Threats

You Know, for Science

By Andrea Kaiser
Posted on March 15, 2018
Updated on March 1, 2020


In December 2016, Cisco Umbrella released a new security category called “Newly Seen Domains”. This category identifies domains that have been queried for the first time by customers of Cisco Umbrella. The Security Research team has been developing new classifiers that can make malicious convictions on these newly seen domains. We’ve also been engaging in some simple threat hunting techniques.
One technique is to search the list of newly seen domain names for combinations of specific keywords, in particular keywords that are often used in phishing and scareware domain names, for example: verify, security, account, login, apple, office365, alert, virus, google, microsoft.
This blog post highlights a subset of scareware domains found through one of our threat hunting exercises.

Scareware at .science

Scareware is a domain or malicious software that tricks users into believing their computer is infected with malware and then sells fake antivirus software or technical support to remove it. These types of domains often impersonate well-known companies, like Microsoft.
A large number of scareware domains impersonating Microsoft were newly seen within the past couple of days from the .science gTLD. We’re going to look more closely at one of these domains and will provide a full list of domains at the end of the post. Many of them display the same fake Microsoft page if you request the URI /ow/en/ on the domain name.
http://security[.]microsoft[.]com[.]jfjaky[.]brightloyaltroutofenergy[.]science/ow/en/

After clicking “Continue”, an animation loads that pretends to scan your system. The results always tell you that your system is infected with ransomware.

After clicking on “Download and Repair Windows” you’re instructed on how to install the software.

When I reviewed these domains, the location they were using to host the executable did not deliver the download and responded with a 400 Bad Request.
So, I decided to check out the domain they were using throughout their HTML source to host their images, globalsystools[.]com, and was able to download the executable.

Here is a screenshot of the software running on a virtual machine.

Simply doing a Google search on the phone number displayed, 1-855-332-0124, reveals that it is well known and associated with tech support scams.
In case you’re curious, here’s a look at what happened to the CPU usage on my virtual machine after installing this software.


Don’t Take the Bait

If a company is using these types of lies, impersonations and scareware tactics to frighten people into installing their software, you should stay away. Tech support scams thrive on this type of impersonation, tricking the person into believing they’re seeking help from a reputable trusted company.
Let’s look at the structure of one of these domain names.
http://security.apple.com.abwxfmcxp.prehistorichelpfulmillipedeofsuccess[.]science

  • “security.apple.com.abwxfmcxp” are subdomains on the parent domain prehistorichelpfulmillipedeofsuccess[.]science
  • .science is the gTLD

When you visit the above URL, you’re visiting a subdomain of the domain name prehistorichelpfulmillipedeofsuccess[.]science. The subdomain labels may appear to form the legitimate domain name “security.apple.com”, but that is only done to trick people into taking the bait. Be sure to always check hostnames all the way down to their TLD, which in this case is the gTLD .science.
At Cisco Umbrella, we’re continually working against malicious actors to protect our customers. Our Security Research team uses many methods to stay ahead of attacks, from algorithmic classification techniques to threat hunting for specific attack trends.
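The keyword hunt described at the start of the post and the hostname-structure check above can be combined into one small triage step. The following is an added example, not Cisco Umbrella’s own tooling: it scans a constructed feed of newly seen hostnames for the keywords listed in the post and then, for each hit, separates the registered domain from the subdomain labels so that a brand name appearing only to the left of the registered domain is reported as a spoof. It assumes single-label TLDs such as .science; the `BRANDS` table and the sample feed are constructed for illustration.

```python
# Added example (not from the original post). Hunts a feed of newly seen
# hostnames for brand keywords that appear only in subdomain labels, i.e.
# "security.apple.com" glued onto an unrelated registered domain.

KEYWORDS = {"verify", "security", "account", "login", "apple", "office365",
            "alert", "virus", "google", "microsoft"}

# Constructed table: brand keyword -> the registered domain(s) that brand
# legitimately uses. Anything else carrying the brand is suspect.
BRANDS = {
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com"},
    "google": {"google.com"},
}


def registered_domain(hostname):
    """Last two labels of the hostname (parent domain + TLD).

    Assumption: single-label TLDs like .science. A production pipeline
    should use the Public Suffix List instead so that names such as
    example.co.uk are split correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def keyword_hits(hostname):
    """Keywords from the hunt list that occur in any label of the hostname."""
    labels = hostname.lower().split(".")
    return sorted(k for k in KEYWORDS if any(k in lab for lab in labels))


def spoofed_brands(hostname):
    """Brands named in the subdomain part whose real domain is NOT the
    registered domain. Substring matching is deliberately loose: this is a
    hunting filter, not a conviction."""
    host = hostname.lower()
    reg = registered_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")   # labels left of reg
    return sorted(b for b, real in BRANDS.items() if b in sub and reg not in real)


def hunt(newly_seen):
    """Return one finding per hostname that matched at least one keyword."""
    findings = []
    for h in newly_seen:
        hits = keyword_hits(h)
        if hits:
            findings.append({"host": h, "registered": registered_domain(h),
                             "keywords": hits, "spoofed": spoofed_brands(h)})
    return findings


# Constructed sample feed; these are not the post's indicators.
SAMPLE_FEED = [
    "security.apple.com.abc123.example-animal-words.science",
    "login.microsoft.com.xyz.example-parentdomain.science",
    "www.apple.com",          # keyword hit, but the brand owns the domain
    "support.example.org",    # no keyword hit at all
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FEED):
        print(f)
```

Findings with an empty `spoofed` list are keyword-only matches, which is why the registered-domain check matters: `www.apple.com` trips the keyword filter but is not a spoof.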

Scareware .science domains:

The hosting IP of the domains, showing many more seen by Cisco Umbrella’s passive DNS data:
185[.]145[.]129[.]106

View of 185[.]145[.]129[.]106 in Investigate
