Another way to lose money?

This year, the stock market has been at its most volatile due to a number of factors. Debate abounds over whether 2022 will be as bad as 2008, but we’ll leave that to the experts. What we do know is that threat actors may be riding the wave as conditions in the stock and foreign exchange markets are attracting media and public attention.

The study analyzed thousands of web properties containing the string “nasdaq”. Since the foreign exchange market also makes headlines, we included the search term “forex” in our search. Our key findings include:

  • 760+ Nasdaq-related domains and subdomains added in the past three months (between 1 August and 31 October 2022)
  • More than 9,100 foreign exchange-related websites were added during the same period
  • Most properties are geolocated and registered in the United States, but there are also properties traced to European and Asian countries
  • About a third of resolved properties can be traced back to Hetzner Online GmbH as Internet Service Provider (ISP), while most domain name registrations were made under Namecheap as registrar

A sample of additional artifacts obtained from our analysis can be downloaded from our website.

Analysis of cybersquatting resources relevant to the market

To determine how dangerous investment-related digital assets are, we used extensive DNS and IP intelligence resources to determine their location, ownership details and content. Here are four questions we tried to answer.

Where are most of the web assets located?

Domains containing “nasdaq” and “forex” were registered primarily in the United States, and a significant number were also registered in Iceland, but mainly because the registrants used the services of a privacy redaction provider based in that country.

About 90% of the assets have active IP solutions, mostly located in the US and Germany.

Figure 1: Registered countries and IP geographic locations of investment-related online resources
Who is responsible for cybersquatting property?

The majority of web resources are managed by Namecheap, accounting for about 17% of the total. It is followed by GoDaddy and GMO with 9.5% and 7.5% shares respectively.

Note also that almost all domains studied have redacted WHOIS records. About 80 percent of the registrant email addresses we retrieve through bulk WHOIS searches are anonymized.

Are squatting resources malicious?

We conducted domain malware checks on all digital properties and found that several of them had been involved in malicious activity. Despite the reports, some continued to host live content. Some examples are shown below.

After taking a closer look at the sample malicious domains, we found three types of malicious content used in different campaigns, namely:

  • Landing page may target Nasdaq and FX investors
  • Pages that lure users in by promising deals and sign-up bonuses
  • The content repeatedly shows the popular trading platform “Exness”
What content is hosted by the web resource?

A screenshot lookup of all parsed resources shows several domains hosting the same content as flagged as “malicious”.Here are some examples of domains that host the same nasdaq login page as nasdaqtaiwan[.]com.

Figure 1: Screenshot of a webpage similar to nasdaqtaiwan hosting the Nasdaq login page[.]com

The following domains host content similar to the malicious domain clever-forex[.]com, which promises customers up to $10,000 in sign-up bonuses. It also has the same Telegram account.

Figure 2: Screenshot of a web page with content similar to clever-forex[.]com

We also found dozens of domains that looked similar to forextrackingnumbercheck[.]com, the thumbnails displayed on the page appear to be promoting Exness. Several domains appear to mimic trading platforms.

Figure 3: Screenshot of a webpage hosting content similar to forextrackingnumbercheck[.]com

In addition to Exness, some content is also made to look like content from legitimate sites. Here are some examples.

While some of the web properties in this study may be operated by legitimate stock and forex brokers, others may be involved in malicious activity targeting investors. We’ve found dozens flagged as malicious, with many more potentially dangerous.

In addition to educating investors about the dangers of cybersquatting, regular monitoring of investment-related web resources can help spot suspicious domains and subdomains early on, before investors lose money to threat actors.

If you wish to conduct a similar investigation or obtain the full data behind this study, please feel free to contact us.

(function (d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); = id;
js.src = “//”;
fjs.parentNode.insertBefore(js, fjs);
}(document, ‘script’, ‘facebook-jssdk’));

Leave a Reply

Your email address will not be published. Required fields are marked *