Date: 01/28/2025
Severity: Critical
Summary
This campaign impersonates popular online shopping sites by displaying fake login pages that share a common design template. These pages request a phone number and password from the victim. According to our telemetry, web pages using this template have been active since at least November 2024. Once login credentials are entered, the pages return a hard-coded message stating, "The account does not exist." Rather than authenticating against the legitimate shopping site, the page's code sends the user’s information to the local host, that is, the web server serving the page.
Indicators of Compromise (IOC) List
Domains\Urls : | 3chvt.shop 6at3.com 7uzx.com 7uzx.shop ama-zon-pk.club amwv10.top bjggc.vip dewgmee.vip gateeioe.com meescnja.top noon368.cc uyugg.vip www.ababao678.com www.gateeioe.com www.goodmallc.com www.nu9hh.com ynjfs.vip |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\Urls : | userdomainname like "amwv10.top" or url like "amwv10.top" or userdomainname like "ama-zon-pk.club" or url like "ama-zon-pk.club" or userdomainname like "dewgmee.vip" or url like "dewgmee.vip" or userdomainname like "meescnja.top" or url like "meescnja.top" or userdomainname like "www.nu9hh.com" or url like "www.nu9hh.com" or userdomainname like "ynjfs.vip" or url like "ynjfs.vip" or userdomainname like "www.ababao678.com" or url like "www.ababao678.com" or userdomainname like "3chvt.shop" or url like "3chvt.shop" or userdomainname like "7uzx.shop" or url like "7uzx.shop" or userdomainname like "uyugg.vip" or url like "uyugg.vip" or userdomainname like "7uzx.com" or url like "7uzx.com" or userdomainname like "bjggc.vip" or url like "bjggc.vip" or userdomainname like "noon368.cc" or url like "noon368.cc" or userdomainname like "6at3.com" or url like "6at3.com" or userdomainname like "gateeioe.com" or url like "gateeioe.com" or userdomainname like "www.gateeioe.com" or url like "www.gateeioe.com" or userdomainname like "www.goodmallc.com" or url like "www.goodmallc.com" |
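The same lookup applied to web proxy logs outside the TDIR platform, as an added example that is not part of the original advisory or of Gurucul's product. It matches on hostname label boundaries rather than on substrings, and treats a POST to a listed domain as a possible credential submission. The log format, user names and URL paths are constructed, and matching subdomains of a listed domain is an assumption of this example.

```python
from urllib.parse import urlsplit

# Domains from the IOC list above. A leading "www." is dropped so the bare
# domain and any subdomain match (an assumption of this example).
IOC_DOMAINS = {
    "3chvt.shop", "6at3.com", "7uzx.com", "7uzx.shop", "ama-zon-pk.club",
    "amwv10.top", "bjggc.vip", "dewgmee.vip", "gateeioe.com", "meescnja.top",
    "noon368.cc", "uyugg.vip", "ababao678.com", "goodmallc.com", "nu9hh.com",
    "ynjfs.vip",
}

def ioc_match(url):
    """Return the IOC domain the URL's host falls under, or None."""
    if "://" not in url:
        url = "//" + url              # let urlsplit parse scheme-less values
    host = (urlsplit(url).hostname or "").rstrip(".")   # hostname is lowercased
    labels = host.split(".")
    # Test the host and each parent domain, so only whole labels can match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def triage(log_lines):
    """Return (user, ioc_domain, verdict) for '<time> <user> <method> <url>' lines."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                  # skip lines not in the constructed format
        _, user, method, url = parts
        domain = ioc_match(url)
        if domain:
            # The pages ask for a phone number and password, so a POST is
            # flagged for credential-reset follow-up rather than as a visit.
            verdict = "possible-credential-submission" if method.upper() == "POST" else "visit"
            hits.append((user, domain, verdict))
    return hits

SAMPLE_LOG = [  # constructed sample input
    "2025-01-28T09:14:02Z alice GET https://www.7uzx.com/login",
    "2025-01-28T09:14:40Z alice POST https://www.7uzx.com/login",
    "2025-01-28T09:20:11Z bob GET https://example.org/?next=7uzx.com",
    "2025-01-28T09:21:30Z carol GET HTTP://M.NOON368.CC:8080/index",
    "2025-01-28T09:22:05Z dave GET https://7uzx.com.example.org/",
]

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```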
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-pages-targeting-online-shoppers.txt