Phishing Indicator of Compromise list 06-01-2019

Official organizations, friends, family and relatives might send you URLs, but how do you know that they have not been compromised? Well, you don’t until you ask, so make sure that you treat links and attachments with suspicion.

Report suspicious links

Once you have discovered a phishing campaign, it is strongly recommended to report it to the bank, social media network or support desk of that specific environment. Reporting phishing attacks helps the cybersecurity industry in the pursuit of cybercriminals.

Phishing Indicators of compromise 06-01-2019

In this list, you will find the domains, URLs and queries which we have seen from our phishing feed. These indicators of compromise can be used for alerting rules in various cyber security solutions.

This information is provided as is; there is no guarantee that you can blindly copy and paste the details into a blacklist.

Domains

The following domains have been used to host phishing pages; that is, at a certain point each domain was seen hosting a phishing page. This does mean that there is a chance that the domain has already been cleaned of unwanted pages or malicious code.


URLs

The following URL structures have been seen in phishing campaigns. These structures can give you insight into the types of structures that cybercriminals and threat actors use to lure unaware individuals.


Queries

The queries listed here have been seen in the URL requests of phishing campaigns. Use these queries to your own advantage.


Complete indicator

In the list below you can view the full indicator which was seen; this includes the domain, path and query. We also provide a phishing category matched to the indicator. This category states which environment the phishing attack tried to penetrate.


Before you go