At the start of 2019, Anomali Labs observed an upward trend in threat actors abusing the Mali country code top-level domain (ccTLD), “.ml”, to host suspicious and malicious sites closely resembling those of Dutch organisations. Our research found that .ml is among the top ten most abused TLDs for spam operations, a position helped by the ease of registering .ml domains at no cost for up to 12 months. Our evaluation of over 5,000 phishing sites registered under the .ml ccTLD found that financial organisations were the most targeted sector and the Netherlands the most targeted geographic location. This blog post offers key insights from our analysis; we hope it raises awareness of how the .ml ccTLD is abused to impersonate established organisations in malicious cyber activity such as phishing attacks.
On January 9th, 2019, Anomali Labs observed two credential harvesting pages, hosted on the same server, targeting two separate Dutch financial organisations. The pages were hosted on domains registered under the ccTLD of the West African country of Mali, “.ml”, which closely resembles the Netherlands ccTLD “.nl” used by the targeted organisations’ legitimate websites. Both phishing pages were designed to lure online banking customers into entering their login credentials, which the threat actors then capture. Presumably, the threat actors could then log into the online banking accounts to steal payment card information, initiate fraudulent transactions or potentially extort the victim. Fortunately, the phishing pages had a limited online lifespan before being taken down and blacklisted by Google Safe Browsing, which is used by browsers commanding over 60 percent of the web browser market share. At the time of discovery, the phishing sites resolved to a German IP address, 185.158.251[.]84 (AS39378 - SERVINGA), assigned to VPS2DAY, a VPS provider with a presence in Germany, the Netherlands, Romania, Sweden, the U.K. and the U.S.
Figure 1. Sanitised illegitimate login prompt requesting the visitor’s Private (Particulier) or Business (Zakelijk) username (Gebruikersnaam) and password (Wachtwoord)
Operating on the hypothesis that adversaries leverage the visual similarity between the .ml and .nl ccTLDs to target Dutch organisations, we tested it by analysing over 5,000 verified phishing .ml domains collected over a 12-month period (January 1st - December 31st, 2018).
As a preliminary step before analysing the phishing data, we built more context on how the .ml ccTLD compares with other TLDs by reviewing the top ten most abused TLDs reported by Spamhaus, a leading anti-spam organisation. On 21 January 2019, Spamhaus ranked the .ml ccTLD eighth on its top ten list of TLDs most abused for spam operations. The .ml ccTLD received a badness index rating of 6.48 out of 10 because 62.4 percent (over 32,000) of the more than 52,000 observed domains were classified as bad domains (see Figure 2).
Figure 2. Spamhaus Top 10 Most Abused Top Level Domains (Current as of January 21, 2019)
We also explored the .ml domain registration process to see how easy it is for threat actors to abuse this ccTLD for malicious activity such as spamming, phishing campaigns, or hosting and distributing malware. The homepage of the Point ML Registry, “an initiative of the Agence des Technologies de l'Information et de la Communication (AGETIC) in Bamako, Mali”, provides a straightforward process in which interested buyers search for available domain names and register them with the click of a button (see Figure 3). We went through the registration process twice, each time adding a domain name variant of a popular Dutch brand (a beverage company and a financial institution); each search led to a Freenom e-commerce site to complete the purchase (see Figure 4). Selecting “Checkout” redirects the user to a screen where the domain is offered at no charge for the initial 12 months, and where the buyer can either forward traffic from the domain to a specific site or set up name servers, which define the domain's DNS provider and thereby tell resolvers where the site is located when requested (see Figure 5). The final step is a review and checkout page that presented three options to complete the purchase: 1) verify an email address, 2) log into a Freenom account, or 3) log in using a Google or Facebook account (see Figure 6). Of note, we did not complete the purchase of the domain and confirmed before publication that the domain is still available for purchase.
Figure 3. Homepage for Point ML Registry
Figure 4. Freenom Availability Check and Selection of Domain
Figure 5. Multiple Purchasing Options and Initial DNS Record Configuration on Freenom Checkout
Figure 6. Freenom Review and Checkout Screen To Finalise Domain Purchase
At this point, we have additional context that helps build our understanding of the potential for abusing the Mali ccTLD:
Exploring the dataset of over 5,000 phishing sites registered under the .ml ccTLD, Anomali researchers identified 15 targeted sectors, the top three being Financial Services, Professional/Consultancy Services, and Telecommunications. The targeted companies were either headquartered in the Netherlands or globally dispersed.
The following is a sample of the common phishing themes we observed:
Credential harvesting pages were among the most common types of phishing attack observed in the period. They typically use replicas of legitimate organisations’ account login pages in an attempt to lure unsuspecting users into disclosing their credentials.
Figure 7. Credential harvesting page targeting ABN AMRO, the third-largest bank in the Netherlands (Status: Offline)
Figure 8. Invoice-themed Credential Harvesting Page Targeting Vodafone Netherlands Customers (Status: Offline)
Aside from common phishing sites that replicate legitimate brand login pages, we observed other phishing types. In one of the more notable findings, in mid-December 2018 we observed a Microsoft Office365-themed credential harvesting page, likely used in a whaling attack targeting C-level executives from three different Dutch-headquartered companies.
Figure 9. Credential Harvesting Page Mimicking Microsoft Office365 Login Page and Targeting a C-level Executive from Aegon N.V. (Status: Offline)
Aside from .ml domains targeting Dutch organisations and executives, Anomali Labs found evidence of 21 global financial institutions from nine countries, including the Netherlands, the United States, Canada, Australia, the United Kingdom and the United Arab Emirates, being targeted in multiple phishing campaigns. As with other credential harvesting pages, the threat actor created a replica login or account verification page of the targeted financial institution in an attempt to steal user credentials and security question answers.
Figure 10. Targeted Global Financial Institution by Headquartered Country
Figure 11. Fake Login or Account Verification Screens for Targeted Global Financial Institutions (Status: Offline)
The use of domain permutations (adding or removing letters, vowel swaps, hyphenation, repetition and transposition of characters, etc.) to trick users into revealing usernames and passwords is a common tactic employed by cyber threat actors across the whole sophistication spectrum. This is because of the limited financial outlay required to purchase a domain (as noted above, .ml domains can initially be registered for free), host a mirror of an identified website, and target either individuals or large volumes of users with little effort. Anomali Labs assesses that threat actors use the Mali ccTLD (.ml) to pose illegitimately as the Netherlands ccTLD (.nl), because of the similarity in lettering, and a large number of examples have been uncovered during this research. All enterprise information security functions should consider the above recommendations, in line with their cyber risk appetite, and continually stay abreast of the latest cyber threat trends and TTPs.
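To make the permutation tactic concrete for defenders, here is an added example (written for this post; it is not Anomali's tooling and was not used in the research) that generates the permutation classes listed above for a brand domain, pairs each variant with the look-alike .ml ccTLD as well as the original .nl, and then matches a list of observed domains against the candidate set. The brand domain voorbeeldbank.nl and the observed domains are constructed for illustration and do not refer to any real organisation; the .nl to .ml mapping is the one assumption taken from this research.

```python
"""Look-alike domain generator and matcher (added example, not the post's code).

Generates typosquat-style permutations of a brand's second-level label
(omission, repetition, transposition, vowel swap, hyphenation, insertion),
pairs them with the original ccTLD and its visual look-alike (.nl -> .ml,
the pairing this research is about), and flags observed domains that match.
"""
import re
import string

VOWELS = "aeiou"
# Assumption from the research above: .ml is registered to pose as .nl.
LOOKALIKE_TLDS = {"nl": ["ml"]}


def split_domain(domain):
    """Return (label, tld) for a two-part domain such as 'voorbeeldbank.nl'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def permute_label(label):
    """Return the set of permuted labels (never the original itself)."""
    out = set()
    n = len(label)
    for i in range(n):                       # omission: drop one character
        out.add(label[:i] + label[i + 1:])
    for i in range(n):                       # repetition: double one character
        out.add(label[:i] + label[i] + label[i:])
    for i in range(n - 1):                   # transposition: swap neighbours
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):           # vowel swap
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    out.add(label[:i] + v + label[i + 1:])
    for i in range(1, n):                    # hyphenation
        out.add(label[:i] + "-" + label[i:])
    for i in range(n + 1):                   # insertion of one extra letter
        for c in string.ascii_lowercase:
            out.add(label[:i] + c + label[i:])
    out.discard(label)
    # Keep only labels that are valid DNS labels (LDH rule, no edge hyphens).
    return {v for v in out
            if re.fullmatch(r"[a-z0-9-]+", v) and not v.startswith("-") and not v.endswith("-")}


def lookalike_domains(domain):
    """All permuted labels (plus the original label) under the original TLD
    and its look-alike TLDs, excluding the legitimate domain itself."""
    label, tld = split_domain(domain)
    labels = permute_label(label) | {label}
    tlds = [tld] + LOOKALIKE_TLDS.get(tld, [])
    return {f"{lab}.{t}" for lab in labels for t in tlds if f"{lab}.{t}" != domain.lower()}


def classify(observed, brands):
    """Map each observed domain to the brand domain it impersonates, or None."""
    index = {}
    for brand in brands:
        for candidate in lookalike_domains(brand):
            index.setdefault(candidate, brand)
    return {d: index.get(d.lower()) for d in observed}


if __name__ == "__main__":
    # Constructed sample data: one fictional Dutch bank and a few "observed" domains.
    brands = ["voorbeeldbank.nl"]
    observed = ["voorbeeldbank.ml", "voorbeldbank.ml", "voorbeeld-bank.ml",
                "vorobeeldbank.nl", "vooorbeeldbank.ml", "google.com"]
    for domain, hit in classify(observed, brands).items():
        print(f"{domain:22s} -> {hit or 'no match'}")
```

In practice the brand list would be an organisation's own domains, and the observed list would come from a feed of newly registered .ml domains or from proxy and mail logs; any hit is a candidate for blocking and takedown, while the pure ccTLD swap (the original label under .ml) deserves the highest priority because it is the cheapest and most convincing variant described above.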
All organisations identified in our review have been promptly informed of the phishing threats prior to release of this blog post.