Are Mypressonline.com’s free subdomain creation services being abused?



It is not uncommon to see free web hosting providers abused in phishing campaigns. IBM X-Force Exchange has published three indicators of compromise (IoCs) linked to one such incident, namely:

  • URL: http[:]//direct7890[.]mypressonline[.]com
  • E-mail address: [email protected][.]com
  • IP address: 185[.]176[.]43[.]106

The domain mypressonline[.]com leads to a website that lets users easily add subdomains to their projects. Screenshot Lookup led us to this conclusion.

Image 1: Screenshot search result for mypressonline[.]com

As part of our work to make Internet use transparent and protect users from digital threats, we used a combination of WHOIS, IP, and DNS intelligence sources and found:

  • 1,460 subdomains under mypressonline[.]com, nine of which were flagged as malicious.
  • 805 domains sharing the registrant organization found in mypressonline[.]com's WHOIS history, three of which were flagged as malicious.
  • At least 300 domains sharing mypressonline[.]com's IP address, two of which were flagged as malicious.

Read on to find out how we obtained these artifacts and additional IoCs. For a list of all the data collected, download the Threat Research Papers here.

How big is mypressonline[.]com's digital footprint?

We used a variety of WHOIS, IP, and DNS tools to determine how large mypressonline[.]com's digital footprint is.

Discovery of domains and subdomains

We turned to Domains & Subdomains Discovery to find subdomains containing the string "mypressonline". It returned 1,460 subdomains. Examples include:

  • 0x32[.]mypressonline[.]com
  • abctaxi[.]mypressonline[.]com
  • back links[.]mypressonline[.]com
  • cajid[.]mypressonline[.]com
  • dancing kiss[.]mypressonline[.]com
  • long ago[.]mypressonline[.]com
  • faizaturk[.]mypressonline[.]com
  • g2rss[.]mypressonline[.]com
  • half[.]mypressonline[.]com
  • icon line[.]mypressonline[.]com

A significant portion of these subdomains could belong to legitimate individuals or businesses that simply took up mypressonline[.]com's offer. As such, only some of them may have been part of malicious campaigns, and the apex domain itself should not be treated as an indicator.

Threat Intelligence Platform

Subjecting the 1,460 subdomains to a bulk malware check through the Threat Intelligence Platform (TIP) showed that nine of them were rated "dangerous" by various malware engines. These malicious subdomains are:

  • be ready[.]mypressonline[.]com
  • ieguillermovalencia[.]mypressonline[.]com
  • tv june[.]mypressonline[.]com
  • creativtrening[.]mypressonline[.]com
  • phoenixparties[.]mypressonline[.]com
  • spain[.]mypressonline[.]com
  • vamsipavan[.]mypressonline[.]com
  • veed[.]mypressonline[.]com
  • wyrokipolskie[.]mypressonline[.]com

WHOIS history and reverse WHOIS search

We wanted to see whether any more potentially abused properties owned by a former owner of mypressonline[.]com could be identified, so we took a closer look at the domain's WHOIS history. We found that:

  • The domain's ownership history dates back to March 30, 2011.
  • It has 31 historical WHOIS records. The 15 most recent have been redacted.
  • Its WHOIS record dated January 12, 2018 showed a registrant organization (ATTRACTSOFT GMBH), which, like the current registrant, is based in Germany.

Using reverse WHOIS lookup, we then found 805 domains that listed ATTRACTSOFT GMBH as the registrant organization. Examples include:

  • 007 GB[.]com
  • a2zfilms[.]com
  • balcondeodonnell[.]com
  • caamore[.]report
  • stamp[.]com
  • e-dys[.]com
  • f-gauthier[.]com
  • gabrielvivas[.]com
  • hack virus[.]com
  • i8it[.]report

Of these, three were rated "dangerous" by various malware engines, according to a bulk malware check via TIP. These malicious domains are:

  • 10fast[.]report
  • ebac-control[.]com
  • xripton[.]com

Screenshot search

We subjected all 805 domains registered to ATTRACTSOFT GMBH to a bulk screenshot search and found that many of them carried content related to website development. Examples include:

  • 00sites[.]report
  • agilityhoster[.]com
  • batcave[.]report

These three sites hosted the same content:

Image 2: Screenshot search results for example domains owned by a former registrant organization of mypressonline[.]com

Do other domains resolve to the same host as mypressonline[.]com?

To answer that, we ran a reverse IP lookup on 185[.]176[.]43[.]106 and found at least 300 domains sharing the host behind http[:]//direct7890[.]mypressonline[.]com/. A bulk malware check of these domains flagged two of them (duolpall111[.]mypressonline[.]com and gestionarcreditobp[.]com) as dangerous; access to them should be avoided. Note that sharing an IP address on a hosting provider is, by itself, weak evidence of shared ownership: the co-located domains are worth checking, not automatically suspect.
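The IoCs above are published defanged (`[.]`, `[:]`), so they cannot be compared against logs as-is. The script below is an added example (not part of the original report or of WhoisXML API's tooling) that refangs the indicators from the malicious-subdomain, reverse-WHOIS, and reverse-IP sections, builds a watchlist from them, and scans a few constructed proxy log lines for hits. It deliberately matches only the flagged names and anything beneath them, never the apex mypressonline[.]com, because most of the 1,460 subdomains are presumably legitimate. The log format and all traffic in `SAMPLE_LOG` are assumptions for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from this report, still defanged.  The apex domain is
# intentionally absent: flagging it would block every legitimate subdomain.
REPORT_IOCS = [
    "http[:]// direct7890[.]mypressonline[.]com",
    "185[.]176[.]43[.]106",
    "ieguillermovalencia[.]mypressonline[.]com",
    "creativtrening[.]mypressonline[.]com",
    "phoenixparties[.]mypressonline[.]com",
    "spain[.]mypressonline[.]com",
    "vamsipavan[.]mypressonline[.]com",
    "veed[.]mypressonline[.]com",
    "wyrokipolskie[.]mypressonline[.]com",
    "duolpall111[.]mypressonline[.]com",
    "gestionarcreditobp[.]com",
    "10fast[.]report",
    "ebac-control[.]com",
    "xripton[.]com",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so the value can be compared."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    # The report's URL carries a stray space after the scheme; drop whitespace.
    return re.sub(r"\s+", "", s).lower()


def classify(ioc: str) -> tuple:
    """Return (kind, key): kind is 'ip', 'url' or 'domain'; key is what to match on."""
    value = refang(ioc)
    try:
        return "ip", str(ip_address(value))
    except ValueError:
        pass
    if "://" in value:
        return "url", urlsplit(value).hostname or ""
    return "domain", value


def build_watchlist(iocs):
    """Split indicators into a set of hostnames and a set of IP addresses."""
    hosts, ips = set(), set()
    for ioc in iocs:
        kind, key = classify(ioc)
        (ips if kind == "ip" else hosts).add(key)
    return hosts, ips


def host_matches(host: str, hosts) -> bool:
    """True when host is a flagged name or sits beneath one (e.g. cdn.veed...)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


# Constructed proxy log lines (not real traffic): timestamp client dest_ip host path
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 10.0.0.5 185.176.43.106 direct7890.mypressonline.com /login
2022-03-01T10:00:07Z 10.0.0.8 93.184.216.34 abctaxi.mypressonline.com /
2022-03-01T10:01:13Z 10.0.0.9 203.0.113.7 cdn.veed.mypressonline.com /a.js
2022-03-01T10:02:44Z 10.0.0.5 198.51.100.2 example.com /
2022-03-01T10:03:09Z 10.0.0.3 185.176.43.106 unknown-host.example /x
"""


def scan(log_text: str, hosts, ips):
    """Return (timestamp, client, host, reason) for every line that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        ts, client, dst_ip, host, _path = line.split()
        reasons = []
        if host_matches(host, hosts):
            reasons.append("host")
        if dst_ip in ips:  # catches direct-to-IP or unlisted names on the same host
            reasons.append("ip")
        if reasons:
            hits.append((ts, client, host, ",".join(reasons)))
    return hits


if __name__ == "__main__":
    watch_hosts, watch_ips = build_watchlist(REPORT_IOCS)
    for hit in scan(SAMPLE_LOG, watch_hosts, watch_ips):
        print(*hit)
```

The IP match is the noisier of the two rules: on a shared host it also fires for the abctaxi-style subdomains that happen to resolve there, so in practice it belongs in a hunting query rather than a blocking rule, while the hostname match is safe to block on.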


Overall, our analysis led us to conclude that part of mypressonline[.]com's subdomain footprint has likely been abused in phishing campaigns, possibly alongside other ATTRACTSOFT GMBH-owned domains that we identified through WHOIS history searches.

If you would like to know more about the conduct of a similar investigation, please do not hesitate to contact us. We can provide you with access to a variety of sources of information and are always ready to collaborate with other researchers.

