Media Markt is a German multinational chain of over 1000 stores (Media-Saturn Holding) selling consumer electronics across 14 European countries. Media Markt is known as Media World in Italy and Saturn in Luxembourg.
During our PreCrime internet scout of December 20th 2022, we identified suspicious markers across multiple vectors. One of them was this website spoof, which could be targeting unsuspecting users of Media Markt (Media World).
The Attack
Legitimate sites:
- mediaworld[.]it
- mediamarkt[.]de

Malicious domain, created on December 18, 2022 and identified by Bfore.Ai on December 20, 2022:
- mediaword[.]net

[Screenshot comparison: malicious site | legitimate site]
How does this attack work?
The URL leads users to a website imitating the Media World storefront, where they can buy products such as iPhones and PlayStations. The site baits users into buying by claiming they can “take advantage of our promotion and get a discount of up to 15%“. Looking through the site, many of the prices are indeed lower than on the original website, as shown below.

[Screenshot comparison: malicious site | legitimate site]
How do they trick users into believing the attack is real?
- Users may be led to the malicious website through a phishing campaign that baits them with Media World/Markt products at lower prices. This is a tactic threat actors commonly use to exploit human cognitive biases.
- Copying the branding of Media World/Markt, including the same logo, colours and font.
- Using a domain name similar to Media World/Markt. The threat actors have dropped the letter ‘l’ from “mediaworld” (and registered it under .net instead of .it), a change that is very easy to overlook.
Why is this a threat?
Any user purchasing a product from this website would likely either never receive the product or receive a counterfeit replica instead. The consumer loses their money, and the company, and specifically the product, could suffer reputational damage.
If successful, this attack would also give the threat actors sensitive personal and payment information about the individual or corporate user, enabling both financial theft and identity theft.
Recommendations
- If a deal is too good to be true, it most likely is!
- If in doubt whether an email is legitimate, never click on any of its links. Reach the legitimate website via a search engine instead.
- Always double-check the domain name to make sure it is the legitimate one.
- Never use the same credentials for work and personal accounts.
- Enable multi-factor authentication (MFA) wherever possible to keep your accounts safe.
Technical Report
The technical report below highlights the differences in DNS, registration and certificate records between the malicious domain and the legitimate domain.

| Domain | mediaword[.]net | mediaworld[.]it |
|---|---|---|
| Registrar | GoDaddy.com, LLC | Telecom Italia s.p.a. |
| Registrant Organisation | Domains By Proxy, LLC | Mediamarket S.p.A. |
| Registrant Country | United States | Italy |
| Name Servers | NS51.DOMAINCONTROL.COM, NS52.DOMAINCONTROL.COM | DNS3.INTERBUSINESS.IT, DNS11.INTERBUSINESS.IT |
| MX record | N/A | mx1.hc378-85.eu.iphmx.com, mx2.hc378-85.eu.iphmx.com |
| Last seen active | 20 December 2022 | 20 December 2022 |
| IP address | 23.227.38.74 (Toronto, Ontario, Canada; AS13335 Cloudflare, Inc.; Organization: Shopify, Inc.)<br>208.91.197.13 (Tortola, British Virgin Islands; AS40034 Confluence Networks Inc; Organization: Confluence Networks Inc)<br>192.185.59.117 (Georgia, United States; AS19871 Network Solutions, LLC; Organization: WEBSITEWELCOME.COM)<br>69.172.201.217 (New York, United States; AS19324 Dosarrest Internet Security LTD; Organization: Aptum Technologies) | 172.65.227.140 (Toronto, Ontario, Canada; AS13335 Cloudflare, Inc.; Organization: Cloudflare, Inc.) |
| Domain Age | 2 days old (created 18 December 2022) | 8,959 days old (created 10 June 1998) |
| Certificate | Issued by: Let’s Encrypt; Issued to: *.mediaword[.]net; Domain validated; 03-11-2022 -> 01-02-2023 (valid for 3 months) | Issued by: DigiCert Inc; Issued to: Mediamarket S.p.A.; Organisation validated; 25-08-2022 -> 26-09-2023 (valid for over 1 year) |
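As an added example (not Bfore.Ai's tooling), the script below scores a candidate domain the way the table invites: it measures how many edits separate its label from a monitored brand label (the dropped ‘l’ described above), then adds weight for the registration age, registrant proxy, MX and certificate signals contrasted in the table. The brand list, the weights and the record layout are assumptions; the two sample records are constructed from the table's values.

```python
from datetime import date

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one dropped letter ('mediaworld' -> 'mediaword') costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_label(domain: str) -> str:
    """Refang 'x[.]y' and return the label left of the TLD.
    Assumes single-label TLDs (.it, .net, .de); use the Public Suffix List in production."""
    parts = domain.replace("[.]", ".").lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

BRANDS = ("mediaworld[.]it", "mediamarkt[.]de")   # monitored brand domains (from the report)
def lookalike_of(domain: str, brands=BRANDS, max_dist: int = 2):
    """Closest brand whose label is within max_dist edits (but not identical), as (brand, distance)."""
    best = None
    for brand in brands:
        d = levenshtein(brand_label(domain), brand_label(brand))
        if 0 < d <= max_dist and (best is None or d < best[1]):
            best = (brand, d)
    return best

def risk_score(rec: dict, seen_on: date) -> int:
    """Weighted sum over the fields the report's table contrasts; the weights are an assumption."""
    score = 0
    if (seen_on - rec["created"]).days < 30:
        score += 3   # registered only days before it was seen
    if rec["registrant_org"].lower().startswith("domains by proxy"):
        score += 1   # privacy proxy hides the registrant
    if not rec["mx"]:
        score += 1   # no mail records, unlike a retailer's real domain
    if rec["cert_validation"] == "DV" and rec["cert_subject"].startswith("*."):
        score += 1   # wildcard, domain-validated certificate only
    if lookalike_of(rec["domain"]):
        score += 3   # label is a typosquat of a monitored brand
    return score

# Constructed records; the values are those in the report's comparison table.
SPOOF = {"domain": "mediaword[.]net", "created": date(2022, 12, 18), "registrant_org": "Domains By Proxy, LLC",
         "mx": [], "cert_validation": "DV", "cert_subject": "*.mediaword[.]net"}
LEGIT = {"domain": "mediaworld[.]it", "created": date(1998, 6, 10), "registrant_org": "Mediamarket S.p.A.",
         "mx": ["mx1.hc378-85.eu.iphmx.com", "mx2.hc378-85.eu.iphmx.com"], "cert_validation": "OV",
         "cert_subject": "Mediamarket S.p.A."}
```

Run as-is, `risk_score(SPOOF, date(2022, 12, 20))` returns 9 and the legitimate record scores 0; the age check also reproduces the table's 8,959-day figure for mediaworld[.]it.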
How Bfore.Ai is protecting our customers
At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.
With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you can stop wasting time chasing false alerts. With our PreCrime and PreEmpt technologies, we anticipate an attack before it starts, faster than the attackers.
Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!
Appendix
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.