In a recent study[1], I considered the use of clustering and open-source intelligence ('OSINT') investigation techniques to connect and identify potential scam domains similar to examples reported in a series of recent fraudulent campaigns. The scams in question involve the impersonation of law firms: brand owners are contacted under the guise of being alerted to third-party attempts to register their brand name.
In the initial analysis, many of the fraudulent domains were found to have used names of the form '[companyname]lawfirm(s).TLD' (with .com, .org and .uk all having been used in the reported examples), registered in the first months of 2025, predominantly through the registrars Hostinger Operations UAB, PDR Ltd. d/b/a PublicDomainRegistry[.]com, and Namecheap Inc, and generally with privacy-protected registrant details (mostly using Privacy Protect, LLC (PrivacyProtect[.]org)).
In this deeper dive, I consider the full set of .com registrations with names ending in 'lawfirm(s).com', as a follow-up to the previous analysis, which focused on the smaller .org dataset.
As of the date of analysis (09-May-2025, based on a version of the .com zonefile downloaded on 08-May-2025), there were 40,918 .com domains with names ending in 'lawfirm(s).com'. 2,192 of these were registered on or after 1 January 2025 (counting only those for which WHOIS information could be retrieved via an automated look-up), of which 477 were registered through one of the three 'high-risk' registrars in question.
Looking at the host IP address of each domain as a basis for further 'clustering', the 477 domains were found to be hosted at a total of 351 distinct addresses, with eight IP addresses each accounting for three or more of the domains in the set (a list topped by 84.32.84.32 (35 domains) and 34.120.137.41 (23 domains)). However, taking a slightly less granular approach and grouping adjacent or near-adjacent IP addresses by /24 netblock, we find additional clusters of potentially related domains, such as 65 examples hosted at IP addresses of the form 162.255.119.x, and 64 hosted at 192.64.119.x.
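The filtering and clustering steps described above (name-suffix match, registration date, 'high-risk' registrar, then grouping by exact host IP and by /24 netblock) can be reproduced on a small scale as follows. This is an added example, not code from the original study, and it runs over a constructed sample of records rather than the real zonefile/WHOIS data; the registrar strings are assumed to match the WHOIS output exactly, which in practice varies and should be normalised first.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date

# Constructed sample records (not data from the study). The registrar
# names and the IP 84.32.84.32 are taken from the text as illustrative
# values; the domain names, dates and other IPs are invented.
SAMPLE_RECORDS = [
    {"domain": "a-lawfirm.com",  "registrar": "Hostinger Operations UAB",               "created": date(2025, 1, 15), "ip": "84.32.84.32"},
    {"domain": "b-lawfirm.com",  "registrar": "Namecheap Inc",                          "created": date(2025, 2, 3),  "ip": "84.32.84.32"},
    {"domain": "c-lawfirms.com", "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com", "created": date(2025, 3, 20), "ip": "84.32.84.32"},
    {"domain": "d-lawfirm.com",  "registrar": "Hostinger Operations UAB",               "created": date(2025, 1, 28), "ip": "162.255.119.10"},
    {"domain": "e-lawfirm.com",  "registrar": "Hostinger Operations UAB",               "created": date(2025, 2, 14), "ip": "162.255.119.27"},
    {"domain": "f-lawfirm.com",  "registrar": "Namecheap Inc",                          "created": date(2025, 3, 2),  "ip": "162.255.119.143"},
    {"domain": "g-lawfirm.com",  "registrar": "Namecheap Inc",                          "created": date(2025, 4, 11), "ip": "192.64.119.31"},
    # Excluded by the filters below: registered before 2025, other registrar, other suffix.
    {"domain": "h-lawfirm.com",  "registrar": "Hostinger Operations UAB",               "created": date(2024, 11, 5), "ip": "84.32.84.32"},
    {"domain": "i-lawfirm.com",  "registrar": "GoDaddy.com, LLC",                       "created": date(2025, 2, 20), "ip": "84.32.84.32"},
    {"domain": "j-lawyers.com",  "registrar": "Hostinger Operations UAB",               "created": date(2025, 3, 1),  "ip": "192.64.119.32"},
]

# Matches 'lawfirm.com' and 'lawfirms.com' endings, as in the study.
SUFFIX_RE = re.compile(r"lawfirms?\.com$")

# The three registrars the study treats as 'high-risk' (assumed exact strings).
HIGH_RISK_REGISTRARS = {
    "Hostinger Operations UAB",
    "PDR Ltd. d/b/a PublicDomainRegistry.com",
    "Namecheap Inc",
}


def select_high_risk(records, since=date(2025, 1, 1)):
    """Apply the three filters: name suffix, registration date, registrar."""
    return [
        r for r in records
        if SUFFIX_RE.search(r["domain"].lower())
        and r["created"] >= since
        and r["registrar"] in HIGH_RISK_REGISTRARS
    ]


def cluster_by_ip(records):
    """Group domains sharing an identical host IP address."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["ip"]].append(r["domain"])
    return dict(clusters)


def cluster_by_netblock(records, prefix_len=24):
    """Group domains whose host IPs fall in the same /prefix_len netblock
    (the '162.255.119.x' style grouping used in the text)."""
    clusters = defaultdict(list)
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        clusters[str(net)].append(r["domain"])
    return dict(clusters)


def top_clusters(clusters, min_size=3):
    """(key, size) pairs for clusters of at least min_size, largest first."""
    return sorted(
        ((k, len(v)) for k, v in clusters.items() if len(v) >= min_size),
        key=lambda kv: (-kv[1], kv[0]),
    )


if __name__ == "__main__":
    high_risk = select_high_risk(SAMPLE_RECORDS)
    print(f"{len(high_risk)} high-risk domains at "
          f"{len(cluster_by_ip(high_risk))} distinct IPs")
    print("by IP:      ", top_clusters(cluster_by_ip(high_risk)))
    print("by /24:     ", top_clusters(cluster_by_netblock(high_risk)))
```

On the sample, exact-IP grouping surfaces only the 84.32.84.32 cluster, while the /24 grouping additionally pulls the three 162.255.119.x hosts together, which is the effect the text describes for the real dataset. For a real run, replace `SAMPLE_RECORDS` with rows built from the zonefile, WHOIS and A-record look-ups, and expect to normalise registrar names before matching.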
Considering first the 84.32.84.32 cluster of 35 domains, it is instructive to visualise other characteristics of the domains in question, to gain further insight and an appreciation of the strength of the connections between the examples in terms of shared or similar characteristics (Figure 1).
Figure 1: Visualisation of the cluster of high-risk, potential scam-related domains hosted at IP address 84.32.84.32 (with the site 'name' - i.e. the portion of the domain name prior to 'lawfirm(s).com' - and the (2025) date of registration given in each case)
In this specific case, the majority of the domains within the cluster resolved only to placeholder pages at the time of analysis, although two examples of live sites (apparently targeting the Asian and Middle East markets) were identified. It is also of note that two domains targeting the well-known firm Grant Thornton (grantthornton-lawfirm[.]com and grant-thornton-lawfirm[.]com) were identified; these would certainly be candidates for content tracking by the brand owner, so that it is alerted to the appearance of any threatening content.
The second-largest cluster (by common IP address, in this case 34.120.137.41) has a greater 'hit-rate' of live sites, with 20 of the 23 domains in question resolving to live content as of the time of analysis. Again, many of these appear to target the Middle East market, with purported practice areas spanning a range of fields of law (including, in addition to the trademark services of the original examples, personal injury, corporate and immigration law). Several of the websites (Figure 2) closely resemble those identified in the previous study, perhaps suggesting the use of common site templates, and potentially linkages as parts of a wider coordinated campaign.
Figure 2: Examples of live websites from the cluster of domains hosted at IP address 34.120.137.41
Addendum: Brand Protection Data is Beautiful
It is also worth noting that the clustering patterns within the data can be visualised in a range of different ways. For example, Figure 3 shows an extract of a 'timeline' view of the group of 477 high-risk domains, where the horizontal axis shows the date of registration, the vertical axis shows the first octet of the host IP address (e.g. '162' in 162.255.119.x), and the values (and associated colours) in the main body of the plot show the number of domains matching each combination. In this view, the clusters in the 162.255.119.x and 192.64.119.x netblocks contribute to the 'bright spots' in the rows in question.
Figure 3: Extract of a timeline heat-map of the group of 477 high-risk domains, by date of registration (horizontally) and the first component of the host IP address (vertically)
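The timeline heat-map can be built as a simple two-way count of registration month against the first octet of the host IP. The block below is an added example, not code from the original post, and it runs over a constructed set of (registration date, IP) pairs rather than the 477-domain dataset; the row key is parameterised so that a finer /24 grouping can be substituted for the coarse first-octet rows of Figure 3.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample points (registration date, host IP); not study data.
# The IPs reuse netblocks mentioned in the text as illustrative values.
SAMPLE_POINTS = [
    (date(2025, 1, 15), "84.32.84.32"),
    (date(2025, 1, 28), "162.255.119.10"),
    (date(2025, 2, 14), "162.255.119.27"),
    (date(2025, 2, 20), "162.255.119.143"),
    (date(2025, 3, 2),  "162.255.119.9"),
    (date(2025, 3, 9),  "192.64.119.31"),
    (date(2025, 3, 9),  "192.64.119.40"),
    (date(2025, 4, 11), "34.120.137.41"),
]


def first_octet(ip):
    """Row key used by the Figure 3 view: the first component of the IP."""
    return int(ip.split(".")[0])


def netblock_24(ip):
    """Finer alternative row key: the /24 containing the IP."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def month_key(d):
    """Column key: registration month as 'YYYY-MM'."""
    return d.strftime("%Y-%m")


def heatmap_counts(points, col_key=month_key, row_key=first_octet):
    """Count domains per (column, row) cell; the cell values are the
    numbers shown in the body of the heat-map."""
    return Counter((col_key(d), row_key(ip)) for d, ip in points)


def bright_spots(counts, threshold=2):
    """Cells at or above the threshold, i.e. the 'bright spots' of the plot."""
    return sorted(cell for cell, n in counts.items() if n >= threshold)


def render_heatmap(counts):
    """Text rendering of the count grid: rows are row keys, columns are months."""
    cols = sorted({c for c, _ in counts})
    rows = sorted({r for _, r in counts}, key=str)
    lines = ["row      " + " ".join(f"{c:>8}" for c in cols)]
    for r in rows:
        cells = " ".join(f"{counts.get((c, r), 0):>8}" for c in cols)
        lines.append(f"{str(r):<8} " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    counts = heatmap_counts(SAMPLE_POINTS)
    print(render_heatmap(counts))
    print("bright spots:", bright_spots(counts))
    # Same data with /24 rows instead of first-octet rows.
    print(render_heatmap(heatmap_counts(SAMPLE_POINTS, row_key=netblock_24)))
```

Because a first-octet row lumps together everything in a /8, unrelated hosting providers can share a row; re-running with `row_key=netblock_24` keeps the same timeline but only lights up cells where domains actually share a /24, which is the grouping that produced the 162.255.119.x and 192.64.119.x clusters.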
Reference
This article was first published on 9 May 2025 at: