Date: 11/26/2024
Severity: Medium
Summary
"Christmas-Themed Scam Sites" refers to the discovery of over 1,000 websites designed to deceive users with fake holiday-themed giveaways. These mobile-optimized sites encourage victims to share links with their WhatsApp contacts, leading them to fake surveys, fraudulent shopping pages, or app store links promoting potentially unwanted programs (PUPs). The goal of these scams is to trick users into providing personal information or downloading harmful software.
Indicators of Compromise (IOC) List: URL/Domain (the full domain list is published in the Unit 42 IOC file referenced below)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (one clause pair per IOC domain; the field name is userdomainname throughout, and every listed domain is checked against both userdomainname and url):
    userdomainname like "1free.nur49.top" or url like "1free.nur49.top"
    or userdomainname like "1free.tgf59.top" or url like "1free.tgf59.top"
    or userdomainname like "1free.vvu18.top" or url like "1free.vvu18.top"
    or userdomainname like "50g.avdzy.top" or url like "50g.avdzy.top"
    or userdomainname like "50g.cwg90.xyz" or url like "50g.cwg90.xyz"
    or userdomainname like "50g.ko47.top" or url like "50g.ko47.top"
    or userdomainname like "50g.p4nmow.top" or url like "50g.p4nmow.top"
    or userdomainname like "free.htw75.top" or url like "free.htw75.top"
    or userdomainname like "free.nhq76.top" or url like "free.nhq76.top"
    or userdomainname like "free.thu76.top" or url like "free.thu76.top"
    or userdomainname like "free3.thu76.top" or url like "free3.thu76.top"
    or userdomainname like "free4.cte31.top" or url like "free4.cte31.top"
    or userdomainname like "free4.ygq53.top" or url like "free4.ygq53.top"
    or userdomainname like "free7.thu76.top" or url like "free7.thu76.top"
    or userdomainname like "free7.ygq53.top" or url like "free7.ygq53.top"
    or userdomainname like "free9.ygq53.top" or url like "free9.ygq53.top"
    or userdomainname like "guiweb.de49.top" or url like "guiweb.de49.top"
    or userdomainname like "guiweb.iod32.xyz" or url like "guiweb.iod32.xyz"
    or userdomainname like "guiweb.m4click.top" or url like "guiweb.m4click.top"
    or userdomainname like "guiweb.uv12.top" or url like "guiweb.uv12.top"
    or userdomainname like "ld20.oc49.top" or url like "ld20.oc49.top"
    or userdomainname like "ld37.gp23.top" or url like "ld37.gp23.top"
    or userdomainname like "ld37.ydq22.xyz" or url like "ld37.ydq22.xyz"
    or userdomainname like "ld52.fph55.xyz" or url like "ld52.fph55.xyz"
    or userdomainname like "ld61.gbo83.xyz" or url like "ld61.gbo83.xyz"
    or userdomainname like "ld71.urqaq.top" or url like "ld71.urqaq.top"
    or userdomainname like "ld73.fph55.xyz" or url like "ld73.fph55.xyz"
    or userdomainname like "ld73.xud50.xyz" or url like "ld73.xud50.xyz"
    or userdomainname like "ld83.fn73.top" or url like "ld83.fn73.top"
    or userdomainname like "ld84.eq86.top" or url like "ld84.eq86.top"
    or userdomainname like "ld85.dj12.buzz" or url like "ld85.dj12.buzz"
    or userdomainname like "ld86.vu78.top" or url like "ld86.vu78.top"
    or userdomainname like "ld87.gp23.top" or url like "ld87.gp23.top"
    or userdomainname like "ld87.ue25.top" or url like "ld87.ue25.top"
    or userdomainname like "ld88.vu78.top" or url like "ld88.vu78.top"
    or userdomainname like "ld93.hy9w0.shop" or url like "ld93.hy9w0.shop"
    or userdomainname like "ld94.fn73.top" or url like "ld94.fn73.top"
    or userdomainname like "ld97.uib59.xyz" or url like "ld97.uib59.xyz"
    or userdomainname like "ld201.qyh19.xyz" or url like "ld201.qyh19.xyz"
    or userdomainname like "ld216.j3v42.shop" or url like "ld216.j3v42.shop"
    or userdomainname like "ld230.bnv30.xyz" or url like "ld230.bnv30.xyz"
    or userdomainname like "ld238.nft63.top" or url like "ld238.nft63.top"
    or userdomainname like "ld250.ort68.xyz" or url like "ld250.ort68.xyz"
    or userdomainname like "ld264.ort68.xyz" or url like "ld264.ort68.xyz"
    or userdomainname like "ld265.bnv30.xyz" or url like "ld265.bnv30.xyz"
    or userdomainname like "ld267.gte31.xyz" or url like "ld267.gte31.xyz"
    or userdomainname like "ld267.j3v42.shop" or url like "ld267.j3v42.shop"
    or userdomainname like "ld270.tm43.buzz" or url like "ld270.tm43.buzz"
    or userdomainname like "ld271.vvu18.top" or url like "ld271.vvu18.top"
    or userdomainname like "ld273.hy9w0.shop" or url like "ld273.hy9w0.shop"
    or userdomainname like "ld274.thu76.top" or url like "ld274.thu76.top"
    or userdomainname like "ld275.tm43.buzz" or url like "ld275.tm43.buzz"
    or userdomainname like "ld279.uri36.xyz" or url like "ld279.uri36.xyz"
    or userdomainname like "ld281.hy9w0.shop" or url like "ld281.hy9w0.shop"
    or userdomainname like "tk174.tvahoz.top" or url like "tk174.tvahoz.top"
    or userdomainname like "tk204.kliinn.top" or url like "tk204.kliinn.top"
    or userdomainname like "tk213.ipqxud.top" or url like "tk213.ipqxud.top"
    or userdomainname like "tk214.ut87.top" or url like "tk214.ut87.top"
    or userdomainname like "tk221.kliinn.top" or url like "tk221.kliinn.top"
    or userdomainname like "z9.em50.top" or url like "z9.em50.top"
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-25-IOCs-for-Christmas-themed-scam-sites.txt