In this blog post, we’re going to look at a campaign that reveals recently created domains impersonating known Romanian gas companies.
It all started with an ad on YouTube that featured a suspicious domain related to the legitimate RoEnergy Trade Fair. The ad was voiced in Romanian using an automatic translator. The website hosted on inf24roenergy[.]pro is shown in Figure 1.
Using VirusTotal, we could determine which IP address the domain resolves to:
By pivoting using the IP address, we found that other suspicious domains are hosted on the same IP address (see Figure 3).
We believe that the attackers’ purpose is to steal users credentials. Multiple login forms were identified on the malicious domains:
Using a domain search engine such as Whoxy, we searched for domains that contain a specific keyword. As we can see in the figure below, two suspicious domains were registered at the end of October 2023:
We identified another IP address that leads to other suspicious domains impersonating a large gas company, Transgaz. Figure 6 shows two of these domains:
The website’s content is in Romanian, however, we found some inconsistencies. For example, the text has letters with diacritics in some paragraphs and without in others. Another red flag is the presence of English words from time to time:
Finally, the address mentioned in the contact page is fake, and some phone numbers have an incorrect prefix:
We advise users to not enter credentials on suspicious websites, and to report suspicious ads on YouTube. The list of all domains identified in this campaign:
effectroenergy[.]pro
inforomenergy[.]pro
inf24roenergy[.]pro
inf360romenergy[.]pro
oneromenergy[.]pro
protransgas[.]info
proromenergy[.]info
roenergy24[.]info
romenergy360[.]info
romenergy[.]pro
romtransgaz[.]info
romatransgaz[.]pro
romenergyinside[.]pro
transgazinfo[.]pro
transgaze[.]pro
transsgaze[.]pro
transgasinside[.]info
UPDATE
We’ve identified other domains that present fake crypto investments, education courses, and cooking classes:
energysphere[.]pro
transgazrefueling[.]pro
fuelefficientinrom[.]info
limitedlash[.]info
rotechnoere[.]info
onehatueente[.]site
qwizanotes[.]net
bogdust[.]top
quebossa[.]net
ambeeyroma[.]net
pawfunlding[.]net
mountainequ[.]info
cainstery[.]info
desprerompetrol[.]pro
educationplatform[.]pro
coursesknowledge[.]info
dinoautom[.]info
rompetrolright[.]pro
pipelineproconsult[.]info
gfcostsavings[.]info
savingspump[.]pro
economicempowerment[.]pro
profitpathprogram[.]info
petroledge[.]info
newsro[.]shop
sample-test[.]site
smart-academy[.]pro
profuelgasadv[.]info
onlinecashflow[.]website
bonaks[.]site
newamacoin[.]info
amacointm[.]pro
fuelingycr[.]info
prooilfield[.]info
profitpath[.]life
finfreedom[.]info
assetadvantage[.]life