The Red Sky Alliance information sharing portal provided data about a member falling for a business email compromise (BEC). Attackers sent a payment request spoofing a well-known local contractor by changing the TLD from .COM to .US. In total, 113 additional domains were registered by the same actors in August-November 2019.


On 26 November 2019, a Red Sky Alliance member shared a fraud report regarding a spoofed email from a local construction company. The attackers convinced the member's procurement office to change a billing ACH to the suspect company in order to process a "past due invoice."

The attacker domain was registered to "anu blessed" and djh35@mail.com. A total of 114 domains were registered with the same registrant details (see Table 1 and the Indicators table).


Table 1. WHOIS for djh35@mail.com-registered domain typosquatting Absher Construction Co.

Domain Name:
Registrar: NameCheap, Inc.
Creation Date:
Registrant Name: anu blessed
Registrant Address: 1018 bentwood way
Registrant Phone:
Registrant Email:

Most of those domains also impersonated construction companies throughout the US, and the attackers simply registered the same domain name in the .US TLD. In some cases, likely when the name was already taken in the .US zone, they modified the domain. For example, the legitimate construction/real estate company Al. Neyer (neyer.com) was spoofed with the typosquatted domain alneyer.us.
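A mail-filter check for the two patterns described above (the vendor's name in a different TLD, and a modified name), as an added example that is not part of the original report. neyer.com and alneyer.us come from the report; the rest of the vendor list and the function names are constructed, and the code assumes simple domains without multi-label suffixes such as .co.uk.

```python
from email.utils import parseaddr

# Constructed vendor list; neyer.com is the legitimate domain named in the report.
KNOWN_VENDORS = {"neyer.com", "example-contractor.com"}


def split_domain(domain):
    """Return (registrable label, tld), e.g. 'mail.neyer.com' -> ('neyer', 'com')."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(from_header, vendors=KNOWN_VENDORS):
    """Classify a From header against the known vendor domains.

    Returns (verdict, matched_vendor); verdict is 'known', 'tld_swap',
    'modified_label' or 'unrelated'.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unrelated", None
    # Exact vendor domain or one of its subdomains.
    for vendor in sorted(vendors):
        if domain == vendor or domain.endswith("." + vendor):
            return "known", vendor
    label, tld = split_domain(domain)
    # Pattern 1: same name registered under a different TLD (.com -> .us).
    for vendor in sorted(vendors):
        v_label, v_tld = split_domain(vendor)
        if label == v_label and tld != v_tld:
            return "tld_swap", vendor
    # Pattern 2: vendor name embedded in a longer label (neyer -> alneyer).
    for vendor in sorted(vendors):
        v_label, _ = split_domain(vendor)
        if len(v_label) >= 4 and v_label in label:
            return "modified_label", vendor
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample headers, except alneyer.us which is from the report.
    for hdr in ("Accounts <billing@neyer.us>", "ap@alneyer.us", "ap@neyer.com"):
        print(hdr, "->", classify_sender(hdr))
```

A 'tld_swap' or 'modified_label' verdict on a message that asks to change payment or ACH details is a reason to hold it for out-of-band verification with the vendor.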


Serial: TR-19-337-002

Report Date: 11272019

Country: US    

Industries: Construction, Education, All

Prepared by: Yury Polozov


Red Sky Alliance clients: IOCs available in Blacklist channel and by querying Red Sky Alliance CTAC Kibana.
