Matthias Wandel is a popular YouTuber with a woodworking and engineering channel. He covers all kinds of genius inventions on his channel, and I have been watching his content for over a decade. His YouTube account was compromised recently through phishing and session hijacking.
But hacks like this could happen to any of us, as all the bad actor needs is a moment of bad judgment from us. We will practice a threat intelligence operation with IPinfo’s IP metadata to analyze what went wrong and determine how to prevent this.
- Virtual Machine (Please do not visit websites here directly from your machine). I am using VirtualBox. I have semi-obfuscated the links for that reason.
- IPinfo CLI (GitHub: ipinfo/cli, the official command line interface for the IPinfo API)
- IPinfo free account
The initial email came from a website called crainc***c[.]com. Looking up the website, it appears legitimate:
The company has social media pages, and its owner's name is mentioned in the email.
However, the company is in the crane and truck rental business and is NOT associated with video editing software services. It is highly unlikely that they would email YouTubers about sponsorships.
We can look up the IP address of the website’s server using the IPinfo CLI.
As we can see, the website server is based in the United States, and the ASN is a well-known hosting service.
We can conclude that, in this instance, crainc***c[.]com's service was likely compromised in some way. However, I cannot offer a more conclusive opinion without Matthias's email headers. If you have access to the email headers, you can look up the IP addresses from them on our website and get the location, ASN and other IP metadata. I will write a post about this another day.
The follow-up email is where things get interesting. The follow-up email came from
When we visit the site, it redirects to the official Blackmagic website, which is suspicious.
Looking up the website in IPinfo’s CLI, we can see that the website is hosted on a server out of Russia.
Aside from the server being located in Russia while Blackmagic Design is an Australian company, we notice several suspicious domains hosted on the IP address. This will be our baseline for threat prevention.
Matthias Wandel then provided more context around session hijacking and how he recovered his account.
If you would like to block their ranges, here is the list:
I recommend ASN range blocking over country range blocking. In either case, feel free to use our free IP to Country ASN database.
Snowflake query using IPinfo's IP to Country ASN database (only fragments of the query survived):

```sql
flat_data.value as AS197695_ips
SELECT public.range2cidr(start_ip, end_ip) as ip_range
```
This information was generated using our free IP to Country ASN database on Snowflake.
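The same ASN-versus-country range blocking can be done offline from the CSV flavour of the free IP to Country ASN database. The script below is an added example, not IPinfo's own tooling; it assumes the CSV columns start_ip, end_ip, country, ..., asn, and the sample rows (documentation IP ranges, AS197695 as the ASN of interest) are constructed, not real data.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the assumed column layout of IPinfo's free
# IP to Country ASN CSV. Addresses are documentation ranges, not real ones.
SAMPLE_CSV = """start_ip,end_ip,country,country_name,continent,continent_name,asn,as_name,as_domain
203.0.113.0,203.0.113.255,RU,Russia,EU,Europe,AS197695,Example Hosting,example-host.invalid
198.51.100.0,198.51.100.127,RU,Russia,EU,Europe,AS197695,Example Hosting,example-host.invalid
198.51.100.128,198.51.100.191,RU,Russia,EU,Europe,AS64500,Other Network,other.invalid
192.0.2.0,192.0.2.9,RU,Russia,EU,Europe,AS197695,Example Hosting,example-host.invalid
192.0.2.64,192.0.2.127,US,United States,NA,North America,AS64501,Some ISP,isp.invalid
2001:db8::,2001:db8::ffff,RU,Russia,EU,Europe,AS197695,Example Hosting,example-host.invalid
"""


def range_to_cidrs(start_ip, end_ip):
    """Equivalent of range2cidr: split an inclusive IP range into CIDR blocks."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def blocklist(csv_text, asn=None, country=None):
    """Return the CIDRs of every row matching the given ASN and/or country code.

    Filtering on asn gives the narrow list the post recommends; filtering on
    country alone sweeps in every network in that country.
    """
    cidrs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if asn is not None and row["asn"] != asn:
            continue
        if country is not None and row["country"] != country:
            continue
        cidrs.extend(range_to_cidrs(row["start_ip"], row["end_ip"]))
    return cidrs


def iptables_rules(cidrs, chain="INPUT"):
    """Render DROP rules, picking iptables or ip6tables by address family."""
    rules = []
    for cidr in cidrs:
        tool = "ip6tables" if ipaddress.ip_network(cidr).version == 6 else "iptables"
        rules.append(f"{tool} -A {chain} -s {cidr} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(iptables_rules(blocklist(SAMPLE_CSV, asn="AS197695"))))
```

With a real download, replace SAMPLE_CSV with the file contents; the country-only filter shows how many more ranges a country block drags in compared with the ASN block.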
Considering the sheer volume of domains they host, it is best to use an IP-based firewall to protect your infrastructure instead of a domain-based firewall.
Moving forward, the IP address 22.214.171.124 has 2,268 domains hosted on it.
Hosted domains on 126.96.36.199
The vast majority of these domains have the .ru TLD. So, to keep things light, here are some of the domains they own without the
This information was generated using our Hosted Domains database.
If you have any follow-up questions, feel free to drop them below.