Original Post:

Though most of our indicator of compromise database is powered by hundreds of automated threat intelligence feed sources, last week our team discovered a phishing campaign through... a blog post? Yep, that's right. While sifting through the searches that led hundreds of readers to one of our most popular blog posts last month, a ThreatSTOP analyst noticed many web searches for what turned out to be the body of a smishing SMS message:

"εdd- your primary one-time transfer account has been updated, if this was not you visit https://protection-eddhelpcenter538.duckdns[.]org/ to cancel this update. if this was you, please ignore this message."

While the text body is the same in every message, the DuckDNS domain changes.

[Image: HubSpot search-query report showing the smishing text]

The domains seen in the search query history that leads to our blog are:

  • protection-eddhelpcenter538.duckdns[.]org (34.85.242.103)
  • safe-eddcenter9209.duckdns[.]org (34.85.242.103)
  • center-eddprotect3320.duckdns[.]org (34.85.242.103)
  • center-eddprepaid792.duckdns[.]org (186.2.166.143)

Looking into these domains, our team found that the subdomains follow a generated, DGA-style pattern: a security-themed word (protection, safe, help, secure, support and more), the "edd" lure, and a random numeric suffix, so each message can carry a fresh name. The wording plays on the fear of an unauthorized fund transfer, and the trust words compensate for duckdns.org not being a very convincing parent domain. Note that duckdns.org itself is a legitimate free dynamic-DNS service, so blocking should target the individual labels (and anything beneath them, such as the cPanel-style webmail and cpanel hosts in the list below), not the parent domain.

The domains seen in our lists were hosted on two distinct IPs:

  • 34.85.242[.]103
  • 186.2.166[.]143

Their resolution history (passive DNS) shows that they have been used in this campaign for some time. Although security vendors may have missed them (none flag them on VirusTotal), these IPs should not be communicated with.

[Image: VirusTotal results for the two IPs]

Phishing and smishing attacks can be hard to detect: threat actors are practiced at slipping them into inboxes and onto phones with language and imagery meant to evade filters and get us to click. ThreatSTOP provides users with automated threat protection for hundreds of threat types, including hard-to-detect phishing campaigns like this one. Our system also aggregates active DGA lists from multiple sources into our indicator of compromise DB and operational blocklists. The result? Automated, proactive protection against these and other modern attacks.


Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?

Get a Demo


Here's the full domain list from ThreatSTOP's analysis:

center-eddprepaid792.duckdns[.]org
center-eddprotect3320.duckdns[.]org
citi-helpsecure00.duckdns[.]org
cpanel.protect-eddcenter9573.duckdns[.]org
cpanel.protection-eddhelpcenter538.duckdns[.]org
cpanel.safe-eddcenter9209.duckdns[.]org
cpcalendars.protect-eddcenter9573.duckdns[.]org
cpcalendars.safe-eddcenter9209.duckdns[.]org
cpcontacts.protect-eddcenter9573.duckdns[.]org
cpcontacts.safe-eddcenter9209.duckdns[.]org
e-d-d-safety009.duckdns[.]org
e-d-d-safety022.duckdns[.]org
e-d-d-safety090.duckdns[.]org
help-centeredd312.duckdns[.]org
help-citicenter032.duckdns[.]org
help-safetyeddsupport9568.duckdns[.]org
mail.protect-eddcenter9573.duckdns[.]org
mail.protection-eddhelpcenter538.duckdns[.]org
mail.safe-eddcenter9209.duckdns[.]org
manage-eddsecure54.duckdns[.]org
my-eddprotection643.duckdns[.]org
protect-eddcenter9573.duckdns[.]org
protect-eddcentersupport452.duckdns[.]org
protection-centeredd479.duckdns[.]org
protection-eddcenter9409.duckdns[.]org
protection-eddhelpcenter538.duckdns[.]org
safe-e-d-d-center001.duckdns[.]org
safe-e-d-d-center0253.duckdns[.]org
safe-e-d-d-center042.duckdns[.]org
safe-e-d-d-center079.duckdns[.]org
safe-e-d-d-center9485.duckdns[.]org
safe-edd-center032.duckdns[.]org
safe-eddcenter9209.duckdns[.]org
safe-processoredd939.duckdns[.]org
support-eddprepaid336.duckdns[.]org
support-eddsecurity870.duckdns[.]org
support-prepaidedd4432.duckdns[.]org
webdisk.protect-eddcenter9573.duckdns[.]org
webdisk.protection-eddhelpcenter538.duckdns[.]org
webdisk.safe-eddcenter9209.duckdns[.]org
webmail.protect-eddcenter9573.duckdns[.]org
webmail.protection-eddhelpcenter538.duckdns[.]org
webmail.safe-eddcenter9209.duckdns[.]org
www.protect-eddcenter9573.duckdns[.]org
www.protection-eddhelpcenter538.duckdns[.]org
www.safe-eddcenter9209.duckdns[.]org
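The naming pattern described earlier (lure word, "edd", numeric suffix) and the list above lend themselves to a simple hunt. The following Python is an added example for this post, not ThreatSTOP's code: it refangs a subset of the listed domains, flags DNS queries that hit them (including cPanel-style hosts such as webmail. under a listed label), flags new DuckDNS names that fit the campaign pattern as triage leads, and emits RPZ records that block each label and everything beneath it without touching duckdns.org. The BIND-style query log lines are constructed, and help-eddsecure77 is a hypothetical "new" domain used only to show a pattern hit.

```python
"""Hunt for the EDD-themed DuckDNS smishing domains in DNS query logs.

Added example for this post, not ThreatSTOP's code. The IOCs below are a
subset of the domains listed in the post; the log lines are constructed,
and help-eddsecure77 is a hypothetical "new" name used to show pattern hits.
"""
import re
from typing import Iterable, Optional

# Subset of the defanged domains from the post (defanged exactly as listed).
DEFANGED_IOCS = [
    "protection-eddhelpcenter538.duckdns[.]org",
    "safe-eddcenter9209.duckdns[.]org",
    "cpanel.safe-eddcenter9209.duckdns[.]org",
    "center-eddprotect3320.duckdns[.]org",
    "center-eddprepaid792.duckdns[.]org",
    "my-eddprotection643.duckdns[.]org",
    "citi-helpsecure00.duckdns[.]org",
]

# Trust/lure words that appear in the post's subdomains.
LURE_WORDS = ("protection", "protect", "safe", "safety", "secure", "security",
              "help", "center", "support", "manage", "my", "prepaid", "processor")
BRAND_RE = re.compile(r"e-?d-?d|citi")           # 'edd', 'e-d-d' or 'citi'
LABEL_RE = re.compile(r"^[a-z][a-z-]*\d{2,4}$")  # words joined by '-', numeric suffix


def refang(domain: str) -> str:
    """'example[.]org' -> 'example.org', lowercased, no trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOCS = frozenset(refang(d) for d in DEFANGED_IOCS)


def duckdns_label(host: str) -> Optional[str]:
    """Label registered directly under duckdns.org, or None for other names.

    'webmail.safe-eddcenter9209.duckdns.org' -> 'safe-eddcenter9209'
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 3 or parts[-2:] != ["duckdns", "org"]:
        return None
    return parts[-3]


def matches_campaign_pattern(host: str) -> bool:
    """Lure word + 'edd'/'citi' + 2-4 digit suffix, registered under duckdns.org.

    Deliberately loose (the brand check is a substring match), so treat a hit
    as a triage lead, not a block decision.
    """
    label = duckdns_label(host)
    if label is None or not LABEL_RE.match(label):
        return False
    return BRAND_RE.search(label) is not None and any(w in label for w in LURE_WORDS)


def classify(host: str, iocs: frozenset) -> str:
    """'ioc' (listed), 'pattern' (looks generated by the same campaign) or 'benign'."""
    host = host.lower().rstrip(".")
    if host in iocs:
        return "ioc"
    # cpanel./webmail./www. etc. under a listed label are the same phishing host.
    label = duckdns_label(host)
    if label is not None and f"{label}.duckdns.org" in iocs:
        return "ioc"
    return "pattern" if matches_campaign_pattern(host) else "benign"


# BIND-style query log lines, constructed for this example.
SAMPLE_LOG = """\
16-Aug-2023 09:12:01.004 client @0x7f3c 10.20.0.14#51022 (my-eddprotection643.duckdns.org): query: my-eddprotection643.duckdns.org IN A + (10.20.0.1)
16-Aug-2023 09:12:03.117 client @0x7f3c 10.20.0.14#51023 (webmail.protection-eddhelpcenter538.duckdns.org): query: webmail.protection-eddhelpcenter538.duckdns.org IN A + (10.20.0.1)
16-Aug-2023 09:13:45.220 client @0x7f3d 10.20.0.31#40118 (help-eddsecure77.duckdns.org): query: help-eddsecure77.duckdns.org IN A + (10.20.0.1)
16-Aug-2023 09:14:02.501 client @0x7f3d 10.20.0.31#40119 (homelab-nas.duckdns.org): query: homelab-nas.duckdns.org IN A + (10.20.0.1)
16-Aug-2023 09:14:10.009 client @0x7f3e 10.20.0.52#39871 (edd.ca.gov): query: edd.ca.gov IN A + (10.20.0.1)
"""
QUERY_RE = re.compile(r"client @\S+ (?P<src>[\d.]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN")


def scan_query_log(lines: Iterable[str], iocs: frozenset) -> list:
    """Return (client_ip, qname, verdict) for every non-benign query."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m["qname"], iocs)
        if verdict != "benign":
            hits.append((m["src"], m["qname"], verdict))
    return hits


def rpz_records(iocs: Iterable[str]) -> list:
    """RPZ records that NXDOMAIN each listed DuckDNS label and everything under it,
    without touching duckdns.org itself (a legitimate dynamic-DNS service)."""
    labels = sorted({duckdns_label(d) for d in iocs if duckdns_label(d)})
    records = []
    for label in labels:
        records.append(f"{label}.duckdns.org CNAME .")
        records.append(f"*.{label}.duckdns.org CNAME .")
    return records


if __name__ == "__main__":
    for src, qname, verdict in scan_query_log(SAMPLE_LOG.splitlines(), IOCS):
        print(f"{verdict:8} {src:12} {qname}")
    print("\n".join(rpz_records(IOCS)))
```

Run stand-alone, the scan reports two "ioc" hits from 10.20.0.14 (the direct listed domain and the webmail. host under a listed label) and one "pattern" lead from 10.20.0.31, while the home-lab DuckDNS name and the real edd.ca.gov are left alone. The RPZ output pairs each label with a wildcard so the cpanel., webdisk. and www. variants seen in the list are covered by the same two records.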