Abusing the Mali ccTLD (.ml) to Target Dutch Organisations

<h2>Introduction</h2>At the start of 2019, Anomali Labs observed an upward trend in threat actors abusing the Mali country code top-level domain (ccTLD), “.ml”, to host suspicious and malicious sites closely resembling Dutch-based organisations. Our research identified the .ml ccTLD is amongst one of the top ten most recently abused TLDs when it comes to spam operations, complemented by the relative ease in registering .ml domains at no cost for up to a 12-month period. Our evaluation and assessment of over 5,000 phishing sites registered using the .ml ccTLD uncovered Dutch and global financial organisations were the most targeted sectors and geographic location selected for exploitation by threat actors. This blog post offers some key insights into our analysis and we hope to raise awareness of the abuse of .ml ccTLD in impersonating established organisations through malicious cyber activity such as phishing attacks.<h2>Background</h2>On January 9th, 2019, Anomali Labs observed two credential harvesting pages hosted on the same server targeting two separate Dutch financial organisations. The pages were hosted on domains registered using the West African country of Mali’s top-level domain (ccTLD) “.ml”, which closely resembles the targeted organisations legitimate websites hosted on The Netherlands ccTLD “.nl”. Both of these phishing pages were designed to deceive users into accessing the pages where threat actors attempt to obtain login credentials for the online banking customers. Presumably, threat actors could then log into the online banking accounts to steal payment card information, initiate fraudulent transactions or potentially extort the victim. Fortunately, the phishing pages had a limited online lifespan prior to being taken down and blacklisted by Google Safe Browsing, which commands over 60 percent of the web browser market share. At the time of discovery, the phishing sites resolved to a German-based IP address 185.158.251[.]84, (AS39378 - SERVINGA), which is assigned to VPS2DAY, a VPS provider in Germany, Netherlands, Romania, Sweden, U.K. and the U.S. <img alt="" src="https://cdn.filestackcontent.com/07MhkacTBS3s6PqsEKpW"/>Figure 1. Sanitised illegitimate login prompt requesting the visitor’s Private (Particulier) or Business (Zakelijk) username (Gebruikersnaam) and password (Wachtwoord) <h3>The Threat Implications to Dutch Organisations</h3>Operating on the hypothesis that adversaries will leverage the similarities between ccTLDs: .ml and .nl, to target Dutch organisations; we test out our hypothesis by analysing over 5,000 verified phishing .ml domains collected over the course of a 12-month period (January 1st - December 31st, 2018).As a preliminary step before analysing the phishing data, we built more context on how the .ml ccTLD stacks up against other TLDs by visiting the top ten most abused as reported by Spamhaus, a leading anti-spam organisation. On 21 January 2019, Spamhaus ranked the .ml ccTLD eighth on its top ten list of most abused TLDs for spam operations. Additionally, the .ml ccTLD received a badness index rating of 6.48 out of 10 due to 62.4 percent (>32,000) of the +52,000 observed domains being classified as bad domains (See Figure 2). <img alt="" src="https://cdn.filestackcontent.com/NigUh3tJTUicOJXuqNfT"/> Figure 2. Spamhaus Top 10 Most Abused Top Level Domains (Current as of January 21, 2019) We also explored the .ml domain registration process to see how complex it may be for threat actors to abuse this ccTLD to conduct malicious activity such as spamming, phishing campaigns, or hosting and distributing malware. The homepage for the Point ML Registry, “an initiative of the Agence des Technologies de l'Information et de la Communication (AGETIC) in Bamako, Mali”, provides a straightforward process where interested buyers can search for available domain names and register available names with a click of a button (See Figure 3). Next, we proceeded through the registration process twice and added two domain name variants of popular Dutch brands; a beverage company and a financial institution, which takes us to a Freenom e-commerce site to complete the purchase (See Figure 4). Then we selected “Checkout” where the user is redirected to the final screen to purchase the domain, with no charge for the initial 12 months, and can also choose to forward traffic from the domain to a specific site or setup a name server which defines the domain's current DNS provider that provides the location of our site when requested (See Figure 5). The final registration step involves a review and checkout page, which presented three options to make the purchase: 1) verify an email address, 2) log into a Freenom account, or 3) log in using a Google or Facebook account. Of note, we did not complete the purchase of the domain and have confirmed before this publication that the domain is still available for purchase.<img alt="" src="https://cdn.filestackcontent.com/IkTYNe41RLWxjUC7XeWr"/>Figure 3. Homepage for Point ML Registry<img alt="" src="https://cdn.filestackcontent.com/hkoHhaD9SOC2kudaFrB8"/>Figure 4. Freenom Availability Check and Selection of Domain<img alt="" src="https://cdn.filestackcontent.com/IMORQXS5R0iEdAcsBMOk"/>Figure 5. Multiple Purchasing Options and Initial DNS Record Configuration on Freenom Checkout<img alt="" src="https://cdn.filestackcontent.com/v2qIyToQqeN9irGMcfLi"/> Figure 6. Freenom Review and Checkout Screen To Finalise Domain PurchaseAt this point, we have additional context that helps build our understanding of the potential for abusing the the Mali ccTLD:<ul><li>Has the Mali ccTLD been abused to target Dutch organisations? Yes, the initial discovery.</li><li>How does the .ml ccTLD rank amongst its peer TLDs? Spamhaus states it is one of the most abused TLDs.</li><li>How difficult is it to register a .ml domain? Relatively easy for both legitimate and malicious subscribers.</li></ul>Upon exploration of the dataset of over 5,000 phishing sites registered with the .ml, Anomali researchers identified 15 targeted sectors with the top three most targeted being: Financial Services, Professional/Consultancy Services, and Telecommunications. These companies either have a Dutch headquarters or were globally dispersed companies.The below represents a sample of common phishing themes we observed:<h3>Credential Harvesting Pages</h3>Credential harvesting pages were amongst the most common types of phishing attacks observed in the period. They typically employ replica sites of legitimate organisations account login pages in attempt to lure unsuspecting users into disclosing their credentials.<img alt="" src="https://cdn.filestackcontent.com/Jd3V5GFQbSLDDkOdmQZ1"/>Figure 7. Credential harvesting page targeting ABN AMRO, the third-largest bank in the Netherlands (Status: Offline)<img alt="" src="https://cdn.filestackcontent.com/zjKdpopS6QFHH9uHBMMA"/>Figure 8. Invoice-themed Credential Harvesting Page Targeting Vodafone Netherlands Customers (Status: Offline) <h3>Whaling Attacks</h3>Aside from common phishing sites or replicas mimicking legitimate brand login pages, we observed other phishing types. In one of the more notable findings, we observed a Microsoft Office365-themed credential harvesting page likely targeting C-level executives from three different Dutch headquartered companies in a whaling attack in mid-December 2018.<ul><li>A C-level executive from Aegon, a multinational life insurance company headquartered in The Hague, Netherlands, was possibly targeted in a whaling attack (See Figure 9). This page contained the senior executive's corporate email address which is indicative of the victim clicking on a malicious hyperlink embedded in a phishing email or the threat actor preparing to send a phishing email to the intended target.</li><li>The second attack was against a C-level executive employed by KLM Royal Dutch Airlines, the flag carrier airline of the Netherlands headquartered in Amstelveen.</li><li>The third attack was against a C-level executive who works for Martinair, a Dutch cargo airline headquartered and based at Amsterdam Airport Schiphol and a subsidiary of Air France-KLM.</li></ul><img alt="" src="https://cdn.filestackcontent.com/m9WqhCPbTW2nW82kdrPr"/>Figure 9. Credential Harvesting Page Mimicking Microsoft Office365 Login Page and Targeting a C-level Executive from Aegon N.V. (Status: Offline) <h3>Global Financial Institutions</h3>Aside from observing .ml domains targeting Dutch organisations and executives, Anomali Labs found evidence of 21 global financial institutions from nine countries such as The Netherlands, United States, Canada, Australia, United Kingdom, and United Arab Emirates targeted in multiple phishing campaigns. Typical of other credential harvesting pages, the threat actor created a replica account login page or verification site of the targeted financial institution in an attempt to steal user credentials and security question answers.<img alt="" src="https://cdn.filestackcontent.com/QCAdf2LQQcel909zQdkj"/>Figure 10. Targeted Global Financial Institution by Headquartered Country<img alt="" src="https://cdn.filestackcontent.com/102eHpXRQkyVy5yboptb"/>Figure 11. Fake Login or Account Verification Screens for Targeted Global Financial Institutions (Status: Offline) <h3>Defending Against Phishing and Credential Harvesting Sites</h3>Enterprises<ul><li>Domain Takedowns - The first step in protecting your brand is to register your trademark. Trademark owners have the right to submit takedowns of fraudulent domains via Registrars and Hosting Providers by filing a complaint with these organisations. Another right of the trademark owner is entering into the Uniform Domain-Name Dispute Resolution-Policy (UDRP) by filing a Uniform Rapid Suspension (URS) complaint with the World Intellectual Property Organisation (WIPO) to takedown the offending domains. A friendly reminder, organisations need to first register your trademarked brand with the Trademark Clearinghouse (TMCH), which is ICANN’s database of protected trademarks before submitting the URS complaint. </li><li>Defensive Registrations - Consider defensive registration; registering multiple variations of your domain name, even if you have no intention of actually using them, this will keep the domains from being registered by squatters and threats actors that may leverage your brand name to conduct malicious activities or profit from an overpriced resell opportunity. </li><li>Browser Vendor Reporting - If you come across a phishing or malware site and followed the takedown options with no success, or a delay in the offending domains removal, consider reporting it to a Google and Microsoft. Reporting these malicious sites could allow other users to receive security warnings before visiting the site and possibly prevent infection or credential exposure.<ul><li>Google SafeBrowsing - <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en</a></li><li>Microsoft - <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest</a> </li></ul></li><li>Information Security Teams - Enterprise information security functions should consider blacklisting, or at least formulating suitable SIEM alert mechanisms for the .ml ccTLD across the relevant security controls (email gateway, firewall, web proxy). Undertake threat hunting exercises, in light of relevant and timely cyber threat information and intelligence, to see if any users received phishing emails from .ml domains or hyperlinks within the message body, and investigate instances where users may have communicated with the phishing sites. If not already in place, consider implementing a cybersecurity awareness programme to continually train and educate all staff members on the dangers of social engineering attacks. Reward staff appropriately for observing the teachings. </li><li>Brand Protection Solutions - Invest in a comprehensive brand monitoring solution that includes suspicious domain registrations and phishing site detection to track, investigate, and remediate targeted adversarial activity. </li><li>Situational Awareness - Consider staying abreast of the latest cyber security threat developments by subscribing to the <a href="https://www.anomali.com/community" target="_blank">Anomali Weekly Threat Briefing</a> and other cyber news articles and blogs. </li><li>Information Sharing and Analysis Center (ISAC)/Security Interest Group - Upon being alerted on such incidents, where possible, the indicators such as sender email address, sender’s IP address, embedded hyperlinks, malicious file attachments, and tactics, techniques, and procedures (TTPs) should be shared amongst trusted partners via a secure channel such as an ISAC or relevant security interest group. More information can be found <a href="https://www.anomali.com/isacs-sharing" target="_blank">here</a>.</li></ul>Individuals<ul><li>Do not click on links or open attachments in email messages if they are unsolicited or look suspicious. Seek to validate the authenticity of the message by contacting the sender organisation via a verified phone number or contact email address.</li><li>Always check the URL of the website and make sure that it belongs to the brand. Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.</li><li>Use strong and unique passwords, a password manager can help store them securely. This will lower the scope of exposure should one password be accessed by a cyber threat actor. Where available use two-factor authentication (multi-factor authentication (MFA)).</li><li>Consider investing in a secure router which provides web filtering of known illegitimate websites.</li></ul><h2>Conclusion</h2>The usage of domain permutations (adding/removing lettering, vowel swaps, hyphenation, repetition and transposition of characters, etc.) in an attempt to trick users to reveal usernames and passwords is a commonly used tactic employed by cyber threat actors on all spectrums of the sophistication scale. This is due to the limited financial outlay required to purchase a domain (as noted above, .ml domains can be initially registered for free), host and mirror an identified website, as well as the ability to simplistically target individuals or large volumes of users. Anomali Labs assesses that the usage of the Mali ccTLD (.ml) is to illegitimately pose as the Netherlands ccTLD (.nl), due to the similarity in the lettering, and a large number of examples has been uncovered during this research. All enterprise information security functions should consider the above recommendations, in line with their desired cyber risk appetite, and continually stay abreast of the latest cyber threat trends and TTPs.All organisations identified in our review have been promptly informed of the phishing threats prior to release of this blog post. Sources<a href="http://www.point.ml/en/index.html" target="_blank">Point ML Registry</a> <a href="https://www.spamhaus.org/statistics/tlds/" target="_blank">SpamHaus</a> <a href="https://www.virustotal.com/#/ip-address/185.158.251.84" target="_blank">VirusTotal</a> <a href="https://www.w3counter.com/globalstats.php" target="_blank">W3 Counter</a>