Cyber Security News

Russian Hackers Registering Domains Targeting US Tech Brands

Researchers are tracking a Russian threat actor deploying domains involved in crypto scams targeting the US Presidential Election and tech brands.

The scams offer double crypto returns for deposits and are designed to deceive users into sending coins to attacker-controlled wallets.

The research identified numerous websites promoting fraudulent giveaways featuring high-profile US individuals and brands, using counterfeit legal letters to enhance their credibility. 

These websites targeted prominent figures like Donald Trump, Kamala Harris, Tim Cook, and others, falsely associating them with the scams.

During a separate investigation, threat analysts discovered Indicators of Future Attack (IOFA) domains registered to a Russian email address (ek1991@internet.ru), suggesting a link to potential scam activities.

Apple spoofing page @ https://apple-event2024[.]com

They identified a cluster of live scam domains sharing key attributes: registration by ek1991@internet.ru, Cloudflare protection, and similar content themes (cryptocurrency, US finance/tech, 2024 election) with identical body text. The sites employ CAPTCHAs, and some even include chat functionality.
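The pivot described above (shared registrant, Cloudflare fronting, identical body text) can be sketched as follows. This is an added example, not the researchers' tooling; every record, domain and the seed registrant are constructed, and treating `*.ns.cloudflare.com` nameservers as the Cloudflare signal is an assumption.

```python
import hashlib
import re

# Constructed sample records (not real WHOIS/DNS/HTTP data); all names are hypothetical.
SEED_REGISTRANT = "registrant@cluster.example"
RECORDS = [
    {"domain": "event-giveaway.example", "registrant": "registrant@cluster.example",
     "ns": ["ada.ns.cloudflare.com"], "body": "Send 1 BTC and  receive 2 BTC back!"},
    {"domain": "debate-bonus.example", "registrant": "REGISTRANT@cluster.example",
     "ns": ["bob.ns.cloudflare.com"], "body": "Official debate giveaway: deposit now."},
    {"domain": "double-coins.example", "registrant": None,  # WHOIS redacted
     "ns": ["cat.ns.cloudflare.com"], "body": "send 1 btc and receive 2 btc back!"},
    {"domain": "bakery.example", "registrant": "owner@bakery.example",
     "ns": ["ns1.hosting.example"], "body": "Fresh bread daily."},
    {"domain": "cf-blog.example", "registrant": None,
     "ns": ["dan.ns.cloudflare.com"], "body": "My travel blog."},
]

def body_fingerprint(text):
    """Hash the page body after lowercasing and collapsing whitespace."""
    normalized = re.sub(r"\s+", " ", text.strip().lower())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def uses_cloudflare(record):
    """Assumption: Cloudflare fronting shows up as *.ns.cloudflare.com nameservers."""
    return any(n.lower().rstrip(".").endswith(".ns.cloudflare.com") for n in record["ns"])

def find_cluster(records, seed_registrant):
    """Return {domain: reasons} for records tied to the seed registrant."""
    seed = seed_registrant.lower()
    cluster = {}
    for r in records:  # Pass 1: direct pivot on the registrant e-mail.
        if (r["registrant"] or "").lower() == seed:
            cluster[r["domain"]] = ["registrant"]
    known = {body_fingerprint(r["body"]) for r in records if r["domain"] in cluster}
    # Pass 2: domains not matched on registrant (e.g. redacted WHOIS) that reuse
    # a known body and sit behind Cloudflare. Cloudflare alone is never enough.
    for r in records:
        if r["domain"] not in cluster and body_fingerprint(r["body"]) in known and uses_cloudflare(r):
            cluster[r["domain"]] = ["identical-body", "cloudflare"]
    return cluster

if __name__ == "__main__":
    print(find_cluster(RECORDS, SEED_REGISTRANT))
```

The second pass requires both signals together, so an unrelated site that merely uses Cloudflare is not pulled into the cluster.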

No organizations or individuals are directly involved in the spoofing of any websites, including cryptologic.online, which features content written in Russian. 

Instead, it appears to be a platform for discussing and analyzing cryptographic techniques and related topics, potentially serving as a resource for individuals interested in cryptology.


Fake FTC letter @ debate[.]gives

The cluster hosts some domains that spoof well-known US politicians and business leaders, likely being used for phishing or other malicious activities.

The chat function on some domains provides step-by-step instructions for transferring cryptocurrency, often requiring the victim to send a specific amount of cryptocurrency before receiving a promised payout. 

Victims who follow these instructions send money without receiving anything in return.

chat functionality

The footer of debate[.]gives included fake legal letters from US regulatory bodies, intended to legitimize the proposed giveaways. The letters claimed that the giveaways were sanctioned by the SEC, FTC, and DOJ, which is untrue.

Analysts are creating a Silent Push IOFA feed of scam domains for enterprise users to integrate into their security systems.

This feed will enhance detection capabilities and enable investigation of related attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
