In December 2016, Cisco Umbrella released a new security category called “Newly Seen Domains”. This category identifies domains that have been queried for the first time by customers of Cisco Umbrella. The Security Research team has been developing new classifiers that can make malicious convictions on these newly seen domains. We’ve also been engaging in some simple threat hunting techniques.

One technique is to search the list of newly seen domain names for a combination of specific keywords, in particular keywords often used in phishing and scareware domain names. Examples include: verify, security, account, login, apple, office365, alert, virus, google, microsoft.

This blog post will highlight a subset of scareware domains found through one of our threat hunting exercises.

Scareware at .science

Scareware is a domain or malicious software that tricks users into believing their computer is infected with malware and sells fake antivirus software or technical support to remove it. These types of domains often impersonate well known companies, like Microsoft.

A large number of scareware domains impersonating Microsoft were newly seen within the past couple of days from the .science gTLD. We’re going to look closer at one of these domains and will provide a full list of domains at the end of the post. Many of them will display the same fake Microsoft page if you use the URI /ow/en/ with the domain name.


After clicking “Continue” an animation loads that is pretending to scan your system. The results always tell you that your system is infected with ransomware.

After clicking on “Download and Repair Windows” you’re instructed on how to install the software.

When I reviewed these domains, the location they were using to host the executable did not deliver the download and responded with a 400 Bad Request.

So, I decided to check out the domain they were using throughout their HTML source to host their images, globalsystools[.]com, and was able to download the executable.

Here is a screenshot of the software running on a virtual machine.

Simply doing a Google search on the phone number displayed, 1-855-332-0124, reveals that it is well known and associated with tech support scams.

In case you’re curious, here’s a look at what happened to the CPU usage on my virtual machine after installing this software.


Don’t Take the Bait

If a company is using these types of lies, impersonations and scareware tactics to frighten people into installing their software, you should stay away. Tech support scams thrive on this type of impersonation, tricking the person into believing they’re seeking help from a reputable trusted company.

Let’s look at the structure of one of these domain names.[.]science

  •” are subdomains on the parent domain prehistorichelpfulmillipedeofsuccess[.]science
  • .science is the gTLD


When you visit the above URL, you’re visiting a subdomain of the domain name prehistorichelpfulmillipedeofsuccess[.]science. It may appear that the subdomains form a legitimate domain name “” but that is only done to trick people into taking the bait. Be sure to always check hostnames down to their TLD, or in this case, the gTLD being .science.
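As an added example (not code from the post or from Cisco Umbrella), here is a small Python hunt over a constructed newly seen list: it applies the keyword search described at the start of the post and, for each hit, splits the hostname down to its gTLD so that a brand name that appears only in subdomain labels is called out. It assumes single-label public suffixes such as .science; hostnames under suffixes like co.uk would need a public suffix list.

```python
# Keywords the post lists as common in phishing and scareware domain names.
HUNT_KEYWORDS = ("verify", "security", "account", "login", "apple",
                 "office365", "alert", "virus", "google", "microsoft")

# Brands whose name sitting only in a subdomain label is the lure structure
# the post describes (the fake page impersonates Microsoft).
IMPERSONATED_BRANDS = ("microsoft", "apple", "google", "office365")


def split_hostname(hostname):
    """Return (subdomain_labels, registered_domain, tld).

    Accepts defanged names written with "[.]" as in the post. Assumes a
    single-label public suffix (e.g. .science, .com).
    """
    host = hostname.lower().replace("[.]", ".").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError("not a fully qualified hostname: %r" % hostname)
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def hunt(hostnames, keywords=HUNT_KEYWORDS, brands=IMPERSONATED_BRANDS):
    """Flag hostnames containing hunt keywords (plain substring match, so
    expect false positives such as "pineapple"); also mark those where a
    brand appears only in subdomain labels, not in the registered domain."""
    findings = []
    for name in hostnames:
        subs, registered, tld = split_hostname(name)
        hits = [k for k in keywords if k in name.lower()]
        if not hits:
            continue
        sub_part = ".".join(subs)
        brand_in_subdomain_only = any(
            b in sub_part and b not in registered for b in brands)
        findings.append({"hostname": name, "registered_domain": registered,
                         "tld": tld, "keywords": hits,
                         "brand_in_subdomain_only": brand_in_subdomain_only})
    return findings


# Constructed sample list; these are not hostnames from the post.
SAMPLE_NEWLY_SEEN = [
    "windows.microsoft.com.example-lure.science",  # brand only in subdomains
    "login.microsoftonline.com",                   # brand in registered domain
    "virus-alert-repair.example-lure.science",     # keywords, no brand
    "weather.example.com",                         # no keyword hit
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_NEWLY_SEEN):
        print(f)
```

Only the first sample triggers the brand-in-subdomain-only flag, which is the signal worth prioritising over a bare keyword hit.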

At Cisco Umbrella, we’re continually working against malicious actors to protect our customers. Our Security Research team uses many methods to stay ahead of attacks, ranging from algorithmic classification techniques to threat hunting for specific attack trends.

Scareware .science domains:

The hosting IP of the domains, showing many more seen by Cisco Umbrella’s passive DNS data:


View of 185[.]145[.]129[.]106 in Investigate
