ADVANCED PHISHING ACTIVITY

    Date: 10/11/2024

    Severity: Critical

    Summary

    We have identified sophisticated phishing activities that create customized fake login pages using the victim's email address. This system generates deceptive login pages for various commercial, educational, government, and nonprofit organizations. While we traced some of these fraudulent pages to PDF email attachments, the delivery method is not confined to email or attachments alone.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://sunvalleyhydro.com/new/auth/1234/new/new/

    https://r8w1v9.roytnate.com/1qId17b/

    2e59-4dc7-abe6.com

    323toto.com

    369realtygroup.com

    3bindustriesconnect.com

    3dincre.com

    3gfreesex.net

    abreuaduogados.com

    ahead-recruitment.ue

    alkadrinks.cam

    amportsinc.com

    apeivo.cam

    arctlcpaper.com

    atrrbklaw.com

    badgercreekenergy.info

    badgerlnc.com

    bausch-streobel.de

    besthugespin.com

    biddingonlinedocuments.com

    bio-fiocruz-br.com

    blusekychemical.com

    bmacorp.org

    boyletm.uk

    calgroverents.info

    carpentertechnlogy.com

    ccaglobals.com

    celticmotorbike.com

    cemaonlines.com

    centricselevator.com

    confluencesco.com

    coventaryhomes.com

    cristoreylc.org

    cuninghampavlng.com

    cynclys.com

    doqatarnimr.sbs

    dreamcusorray.com

    drivepointe.xyz

    ebsfrod.co.uk

    eldensco.uk

    evluator.com

    extreme-deslgn.co.uk

    exymm.com

    fcpmlami.com

    foreverpoz.com

    freelosshistory.com

    fujtisu.com

    gadehomes.org

    galandwelding.com

    gascare-ae.com

    geodls.cam

    greystoneun.com

    groupehalisol.com

    hansgrohhe.com

    hdbthailand.com

    horizoncartage.org

    hpcwlaw.com

    hvncaireers.com

    ic-cds.com

    infrashareinc.ru

    inncept.net

    insclude.com

    integracsc.com

    investcapitalpartners.com

    jpcrownpointcqas.com

    justbuycheap.com

    kastbuild.co

    lancasale.com

    lexinqtonco.com

    linkauthenticator.cz

    mail-mhc.com

    mail-voice-mhc.com

    mailsupport-netsuites.online

    mamchac.com

    mconcept-textile.cam

    medleyblockk.com

    mircrosofts.online

    missinez.com

    montecitoclubs1918.com

    mountviewpot.pro

    nathanandstock.co

    nuunez-edu.com

    officehomecloud.nl

    opssolve.com

    orfits.com

    orgelbau-klais.co

    pchwinsintl.us

    perpinallawfirm.com

    perudosmadethat.com

    pmni1.com

    prackr.com

    precisethiopia.com

    present-info.org

    prohockayeurope.com

    qaraxanli.com

    qeodiss.com

    r2robingraphics.com

    remmipyservice.org

    reviosn.com

    roytnate.com

    sarnerholz.cam

    smilhome.com

    sonaper.de

    ssynchronizationsystemsco.com

    syncportal.tech

    teaf-c.org

    teasmsharesync.top

    texascapitalsonline.ru

    thconsultig.org

    thormpsonbldg.com

    topdocs4viewscans.com

    transequltydevelopment.com

    tynurserys.com

    uniformsforthededicateds.com

    venurconstructions.com

    viklngrefrig.com

    vilagale.cam

    vinkq.com

    washcomanagements.net

    wealthcadics.com

    welsky.info

    westandint.com

    zulrichna.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs 1:

    userdomainname like "gascare-ae.com" or url like "gascare-ae.com" or userdomainname like "sonaper.de" or url like "sonaper.de" or userdomainname like "reviosn.com" or url like "reviosn.com" or userdomainname like "bausch-streobel.de" or url like "bausch-streobel.de" or userdomainname like "3bindustriesconnect.com" or url like "3bindustriesconnect.com" or userdomainname like "badgerlnc.com" or url like "badgerlnc.com" or userdomainname like "opssolve.com" or url like "opssolve.com" or userdomainname like "freelosshistory.com" or url like "freelosshistory.com" or userdomainname like "bio-fiocruz-br.com" or url like "bio-fiocruz-br.com" or userdomainname like "dreamcusorray.com" or url like "dreamcusorray.com" or userdomainname like "jpcrownpointcqas.com" or url like "jpcrownpointcqas.com" or userdomainname like "nathanandstock.co" or url like "nathanandstock.co" or userdomainname like "welsky.info" or url like "welsky.info" or userdomainname like "justbuycheap.com" or url like "justbuycheap.com" or userdomainname like "wealthcadics.com" or url like "wealthcadics.com" or userdomainname like "pmni1.com" or url like "pmni1.com" or userdomainname like "syncportal.tech" or url like "syncportal.tech" or userdomainname like "kastbuild.co" or url like "kastbuild.co" or userdomainname like "alkadrinks.cam" or url like "alkadrinks.cam" or userdomainname like "drivepointe.xyz" or url like "drivepointe.xyz" or userdomainname like "3dincre.com" or url like "3dincre.com" or userdomainname like "celticmotorbike.com" or url like "celticmotorbike.com" or userdomainname like "transequltydevelopment.com" or url like "transequltydevelopment.com" or userdomainname like "mail-mhc.com" or url like "mail-mhc.com" or userdomainname like "sarnerholz.cam" or url like "sarnerholz.cam" or userdomainname like "mailsupport-netsuites.online" or url like "mailsupport-netsuites.online" or userdomainname like "cynclys.com" or url like "cynclys.com"

    Domains/URLs 2:

    userdomainname like "http://sunvalleyhydro.com/new/auth/1234/new/new/" or url like "http://sunvalleyhydro.com/new/auth/1234/new/new/" or userdomainname like "https://r8w1v9.roytnate.com/1qId17b/" or url like "https://r8w1v9.roytnate.com/1qId17b/" or userdomainname like "2e59-4dc7-abe6.com" or url like "2e59-4dc7-abe6.com" or userdomainname like "323toto.com" or url like "323toto.com" or userdomainname like "369realtygroup.com" or url like "369realtygroup.com" or userdomainname like "3gfreesex.net" or url like "3gfreesex.net" or userdomainname like "abreuaduogados.com" or url like "abreuaduogados.com" or userdomainname like "ahead-recruitment.ue" or url like "ahead-recruitment.ue" or userdomainname like "amportsinc.com" or url like "amportsinc.com" or userdomainname like "apeivo.cam" or url like "apeivo.cam" or userdomainname like "arctlcpaper.com" or url like "arctlcpaper.com" or userdomainname like "atrrbklaw.com" or url like "atrrbklaw.com" or userdomainname like "badgercreekenergy.info" or url like "badgercreekenergy.info" or userdomainname like "besthugespin.com" or url like "besthugespin.com" or userdomainname like "biddingonlinedocuments.com" or url like "biddingonlinedocuments.com" or userdomainname like "blusekychemical.com" or url like "blusekychemical.com" or userdomainname like "bmacorp.org" or url like "bmacorp.org" or userdomainname like "boyletm.uk" or url like "boyletm.uk" or userdomainname like "calgroverents.info" or url like "calgroverents.info" or userdomainname like "carpentertechnlogy.com" or url like "carpentertechnlogy.com" or userdomainname like "ccaglobals.com" or url like "ccaglobals.com" or userdomainname like "cemaonlines.com" or url like "cemaonlines.com" or userdomainname like "centricselevator.com" or url like "centricselevator.com" or userdomainname like "confluencesco.com" or url like "confluencesco.com" or userdomainname like "coventaryhomes.com" or url like "coventaryhomes.com" or userdomainname like "cristoreylc.org" or url like "cristoreylc.org" or userdomainname like "cuninghampavlng.com" or url like "cuninghampavlng.com" or userdomainname like "doqatarnimr.sbs" or url like "doqatarnimr.sbs" or userdomainname like "ebsfrod.co.uk" or url like "ebsfrod.co.uk" or userdomainname like "eldensco.uk" or url like "eldensco.uk" or userdomainname like "exymm.com" or url like "exymm.com" or userdomainname like "fcpmlami.com" or url like "fcpmlami.com" or userdomainname like "foreverpoz.com" or url like "foreverpoz.com" or userdomainname like "fujtisu.com" or url like "fujtisu.com" or userdomainname like "gadehomes.org" or url like "gadehomes.org" or userdomainname like "galandwelding.com" or url like "galandwelding.com" or userdomainname like "geodls.cam" or url like "geodls.cam" or userdomainname like "greystoneun.com" or url like "greystoneun.com" or userdomainname like "groupehalisol.com" or url like "groupehalisol.com" or userdomainname like "hansgrohhe.com" or url like "hansgrohhe.com"

    Domains/URLs 3:

    userdomainname like "hdbthailand.com" or url like "hdbthailand.com" or userdomainname like "horizoncartage.org" or url like "horizoncartage.org" or userdomainname like "hpcwlaw.com" or url like "hpcwlaw.com" or userdomainname like "hvncaireers.com" or url like "hvncaireers.com" or userdomainname like "ic-cds.com" or url like "ic-cds.com" or userdomainname like "infrashareinc.ru" or url like "infrashareinc.ru" or userdomainname like "inncept.net" or url like "inncept.net" or userdomainname like "insclude.com" or url like "insclude.com" or userdomainname like "integracsc.com" or url like "integracsc.com" or userdomainname like "investcapitalpartners.com" or url like "investcapitalpartners.com" or userdomainname like "lancasale.com" or url like "lancasale.com" or userdomainname like "lexinqtonco.com" or url like "lexinqtonco.com" or userdomainname like "linkauthenticator.cz" or url like "linkauthenticator.cz" or userdomainname like "mail-voice-mhc.com" or url like "mail-voice-mhc.com" or userdomainname like "mamchac.com" or url like "mamchac.com" or userdomainname like "mconcept-textile.cam" or url like "mconcept-textile.cam" or userdomainname like "medleyblockk.com" or url like "medleyblockk.com" or userdomainname like "mircrosofts.online" or url like "mircrosofts.online" or userdomainname like "missinez.com" or url like "missinez.com" or userdomainname like "montecitoclubs1918.com" or url like "montecitoclubs1918.com" or userdomainname like "mountviewpot.pro" or url like "mountviewpot.pro" or userdomainname like "nuunez-edu.com" or url like "nuunez-edu.com" or userdomainname like "officehomecloud.nl" or url like "officehomecloud.nl" or userdomainname like "orfits.com" or url like "orfits.com" or userdomainname like "orgelbau-klais.co" or url like "orgelbau-klais.co" or userdomainname like "pchwinsintl.us" or url like "pchwinsintl.us" or userdomainname like "perpinallawfirm.com" or url like "perpinallawfirm.com" or userdomainname like "perudosmadethat.com" or url like "perudosmadethat.com" or userdomainname like "prackr.com" or url like "prackr.com" or userdomainname like "precisethiopia.com" or url like "precisethiopia.com" or userdomainname like "present-info.org" or url like "present-info.org" or userdomainname like "prohockayeurope.com" or url like "prohockayeurope.com" or userdomainname like "qaraxanli.com" or url like "qaraxanli.com" or userdomainname like "qeodiss.com" or url like "qeodiss.com" or userdomainname like "r2robingraphics.com" or url like "r2robingraphics.com" or userdomainname like "remmipyservice.org" or url like "remmipyservice.org" or userdomainname like "roytnate.com" or url like "roytnate.com" or userdomainname like "smilhome.com" or url like "smilhome.com" or userdomainname like "ssynchronizationsystemsco.com" or url like "ssynchronizationsystemsco.com" or userdomainname like "teaf-c.org" or url like "teaf-c.org" or userdomainname like "teasmsharesync.top" or url like "teasmsharesync.top" or userdomainname like "texascapitalsonline.ru" or url like "texascapitalsonline.ru" or userdomainname like "thconsultig.org" or url like "thconsultig.org" or userdomainname like "thormpsonbldg.com" or url like "thormpsonbldg.com" or userdomainname like "topdocs4viewscans.com" or url like "topdocs4viewscans.com" or userdomainname like "tynurserys.com" or url like "tynurserys.com" or userdomainname like "uniformsforthededicateds.com" or url like "uniformsforthededicateds.com" or userdomainname like "venurconstructions.com" or url like "venurconstructions.com" or userdomainname like "viklngrefrig.com" or url like "viklngrefrig.com" or userdomainname like "vilagale.cam" or url like "vilagale.cam" or userdomainname like "vinkq.com" or url like "vinkq.com" or userdomainname like "washcomanagements.net" or url like "washcomanagements.net" or userdomainname like "westandint.com" or url like "westandint.com" or userdomainname like "zulrichna.com" or url like "zulrichna.com"
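    The queries above match the `url` and `userdomainname` fields of an event against each indicator. The following added example (not Gurucul's or Unit 42's code) shows the same check applied offline to constructed log records in Python, for teams that want to sweep exported proxy or mail logs outside the TDIR platform. It normalises both the full-URL indicators and the bare domains to host names, matches on label boundaries so that a subdomain of an indicator (such as the r8w1v9 host under roytnate.com) is caught while a look-alike that merely contains an indicator as a substring is not, and flags the field that matched. The record layout, the subset of indicators and the sample records are assumptions for illustration; only the indicator values come from this advisory.

```python
"""Host-based IOC matching for the phishing domains listed in this advisory.

Added example, not Gurucul's or Unit 42's own code. The record format and
the sample records are assumptions for illustration; the indicator values
are copied from the advisory's IOC list.
"""
from urllib.parse import urlsplit

# A subset of the advisory's indicators. Two entries are full URLs, the rest
# are bare domains; everything is normalised to a lowercase host name below.
IOC_RAW = [
    "http://sunvalleyhydro.com/new/auth/1234/new/new/",
    "https://r8w1v9.roytnate.com/1qId17b/",
    "roytnate.com",
    "mail-mhc.com",
    "mail-voice-mhc.com",
    "mircrosofts.online",
    "linkauthenticator.cz",
]


def host_of(value: str) -> str:
    """Return the lowercase host of a URL or bare host name ("" if none)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat a bare name as the netloc
    return urlsplit(value).hostname or ""


IOC_HOSTS = {host_of(v) for v in IOC_RAW} - {""}


def is_ioc_host(host: str) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    Suffix matching is done on label boundaries: "notmail-mhc.com" is not
    flagged just because it contains the substring "mail-mhc.com", whereas
    "r8w1v9.roytnate.com" is flagged because "roytnate.com" is an indicator.
    The bare public suffix (e.g. "com") is never compared on its own.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IOC_HOSTS:
            return True
    return False


def scan_records(records):
    """Return (record id, field, host) for each record whose url or
    userdomainname field resolves to an indicator host."""
    hits = []
    for rec in records:
        for field in ("url", "userdomainname"):
            host = host_of(rec.get(field, ""))
            if host and is_ioc_host(host):
                hits.append((rec["id"], field, host))
                break  # one hit per record is enough for triage
    return hits


# Constructed sample records (not real telemetry). Record 3 is a benign
# look-alike that a plain substring match would wrongly flag.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://r8w1v9.roytnate.com/1qId17b/"},
    {"id": 2, "url": "https://login.example.com/"},
    {"id": 3, "userdomainname": "notmail-mhc.com"},
    {"id": 4, "url": "http://MIRCROSOFTS.ONLINE/index.php"},
    {"id": 5, "userdomainname": "mail-voice-mhc.com"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print("IOC hit:", hit)
```

    To use this against a real export, replace `IOC_RAW` with the full list from the IOC section and feed `scan_records` the parsed log rows; the only contract is that each row is a mapping with an `id` and, optionally, `url` and `userdomainname` keys.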


    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-11-IOCs-for-advanced-phishing-activity.txt


    Tags

    Malware, Phishing, Education, Commercial Facilities, Government Services and Facilities

