
Don’t trust that tweet…or that email from "Bill Gates"

2020-07-20

This blog originally appeared in July 2020 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022.

Each day, hundreds of thousands of new domains are registered by users around the world. Unfortunately, the simplicity of domain registration makes it simple for attackers to register fraudulent domains for use in phishing campaigns. In fact, according to ICANN, nearly 5.45% of newly registered domains per day are malicious (including phishing, botnets, and malware). This means there are 25,070 newly registered malicious domains per day on average.

On July 16th, 2020, an email appearing to be from the Bill & Melinda Gates Foundation was sent to numerous recipients, seeking donations for the Foundation in Bitcoin. The email enticed potential donors by offering to double any donations received within seven days. The sender domain of the email was strikingly similar to the legitimate foundation’s domain, gatesfoundation.org.

Aside from one letter, the malicious sender domain could easily pass for one belonging to the Gates Foundation. The attacker cleverly employed typosquatting when creating the domain name, just minutes before sending the email. Without close scrutiny, the domain’s typo is indistinguishable from the legitimate domain. The attacker also set up an SPF record for the domain in order to ensure reliable delivery of their attack. Interestingly, this phish was sent just a day after Bill Gates’ Twitter account was hacked and used to tweet a message nearly identical to this email.

Benign Domain: gatesfoundation.org
Malicious Domain: gatesfoundatlon[.]com
Malicious Domain Age: 2020-07-16 17:00:54 +0000 UTC
SPF Record:
     gatesfoundatlon[.]com.	1759	IN	TXT	"v=spf1 include:spf.privateemail.com ~all"
Bitcoin address: 18XJzrgPqYhKKeR2j4vz6wPQorK3sNuNxs

Whois Record for gatesfoundatlon[.]com

Domain name: gatesfoundatlon[.]com
Registry Domain ID: 2546450570_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2020-07-16T17:00:54.00Z
Registrar Registration Expiration Date: 2021-07-16T17:00:54.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Registry Admin ID:
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code:
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Registry Tech ID:
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code:
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: 42d8ccf1af2d41378f65f3d302938b5e.protect@whoisguard.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2020-07-15T23:22:34.80Z <<<
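The two signals the post relies on, a one-character look-alike of a protected domain and a registration timestamp minutes before the message, can be turned into a simple mail-flow check. The following is an added example and not Area 1's or Cloudflare's detection code; the confusable table, the seven-day "newly registered" window and the observation time are constructed assumptions, while the domains and the creation date come from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed confusable map (an assumption, not an exhaustive table): characters an
# attacker swaps for look-alikes, such as the 'l' standing in for 'i' on this page.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o", "5": "s"}
PROTECTED = ["gatesfoundation.org"]          # brands to defend; the page's benign domain

def parse_whois_ts(ts: str) -> datetime:
    """Parse the WHOIS timestamp form used on the page, e.g. 2020-07-16T17:00:54.00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def registrable_label(domain: str) -> str:
    """Undo '[.]' defanging and return the second-level label (assumes a one-label TLD)."""
    host = domain.lower().replace("[.]", ".").rstrip(".")
    return host.rsplit(".", 2)[-2] if "." in host else host

def skeleton(label: str) -> str:
    """Collapse confusable characters so visually identical labels compare equal."""
    for src, dst in CONFUSABLES.items():      # multi-character entries are listed first
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a single substitution separates the two domains on the page."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(sender_domain: str, registered_at: str, observed_at: str,
                  protected=PROTECTED, max_age=timedelta(days=7)) -> dict:
    """Flag a sender domain that impersonates a protected brand or is freshly registered."""
    host = sender_domain.lower().replace("[.]", ".")
    label, reasons = registrable_label(host), []
    for brand in protected:
        if host == brand:
            continue                           # the genuine domain is never a look-alike
        dist = levenshtein(label, registrable_label(brand))
        if skeleton(label) == skeleton(registrable_label(brand)) or dist <= 1:
            reasons.append(f"lookalike of {brand} (edit distance {dist})")
    age = parse_whois_ts(observed_at) - parse_whois_ts(registered_at)
    age_minutes = int(age.total_seconds() // 60)
    if age < max_age:
        reasons.append(f"domain registered only {age_minutes} minutes before the message")
    return {"suspicious": bool(reasons), "age_minutes": age_minutes, "reasons": reasons}
```

Calling `assess_sender("gatesfoundatlon[.]com", "2020-07-16T17:00:54.00Z", "2020-07-16T17:32:10.00Z")` (observation time constructed) returns both reasons, while the genuine gatesfoundation.org with an old registration date returns none.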

Twitter Message From July 15, 2020:

Area 1 uses multiple analysis techniques that leverage insight gained from proactive web crawling and early identification of attacker campaign infrastructure, to detect and stop email from spoofed domains and accounts. Using preemptive threat hunting and a broad set of proprietary analysis techniques, Area 1 identifies phishing campaigns, including malicious newly registered domains, that other defenses miss.
