Case studies offer a helpful framework for understanding how certain tools and techniques unlock insights that would be difficult or impossible to achieve otherwise. Often, these same case studies also provide useful context concerning the broader underground economy.
Using the case study of the Manipulaters, a prolific Pakistan-based cybercrime merchant that enabled countless phishing campaigns over nearly a decade of activity, this piece explores the role of historical Whois and DNS data in mapping a domain-focused threat actor’s footprint. Understanding the group’s most active period not only supplies historical context, but also provides insight into what appears to be a resurgence of activity after a period of dormancy.
In this Security Bulletin, readers will better understand: