Date: 10/15/2024
Severity: Medium
Summary
Fake shopping campaigns are increasingly common, with scammers creating fraudulent e-commerce sites that mimic legitimate platforms. These sites typically favor cryptocurrencies like BTC, ETH, and USDT for payments, facilitating easier theft. Indicators of these scams include broken links, too-good-to-be-true deals, and poor content quality.
Indicators of Compromise (IOC) List
URL/Domain:
penguinshopc.com
penguinshopit.com
penguinshops.com
penguinmallpro.com
penguinmalls.com
penguinmallmax.com
penguinmalle.com
penguinmallin.com
penguinmallit.com
penguinshopin.com
penguinmallc.com
penguinmallex.com
penguinmallt.com
penguinshopex.com
penguinshopig.com
penguinshopmax.com
penguinshoppings.com
penguinshoppro.com
https://penguinshops.com/app.html
https://www.antmallbe.com/app.html
https://penguinshops.com/IOSbuyer.mobileconfig
https://geqian.kbsyub.com/s/sMMx
https://penguinshops.com/IOSseller.mobileconfig
https://geqian.kbsyub.com/s/HqEm
https://app.qianx147.top/data/attachment/da51c7f9d7c7d554700b05f3f714c96d.apk

Hash (SHA256):
4dcce01704dbf42d2e561ed42bb6af9a9a8d2e26245dcce738f27df781563542
befc2eef18428d7fe3e407f3e6a5894d8831c28eeaab50d9e787dfb8983fbdcf
4dcf6592850e8e22edb726a7ac5d4a3181bb6d3eb4ef95ea972574a7a9b2a657
a6831474201ccb6eb22bf7a3c17d0e430034cb6e21f9ac7bf1f8dd8bb56d3d2b
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL/Domain IOCs; every indicator is checked in both the userdomainname and the url field, one pair per line):
userdomainname like "penguinshopc.com" or url like "penguinshopc.com"
or userdomainname like "penguinshopit.com" or url like "penguinshopit.com"
or userdomainname like "penguinshops.com" or url like "penguinshops.com"
or userdomainname like "penguinmallpro.com" or url like "penguinmallpro.com"
or userdomainname like "penguinmalls.com" or url like "penguinmalls.com"
or userdomainname like "penguinmallmax.com" or url like "penguinmallmax.com"
or userdomainname like "penguinmalle.com" or url like "penguinmalle.com"
or userdomainname like "penguinmallin.com" or url like "penguinmallin.com"
or userdomainname like "penguinmallit.com" or url like "penguinmallit.com"
or userdomainname like "penguinshopin.com" or url like "penguinshopin.com"
or userdomainname like "penguinmallc.com" or url like "penguinmallc.com"
or userdomainname like "penguinmallex.com" or url like "penguinmallex.com"
or userdomainname like "penguinmallt.com" or url like "penguinmallt.com"
or userdomainname like "penguinshopex.com" or url like "penguinshopex.com"
or userdomainname like "penguinshopig.com" or url like "penguinshopig.com"
or userdomainname like "penguinshopmax.com" or url like "penguinshopmax.com"
or userdomainname like "penguinshoppings.com" or url like "penguinshoppings.com"
or userdomainname like "penguinshoppro.com" or url like "penguinshoppro.com"
or userdomainname like "https://penguinshops.com/app.html" or url like "https://penguinshops.com/app.html"
or userdomainname like "https://www.antmallbe.com/app.html" or url like "https://www.antmallbe.com/app.html"
or userdomainname like "https://penguinshops.com/IOSbuyer.mobileconfig" or url like "https://penguinshops.com/IOSbuyer.mobileconfig"
or userdomainname like "https://geqian.kbsyub.com/s/sMMx" or url like "https://geqian.kbsyub.com/s/sMMx"
or userdomainname like "https://penguinshops.com/IOSseller.mobileconfig" or url like "https://penguinshops.com/IOSseller.mobileconfig"
or userdomainname like "https://geqian.kbsyub.com/s/HqEm" or url like "https://geqian.kbsyub.com/s/HqEm"
or userdomainname like "https://app.qianx147.top/data/attachment/da51c7f9d7c7d554700b05f3f714c96d.apk" or url like "https://app.qianx147.top/data/attachment/da51c7f9d7c7d554700b05f3f714c96d.apk"

Detection Query 2 (SHA256 hash IOCs):
sha256hash IN (
  "4dcce01704dbf42d2e561ed42bb6af9a9a8d2e26245dcce738f27df781563542",
  "befc2eef18428d7fe3e407f3e6a5894d8831c28eeaab50d9e787dfb8983fbdcf",
  "4dcf6592850e8e22edb726a7ac5d4a3181bb6d3eb4ef95ea972574a7a9b2a657",
  "a6831474201ccb6eb22bf7a3c17d0e430034cb6e21f9ac7bf1f8dd8bb56d3d2b"
)
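The following is an added example, not part of this advisory or of Gurucul's product: it applies the URL/Domain logic of Detection Query 1 to proxy log lines in Python, reducing the full-URL indicators to their hostnames and matching on host labels (so subdomains of an IOC host are flagged but look-alike names that merely contain the string are not). The log line format and the sample lines are constructed for illustration.

```python
from urllib.parse import urlparse

# URL/Domain IOCs exactly as listed in this advisory.
IOC_URLS = [
    "penguinshopc.com", "penguinshopit.com", "penguinshops.com",
    "penguinmallpro.com", "penguinmalls.com", "penguinmallmax.com",
    "penguinmalle.com", "penguinmallin.com", "penguinmallit.com",
    "penguinshopin.com", "penguinmallc.com", "penguinmallex.com",
    "penguinmallt.com", "penguinshopex.com", "penguinshopig.com",
    "penguinshopmax.com", "penguinshoppings.com", "penguinshoppro.com",
    "https://penguinshops.com/app.html", "https://www.antmallbe.com/app.html",
    "https://penguinshops.com/IOSbuyer.mobileconfig",
    "https://geqian.kbsyub.com/s/sMMx",
    "https://penguinshops.com/IOSseller.mobileconfig",
    "https://geqian.kbsyub.com/s/HqEm",
    "https://app.qianx147.top/data/attachment/da51c7f9d7c7d554700b05f3f714c96d.apk",
]

def ioc_host(ioc):
    """Reduce a bare domain or a full URL IOC to its lowercase hostname."""
    return urlparse(ioc if "://" in ioc else "//" + ioc).hostname

# Full-URL IOCs collapse to their hosts, so any path on those hosts is flagged.
IOC_HOSTS = {ioc_host(i) for i in IOC_URLS}

def host_matches(host):
    """True for an IOC host or any subdomain of it. The comparison is
    label-aligned, so 'notpenguinshops.com' does not match 'penguinshops.com'."""
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def scan_proxy_log(lines):
    """Return (client_ip, host) for each line whose requested URL hits an IOC host.
    Assumed (constructed) line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than raising
        host = urlparse(parts[3]).hostname
        if host_matches(host):
            hits.append((parts[1], host))
    return hits

# Constructed sample proxy log lines for illustration; not real traffic.
SAMPLE_LOG = [
    "2024-10-15T09:12:01Z 10.0.0.21 GET https://penguinshops.com/app.html 200",
    "2024-10-15T09:12:05Z 10.0.0.21 GET https://cdn.penguinshops.com/js/a.js 200",
    "2024-10-15T09:13:40Z 10.0.0.35 GET https://notpenguinshops.com/ 200",
    "2024-10-15T09:14:02Z 10.0.0.48 GET https://GEQIAN.KBSYUB.COM/s/HqEm 302",
    "2024-10-15T09:15:00Z 10.0.0.50 GET https://example.com/ 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the two penguinshops.com requests and the geqian.kbsyub.com request, and ignores the look-alike and benign lines.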
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-14-IOCs-for-fake-shopping-scam-sites.txt