Phishing Indicator of Compromise list 17-10-2018

Official organizations, friends, family and relatives might send you URLs, but how do you know that they have not been compromised? Well, you don’t until you ask, so make sure that you treat links and attachments with suspicion.

Report suspicious links

Once you have discovered a phishing campaign, it is strongly recommended to report it to the bank, social media network or support desk of that specific environment. Reporting phishing attacks helps the cybersecurity industry in the pursuit of cybercriminals.

Phishing Indicators of compromise 17-10-2018

In this list, you will find the domains, URLs and queries which we have seen from our phishing feed. These indicators of compromise can be used for alerting rules in various cyber security solutions.

This information is provided as is; there is no guarantee that you can blindly copy and paste the details into a blacklist.

Domains

The following domains have been used to host phishing pages; that is, at a certain point each domain was seen hosting a phishing page. This does mean that there is a chance that the domain has already been cleaned of unwanted pages or malicious code.


URLs

The following URL structures have been seen in phishing campaigns. These structures can give you insight into the types of structures that cybercriminals and threat actors use to lure unaware individuals.


Queries

The queries which have been listed here are queries which have been seen in the URL requests of phishing campaigns. Use these queries to your own advantage.

  • cmd=_account-details
  • Paypal
  • dispatch=

Complete indicator

In the list below you can view the full indicator that was seen, including the domain, path and query. We also provide a phishing category matched to each indicator; this category states which environment the phishing attack tried to penetrate.



