While deepfakes may sometimes be perceived as amusing, their potential for harm is significant and far-reaching. One finance worker for a multinational firm, for example, was tricked into paying out US$25 million to a deepfake scammer who pretended to be their company's chief financial officer (CFO) in a video call just this February.
Palo Alto Networks Unit 42 dove deep into various deepfake scams that have plagued users over time and in the process uncovered 416 domain names that played a part in them. The WhoisXML API research team believes there could be more behind the indicators of compromise (IoCs) that have already been made public. Our analysis specifically uncovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We kicked off the investigation by performing a bulk WHOIS lookup for the domains identified as IoCs, which revealed that only 241 had current WHOIS records. The lookup also yielded other results, namely:
We began our search for connected web properties with Reverse WHOIS Search queries for the three public registrant organizations found in the current WHOIS records of the 241 domain IoCs. Using the tool's Advanced feature, we looked for exact matches of the registrant organizations in historical WHOIS records. We found 1,070 registrant-connected domains after duplicates and the IoCs were filtered out.
Next, we performed WHOIS History API queries for the 241 domain IoCs, which allowed us to obtain 32 email addresses from their historical WHOIS records after filtering out duplicates. A closer look at them showed that 10 were public email addresses that we then used to look for email-connected domains.
Reverse WHOIS API queries for the 10 public email addresses further showed that one email address could belong to a domainer (given the high number of connected domains), so it was excluded from the final list. The nine public email addresses appeared in the current WHOIS records of six email-connected domains after duplicates, the IoCs, and the registrant-connected domains were filtered out.
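The pivot-and-filter steps in the three paragraphs above, as an added offline Python model that is not WhoisXML API's code: the records, the domainer cut-off and the privacy-redaction heuristic are all constructed assumptions standing in for the API responses, and the filtering order (drop duplicates, the IoCs, then the registrant-connected set) follows the text.

```python
"""Offline model of the WHOIS pivoting workflow described in the post.
Every record and threshold below is constructed sample data, not a real IoC."""

DOMAINER_THRESHOLD = 500  # assumed cut-off for "too many connected domains"; the post gives none

# Constructed inputs standing in for Bulk WHOIS, WHOIS History and Reverse WHOIS results.
IOCS = {"fakevid-cfo.example", "deepvoice-pay.example", "noinfo.example"}
CURRENT_WHOIS = {  # domain -> (registrant org, registrant e-mail); missing key = no current record
    "fakevid-cfo.example": ("Scam Media LLC", "ops@scam-media.example"),
    "deepvoice-pay.example": ("Scam Media LLC", "REDACTED FOR PRIVACY"),
}
HISTORY_EMAILS = {  # domain -> e-mails seen across its historical WHOIS records
    "fakevid-cfo.example": ["ops@scam-media.example", "bulk@parking.example"],
    "deepvoice-pay.example": ["ops@scam-media.example", "REDACTED FOR PRIVACY"],
}
REVERSE_BY_ORG = {"Scam Media LLC": {"fakevid-cfo.example", "clone-cfo.example", "ai-call.example"}}
REVERSE_BY_EMAIL = {
    "ops@scam-media.example": {"clone-cfo.example", "voicekit.example", "deepvoice-pay.example"},
    "bulk@parking.example": {f"lot{i}.example" for i in range(800)},  # behaves like a domainer
}


def is_public(email):
    """Assumed heuristic: a real mailbox, not a registrar privacy placeholder."""
    return "@" in email and "privacy" not in email.lower()


def registrant_connected(iocs, whois, reverse_by_org):
    """Pivot on registrant organizations of IoCs with current records; drop the IoCs."""
    orgs = {org for d, (org, _) in whois.items() if d in iocs and org}
    found = set().union(*(reverse_by_org.get(o, set()) for o in orgs))
    return found - iocs


def email_connected(iocs, history, reverse_by_email, exclude, threshold=DOMAINER_THRESHOLD):
    """Pivot on public historical e-mails, skipping likely domainers.

    Returns (public e-mails, e-mails kept after the domainer check,
    connected domains minus the IoCs and the already-known `exclude` set).
    """
    emails = {e for d in iocs for e in history.get(d, []) if is_public(e)}
    kept = {e for e in emails if len(reverse_by_email.get(e, ())) < threshold}
    found = set().union(*(reverse_by_email.get(e, set()) for e in kept))
    return emails, kept, found - iocs - exclude
```

Because `email_connected` subtracts the registrant-connected set, a domain reachable by both pivots is only counted once, which is what keeps the two totals in the post disjoint.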
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.