Attackers impersonate Romanian Gas Companies – OSINT Investigation

In this blog post, we’re going to look at a campaign that reveals recently created domains impersonating known Romanian gas companies.

It all started with an ad on YouTube that featured a suspicious domain related to the legitimate RoEnergy Trade Fair. The ad was voiced in Romanian using an automatic translator. The website hosted on inf24roenergy[.]pro is shown in Figure 1.

Figure 1

Using VirusTotal, we could determine which IP address the domain resolves to:

Figure 2

By pivoting on that IP address, we found other suspicious domains hosted on the same address (see Figure 3).

Figure 3

We believe that the attackers' purpose is to steal users' credentials. Multiple login forms were identified on the malicious domains:

Figure 4

Using a domain search engine such as Whoxy, we searched for domains that contain a specific keyword. As we can see in the figure below, two suspicious domains were registered at the end of October 2023:

Figure 5

We identified another IP address that leads to other suspicious domains impersonating a large gas company, Transgaz. Figure 6 shows two of these domains:

Figure 6

The website's content is in Romanian; however, we found some inconsistencies. For example, some paragraphs use letters with diacritics while others do not. Another red flag is the occasional presence of English words:

Figure 7

Figure 8

Finally, the address mentioned in the contact page is fake, and some phone numbers have an incorrect prefix:

Figure 9

We advise users not to enter credentials on suspicious websites and to report suspicious ads on YouTube. The full list of domains identified in this campaign:

effectroenergy[.]pro
inforomenergy[.]pro
inf24roenergy[.]pro
inf360romenergy[.]pro
oneromenergy[.]pro
protransgas[.]info
proromenergy[.]info
roenergy24[.]info
romenergy360[.]info
romenergy[.]pro
romtransgaz[.]info
romatransgaz[.]pro
romenergyinside[.]pro
transgazinfo[.]pro
transgaze[.]pro
transsgaze[.]pro
transgasinside[.]info
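As an added example (not part of the original post or the CYBER GEEKS write-up), the script below shows how a defender would put the list above to work: it refangs the `[.]`-defanged indicators, matches resolver-log queries against them, and flags lookalike candidates built around the same brand keywords (`roenergy`, `romenergy`, `transgaz`, `transgas`) that the Whoxy keyword pivot relied on, including the doubled-letter typosquat pattern seen in transsgaze[.]pro. The log format, the sample lines and the `legit-brand-placeholder.ro` allowlist entry are constructed assumptions; the brands' genuine domains are not stated in the post, so an analyst would substitute them.

```python
"""Match DNS resolver queries against the campaign domain list and flag lookalikes."""
import re
from typing import Iterable, List, Tuple

# Indicator list exactly as published in the post, in defanged form.
CAMPAIGN_DOMAINS_DEFANGED = [
    "effectroenergy[.]pro", "inforomenergy[.]pro", "inf24roenergy[.]pro",
    "inf360romenergy[.]pro", "oneromenergy[.]pro", "protransgas[.]info",
    "proromenergy[.]info", "roenergy24[.]info", "romenergy360[.]info",
    "romenergy[.]pro", "romtransgaz[.]info", "romatransgaz[.]pro",
    "romenergyinside[.]pro", "transgazinfo[.]pro", "transgaze[.]pro",
    "transsgaze[.]pro", "transgasinside[.]info",
]

# Brand keywords the lookalike domains are built around (same pivot as in the post).
BRAND_KEYWORDS = ("roenergy", "romenergy", "transgaz", "transgas")

# Placeholder allowlist (assumed, not from the post): replace with the brands'
# genuine domains so they are never reported as lookalikes.
LEGITIMATE_DOMAINS = {"legit-brand-placeholder.ro"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]pro') back into a real hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


CAMPAIGN_DOMAINS = {refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED}


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' registrable domain; sufficient for .pro/.info/.ro."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _squash(s: str) -> str:
    """Collapse repeated characters so 'transsgaze' still matches 'transgaz' (heuristic)."""
    return re.sub(r"(.)\1+", r"\1", s)


def classify(host: str) -> str:
    """Return 'legitimate', 'known_ioc', 'lookalike_candidate' or 'benign'."""
    host = host.lower().rstrip(".")
    base = registrable_domain(host)
    if host in LEGITIMATE_DOMAINS or base in LEGITIMATE_DOMAINS:
        return "legitimate"
    if host in CAMPAIGN_DOMAINS or base in CAMPAIGN_DOMAINS:
        return "known_ioc"
    squashed = _squash(base)
    if any(_squash(kw) in squashed for kw in BRAND_KEYWORDS):
        return "lookalike_candidate"
    return "benign"


# Constructed resolver-log lines: "<timestamp> <client> query <name> <type>".
SAMPLE_DNS_LOG = """\
2023-11-02T10:15:32Z 10.0.0.12 query www.inf24roenergy.pro A
2023-11-02T10:15:40Z 10.0.0.12 query youtube.com A
2023-11-02T10:16:05Z 10.0.0.31 query mail.transsgaze.pro A
2023-11-02T10:17:11Z 10.0.0.44 query transgazz-portal.com A
2023-11-02T10:18:00Z 10.0.0.44 query legit-brand-placeholder.ro A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)\s+(?P<rtype>\S+)$"
)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, verdict) for every non-benign lookup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        verdict = classify(m["name"])
        if verdict in ("known_ioc", "lookalike_candidate"):
            hits.append((m["ts"], m["client"], m["name"], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(*hit)
```

Exact matches against the published list are the high-confidence signal; the keyword verdict is only a triage hint, since any domain containing the brand string, legitimate resellers included, will trip it, which is why the allowlist is checked first.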

Article Link: Attackers impersonate Romanian Gas Companies – OSINT Investigation – CYBER GEEKS