Recently, the Federal Bureau of Investigation (FBI) issued a warning about the LabHost phishing-as-a-service (PhaaS) campaign, raising concerns about global user security. The FBI flagged 42,515 IoCs related to the campaign, prompting WhoisXML API to conduct an extensive analysis of these indicators through a comprehensive DNS investigation.
Following the FBI’s identification of the IoCs, WhoisXML API examined 42,401 unique domains after filtering out duplicates and non-domain entries. Additionally, they uncovered 1,661 new typosquatting domains that mirrored the IoCs listed by the FBI. This combined list of 44,062 domains yielded several key findings.
The analysis revealed the presence of 18 prominent brands within the new typosquatting domains, all of which were also flagged by the FBI. Furthermore, data from the Internet Abuse Signal Collective (IASC) DNS traffic showed 11,009 distinct client IP addresses making 74,617 DNS requests across 163 domains.
Further scrutiny using the First Watch Malicious Domains Data Feed revealed 3,319 malicious domains created prior to the FBI’s warning date, with an average lead time of 419 days. Notably, the examination of subdomains within the 44,062 domains highlighted common strings like www, mail, webmail, and others, totaling 61,727 subdomains.
Delving deeper, an investigation into IP resolutions of the 44,062 domains identified 1,346 unique IP addresses, with 1,055 of them categorized as malicious. Geolocation data for these IPs indicated a distribution across 41 countries, with the U.S., Germany, and the Netherlands topping the list.
By cross-referencing the domains against various databases, WhoisXML API found that 682 typosquatting domains had current WHOIS records, created between 2012 and 2025. These domains were registered with 62 different registrars across 27 countries, with text strings related to the 18 well-known brands.
Comparing the creation dates reported by the FBI with those in First Watch showed discrepancies, suggesting the two draw on different data sources. The examination of subdomains and active IP resolutions further enriched the analysis, shedding light on potential threats lurking within the LabHost PhaaS campaign.
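The list-cleaning and subdomain-string steps described above, as an added example that is not WhoisXML API’s or the FBI’s code: it normalizes a constructed IoC feed (not the real 42,515 indicators), drops duplicates and non-domain entries, and counts subdomain prefixes such as www, mail and webmail. It assumes the registrable domain is the last two labels, a simplification made here because no public-suffix list is used.

```python
import re
from collections import Counter

# Constructed sample feed (not the FBI's IoC list): domains, URLs, an IP,
# a defanged URL, a duplicate and a junk entry, as raw feeds typically arrive.
SAMPLE_IOCS = [
    "www.example-bank-login.com",
    "https://mail.example-bank-login.com/verify",
    "webmail.examplebank-secure.net",
    "EXAMPLE-BANK-LOGIN.COM",
    "198.51.100.23",
    "hxxp://mail.examplebank-secure[.]net/",
    "not a domain",
    "webmail.examplebank-secure.net",
]

DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def extract_hostname(ioc):
    """Reduce one raw IoC to a lowercase hostname, or None if it is not a domain."""
    value = ioc.strip().lower().replace("[.]", ".")   # undo common defanging
    value = re.sub(r"^(?:hxxps?|https?)://", "", value)
    value = value.split("/")[0].split(":")[0]          # drop path and port
    if IP_RE.match(value) or not DOMAIN_RE.match(value):
        return None
    return value

def registrable_domain(hostname):
    """Assumption: the registrable domain is the last two labels (no PSL lookup)."""
    return ".".join(hostname.split(".")[-2:])

def triage(iocs):
    """Return (sorted unique registrable domains, Counter of subdomain prefixes)."""
    hosts = {h for h in map(extract_hostname, iocs) if h is not None}  # dedup
    domains = set()
    prefixes = Counter()
    for host in hosts:
        root = registrable_domain(host)
        domains.add(root)
        if host != root:
            prefixes[host[: -len(root) - 1]] += 1   # label(s) left of the root
    return sorted(domains), prefixes

if __name__ == "__main__":
    roots, labels = triage(SAMPLE_IOCS)
    print(len(roots), "unique domains;", "common prefixes:", labels.most_common(3))
```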
While this overview provides a glimpse into the comprehensive research conducted by WhoisXML API, the full findings and additional artifacts are available for download on their website. As cybersecurity threats continue to evolve, in-depth investigations like these play a crucial role in enhancing threat detection capabilities and fortifying defenses against malicious actors.