My next class:

Phishing Again and Again

Published: 2023-02-27. Last Updated: 2023-02-27 06:51:44 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

A quick finding while hunting last weekend! Despite many security awareness campaigns, phishing has remained a common threat. You can be targeted by a « personal » phishing attacks that tries to steal credentials to access your corporate account (like a fake VPN login page). But phishing also targets well-known brands. I found a ZIP archive containing many well-designed HTML pages that mimic many classic brands targeted by phishing campaigns.

Example:

Here is the list of pages:

  • Apple italy.html
  • Apple letter (1)New.html
  • BOA letter.html
  • BOA scampage.html
  • CVE-2018.html
  • Chase Final letter.html
  • Letter Best paypal!.html
  • Letter Netlix [Norwegian].html
  • Letter Paypal1.html
  • Letter Paypal2.html
  • Letter [ANything].html
  • New sign on iOS and macOS.html
  • Office-Letter.html
  • PayPal Final letter(1).html
  • PayPal best letter.html
  • PayPal final letter.html
  • PayPal letter.html
  • Secure My Account.html
  • Spotify Subscription Payment Failure.html
  • TOP PADDING Trusted Sender.html
  • Your iCloud storage is full.html
  • [PP] Unusual activity.html
  • amazon.html
  • amex.html
  • apple check activity.html
  • apple-Confirmation.html
  • apple-invoice.html
  • apple-nyolong.html
  • apple-nyolong2.html
  • apple.html
  • apple2.html
  • apple3.html
  • applebagus.html
  • applejapan.html
  • authorize payment paypal.html
  • bbletter (4) (2) (2).html
  • chase-Your credit card statement is ready.html
  • chase.html
  • chase1.html
  • discover.html
  • ebay.html
  • gaenandewe.html
  • google.html
  • icloud.html
  • icloud2.html
  • kata limited paypal.html
  • kecilpaypal.html
  • new signin.html
  • new.html
  • paypal-limited-lang[ID].html
  • paypal.html
  • renyahpp.html
  • revisi apple.html
  • spotify failure payment.html
  • spotify.html
  • still-aol.html
  • unusual.html
  • yahoo-apple.html
  • yahoo-apple2.html
  • yahoojapan.html

Some pages contain a valid URL defined to receive credentials provided by victims other don't, but they are almost ready to be reused in new campaigns...

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Phishing
2 comment(s)
My next class:

Comments

Question: Any hashes for those files?
What scan-man said...

Also, a list of forwarding URLs would be handy.

Then we could track domain ownership and block or have the owner fix the problem.

Diary Archives