One persistent Phish


For the last three months I have personally received the same phishing email masquerading as a PayPal 'your account has been suspended' notification, trying to steal my login credentials:

The email arrives from "service@paypal.com" and looks very convincing to the average user.

Here is the phishing chain these threat actors are currently using in this type of attack:

Fortunately, this attack involves several steps, which hopefully gives unsuspecting users more of a chance to recognise that they are being targeted. Flow of the phishing chain (NB: the credential harvesting page has been replaced with the YouTube video):

The interesting part of this attack, to me, is that it leverages one of MySpace's domains to redirect users to the next stage. However, if you visit one of the links directly, without clicking on the button in the URL, it redirects you to the same YouTube video.

Example YouTube comment from these videos:

Interestingly, I also used URLscan.io to check for other pages that redirect to this odd YouTube video. Looking at how often it has been submitted, this appears to be an active, ongoing campaign.
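As an added example (not code from the original post), here is a small Python tracer that walks a redirect chain like the one above one 3xx hop at a time, without rendering or executing anything, so the decoy-versus-harvesting-page behaviour of a short link can be recorded safely. The HTTP fetch is a constructed stand-in so the script runs offline; the mapping of the post's mysp.ac links to destinations is illustrative, not a record of what those links actually returned.

```python
"""Trace a phishing redirect chain hop by hop without rendering any page.

Added example, not from the original post. FAKE_RESPONSES is a constructed
stand-in for HEAD requests made with redirects disabled (for example
requests.head(url, allow_redirects=False)) from an isolated analysis host.
"""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECTOR_HOSTS = {"mysp.ac"}        # legitimate service abused as a bounce
DECOY_HOSTS = {"www.youtube.com", "youtu.be"}

# Constructed responses: url -> (status, Location header or None). The post
# does not say which short link bounces where; this mapping is illustrative.
FAKE_RESPONSES = {
    "https://mysp.ac/4fylg": (302, "https://portal.bloodformercy.id/mobile-signin"),
    "https://portal.bloodformercy.id/mobile-signin": (200, None),
    "https://mysp.ac/4evC9": (302, "/decoy"),
    "https://mysp.ac/decoy": (302, "https://www.youtube.com/watch?v=EXAMPLE"),
    "https://www.youtube.com/watch?v=EXAMPLE": (200, None),
}

def fake_fetch(url):
    """Return (status, location) as a HEAD request without auto-redirect would."""
    return FAKE_RESPONSES.get(url, (404, None))

def trace_chain(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow 3xx Location headers manually; return every URL touched in order."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400) or not location:
            return chain
        url = urljoin(url, location)   # resolves relative Location values
        chain.append(url)
        if chain.count(url) > 1:       # redirect loop: stop, keep the evidence
            return chain
    return chain                        # hop limit reached; treat as suspicious

def classify(chain):
    """Summarise a traced chain: did it bounce via a redirector, where did it land?"""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    return {
        "hops": len(chain) - 1,
        "via_redirector": any(h in REDIRECTOR_HOSTS for h in hosts),
        "final_host": hosts[-1],
        "lands_on_decoy": hosts[-1] in DECOY_HOSTS,
    }
```

Swapping `fake_fetch` for a real HEAD request keeps the same hop-by-hop logging, which is what you want when a redirector serves different destinations depending on how it was reached.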


Using OSINT techniques such as checking the WHOIS data of the malicious domains, we can also learn more about who is behind these attacks. From this we learn that both domains were registered through an Indonesian registrar and are hosted on ASNs that are notorious for allowing malicious content and for being slow with takedowns.

WHOIS Data:

Domain:   bloodformercy.id
Age:      112 days old
IPv4:     192.119.80.250
Location: Washington - Seattle - Hostwinds Llc.
ASN:      AS54290 HOSTWINDS, US
DNS:      DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM

Domain:   umbrellacorp.id
Age:      136 days old
IPv4:     192.64.113.199
Location: Georgia - Atlanta - Namecheap Inc.
ASN:      AS22612 NAMECHEAP-NET, US
DNS:      DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM

Sponsoring Registrar PANDI ID:       H8100226
Sponsoring Registrar Organization:   Jagat Informasi Solusi (int)
Sponsoring Registrar City:           Jakarta
Sponsoring Registrar State/Province: Jakarta Pusat
Sponsoring Registrar Postal Code:    10220
Sponsoring Registrar Country:        Indonesia
Sponsoring Registrar Phone:          2129388505
Sponsoring Registrar Contact Email:  info@belidomain.co.id

Conclusion: 

Although I have blocked the sender and have submitted takedown requests, it appears I am doomed to continue to receive this PayPal phish 😂

If you enjoyed this, may I invite you to check out my recent talk at BeerCon2 regarding the phishing threat landscape. It is available here and the TL;DR can be found here.

Indicators of Compromise (IOCs):

Domain: umbrellacorp[.]id
Domain: bloodformercy[.]id
Domain: acwqva[.]com
URL: hxxp://umbrellacorp[.]id/killbot/saymon.php
URL: hxxp://umbrellacorp[.]id/killbot/thomas13.php
URL: hxxp://portal[.]bloodformercy[.]id/mobile-signin
IPv4: 192.64.113.199
IPv4: 192.119.80.250

MySpace Redirector Links:

URL: hxxps://mysp.ac/4fylg
URL: hxxps://mysp.ac/4evC9
