A Forensic Analysis of a Malicious Domain Common in Phishing and Job Scams in Kenya

This is a forensic analysis of a fake World Vision domain that has been used to scam people in Kenya for a while. A key element of this scam is the email domain @wvikenya.org, which closely mimics official domains to lure victims into sharing sensitive information or making payments.

In this analysis, I will:

1. Inspect the domain server to evaluate its configuration and potential vulnerabilities.

2. Analyze the associated IP address for any suspicious activities or connections.

3. Identify signs of phishing activity, such as malicious redirects or spoofing tactics.

4. Recommend measures to enhance the domain’s integrity and reduce phishing risks.

Step 1: Perform NSLookup

Perform NSLookup to resolve the domain’s IP address and gather information about the domain's DNS records.

Command: nslookup wvikenya.org

From nslookup, we are able to determine the domain’s IP address, which we then use to determine if the server is up.

IP Address: 95.216.19.231

Step 2: Ping the IP Address

We then ping the IP address, which is essentially sending packets to detect any unusual delays or failed responses, which could indicate server misconfigurations or downtime.

All 10 packets sent (-c 10) were successfully received (0% packet loss), hence a stable connection.

Step 3: Browser Check

http://wvikenya.org/

The target URL displays Apache default directory listing, which indicates a misconfigured web server, no index file, poor security practices, among other reasons.

Also, the exposed directory suggests amateur configuration, however, this could be intentionally deceptive and may be a temporary state between operations, a pattern which is very consistent with automated deployment tools.

Step 4: Analyze IP on Threat Intelligence Sites

1. Analysis on AlienVault Open Threat Exchange

From the report above, the IP has quite a high number of DNS resolutions (57 Domains) which indicate a potential DNS abuse.

Secondly, 18 open ports indicate a poorly secured or deliberately misconfigured server.

The combination of open ports (21, 22, 53, 80, 100, etc) also suggest that this server might be in use for Command and Control infrastructure, spam/malware distribution, botnet operations and data exfiltration.

The report also indicates that it uses a certificate for *.accuratefarmmachinery.co.ke but it is being hosted in Finland.

2. Analysis on VirusTotal

Virustotal IP Report

The low community score (1/94) confirms our suspicion. The IP belongs to Hetzner, a German hosting provider, but is hosted in Finland, which is another common pattern for malicious actors seeking hosting in privacy-friendly jurisdictions.

Also, the conflicting reports between security vendors (marking it malicious) and Abusix (marking it clean) could be due to recent activation of malicious activities, sophisticated evasion techniques, or infrastructure in transition phase.

3. Analysis on Grey Noise

VERDICT: MALICIOUS DOMAIN

Conclusion

From this investigation, we can conclude that @wvikenya.org is a malicious domain masquerading as World Vision in Kenya.

The domain exhibits classic signs of malicious infrastructure, including misconfigured servers, multiple DNS resolutions, and suspicious hosting patterns.

Key Strategic Recommendations

1. National Domain Repository Initiative

A centralized National Domain Repository could empower citizens to easily verify the legitimacy of organizational domains, even with little to no technical knowledge. This initiative would provide a user-friendly, searchable platform to validate organizational websites and include real-time domain verification to combat phishing and fraud.

2. Democratize Basic Cybersecurity Awareness Training.

We need to make cybersecurity awareness accessible, inclusive, and reflective of local realities. This can be achieved through:

3. Localized Cybersecurity Awareness Programs through successful models like ENISA's, tailoring them to the cultural and linguistic contexts of target communities.

• Develop multilingual training materials that showcase common local scams and practical mitigation techniques.

• 4. Education Integration

We need to add basic cyber into school curricula, starting from primary education to create lifelong habits.We can then expand into adult education programs to target vulnerable populations, such as senior citizens and small business owners.