@BushidoToken Threat Intel

  Legitimate third-party Platform-as-a-Service (PaaS) providers are becoming increasingly leveraged by threat actors for phishing and malware deployment. PaaS providers such as cloud instances, marketing platforms, content delivery networks (CDN), and dynamic DNS servers have been weaponised for a range of malicious activities. One of the key benefits is that they can be used to  evade detection systems. This is due to the decreased likelihood of these being pre-emptively blocked because of established levels of trust and legitimate usage.  Many of these types of malware and phishing campaigns also combine the use of multiple platforms simultaneously, making these particularly difficult for human analysts and automated systems to identify and malicious activity. The research in this blog details how cybercriminals l everage these systems as credential harvesting pages, payload hosting sites, redirector links, C&C servers, "dead drop resolvers", and for data exfiltration. 

As far as brands that get impersonated a lot, PayPal has got to be in the Top 5 or Top 3 globally. Between August and October, I personally received 19 PayPal credential phishing page links and my crud email provider (not Gmail or Outlook) didn't block them, so they've been landing in my inbox. So I took a look at them, natch.  I examined various phishing attempts that appear to be sent in a similar manner to my personal email, which has only appeared in one small breach in 2017, according to Have I Been Pwned for the record. One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page; followed by several pages to harvest credit card and billing information, bank account details, and finally the bit that I'd not personally seen before (but I doubt is that new) was that it asked me to "Upload your identity".   The amount of personal data this phishing kit is harvest