“Breaking news” is described as information that is being received or broadcast about an event that is happening now or about to happen. (Source: dictionary.cambridge.org) Newscasters, anchormen and women, like David Muir of ABC World News Tonight, will typically start their broadcast by saying “we have breaking news…” And so we were intrigued one day recently when we opened one of our honeypot email accounts to find this list of 3 emails:
Someone clearly wants to get our attention! The source claims to be a news website called “Breaking News Daily.” We conducted a variety of Google searches and could not find any website called “BreakingNewsDaily,” so we decided to open each of these emails. Here is a look at the first email we received at 5:22 pm. Two things struck us immediately that had nothing to do with the content of the email.
- The email came from the domain webplay[.]info, with links pointing back to it.
- The sender of this email misspelled “subscribers” in the FROM address and no, we had never subscribed to anything about breaking news daily, weekly or ever!
So of course we smelled a rat…. As we often do, we ran to our favorite WHOIS tool to find out when this domain was registered, where and by whom. Once again, we see that this breaking news website was registered just 3 days earlier by someone using a proxy service in Panama to hide their identity.
Why did we get this email three times in an hour? We opened the second email to discover the exact same content but it was sent from a different domain, artfully called todaysbignews[.]info. And where was this artfully-named domain registered? In Panama, just 11 days earlier and the domain was being hosted on a server in Turkey! Does any of this build confidence that these emails were linked to legitimate news services?
Now that we had opened two out of three we couldn’t stop there! The final breaking news email did not disappoint us. It came from the oddball domain named sunnydiamonds[.]info, and contained the exact same content as the previous 2 emails including the “subsribers” misspelling in the FROM address. And it will come as no surprise that it was registered in Panama just 3 days earlier!
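The triage walked through above (identical content arriving from several sender domains, each registered only days earlier) can be automated. The following is an added example, not part of the original article: the sender domains, the "subsribers" misspelling and the 3/11/3-day ages come from the text, while the message bodies, dates, WHOIS table and 30-day threshold are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 30  # assumed cut-off for a "newly registered" domain

# Constructed inbox as (From header, body). Domains stay defanged, as in the article.
BODY = "BREAKING NEWS: click here for the full story"
INBOX = [
    ("Breaking News Daily <subsribers@webplay[.]info>", BODY),
    ("Breaking News Daily <subsribers@todaysbignews[.]info>", BODY + "  \n"),
    ("Breaking News Daily <subsribers@sunnydiamonds[.]info>", BODY),
    ("Newsletter <news@example.org>", "Your weekly digest"),
]
RECEIVED = date(2020, 1, 15)  # constructed receipt date
WHOIS_CREATED = {  # constructed creation dates giving ages of 3, 11 and 3 days
    "webplay[.]info": date(2020, 1, 12),
    "todaysbignews[.]info": date(2020, 1, 4),
    "sunnydiamonds[.]info": date(2020, 1, 12),
    "example.org": date(2005, 1, 1),
}

def sender_domain(from_header):
    # Take everything after "@" up to ">" or whitespace.
    m = re.search(r"@([^>\s]+)", from_header)
    return m.group(1).lower() if m else ""

def body_fingerprint(body):
    # Collapse case and whitespace so trivial edits do not split one campaign.
    norm = " ".join(body.lower().split())
    return hashlib.sha256(norm.encode()).hexdigest()

def find_campaigns(inbox, whois_created, received, max_age=MAX_AGE_DAYS):
    by_body = defaultdict(set)
    for from_header, body in inbox:
        by_body[body_fingerprint(body)].add(sender_domain(from_header))
    campaigns = []
    for domains in by_body.values():
        if len(domains) < 2:
            continue  # one sender domain per body is the normal case
        ages = {d: (received - whois_created[d]).days
                for d in domains if d in whois_created}
        young = sorted(d for d, a in ages.items() if a <= max_age)
        campaigns.append({"domains": sorted(domains), "ages": ages, "young": young})
    return campaigns

if __name__ == "__main__":
    for campaign in find_campaigns(INBOX, WHOIS_CREATED, RECEIVED):
        print(campaign)
```

In practice the creation dates would come from a WHOIS or RDAP lookup performed at triage time rather than a static table.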
The point in all of this breaking news is that anyone can publish anything online to deceive others. In case it wasn’t already obvious, a cybercriminal gang (who may be based in India) is purchasing a lot of DOT-info global top-level domains and using them to target Americans. (If any of our readers in Australia or the UK see suspicious DOT-info emails, send them to us!) Here’s another “breaking news” malicious email that was sent from another bogus DOT-info domain called peoplemagazine[.]info and has no affiliation whatsoever to the magazine People at people.com. This bogus domain was also registered on October 23, 2019 through a proxy service in Panama. But these cybercriminals are not just using “breaking news” as their clickbait. Look below and you’ll see that todaysbignews[.]info was also used to send malicious clickbait disguised as airline ticket deals. If you click on the links in any of these emails, you’ll learn a new meaning of “breaking.”