Date: 07/27/2024
Severity: High
Summary
Watch out for fake Paris 2024 Olympics giveaways. We've found many domains, including newly-registered ones, promoting bogus data giveaways. These scams request your phone number, encourage sharing with WhatsApp contacts, and push additional fake surveys.
Indicators of Compromise (IOC) List
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\Urls

Domain Query:
userdomainname IN ("004fe6.top" or "2hangv.top" or "2q1av.top" or "6cvama.top" or "9gt2i.top" or "9rzspe.asia" or "awnqev.top" or "cmost.739fpl.asia" or "eea.gx6b2p.asia" or "fa.rvlf8m.asia" or "fea.lka3m6.asia" or "fuu3i.top" or "kjmw54.top" or "l3v6k.top" or "last.9tnjqa.asia" or "list2.lka3m6.asia" or "nqgv3w.top" or "ogguxu.top" or "olpris.2dbxjm.asia" or "olpris.2tnfvm.asia" or "olpris.36y1gt.asia" or "olpris.6dzbx3.asia" or "olpris.e6phgz.asia" or "olpris.g61jz6.asia" or "olpris.inclk2.asia" or "olpris.m1l22f.asia" or "olpris.ye6art.asia" or "olym.682hn3.asia" or "pageview.2dbxjm.asia" or "pageview.36y1gt.asia" or "pageview.6dzbx3.asia" or "pageview.e6phgz.asia" or "pageview.g61jz6.asia" or "pageview.nqgv3w.top" or "pspiks.asia" or "tkwyv5.top" or "vwqreb.asia" or "xgwqx.top")

Url Query:
url IN ("004fe6.top" or "2hangv.top" or "2q1av.top" or "6cvama.top" or "9gt2i.top" or "9rzspe.asia" or "awnqev.top" or "cmost.739fpl.asia" or "eea.gx6b2p.asia" or "fa.rvlf8m.asia" or "fea.lka3m6.asia" or "fuu3i.top" or "kjmw54.top" or "l3v6k.top" or "last.9tnjqa.asia" or "list2.lka3m6.asia" or "nqgv3w.top" or "ogguxu.top" or "olpris.2dbxjm.asia" or "olpris.2tnfvm.asia" or "olpris.36y1gt.asia" or "olpris.6dzbx3.asia" or "olpris.e6phgz.asia" or "olpris.g61jz6.asia" or "olpris.inclk2.asia" or "olpris.m1l22f.asia" or "olpris.ye6art.asia" or "olym.682hn3.asia" or "pageview.2dbxjm.asia" or "pageview.36y1gt.asia" or "pageview.6dzbx3.asia" or "pageview.e6phgz.asia" or "pageview.g61jz6.asia" or "pageview.nqgv3w.top" or "pspiks.asia" or "tkwyv5.top" or "vwqreb.asia" or "xgwqx.top")
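The queries above compare the domain or URL field for exact equality with each listed host. The added example below (not Gurucul's or Unit 42's code) shows the same matching applied to proxy log lines: it extracts the hostname so a URL with a path still matches, and it additionally flags unlisted subdomains of a listed zone, since the advisory lists several subdomains (olpris.*, pageview.*) under the same parent zones. The IOC subset, the log format and the log lines are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed subset of the advisory's domain IOCs (full list in the queries above).
IOC_DOMAINS = {
    "004fe6.top", "2hangv.top", "olpris.2dbxjm.asia",
    "pageview.2dbxjm.asia", "olym.682hn3.asia", "pspiks.asia",
}

def registered_domain(host):
    """Last two labels of a hostname; enough for the .top/.asia zones on this page."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

# The advisory lists several subdomains of the same zones (olpris.*, pageview.*),
# so an unlisted subdomain of a listed zone is a lead worth reviewing.
PARENT_ZONES = {registered_domain(d) for d in IOC_DOMAINS}

def host_of(url):
    """Hostname of a URL; bare hostnames (as in the url IN query) work too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def classify(url):
    """'exact' for a listed host, 'parent_zone' for a lead, None otherwise.
    A plain url IN (...) comparison would miss every URL that carries a path."""
    host = host_of(url)
    if host in IOC_DOMAINS:
        return "exact"
    if registered_domain(host) in PARENT_ZONES:
        return "parent_zone"
    return None

# Constructed proxy log lines: timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2024-07-27T10:01:02Z 10.0.0.5 https://olpris.2dbxjm.asia/olympics/free-data?ref=wa
2024-07-27T10:01:09Z 10.0.0.5 http://pageview.2dbxjm.asia/px.gif
2024-07-27T10:02:30Z 10.0.0.7 https://last.2dbxjm.asia/survey
2024-07-27T10:03:11Z 10.0.0.9 https://example.com/
"""

def scan_log(text):
    """Return (client, host, verdict) for each log line that matches."""
    hits = []
    for line in text.splitlines():
        _ts, client, url = line.split(" ", 2)
        verdict = classify(url)
        if verdict:
            hits.append((client, host_of(url), verdict))
    return hits
```

A parent_zone hit is a triage lead, not a confirmed indicator; confirm it before adding the host to a blocklist.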
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-25-Paris-2024-Olympics-scams.txt
https://www.linkedin.com/posts/unit42_olympicscams-scam-unit42threatintel-activity-7222304643047940096--XKq
https://x.com/Unit42_Intel/status/1816539014851174690