Date: 11/14/2024
Severity: High
Summary
In early November 2024, a threat actor registered more than 550 phishing domains impersonating legitimate booking sites, banks, cryptocurrency wallets, and restaurants. The registrant contact email on these registrations is "ilotirabec207@gmail.com". Many of the domains had been registered before, expired, and were then "drop-caught" (re-registered at expiry) by the attacker. Most of the domains are stockpiled and not yet active, but some are already in use in live phishing campaigns. About 90% of the active domains are proxied through Cloudflare, which conceals the origin server; the remaining 10% are hosted on shared servers and may expose their real IP addresses. The campaigns are designed to trick victims into revealing sensitive information, such as login credentials and financial details, ahead of the holiday season.
Indicators of Compromise (IOC) List
URL/Domain:
6gmao.com
buffd2.com
elo7verificacao.com
io-home-app-v3.com
slngtd.com
1incho.com
1nvestment-1ogin-401k.com
caprevolve.com
ch-uberprufung.com
chatinvfolio.com
checks-referensview5543.com
complete-orderr.com
dextscreeneer.com
guestyrelus.com
gzpop-nov08.com
hotelpolicies.com
hotelppolicy.com
hotelreluss.com
id45436.com
id76281.com
id983.com
invrevise.com
io-v3-home-app.com
mojaplatba.com
myhomes38.com
myhomes98.com
operamarie.com
org-home-on-app.com
otelthematch2425.com
payment-poshmark.com
pizlanova.com
policieshotel.com
rajskapartment.com
rlsguesty.com
sbri-nov08.com
tbi-nov08.com
ciashofcoins.com
d2maket.com
elon23.com
home9438.com
marketsdota2.com
microqarzuz.com
monesyg2.com
myhome9482.com
myworklifeatt.com
push-aktualisieren.com
sghausfloidpmga.com
sign-aktualisieren.com
IP Address:
46.173.214.86
80.64.24.116
178.253.40.69
147.45.48.99
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
userdomainname like "sign-aktualisieren.com" or url like "sign-aktualisieren.com" or userdomainname like "elon23.com" or url like "elon23.com" or userdomainname like "1incho.com" or url like "1incho.com" or userdomainname like "6gmao.com" or url like "6gmao.com" or userdomainname like "buffd2.com" or url like "buffd2.com" or userdomainname like "elo7verificacao.com" or url like "elo7verificacao.com" or userdomainname like "io-home-app-v3.com" or url like "io-home-app-v3.com" or userdomainname like "slngtd.com" or url like "slngtd.com" or userdomainname like "1nvestment-1ogin-401k.com" or url like "1nvestment-1ogin-401k.com" or userdomainname like "caprevolve.com" or url like "caprevolve.com" or userdomainname like "ch-uberprufung.com" or url like "ch-uberprufung.com" or userdomainname like "chatinvfolio.com" or url like "chatinvfolio.com" or userdomainname like "checks-referensview5543.com" or url like "checks-referensview5543.com" or userdomainname like "complete-orderr.com" or url like "complete-orderr.com" or userdomainname like "dextscreeneer.com" or url like "dextscreeneer.com" or userdomainname like "guestyrelus.com" or url like "guestyrelus.com" or userdomainname like "gzpop-nov08.com" or url like "gzpop-nov08.com" or userdomainname like "hotelpolicies.com" or url like "hotelpolicies.com" or userdomainname like "hotelppolicy.com" or url like "hotelppolicy.com" or userdomainname like "hotelreluss.com" or url like "hotelreluss.com" or userdomainname like "id45436.com" or url like "id45436.com" or userdomainname like "id76281.com" or url like "id76281.com" or userdomainname like "id983.com" or url like "id983.com" or userdomainname like "invrevise.com" or url like "invrevise.com" or userdomainname like "io-v3-home-app.com" or url like "io-v3-home-app.com" or userdomainname like "mojaplatba.com" or url like "mojaplatba.com" or userdomainname like "myhomes38.com" or url like "myhomes38.com" or userdomainname like "myhomes98.com" or url like "myhomes98.com" or userdomainname like "operamarie.com" or url like "operamarie.com" or userdomainname like "org-home-on-app.com" or url like "org-home-on-app.com" or userdomainname like "otelthematch2425.com" or url like "otelthematch2425.com" or userdomainname like "payment-poshmark.com" or url like "payment-poshmark.com" or userdomainname like "pizlanova.com" or url like "pizlanova.com" or userdomainname like "policieshotel.com" or url like "policieshotel.com" or userdomainname like "rajskapartment.com" or url like "rajskapartment.com" or userdomainname like "rlsguesty.com" or url like "rlsguesty.com" or userdomainname like "sbri-nov08.com" or url like "sbri-nov08.com" or userdomainname like "tbi-nov08.com" or url like "tbi-nov08.com" or userdomainname like "ciashofcoins.com" or url like "ciashofcoins.com" or userdomainname like "d2maket.com" or url like "d2maket.com" or userdomainname like "home9438.com" or url like "home9438.com" or userdomainname like "marketsdota2.com" or url like "marketsdota2.com" or userdomainname like "microqarzuz.com" or url like "microqarzuz.com" or userdomainname like "monesyg2.com" or url like "monesyg2.com" or userdomainname like "myhome9482.com" or url like "myhome9482.com" or userdomainname like "myworklifeatt.com" or url like "myworklifeatt.com" or userdomainname like "push-aktualisieren.com" or url like "push-aktualisieren.com" or userdomainname like "sghausfloidpmga.com" or url like "sghausfloidpmga.com"
Detection Query 2:
dstipaddress IN ("46.173.214.86","80.64.24.116","178.253.40.69","147.45.48.99") or ipaddress IN ("46.173.214.86","80.64.24.116","178.253.40.69","147.45.48.99") or publicipaddress IN ("46.173.214.86","80.64.24.116","178.253.40.69","147.45.48.99") or srcipaddress IN ("46.173.214.86","80.64.24.116","178.253.40.69","147.45.48.99")
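The same IOC matching, applied outside the Gurucul platform to raw log lines, as an added example (this is not Gurucul's or Unit 42's code). The log format (timestamp, source IP, destination IP, URL) and the sample lines are constructed for illustration, so parse_line() should be adapted to the real source. The point it shows beyond the queries above is the matching rule: a hit is recorded only when the full host equals an IOC domain or is a subdomain of one, and a destination IP is compared as a whole address, so a fragment such as "v3.com" inside an unrelated hostname never produces a false positive.

```python
"""Match constructed proxy log lines against the advisory's domain and IP IOCs.

Added example, not code from Gurucul or Unit 42. Assumptions that are not part
of the advisory: the '<timestamp> <src_ip> <dst_ip> <url>' log format and the
SAMPLE_LOGS lines below are constructed; matching is on the whole host (exact
or subdomain of an IOC domain), not on a raw substring.
"""
import ipaddress
from urllib.parse import urlsplit

# Domain IOCs, copied from the advisory's IOC list (48 entries).
IOC_DOMAINS = {
    "6gmao.com", "buffd2.com", "elo7verificacao.com", "io-home-app-v3.com",
    "slngtd.com", "1incho.com", "1nvestment-1ogin-401k.com", "caprevolve.com",
    "ch-uberprufung.com", "chatinvfolio.com", "checks-referensview5543.com",
    "complete-orderr.com", "dextscreeneer.com", "guestyrelus.com",
    "gzpop-nov08.com", "hotelpolicies.com", "hotelppolicy.com",
    "hotelreluss.com", "id45436.com", "id76281.com", "id983.com",
    "invrevise.com", "io-v3-home-app.com", "mojaplatba.com", "myhomes38.com",
    "myhomes98.com", "operamarie.com", "org-home-on-app.com",
    "otelthematch2425.com", "payment-poshmark.com", "pizlanova.com",
    "policieshotel.com", "rajskapartment.com", "rlsguesty.com",
    "sbri-nov08.com", "tbi-nov08.com", "ciashofcoins.com", "d2maket.com",
    "elon23.com", "home9438.com", "marketsdota2.com", "microqarzuz.com",
    "monesyg2.com", "myhome9482.com", "myworklifeatt.com",
    "push-aktualisieren.com", "sghausfloidpmga.com", "sign-aktualisieren.com",
}

# IP IOCs, copied from the advisory's IOC list.
IOC_IPS = {"46.173.214.86", "80.64.24.116", "178.253.40.69", "147.45.48.99"}


def host_from_url(value):
    """Return the lower-cased host of a URL or bare hostname, or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlsplit(value).hostname
    return host.lower().rstrip(".") if host else None


def domain_matches(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    if not host:
        return None
    labels = host.split(".")
    # Walk from the full host up to the registrable domain; never test the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_matches(value):
    """Return `value` if it is a syntactically valid IP that is an IOC, else None."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return None
    return value if value in IOC_IPS else None


def parse_line(line):
    """Parse the constructed format: '<timestamp> <src_ip> <dst_ip> <url>'."""
    ts, src, dst, url = line.split(maxsplit=3)
    return {"ts": ts, "src": src, "dst": dst, "url": url}


def scan(lines):
    """Return one hit record per log line that matches a domain or IP IOC."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        host = host_from_url(rec["url"])
        matched_domain = domain_matches(host)
        matched_ip = ip_matches(rec["dst"])
        if matched_domain or matched_ip:
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": host,
                         "matched_domain": matched_domain,
                         "matched_ip": matched_ip})
    return hits


# Constructed sample log lines; addresses and paths are illustrative only.
SAMPLE_LOGS = [
    "2024-11-12T09:14:02Z 10.0.0.5 104.16.1.1 https://sign-aktualisieren.com/login",
    "2024-11-12T09:15:10Z 10.0.0.7 93.184.216.34 https://www.example.com/",
    "2024-11-12T09:16:44Z 10.0.0.9 147.45.48.99 http://update.invrevise.com/cp",
    "2024-11-12T09:17:30Z 10.0.0.11 203.0.113.8 https://my-home-app-v3.com/",
    "2024-11-12T09:18:05Z 10.0.0.13 80.64.24.116 https://203.0.113.9/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Of the five constructed lines, three produce hits: the first on the domain alone, the third on both a subdomain of invrevise.com and an IOC destination IP, and the fifth on the destination IP alone even though the URL carries a bare address. The fourth line, whose host merely ends in "v3.com", produces nothing, which is the behaviour to preserve if the `like` clauses in Detection Query 1 are translated to a substring-matching backend.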
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-13-phishing-domains-for-the-holidays.txt