Warning ! third-party regarding subdomains of ru[.]com using the names of US states


This Multi-State
Infrastructure Information Sharing and Analysis Center (MS-ISAC) Advisory
is being provided to assist agencies and organizations in guarding against
the persistent malicious actions of cybercriminals. Even though the
services provided by the MS-ISAC are only available to the public sector,
all private sector organizations are encouraged to review this
Advisory and implement appropriate mitigation measures.


The MS-ISAC received notice from a trusted third-party regarding subdomains
of ru[.]com using the names of US states. Although many of them are not
currently active, these domains could be used for phishing campaigns or
other malicious activity like malspam. The domains follow a consistent
template with using standard state names (no acronyms, spacing, or hyphens)
in the format <state>[.]ru[.]com. For example: 


  • California[.]ru[.]com
  • NewYork[.]ru[.]com
  • NorthDakota[.]ru[.]com
  • Ohio[.]ru[.]com


This information is being
provided for situational awareness. The MS-ISAC recommends blocking the
domain at your web filter, on any edge devices, and in your spam
filtering solution. If your organization utilizes the MS-ISAC Malicious
Domain Blocking and Reporting (MDBR) Service, all of the domains have been
added. While some of these domains are currently up for sale, the domain
could become active at any time.