Spear Phishing Handlers for Username/Password, (Sat, Feb 18th)

Phishing
Depicting phishing of information from a computer

Reviewing my ISC mail inbox, I noticed that I had been receiving multiple phishing email that were very similar. Putting my cursor over each embedded pictures, I noticed the domain involved was the same for all of them. I copied the URL and started checking around for known threat intel on ipfs[.]io against various sites and found on urlscan.io [1], there was over 10000+ samples listed.

All these emails are asking the recipient to login to capture email address and password and the entries are Secured by Norton! 

First Email (Received 2 copies with the same URL)
https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#[email protected]

Second Email
https://ipfs[.]io/ipfs/QmaU5FjjeFiDzWs2s6gZ5SyPqL2wvQa2652LHPb3d1U3XC?filename=QUPG%20WGWG%20WDOUH%20UDGW%20URZ%20PKDB%20UKLM.htm#[email protected]

Third Email

https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#[email protected]

Indicator

ipfs[.]io

Final Word

Last, a blog post by Lance Spitzner published on the 13 Feb 2023 about “Phishing – It’s No Longer About Malware (or Even Email)” [5] highlight some of the changes on the phishing goals and some of the common indicators worth reading including two indicators are no longer recommended: misspellings and hovering of the link “except for highly technical audiences. One problem with this method is that you have to teach people how to decode a URL, which can be a confusing, time consuming, and technical skill.”[5

[1] https://urlscan.io/search/#page.domain%3Aipfs.io
[2] https://www.virustotal.com/gui/url/2c8a881b916d2396ff68ed18c41a6b8a13ba8e869de65d87a23b869a95fd0c63?nocache=1
[3] https://www.virustotal.com/gui/domain/ipfs.io/detection
[4] https://cybergordon.com/result.html?id=12ef23f1-a775-4619-81ec-c7aaaae7e4a4
[5] https://www.sans.org/blog/phishing-its-no-longer-about-malware-or-even-email/

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post