Phishing Indicator of Compromise list 28-11-2018

This phishing set contains 40 phishing URLs which have been spotted by the phishing hunting community.

The phishing URLs listed below should be considered dangerous.

The phishing attacks noted in this post mimic the following environment types:

  • Wellsfargo
  • PayPal
  • Yahoo
  • eBay
  • Banking
  • DropBox
  • Microsoft

What is phishing

Phishing is a term which describes attacks performed on individuals who may hold information that is valuable to the attacker. The information targeted includes, but is not limited to, personally identifiable information, passwords and credit card details.

Types of phishing

There are two types of phishing. The first is phishing itself: these attacks target a wide range of individuals. The threat actor behind such an attack has no specific knowledge of which individual is being targeted; the only thing the threat actor knows is that there is something to be gained from that user.

The second type is called spear-phishing. This attack focuses on specific individuals: the threat actor has researched its target and has set up an attack plan by which those individuals are likely to be lured. This attack is often performed by threat actors who are after intellectual property and credentials.

Protect yourself against phishing

Various security measures have been taken to protect you against phishing threats, but the threat actors behind the attacks are not blind: they know that these security measures exist and will try to bypass them. It is therefore important to know what you can do against phishing attacks and how you can keep yourself safe.

Irregularities

Once you receive a message that contains links, make sure to hover over each link and look carefully for any misspelling or other irregularities.

Search for the green lock

If you are asked to provide credentials or any other personal or valuable information, make sure that the URL uses the HTTPS protocol; once you visit the site, the browser should clearly show a green lock in the address bar.

Treat links and attachments with suspicion

Official organizations, friends, family and relatives might send you URLs, but how do you know that they have not been compromised? Well, you don’t until you ask, so make sure that you treat links and attachments with suspicion.

Report suspicious links

Once you have discovered a phishing campaign, it is strongly recommended to report it to the bank, social media network or support desk of the affected environment. Reporting phishing attacks helps the cybersecurity industry in the pursuit of cybercriminals.

Phishing Indicators of compromise 28-11-2018

In this list you will find the domains, URLs and queries which we have seen in our phishing feed. These indicators of compromise can be used for alerting rules in various cyber security solutions.

This information is provided as is; there is no guarantee that you can blindly copy and paste the details into a blacklist.

Domains

The following domains have been used to host phishing pages, meaning that at a certain point the domain was seen hosting a phishing page. This also means that there is a chance that the domain has already been cleaned of unwanted pages or malicious code.

URLs

The following URL structures have been seen in phishing campaigns. They give an insight into the kind of paths cybercriminals and threat actors use to lure unaware individuals.

Queries

The queries listed here have been seen in the URL requests of phishing campaigns. Use these queries to your own advantage.

Complete indicator

In the list below you can view the full indicator which was seen, including the domain, path and query. We also provide a phishing category matched to each indicator; this category states which environment the phishing attack tried to imitate.

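As an added example that is not part of the original post, the following Python matches proxy-log URLs against indicators in the post's Target/Indicator format on host, path and query rather than on the bare domain; the indicator list includes a shared link on the legitimate www.dropbox.com host, which is why a domain-only blacklist would over-block. The four indicator rows are taken from this post; the sample log URLs are constructed.

```python
# Added example (not from the original post): match log URLs on host + path (+ query), not on the bare domain.
from urllib.parse import urlsplit, unquote

# Four rows taken from the post's "Target Indicator" list.
INDICATOR_ROWS = """\
PayPal paypal-missing-account-informations.com/signin
Banking bellreturn-30243.ga/directing/www2.scotiaonline.scotiabank.com/online/authentication/confirm.html
DropBox www.dropbox.com/l/scl/AACi78NknITPKsO7LYOwPP25QtY5kVsp5O0
Banking hauawg.com/ji/tax/bnc/National%20Bank%20Online.html
"""

def normalize(url):
    """(host, path, query): scheme/port dropped, host lower-cased, path decoded, no trailing slash."""
    if "://" not in url:
        url = "http://" + url  # indicator rows carry no scheme
    parts = urlsplit(url)
    path = unquote(parts.path).rstrip("/") or "/"
    return (parts.hostname or "").lower(), path, parts.query

def load_indicators(rows):
    """Parse 'Target indicator' lines into {(host, path, query): target}."""
    table = {}
    for line in rows.splitlines():
        target, _, indicator = line.partition(" ")
        if indicator:
            table[normalize(indicator)] = target
    return table

def match_url(url, table):
    """Category when host and path match and the indicator query is empty or identical, else None."""
    host, path, query = normalize(url)
    for (ihost, ipath, iquery), target in table.items():
        if (ihost, ipath) == (host, path) and iquery in ("", query):
            return target
    return None

def domain_only_hit(url, table):
    """Naive blacklist: flags any URL on an indicator's host (over-blocks www.dropbox.com)."""
    return normalize(url)[0] in {host for host, _, _ in table}

def scan(urls, table):
    """Evaluate each URL both ways; returns [(url, full_match, domain_only_hit)]."""
    return [(u, match_url(u, table), domain_only_hit(u, table)) for u in urls]

SAMPLE_LOG = [  # constructed proxy-log URLs, not real traffic
    "https://www.dropbox.com/home",                                       # legitimate Dropbox page
    "https://www.dropbox.com/l/scl/AACi78NknITPKsO7LYOwPP25QtY5kVsp5O0",  # indicator row
    "http://HAUAWG.COM/ji/tax/bnc/National%20Bank%20Online.html",         # host case differs
    "https://example.invalid/signin",                                     # indicator path, other host
]
```

Running `scan(SAMPLE_LOG, load_indicators(INDICATOR_ROWS))` shows the legitimate Dropbox page flagged only by the domain-only check, while the full-indicator match fires on the shared-link row and the case-folded Banking URL alone.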
