Does Malicious Campaign Planning Take as Long as Legitimate Marketing Campaign Planning?

It has become common for cybercriminals to piggyback on well-known brands to make their campaigns work, and the release of highly anticipated tech gadgets is no exception. Given the public attention these launches attract and the desire of enthusiasts to be the first to own the latest device, threat actors have a ready pool of potential buyers to target with scams.

We looked at the most in-demand tech releases of 2022 to help prospective buyers stay protected. Our research aimed to determine whether cybercriminals take as long to prepare their campaigns as legitimate companies do. Our key findings include:

  • A total of 855 domains were found containing strings that cybercriminals would likely use in campaigns targeting potential buyers of the most anticipated gadgets.
  • We uncovered 118 subdomains containing the same strings, aimed at the techies awaiting the most coveted tech finds of 2022.
  • Eight of these domains and subdomains (four of each) were detected as malicious.
  • Threat actors may have spent between 3 and 29 weeks preparing to launch their malicious campaigns.
  • Domain registrations related to the iPhone 14 peaked in September 2022, coinciding with the product’s launch date.

A sample of the additional artifacts recovered from our analysis is available for download from our website.

Searching for traces in the DNS

We began our investigation by searching for domain registration hints through Domains & Subdomains Discovery. Using our list of the most anticipated tech releases of 2022, we identified the domain and subdomain strings that threat actors would most likely use in their scams (see the table below; a plus sign joins tokens that must appear together in a name).

Most anticipated gadget   | Planned release date                                               | Strings
Panic Playdate            | April 18, 2022                                                     | playdate; playdate + console
Valve Steam Deck          | February 25, 2022                                                  | steam + deck; valve + steam + deck
Rivian R1T                | January 2022 (all variants; originally released September 2021)    | rivian + r1t
Rivian R1S                | June 2022                                                          | rivian + r1s
Magic Leap 2              | September 2022                                                     | magic + leap2
Meta Quest 3              | October 2023 (delayed)                                             | meta + quest3
Apple iPhone 14           | September 16, 2022                                                 | apple + iphone14; iphone14
Google Pixel Watch        | October 13, 2022                                                   | google + pixel + watch; pixel + watch
Apple AR glasses          | January 2023 (delayed)                                             | apple + arglasses
Chevrolet Silverado EV    | March 2023 (delayed)                                               | chevy + silveradoev
Google AR glasses         | 2023 or 2024 (delayed)                                             | google + arglasses

To determine whether cybercriminals spend as much time preparing campaigns as marketers typically do (i.e., about a year before launch), we looked at domain registration volume trends for each product over the year preceding its planned release. For products originally slated for 2022 whose launch was pushed back, we began tracking about two years ahead of the new dates set by their manufacturers.

This led to the discovery of 855 domains. Obvious false positives such as playdate-app[.]ok, doggyplaydate[.]ws and toddlerplaydate[.]com were removed from the list of playdate-containing domains because of the generic nature of that string. A bulk malware check revealed that four of the remaining domains are currently detected as malicious, namely:

  • steamdecktouchtype[.]com
  • appleiphone14[.]in
  • iphone14[.]biz
  • 25iphone14pro[.]top

Only two of them, iphone14[.]biz and 25iphone14pro[.]top, still hosted live content. Based on screenshot lookups, neither had anything to do with selling the iPhone 14, and none of the four belonged to the makers of the products in question.

It is also interesting to note that, based on a bulk WHOIS search, only 41 of the 855 domains containing our predefined strings had unredacted registrant email addresses or belonged to the product manufacturers examined. In particular, 24 listed Apple, Inc. or Apple France as the registrant organization, and three listed [email protected][.]com as the registrant email address, the same address found on domains known to be owned by the tech giant.

We followed the same steps for subdomains, which yielded 117 web properties containing the previously identified strings. Of these, four are currently classified as malware hosts: iphone14[.]pwrlottery1[.]tk, iphone14[.]issam[.]digital, www[.]iphone14[.]issam[.]digital and iphone14metacollab[.]blogspot[.]com.

While all four remained live at the time of writing, Blogspot appeared to be moving to remove the malicious blog from its platform. None of the subdomains belonged to the product manufacturers examined.

To gauge how much time threat actors spent building their purpose-made traps, we took a closer look at the WHOIS records of the malicious domains and subdomains (using the root domain for each subdomain). The malicious site iphone14metacollab[.]blogspot[.]com was excluded, since anyone can create a blog on that platform and the root domain’s creation date says nothing about the attacker.

Five of the seven remaining malicious assets were created between three and 29 weeks before the launch date of their target product. One, however, was created a week after the target gadget was released, and another, iphone14[.]pwrlottery1[.]tk, had no creation date in its WHOIS record. The more elaborate the page, as with iphone14[.]biz, the longer the preparation appeared to have taken. Note that a WHOIS creation date only bounds the preparation window: it shows when the name was registered, not when the malicious content was built or when it went live.
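As an added example (not the vendor’s tooling and not code from the original post), the following Python script works through the procedure described above, from the string table to the WHOIS step: it matches candidate names against the "a + b" string patterns, drops the generic playdate false positives, separates manufacturer-owned registrations by registrant organization, and computes how many weeks before launch each malicious name was created. The records, creation dates, verdicts and the manufacturer list are constructed for illustration; a real run would take them from Domains & Subdomains Discovery and bulk WHOIS output.

```python
"""Brand-keyword domain triage modelled on the post's workflow.
Added example, not the vendor's code; all input records are constructed."""
from datetime import date
import re

# Patterns in the post's "a + b" notation: every token must occur in the name,
# in that order, with anything in between (e.g. "steam-deck-touchtype").
PATTERNS = {
    "iPhone 14": ["apple + iphone14", "iphone14"],
    "Steam Deck": ["valve + steam + deck", "steam + deck"],
    "Playdate": ["playdate + console", "playdate"],
}
LAUNCH_DATE = {
    "iPhone 14": date(2022, 9, 16),
    "Steam Deck": date(2022, 2, 25),
    "Playdate": date(2022, 4, 18),
}
# Generic uses of "playdate" the post removed as obvious false positives.
GENERIC_MARKERS = ("doggy", "toddler", "playdate-app")
# Registrant organisations treated as the legitimate manufacturer (assumed list).
MANUFACTURER_ORGS = {"apple inc.", "apple france", "valve corporation", "panic inc."}


def pattern_to_regex(pattern):
    """'apple + iphone14' -> compiled regex 'apple.*iphone14'."""
    tokens = [re.escape(t.strip()) for t in pattern.split("+")]
    return re.compile(".*".join(tokens))


COMPILED = {prod: [pattern_to_regex(p) for p in pats] for prod, pats in PATTERNS.items()}


def refang(name):
    """Turn the post's defanged form (iphone14[.]biz) into a plain hostname."""
    return name.replace("[.]", ".").lower().strip()


def searchable_part(hostname):
    """Everything except the public suffix. Assumes a single-label suffix
    (.com, .tk); multi-label suffixes such as .co.uk are not handled here."""
    return ".".join(hostname.split(".")[:-1])


def match_product(hostname):
    """Return the first product whose string set matches, or None."""
    haystack = searchable_part(hostname)
    if any(marker in haystack for marker in GENERIC_MARKERS):
        return None  # generic false positive, as the post did for playdate
    for product, regexes in COMPILED.items():
        if any(r.search(haystack) for r in regexes):
            return product
    return None


def lead_weeks(created, launch):
    """Whole weeks between registration and launch. Negative means the name
    was registered after launch; None when WHOIS has no creation date."""
    if created is None:
        return None
    return (launch - created).days // 7


def triage(records):
    """records: dicts with name, created (date or None), registrant_org, malicious."""
    results = []
    for rec in records:
        host = refang(rec["name"])
        product = match_product(host)
        if product is None:
            continue
        org = (rec.get("registrant_org") or "").lower()
        results.append({
            "host": host,
            "product": product,
            "manufacturer_owned": org in MANUFACTURER_ORGS,
            "malicious": bool(rec.get("malicious")),
            "lead_weeks": lead_weeks(rec.get("created"), LAUNCH_DATE[product]),
        })
    return results


def summarize(results):
    """Counts plus the preparation-time range of malicious, dated, pre-launch names."""
    mal = [r for r in results if r["malicious"]]
    leads = [r["lead_weeks"] for r in mal if r["lead_weeks"] is not None and r["lead_weeks"] >= 0]
    return {
        "matched": len(results),
        "malicious": len(mal),
        "manufacturer_owned": sum(r["manufacturer_owned"] for r in results),
        "undated_malicious": sum(1 for r in mal if r["lead_weeks"] is None),
        "post_launch_malicious": sum(1 for r in mal if r["lead_weeks"] is not None and r["lead_weeks"] < 0),
        "lead_weeks_range": (min(leads), max(leads)) if leads else None,
    }


# Constructed sample: names echo the post, but dates, organisations and
# verdicts are invented for illustration.
SAMPLE_RECORDS = [
    {"name": "iphone14[.]biz", "created": date(2022, 3, 4), "registrant_org": None, "malicious": True},
    {"name": "appleiphone14[.]in", "created": date(2022, 8, 26), "registrant_org": None, "malicious": True},
    {"name": "25iphone14pro[.]top", "created": date(2022, 9, 23), "registrant_org": None, "malicious": True},
    {"name": "iphone14[.]pwrlottery1[.]tk", "created": None, "registrant_org": None, "malicious": True},
    {"name": "steamdecktouchtype[.]com", "created": date(2021, 12, 3), "registrant_org": None, "malicious": True},
    {"name": "iphone14-preorders[.]com", "created": date(2021, 10, 1), "registrant_org": "Apple Inc.", "malicious": False},
    {"name": "doggyplaydate[.]ws", "created": date(2020, 5, 1), "registrant_org": None, "malicious": False},
    {"name": "playdateconsole[.]net", "created": date(2021, 11, 15), "registrant_org": None, "malicious": False},
    {"name": "example[.]com", "created": date(1995, 8, 14), "registrant_org": None, "malicious": False},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_RECORDS)
    for row in hits:
        print(row)
    print(summarize(hits))
```

On the constructed sample the summary reports seven matched names, five malicious, one manufacturer-owned, one undated and one post-launch registration, and a preparation window of 3 to 28 weeks for the dated malicious names; the doggy playdate and example[.]com records never reach the result set. The negative and None lead values are kept distinct on purpose, since a name registered after launch and a name with no creation date tell different stories about the attacker.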

So the short answer to our main question is that a cybercrime campaign can take weeks or months of planning. The more convincing a malicious website needs to appear in order to succeed, the more work and preparation time it requires.

Further research into the iPhone 14 domains showed that the associated registration volume peaked in September 2022, coinciding with the product’s launch date. Registrations have since slowed down.

As this study shows, cybercriminals and other threat actors aim to maximize profit, and the time and effort they invest in their campaigns and malicious websites scale with their financial goals.

For the scammers, the better the scam, the greater the potential gain. For defenders, the threats posed by look-alike websites can be reduced by monitoring WHOIS and DNS intelligence for brand-related registrations and consistently blocking the threat sources identified.

If you are conducting similar research or would like access to the full data behind this study, please do not hesitate to contact us.