This article has been indexed from CircleID: Cybercrime
Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the original investigations available here, which led to the creation of this post.
On any given day, most of us receive more emails that we will never read than ones we will. Many of these messages stay unread and go straight to the trash. Then there is a third category: the emails we wish we hadn't read and acted upon, because they are malicious, sent by cybercriminals trying to lure you into one of their scams.
We came across several email addresses that belonged or were connected to known cybercriminals. Using them as pivot points in Maltego with WhoisXML API transforms, we expanded the digital footprints of the perpetrators.
Data Set
Hundreds of email addresses confirmed to belong to cybercriminals and money mule recruiters were gathered. These include the following six, whose footprints (connected domains and IP addresses) we expanded via Maltego with WhoisXML API transforms.
- nick2chocolate@hotmail[.]com
- silver[.]root@yahoo[.]com
- akaminosky@yahoo[.]co[.]uk
- mail@yahoo[.]com
- shwark[.]power[.]andrew@gmail[.]com
- hilarykneber@yahoo[.]com
Discoveries Using Maltego with WhoisXML API Transforms
Each of the six email addresses cited above was fed to Maltego with WhoisXML API transforms to determine its connected domains and IP addresses, if any. Using the Historical Reverse WHOIS Search transform, we found that the email addresses were connected to a total of 22 domains. Below are the Maltego graphs showing the connections found.
[Maltego graph: connections found for nick2chocolate@hotmail[.]com]
[Maltego graph: connections found for silver[.]root@yahoo[.]com]
[Maltego graph: connections found for akaminosky@yahoo[.]co[.]uk]
[Maltego graph: connections found for mail@yahoo[.]com]
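As an added illustration of the email-to-domain-to-IP pivot described above (example code written for this post, not the original investigation's tooling and not the WhoisXML API), the script below runs a reverse-WHOIS style lookup over a constructed in-memory record set. The domains (`.test`) and IPs (documentation ranges) are made up; the seed emails are the defanged addresses listed above.

```python
import re
from collections import defaultdict

# Constructed sample of historical WHOIS records (NOT real WhoisXML API data).
# Each tuple is (domain, registrant_email, resolved_ip); emails are defanged.
SAMPLE_HISTORICAL_WHOIS = [
    ("example-shop-a.test", "nick2chocolate@hotmail[.]com", "203.0.113.10"),
    ("example-shop-b.test", "nick2chocolate@hotmail[.]com", "203.0.113.10"),
    ("example-mule-c.test", "silver[.]root@yahoo[.]com", "203.0.113.10"),
    ("example-mule-d.test", "silver[.]root@yahoo[.]com", "198.51.100.7"),
    ("example-unrelated.test", "someone@example.test", "192.0.2.5"),
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into its real form for lookups."""
    return re.sub(r"\[\.\]", ".", indicator)

def defang(indicator: str) -> str:
    """Defang a domain/email/IP so it is not accidentally clickable in a report."""
    return indicator.replace(".", "[.]")

def reverse_whois_pivot(email: str, records=SAMPLE_HISTORICAL_WHOIS) -> dict:
    """Mimic a 'Historical Reverse WHOIS' transform: given a registrant email,
    return the domains it registered and the IPs those domains resolved to."""
    target = refang(email).lower()
    domains, ips = set(), set()
    for domain, reg_email, ip in records:
        if refang(reg_email).lower() == target:
            domains.add(domain)
            ips.add(ip)
    return {"email": target, "domains": sorted(domains), "ips": sorted(ips)}

def shared_infrastructure(emails, records=SAMPLE_HISTORICAL_WHOIS) -> dict:
    """Second-order pivot: IPs reachable from more than one seed email, i.e. the
    overlaps a Maltego graph would show as nodes linking two clusters."""
    ip_to_emails = defaultdict(set)
    for e in emails:
        for ip in reverse_whois_pivot(e, records)["ips"]:
            ip_to_emails[ip].add(refang(e).lower())
    return {ip: sorted(v) for ip, v in ip_to_emails.items() if len(v) > 1}

if __name__ == "__main__":
    seeds = ["nick2chocolate@hotmail[.]com", "silver[.]root@yahoo[.]com"]
    for s in seeds:
        r = reverse_whois_pivot(s)
        print(defang(r["email"]), "->", [defang(d) for d in r["domains"]], r["ips"])
    print("shared IPs:", shared_infrastructure(seeds))
```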