Criminals Abusing Tunneling Services for Phishing Websites

    Date: 02/25/2025

    Severity: Medium

    Summary

    Criminals frequently exploit free-tier tunnel services to host phishing pages. These tunnels let a resource be shared over the internet without hosting it on a public server. Many open-source phishing kits support integration with popular tunneling platforms, which makes it easier for attackers to leverage these services for malicious purposes. We consistently identify phishing sites abusing tunneling services before public disclosure.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://attached-together-illustrated-packaging.trycloudflare.com 

    https://donna-depends-mls-referring.trycloudflare.com

    https://paypalsecu.ngrok.dev/home/

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query:

    userdomainname like "https://attached-together-illustrated-packaging.trycloudflare.com" or url like "https://attached-together-illustrated-packaging.trycloudflare.com" or userdomainname like "https://donna-depends-mls-referring.trycloudflare.com" or url like "https://donna-depends-mls-referring.trycloudflare.com" or userdomainname like "https://paypalsecu.ngrok.dev/home/" or url like "https://paypalsecu.ngrok.dev/home/"

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_clfs_load.yml
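
The detection query above matches only the three listed URLs. The following added example, which is not part of the original advisory and is not a Gurucul product query, generalizes that check to any host under the two tunnel parent domains seen in the IOC list and runs it over constructed proxy log lines. The log format, the `BRAND_KEYWORDS` watch list and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Exact hosts from this advisory's IOC list.
ADVISORY_IOC_HOSTS = {
    "attached-together-illustrated-packaging.trycloudflare.com",
    "donna-depends-mls-referring.trycloudflare.com",
    "paypalsecu.ngrok.dev",
}
# Parent domains of the tunnel services those indicators sit on.
TUNNEL_SUFFIXES = ("trycloudflare.com", "ngrok.dev")
# Assumption: brand watch list; only "paypal" appears in the advisory.
BRAND_KEYWORDS = ("paypal",)
# Constructed proxy log lines (timestamp, user, URL); not real telemetry.
SAMPLE_LOG = """\
2025-02-25T09:14:02Z alice https://paypalsecu.ngrok.dev/home/
2025-02-25T09:15:40Z bob https://donna-depends-mls-referring.trycloudflare.com/login
2025-02-25T09:17:11Z carol https://constructed-sample-words.trycloudflare.com/
2025-02-25T09:18:30Z dave https://paypal-constructed-sample.ngrok.dev/signin
2025-02-25T09:19:05Z erin https://trycloudflare.com.example.net/
2025-02-25T09:20:00Z frank HTTPS://Attached-Together-Illustrated-Packaging.TryCloudflare.com:443/
"""

def host_of(url):
    """Lower-cased hostname of a URL, tolerating a missing scheme or a port."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url):
    """Return 'ioc', 'tunnel-brand', 'tunnel' or 'none' for one URL."""
    host = host_of(url)
    if host in ADVISORY_IOC_HOSTS:
        return "ioc"
    for suffix in TUNNEL_SUFFIXES:
        # Match on a label boundary so look-alike parents do not qualify.
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1]
            return "tunnel-brand" if any(k in label for k in BRAND_KEYWORDS) else "tunnel"
    return "none"

def triage(log_text):
    """Return (user, verdict) for every log line whose verdict is not 'none'."""
    rows = (line.split(maxsplit=2) for line in log_text.splitlines() if line.strip())
    scored = ((user, classify(url)) for _ts, user, url in rows)
    return [hit for hit in scored if hit[1] != "none"]

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:12} {user}")
```

A plain `tunnel` verdict also fires on legitimate developer use of these services, so treat it as a triage signal and reserve alerting for `ioc` and `tunnel-brand`.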


    Tags

    Malware, Phishing, Exploit
