Date: 11/06/2024
Severity: Medium
Summary
"CASH AND LOAN FINANCIAL SCAMS" refers to a series of fraudulent websites identified as part of a loan lending scam. These sites, hosted on suspicious infrastructure, are designed to steal sensitive personal information such as Social Security numbers, bank account details, and driver's license information. Many of the scam domains were recently registered (between October 24 and 28, 2024) using dropcaught domains, that is, expired domain registrations that were taken over by criminals. The malicious sites share similar layouts and hosting, indicating coordinated scam activity.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "45-cash-app.com" or url like "45-cash-app.com" or userdomainname like "45-cash-today.com" or url like "45-cash-today.com" or userdomainname like "45-get-cash.com" or url like "45-get-cash.com" or userdomainname like "79-cash-now.com" or url like "79-cash-now.com" or userdomainname like "79-get-cash.com" or url like "79-get-cash.com" or userdomainname like "app-cash-45.com" or url like "app-cash-45.com" or userdomainname like "flash-cash-45.com" or url like "flash-cash-45.com" or userdomainname like "get-cash-45.com" or url like "get-cash-45.com" or userdomainname like "cash-cash-loan.com" or url like "cash-cash-loan.com" or userdomainname like "cash-credit-loan-eligibility.com" or url like "cash-credit-loan-eligibility.com" or userdomainname like "cash-loan-fast-approval.com" or url like "cash-loan-fast-approval.com" or userdomainname like "cash-loan-low-interest.com" or url like "cash-loan-low-interest.com" or userdomainname like "cash-mart-loan.com" or url like "cash-mart-loan.com" or userdomainname like "cash-money-installment-loan.com" or url like "cash-money-installment-loan.com" or userdomainname like "cash-money-payday-loan.com" or url like "cash-money-payday-loan.com" or userdomainname like "cash-to-new-loan.com" or url like "cash-to-new-loan.com" or userdomainname like "cash-usa-loan.com" or url like "cash-usa-loan.com" or userdomainname like "ez-cash-loan.com" or url like "ez-cash-loan.com" or userdomainname like "get-cash-loan-today.com" or url like "get-cash-loan-today.com" or userdomainname like "mobile-cash-loan.com" or url like "mobile-cash-loan.com" or userdomainname like "need-cash-now-loan.com" or url like "need-cash-now-loan.com" or userdomainname like "personal-loan-fast-cash.com" or url like "personal-loan-fast-cash.com" or userdomainname like "quick-cash-loan-online.com" or url like "quick-cash-loan-online.com" or userdomainname like "100-loan.com" or url like "100-loan.com" or userdomainname like "32loan.com" or url like "32loan.com" or userdomainname like "34loan.com" or url like "34loan.com" or userdomainname like "48loan.com" or url like "48loan.com" or userdomainname like "55loan.com" or url like "55loan.com" or userdomainname like "56loan.com" or url like "56loan.com" or userdomainname like "69loan.com" or url like "69loan.com" or userdomainname like "76loan.com" or url like "76loan.com" or userdomainname like "90loan.com" or url like "90loan.com" |
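An added example (not part of the original advisory and not Gurucul code): a Python sketch that generates the `userdomainname`/`url` clause pairs from a domain list instead of typing them by hand, and that matches log values on the parsed hostname so a listed domain appearing only in a query string or as the tail of another name does not raise a hit. The function names and the sample events are constructed for illustration; the field names are taken from the query above, and only three of the advisory's domains are embedded as a sample.

```python
import re
from urllib.parse import urlsplit

# Three of the advisory's domains as a sample; load the full set from the IOC file.
IOC_DOMAINS = ["45-cash-app.com", "cash-usa-loan.com", "90loan.com"]

# Constructed proxy/DNS values for illustration (not real telemetry).
SAMPLE_EVENTS = [
    "https://45-cash-app.com/apply?id=1",      # exact domain
    "login.cash-usa-loan.com",                 # subdomain, bare host
    "https://example.org/?ref=90loan.com",     # IOC only in the query string
    "http://not90loan.com/",                   # different registrable domain
]

def hostname(value):
    """Return the lower-case hostname of a URL or bare host, or None."""
    value = value.strip().lower()
    if not re.match(r"[a-z][a-z0-9+.-]*://", value):
        value = "//" + value  # make urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def matches_ioc(value, iocs=IOC_DOMAINS):
    """Return the IOC that equals the host or is a parent domain of it."""
    host = hostname(value)
    if host is None:
        return None
    return next((d for d in iocs if host == d or host.endswith("." + d)), None)

def scan(events, iocs=IOC_DOMAINS):
    """Return (event, ioc) pairs for events whose host is on the list."""
    hits = ((e, matches_ioc(e, iocs)) for e in events)
    return [(e, d) for e, d in hits if d]

def build_query(domains, fields=("userdomainname", "url")):
    """One clause per field per domain, so no pair is skipped or misspelled."""
    return " or ".join(f'{f} like "{d}"' for d in domains for f in fields)

if __name__ == "__main__":
    for event, ioc in scan(SAMPLE_EVENTS):
        print(f"HIT {ioc}: {event}")
    print(build_query(IOC_DOMAINS))
```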
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-04-IOCs-for-cash-and-loan-scam.txt