Jake | JCyberSec_
@JCyberSec_
Followers
9,527
Following
63
Media
3,121
Statuses
9,309
Expert in Credential Phishing and Phishing Kit Research. Working in Cyber Security - Threat Intelligence #Phishing
UK
Joined August 2017
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
ドラフト
• 398173 Tweets
#わたしの宝物
• 73115 Tweets
NuNew Medley Song
• 70918 Tweets
青春18きっぷ
• 51033 Tweets
Baakhabar Sant Rampal Ji
• 49987 Tweets
LINEスタンプ
• 28200 Tweets
ILL BE THERE TODAY
• 26895 Tweets
Errejón
• 26334 Tweets
船井電機
• 24689 Tweets
LIA AT DG BEAUTY POP UP
• 19645 Tweets
WALL SONG OHMLENG
• 18486 Tweets
まっすー
• 15059 Tweets
Razem
• 13738 Tweets
FURIA EN BONDI
• 12954 Tweets
もやしもん
• 12097 Tweets
Adoちゃん
• 11572 Tweets
GENTO SA TAIWAN
• 11216 Tweets
Last Seen Profiles
I got phished. Not a training phish a REAL
#phishing
site⚠️
I am a security expert but I still fell for it🫡
⛔️You shouldn't blame users everyone can get tricked.
Here is what happened....🧵⤵️
74
264
1K
Threat Actors using the global CrowdStrike outage to spin up new domains 🌐
👁️Keep an eye out for malware posing to 'fix' the issue
🔒Malicious phishing pages posing as a fixing site
#Phishing
19
320
516
:: Phishing Hunting Thread ::
This is a thread about how to hunt and find
#Phishing
sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.
Let's go hunting!
9
222
380
Sent a couple of canary tokens to a threat actor phishing for Metamask account phrases 🦊🪙🪙
The actor used ProtonVPN out of the Netherlands 🇳🇱
Until they forgot...
🇳🇬197.211.52.13
12
42
272
🔥Threat actor sending Hermes
#phishing
via SMS is arrested!🚓
🔍Note the actor was using a Hotel room to hide their geo-location
These actors are clever to hide their tracks, keep this in mind when dealing with them.
7
76
223
So you want to learn about phishing kits 🧑🎓
🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️
Retweets are appreciated ♻️
🔍Follow me for more
#phishing
intelligence
@Jcybersec_
4
107
224
⚠️UK police to send 70,000 SMS after taking down ispoof
The UK’s largest fraud operation has brought down a phone number spoofing and OTP capturing site - ispoof[.]cc📱
Full Details and Analysis in Thread⤵️🧵
9
68
189
LAPSUS$ are making a lot of noise but there is history of this group before these large profile breaches⚠️
🔍Let's see what we can find out about this group using their old website...
You will be surprised what I discovered! ⤵️
🧵
5
49
199
Announcing KIT Intel 📣
🎉A Phishing Kit Intelligence Platform
“Understand the threat actors' playbook and capabilities”
#KITIntel
🧵 THREAD ⤵️
7
59
193
How to create a good
#phishing
site:
✅ - Use a legitimate host
✅ - Use the latest theme of the target
✅ - Ensure it has a TLS
✅ - Host the exfil address on a legitimate service
🌐/pianohub-170fd.dt.r.appspot.com/
POST to 🌐 /sonarquberb.azurewebsites.net/1/handler.php
5
52
184
I have just found a phishing kit with an API key in.
The API key has only 1000 free searches...
It would be awful if someone did 1000 searches with that key in a loop...
#phishing
4
32
150
⚠️So you have heard about the Twilio breach?
SMS
#phishing
messages were sent to Twilio staff resulting in multiple employees accounts being compromised 📱
🥷Threat actors then accessed 163 customers resulting in further compromise
Here is a timeline of events...
Thread🧵⤵️
3
60
134
The terms:
General Intelligence Requirements (GIRs)
Priority Intelligence Requirements (PIRs)
Intelligence Requirements (IRs)
are used CTI all the time.
While exact definitions and usage can vary, here's a general overview...
1
24
116
Haha if you're going to create a hidden file, don't then list it in robots.txt. Guess where I went first ...
5
15
106
Thankfully the card which was compromised was easily able to be reset on the app and no malicious payments were made or attempted.
However, it is plain to see how people get caught out.
2
4
113
5
13
107
Never seen a fake
@haveibeenpwned
#phishing
website before 🤯
🌐hxxps://have-i-been-pwned.com/uhive970477wyksm/account
💢
@Namecheap
#KITIntel
🔍 I would assume the passwords as being exfiltrated but currently the POST gets a 400 status code
🔠For awareness
@troyhunt
5
44
107
New CTI chart 🔥
Cyber threat hunting maturity ranking system.
🖥️Where does your organisation sit on this?
#CTI
#ThreatHunting
#ThreatIntel
1
35
98
Would people be interest in a Phishing Kit analysis thread?
Any other ideas or items you are interested in - let me know!
11
5
96
Just because a website displays a default landing page or error page doesn't mean the site is down.
This websites landing page shows a default web page but in fact it is hosting a phishing kit
Do not take threat actors infrastructure at face value
4
20
88
:: Phishing Admin Panel Hunting Thread ::
In this thread we will find ways to hunt and attribute phishing admin panels.
This is a continuation from my
#phishing
hunting thread released earlier this year. ()
Please retweet to knowledge share among others.
:: Phishing Hunting Thread ::
This is a thread about how to hunt and find
#Phishing
sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.
Let's go hunting!
9
222
380
3
45
78
I was tired after finishing a long busy day at work, wanted to have food and just quickly wanted to deal with the order to get that shipped off.
3
1
81
The email wasn't a sold notification. It was a private message from a user to me so everything was Vinted branded and official as it uses their internal messaging system.
The link in the DM was the phishing link.
1
3
77
With all the noise about Browser In The Browser (BITB)
#phishing
templates🖥️
🔍I made a YARA rule to detect a deployed template based upon the code provided by
@mrd0x
💀
Made by ::
@JCyberSec_
🥷
Download here ::
2
30
75
🎉 We have just passed 50,000 unique phishing kits in our repository.
🔍All these kits are parsed, processed, and searchable.
It is really interesting to see how many kits are duplicated across domains and campaigns.
This shows that
#phishing
is getting disrupted well enough💀
6
15
74
⚠️Phishing Landscape 2022:
An Annual Study of the Scope and Distribution of Phishing
🌐
🧵Thread of notable findings ⤵️
3
37
65
Just written a new script to enhance data in
@urlscanio
.
I now upload new found malware panels with tags for the type for ease of use.
I hope people find this valuable and if you're hunting panels you can utilise these submissions.
Next step is to automate the script running!
4
9
64
#Emotet
Summer holidays over - Emotet is back online. 📊
What Do We Know So Far?
Since Friday morning, the servers of cybercrime gang MUMMY SPIDER (aka. TA542) are active again. 🔊
Thread - Retweet to help share knowledge! ♻️
2
47
64
Never fire or punish anyone for falling for a
#phishing
site.
Education - Sure. Punishment - No.
The user didn't fail; your internal security controls failed.
If an employee falls for a phish then you have failed to block, detect, and secure your user-base.
@JCyberSec_
joke aside, what were their response like? did you id'd the employee, aren't you afraid the person gets sacked?
1
0
2
1
16
59
To tell what botnet an
#Emotet
sample is from, extract the payload and then analyze the RSA Key. Visualizing relationships between RSA keys and C&C servers can be seen in the image.
1/3
1
23
63
🎉Presenting CTI-URLScan
CTI-URLScan is a command line tool to enable analysts to search submissions.
Automatic extraction of API items to allow for easier ingestion.
Pull screenshots and DOM content.
💻
1
16
58
@LeveragedHonky
It wasn't a cold message I was selling an item. I didn't see that the link was to an external site I clicked it quickly assuming it was the finalise the transaction page.
The red flags are obvious. This was a low level unsophisticated phish. But distracted and on autopilot...
3
0
58
I was selling some items of clothes on Vinted👚
✉️I got an email from Vinted saying one of my items had been sold and to click here to process the order.
I clicked on the link without thinking and got to a page which asked for my card details💳
10
3
59
Once I had entered my full card details and hit submit the next page asked for my cards limit. This is when alarm bells started to ring. I looked at the URL bar to find I wasn't on the Vinted site anymore.
2
1
58
⚠️ New Slack channel :: Magecart Intel Sharing ⚠️
If you're engaged in hunting or protecting against
#Magecart
then come join.
Split into with different TLP areas to enable effective intel sharing and allowing for collaborative working amount peers.
📬 DM me for an invite now.
5
18
57
⚠️The UK has been hit with courier SMS Phishing for a while now 📦
🔍This thread will detail all the current Royal Mail kits with detailed intelligence for each one🔍
Here we go ...!⬇️
1
18
56
I then received a second fake SOLD notification about 5mins later.
1
1
53
🔥We have just discovered an E-Commerce entrepreneur who is selling
#phishing
kits and bullet proof hosting on the side...
🌐hxxps://sellix.io/o365spammer
🧵THREAD ⤵️
4
18
49
🔥So where are we with SolarWinds Orion and what have we learnt since the original disclosure. 🔎
📄A thread to pull public information together...
1/n
💥
#SolarWinds
#SolarWindsOrion
1
28
51
🕵️UK law enforcement are now preparing to send 70,000 SMS messages to potential victims of the site
ispoof allowed controlling users to intercept OTP and Telepins of victims #⃣#⃣#⃣#⃣
💯This video was uploaded to the ispoof telegram channel and is beyond amazing!!! 😂🤣😂🤣
4
10
47
Friday read 📖
How To Unpack Malware -
A fantastic and deep analysis of packers written by
@Marco_Ramilli
👍
🔎Covering: UNPACME (
@unpacme
), DiE, process and DLL injection, Process Hollowing, APC, Process Doppelgänging, and debuggers.
#Malware
#CTI
1
22
49
The image uploaded to the GMP website has not had its Exifdata removed...
2
3
44
📢Using intel which my team generated Officers from Londons Police
@DCPCU_tweets
executed four search warrants across England relating to
#phishing
SMS campaigns linked to Hi Mum/Dad
#Familyscams
🔍🚓
👀Gotta love when a plan comes together🚨
2
5
45
I have discovered a GitHub user pushing crypto
#phishing
🔥
🕴️The user has phishing pages for:
CoinBase
TrustWallet
MetaMask
SafeMoon
MetaWallet
✉️All stolen data is sent via (
@formsubmitio
)
🧵IoCs below ⤵️
2
14
42
I can already see how this is going to be abused by threat actors.
Going to make tracking these threats 100x harder.
Who is pastebin working for? Security or threat actors?
4
10
44
Still no suspicion as I assumed Vinted would pay the money into this card account.💰
4
1
44
Let's do a detailed
#FF
because Friday and knowledge sharing is good!
Format - Username :: Reason to follow them
Note: These are in no alphabetical order.
Feel free to append your own list!
#THREAD
#FollowFriday
1
10
44
Easy
#Phishing
win for a Monday morning:
- /dns04.com
- /dns05.com
900 hits on
@urlscanio
of which 289 are phishing.
Targets include: WhatsApp, Apple, Bank of America, Amazon.
Regex: "domain:dns[0-9]{2}.com"
#cyber
@nullcookies
@packet_Wire
@dave_daves
@Spam404
@n0p1shing
0
13
41
I use Ubuntu as my main OS and I have a number of cheat sheets which I refer to for commands which I use periodically 📜
I want to share them with you here and see if they are helpful to anyone else 👨👧
⚠️Let's begin!
1
7
40
InterPol👮♂️ announced the arrest of 3 individuals linked to
#16Shop
; the prolific Phishing-as-a-Service service📁
📅16Shop has been around for years, with public attribution available since 2018!👀
It is great arrests are being made but is this too little too late?🤔
🧵⤵️
1
10
40
I found a strange website today...
🖥️It led me to discover a huge
#phishing
infrastructure setup
Everything was hiding behind this seemingly innocent website...
Read on to understand what happened ⤵️
4
9
36
This is big. ⚠️
Multiple crypto accounts all hijacked almost simultaneously. Using COVID theme.
🌐Scan of the site:
💰Bitcoin wallet:
Cloudflare detects the site as malicious.
#cryptoforhealth
#Crypto
💲
5
23
37
I never thought I would see the day when
@Namecheap
were getting more likes than my tweet ...
Good work folks! 👍
2
0
37
On the same IP address and on port 3790 there was an instance of the Metasploit Project hosted
🥷This group may have been actively targeting clients
💰Before they found buying access was a lot easier...
2
0
35
Whilst looking into another thing I stumbled across another
#MageCart
campaign.
URL🌐 hxxps://jquerycdnlib.at/5c21f3dbf01e0.js - 217.8.117.42
Filename: 5c21f3dbf01e0.js
The code grabs card details and then sends back to itself to store on the domain.
@iblametom
@malwrhunterteam
1
16
36
For the latest SOTI report (Phishing for Finance),
@SteveD3
and I looked at Kr3pto and Ex-Robotos phishing kits.
We were able to work together with our unique datasets to discover exclusive insights into SMS Credential phishing
Check it out:
0
17
36
A little Christmas gift to all you
#phishing
threat hunters out there ... 🎄
📂A thread of phishing kits....
1/n⤵️
1
12
35
And here are some great
#Phishing
feed resources to use to hunt ::
-
@PhishStats
-
-
@open_phish
-
-
@PhishTank_Bot
-
-
@urlscanio
-
1
10
35
I am seeing an increase in the use of upside down letters used in phishing attacks ⚠️
#KITIntel
🔍 All these URLs are linked to Creds bros
#phishingkits
🟢This TTP is used to bypass static URL scanning and is not new
1
15
33
Can we share a thought for all IT workers at the moment:
- FireEye 🔥
- Solar Wind 💥
- Google 🔎
7
3
35
Check out this cesspool of filth⚠️
44 new
#PredatorTheThief
💳 URLs have appeared within the last two weeks.
@urlscanio
has 268 domains archived.
IPs rotate but all sit on AS35278 belonging to
@sprinthost
.
#Malware
@JAMESWT_MHT
@James_inthe_box
@malwrhunterteam
@MaelSecurity
3
14
35
As stated at the start of this thread here are some great
#Phishing
accounts to follow ::
-
@JCyberSec_
-
@IpNigh
-
@PhishingAi
-
@packet_Wire
-
@ActorExpose
-
@PhishStats
-
@FeedPhish
-
@JayTHL
-
@Cyberfishio
-
@dave_daves
-
@ozuma5119
-
@smica83
2
10
34
Highly suspicious newly registered domain on Cloudflare ⚠️
🌐 - /LETENCRYPTS.ORG
📅 - Dec 30, 2020
Paging:
@letsencrypt
0
7
34
⚠️I am seeing a new trend of WhatsApp based SMS
#phishing
📱
🔍These lead a user to directly transfer money pretending to be a persons son/daughter
Phishing can use any vector to contact you. Stay alert!
7
20
34
So
@Namecheap
(
@lothar97
@NamecheapCEO
) released a report titled "Our fight against fraud and abuse" 📄
Here are the key takeaways and something ALL web hosting companies should read and understand ⤵️
2
13
33
This is a new scam for me - Flower Shop Scams 💐
💰Buy flowers from fake flower shops
The flowers do not exist, the shop doesn't exist, the flowers will never arrive.
This is very clever and here is why ... 👀
3
16
31
Modified Facebook
#phishing
page🎣
🌐/protectionsoffice404.000webhostapp.com
📃Pages:
/m.help.htm
/m.upgrade.pay.htm
/confirmed.htm
⚠️Rare kit always hosted on 000 based on historic deployments
Hosted by
@000webhost_com
- Take this down.
4
21
29
Saturday
#MalwarePanelUpdate
📊
Lots of new panels from a range of
#malware
including:
#AZORult
,
#kpot
,
#Lokibot
,
#BlackNET
,
#Tesla
, and
#OskiStealer
.
🖥️Full IoC list:
They have all been pushed to
@urlscanio
with my tag if you want to view them. 🌐
1
15
30
#MageCart
script located in the wild on several eCommerce sites.⚠️
🌐Script is loaded from hxxps://adventurewar.com/payment/mage_secure/payment.js - 103.134.152.1
TLS
@letsencrypt
2
10
29
#Phishing
Actor Cazanova continues to try and distance himself from his phishing kits.
Asserting his website is down; HOWEVER, the version tracker portal is still online hosted on his site.
His site is NOT down or offline.
#CyberSecurity
#Phishing
@BleepinComputer
@urlscanio
7
9
29
There is a growing increase in call back scams 📵
🔍They are very simple to run but highly effective
THIS IS HOW THEY WORK...⤵️
🧵
1
12
31
This is still a very relevant image for all CTI analysts to understand and link to current reporting.
Direct link between
#Emotet
,
#TrickBot
, and
#IcedID
. Also links between
#WizardSpider
as creators / closely linked to
#GrimSpider
#Ryuk
Image Source:
1
5
30
I have created an open team on
@KeybaseIO
for Phishing hunting. 🎣
⚠️If you want to join search for "Phishing" and request to join.
I am hoping we can share IoCs and other
#Phishing
and
#PhishingKit
intel.🌐
Please RT♻️ to share this to more people.
2
23
30
It's been a while, but here is today's
#Malware
panel updates which include: 📊
23 new
#Mailers
📧
8 new
#OskiStealer
🪝
4 new
#Nexus
💵 and
#TaurusStealer
💲
Brand new C2 panels on
@urlscanio
uploaded with my tag ⚠️
IOC List:
#MalwarePanelUpdate
1
7
28
I have just seen a new
#phishing
kit targeting the UK's NHS 🇬🇧🧑⚕️
🌐hxxps://nhsdigitalpassports.uk/Alert.php
⚠️Intel: The "Alert.php" filename has also been seen in Post Office phishing websites showing these kits are highly likely to be linked.
@UK_Daniel_Card
@LisaForteUK
2
27
29
Group IB analysis of the Okta phishing kits we have been seeing recently🔍
⚠️This was the group which caused the Twilio breach and caused the Signal alert a week ago
1
15
29
If you are going to host
#phishing
on
@gitlab
then you would do wise to not use a photo of yourself as your profile picture...
What else can we find out about this individual...?
1/n
#phishing
Alert
@BankofAmerica
@BofA_Help
hxxps://daviking95.gitlab.io/boa/account.html
@malwrhunterteam
@PhishStats
@urlscanio
@Bank_Security
@gandibar
1
0
3
2
9
27