I got phished. Not a training phish, a REAL #phishing site⚠️
I am a security expert but I still fell for it🫡
⛔️You shouldn't blame users; everyone can get tricked.
Here is what happened....🧵⤵️
Threat Actors using the global CrowdStrike outage to spin up new domains 🌐
👁️Keep an eye out for malware posing to 'fix' the issue
🔒Malicious phishing pages posing as a fixing site
#Phishing
:: Phishing Hunting Thread ::
This is a thread about how to hunt and find
#Phishing
sites.
Retweets would be great to help spread the knowledge and please add your own techniques, ideas and suggestions.
Let's go hunting!
Sent a couple of canary tokens to a threat actor phishing for Metamask account phrases 🦊🪙🪙
The actor used ProtonVPN out of the Netherlands 🇳🇱
Until they forgot...
🇳🇬197.211.52.13
🔥Threat actor sending Hermes #phishing via SMS is arrested!🚓
🔍Note the actor was using a hotel room to hide their geo-location
These actors are clever at hiding their tracks; keep this in mind when dealing with them.
So you want to learn about phishing kits 🧑🎓
🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️
Retweets are appreciated ♻️
🔍Follow me for more #phishing intelligence
@Jcybersec_
⚠️UK police to send 70,000 SMS after taking down ispoof
The UK’s largest fraud operation has brought down a phone number spoofing and OTP capturing site - ispoof[.]cc📱
Full Details and Analysis in Thread⤵️🧵
LAPSUS$ are making a lot of noise but there is history of this group before these large profile breaches⚠️
🔍Let's see what we can find out about this group using their old website...
You will be surprised what I discovered! ⤵️
🧵
How to create a good #phishing site:
✅ - Use a legitimate host
✅ - Use the latest theme of the target
✅ - Ensure it has a TLS
✅ - Host the exfil address on a legitimate service
🌐/pianohub-170fd.dt.r.appspot.com/
POST to 🌐 /sonarquberb.azurewebsites.net/1/handler.php
#Emotet
Research Thread - Emotet’s C2 infrastructure can be separated into two lists: Actual Tier 1 C2s that are compromised Linux web hosts and Bot C2s that are infected devices with the UPnP module deployed.
#Malware
** THREAD **
:: Magecart Hunting Thread ::
This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵
♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.
⚠️THREAD⚠️
I have just found a phishing kit with an API key in.
The API key has only 1000 free searches...
It would be awful if someone did 1000 searches with that key in a loop...
#phishing
⚠️So you have heard about the Twilio breach?
SMS #phishing messages were sent to Twilio staff, resulting in multiple employees' accounts being compromised 📱
🥷Threat actors then accessed 163 customers resulting in further compromise
Here is a timeline of events...
Thread🧵⤵️
The terms:
General Intelligence Requirements (GIRs)
Priority Intelligence Requirements (PIRs)
Intelligence Requirements (IRs)
are used in CTI all the time.
While exact definitions and usage can vary, here's a general overview...
Thankfully the card which was compromised was easily able to be reset on the app and no malicious payments were made or attempted.
However, it is plain to see how people get caught out.
Never seen a fake @haveibeenpwned #phishing website before 🤯
🌐hxxps://have-i-been-pwned.com/uhive970477wyksm/account
💢@Namecheap #KITIntel
🔍 I would assume the passwords as being exfiltrated but currently the POST gets a 400 status code
🔠For awareness
@troyhunt
There are a number of linked IoCs and campaigns running against Vinted, Etsy, eBay and other selling sites.
Be careful out there, people. And @vinted @vintedUK, you need to increase your spam protection and prevent this abuse of your platform!
Saw these in my feed and wanted to share. Interesting #CTI escalation pyramid and a #DRIF pyramid chain.
Gotta love colourful images, especially if they help process and procedure understanding.
Just because a website displays a default landing page or error page doesn't mean the site is down.
This website's landing page shows a default web page, but in fact it is hosting a phishing kit
Do not take threat actors' infrastructure at face value
:: Phishing Admin Panel Hunting Thread ::
In this thread we will find ways to hunt and attribute phishing admin panels.
This is a continuation from my #phishing hunting thread released earlier this year.
Please retweet to knowledge share among others.
More targeted #phishing against the UK using #COVID19 as a lure.
🌐/uk-covid-19-relieve.com (160.153.133.209)
@GoDaddy
Using the same kit as the common GOV UK phishing sites but with a change of title. Will steal bank details when valid postcode is entered.
:: 16Shop Intelligence Thread ::
#16Shop is a prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.
⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.
#THREAD
The email wasn't a sold notification. It was a private message from a user to me so everything was Vinted branded and official as it uses their internal messaging system.
The link in the DM was the phishing link.
With all the noise about Browser In The Browser (BITB) #phishing templates🖥️
🔍I made a YARA rule to detect a deployed template based upon the code provided by @mrd0x 💀
Made by :: @JCyberSec_ 🥷
Download here ::
🎉 We have just passed 50,000 unique phishing kits in our repository.
🔍All these kits are parsed, processed, and searchable.
It is really interesting to see how many kits are duplicated across domains and campaigns.
This shows that #phishing is getting disrupted well enough💀
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊
The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲
<THREAD>
#phishing
#security
#cyber
Just written a new script to enhance data in @urlscanio.
I now upload new found malware panels with tags for the type for ease of use.
I hope people find this valuable and if you're hunting panels you can utilise these submissions.
Next step is to automate the script running!
#Emotet
Summer holidays over - Emotet is back online. 📊
What Do We Know So Far?
Since Friday morning, the servers of cybercrime gang MUMMY SPIDER (aka. TA542) are active again. 🔊
Thread - Retweet to help share knowledge! ♻️
Never fire or punish anyone for falling for a #phishing site.
Education - Sure. Punishment - No.
The user didn't fail; your internal security controls failed.
If an employee falls for a phish then you have failed to block, detect, and secure your user-base.
To tell what botnet an #Emotet sample is from, extract the payload and then analyze the RSA key. Visualizing relationships between RSA keys and C&C servers can be seen in the image.
1/3
🎉Presenting CTI-URLScan
CTI-URLScan is a command line tool to enable analysts to search submissions.
Automatic extraction of API items to allow for easier ingestion.
Pull screenshots and DOM content.
💻
@LeveragedHonky
It wasn't a cold message; I was selling an item. I didn't see that the link was to an external site; I clicked it quickly, assuming it was the "finalise the transaction" page.
The red flags are obvious. This was a low-level, unsophisticated phish. But distracted and on autopilot...
I was selling some items of clothes on Vinted👚
✉️I got an email from Vinted saying one of my items had been sold and to click here to process the order.
I clicked on the link without thinking and got to a page which asked for my card details💳
Once I had entered my full card details and hit submit, the next page asked for my card's limit. This is when alarm bells started to ring. I looked at the URL bar to find I wasn't on the Vinted site anymore.
⚠️ New Slack channel :: Magecart Intel Sharing ⚠️
If you're engaged in hunting or protecting against #Magecart then come join.
Split into different TLP areas to enable effective intel sharing and allow for collaborative working among peers.
📬 DM me for an invite now.
⚠️The UK has been hit with courier SMS Phishing for a while now 📦
🔍This thread will detail all the current Royal Mail kits with detailed intelligence for each one🔍
Here we go ...!⬇️
🔥We have just discovered an E-Commerce entrepreneur who is selling #phishing kits and bullet proof hosting on the side...
🌐hxxps://sellix.io/o365spammer
🧵THREAD ⤵️
🔥So where are we with SolarWinds Orion and what have we learnt since the original disclosure. 🔎
📄A thread to pull public information together...
1/n
💥
#SolarWinds
#SolarWindsOrion
🕵️UK law enforcement are now preparing to send 70,000 SMS messages to potential victims of the site
ispoof allowed controlling users to intercept OTPs and Telepins of victims
💯This video was uploaded to the ispoof telegram channel and is beyond amazing!!! 😂🤣😂🤣
My %%Hilarious Tweet%% is ready to send.
@OtterBox
Might want to check your code? Your SQL statement or mailmerge is slightly broken. Unless I really can order a %%PRODUCT_TITLE%% from you?
@nixcraft
Friday read 📖
How To Unpack Malware -
A fantastic and deep analysis of packers written by @Marco_Ramilli 👍
🔎Covering: UNPACME (@unpacme), DiE, process and DLL injection, Process Hollowing, APC, Process Doppelgänging, and debuggers.
#Malware
#CTI
📢Using intel which my team generated, officers from London's Police @DCPCU_tweets executed four search warrants across England relating to #phishing SMS campaigns linked to Hi Mum/Dad #Familyscams
🔍🚓
👀Gotta love when a plan comes together🚨
I have discovered a GitHub user pushing crypto #phishing 🔥
🕴️The user has phishing pages for:
CoinBase
TrustWallet
MetaMask
SafeMoon
MetaWallet
✉️All stolen data is sent via (@formsubmitio)
🧵IoCs below ⤵️
I can already see how this is going to be abused by threat actors.
Going to make tracking these threats 100x harder.
Who is pastebin working for? Security or threat actors?
We’re excited to announce 2 great new features for #Pastebin, we think you’ll enjoy using them! In the interest of #security, the first is: Burn After Read, and the second is: Password Protected Pastes. Head on over to to check them out 🕵️
More #MageCart found on multiple online E-commerce stores.
Infected sites:
/www.ruedesparfums.com
/samedayflash.com
/www.valrhona-chocolate.com
/www.pneumaticsolutions.com.au
Exfil URL: /marketplace-magento.com
Code sample in the image below shows the skimmer.
#Fraud
#Skimmer
Let's do a detailed #FF because it's Friday and knowledge sharing is good!
Format - Username :: Reason to follow them
Note: These are in no alphabetical order.
Feel free to append your own list!
#THREAD
#FollowFriday
I use Ubuntu as my main OS and I have a number of cheat sheets which I refer to for commands which I use periodically 📜
I want to share them with you here and see if they are helpful to anyone else 👨👧
⚠️Let's begin!
⚠️Open redirect abuse
Chain from @Adobe (302) -> @Twitter (307) -> /love-sensual.hr (302 using window.location.href) -> @Oracle
Using @zoom_us as a lure - "Sign in to Zoom with your Microsoft 365 account"
POST data to 🌐/entab.org/Zoom-meeting/xzoom.php (#KOSONG)
#phishing
InterPol👮♂️ announced the arrest of 3 individuals linked to #16Shop; the prolific Phishing-as-a-Service service📁
📅16Shop has been around for years, with public attribution available since 2018!👀
It is great arrests are being made but is this too little too late?🤔
🧵⤵️
I found a strange website today...
🖥️It led me to discover a huge #phishing infrastructure setup
Everything was hiding behind this seemingly innocent website...
Read on to understand what happened ⤵️
This is big. ⚠️
Multiple crypto accounts all hijacked almost simultaneously. Using COVID theme.
🌐Scan of the site:
💰Bitcoin wallet:
Cloudflare detects the site as malicious.
#cryptoforhealth
#Crypto
💲
On the same IP address and on port 3790 there was an instance of the Metasploit Project hosted
🥷This group may have been actively targeting clients
💰Before they found buying access was a lot easier...
Whilst looking into another thing I stumbled across another #MageCart campaign.
URL🌐 hxxps://jquerycdnlib.at/5c21f3dbf01e0.js - 217.8.117.42
Filename: 5c21f3dbf01e0.js
The code grabs card details and then sends back to itself to store on the domain.
@iblametom
@malwrhunterteam
Botnet Infrastructure Detected 🖥️
Appears to be a Vietnamese based kit
🌐hxxp://jx2-bavuong.com/
⚠️4d93c367ef568145dd852f71ad9797e29e7c04e4a7686f06dd3668f3d7c6a01a BOTNET_HOST.rar
#botnet
#malware
For the latest SOTI report (Phishing for Finance),
@SteveD3
and I looked at Kr3pto and Ex-Robotos phishing kits.
We were able to work together with our unique datasets to discover exclusive insights into SMS Credential phishing
Check it out:
I am seeing an increase in the use of upside down letters used in phishing attacks ⚠️
#KITIntel
🔍 All these URLs are linked to Creds bros
#phishingkits
🟢This TTP is used to bypass static URL scanning and is not new
⚠️I am seeing a new trend of WhatsApp based SMS #phishing 📱
🔍These lead a user to directly transfer money, pretending to be a person's son/daughter
Phishing can use any vector to contact you. Stay alert!
So @Namecheap (@lothar97 @NamecheapCEO) released a report titled "Our fight against fraud and abuse" 📄
Here are the key takeaways and something ALL web hosting companies should read and understand ⤵️
This is a new scam for me - Flower Shop Scams 💐
💰Buy flowers from fake flower shops
The flowers do not exist, the shop doesn't exist, the flowers will never arrive.
This is very clever and here is why ... 👀
Modified Facebook #phishing page🎣
🌐/protectionsoffice404.000webhostapp.com
📃Pages:
/m.help.htm
/m.upgrade.pay.htm
/confirmed.htm
⚠️Rare kit always hosted on 000 based on historic deployments
Hosted by @000webhost_com - Take this down.
#MageCart script located in the wild on several eCommerce sites.⚠️
🌐Script is loaded from hxxps://adventurewar.com/payment/mage_secure/payment.js - 103.134.152.1
TLS @letsencrypt
#Phishing
Actor Cazanova continues to try and distance himself from his phishing kits.
Asserting his website is down; HOWEVER, the version tracker portal is still online hosted on his site.
His site is NOT down or offline.
#CyberSecurity
#Phishing
@BleepinComputer
@urlscanio
I have created an open team on @KeybaseIO for Phishing hunting. 🎣
⚠️If you want to join search for "Phishing" and request to join.
I am hoping we can share IoCs and other #Phishing and #PhishingKit intel.🌐
Please RT♻️ to share this to more people.
I have just seen a new #phishing kit targeting the UK's NHS 🇬🇧🧑⚕️
🌐hxxps://nhsdigitalpassports.uk/Alert.php
⚠️Intel: The "Alert.php" filename has also been seen in Post Office phishing websites showing these kits are highly likely to be linked.
@UK_Daniel_Card
@LisaForteUK
🚨We are seeing a worrying trend of new #COVID vaccination #Phishing campaigns targeting the UK 📊
💰The Phishing site requests personal details and payment details after stating a payment of £4.99 is required for a 'Covid pass'
Group IB analysis of the Okta phishing kits we have been seeing recently🔍
⚠️This was the group which caused the Twilio breach and caused the Signal alert a week ago
If you are going to host #phishing on @gitlab then you would do wise to not use a photo of yourself as your profile picture...
What else can we find out about this individual...?
1/n