
add additional USPS lure hosts to IP block lists #516

Merged
merged 4 commits into from
Nov 28, 2024

Conversation

g0d33p3rsec
Contributor

@g0d33p3rsec g0d33p3rsec commented Nov 26, 2024

Phishing Domain/URL/IP(s):

129.226.206.133

198.11.183.177

8.221.106.55

Impersonated domain

tools.usps.com

Describe the issue

Adding additional IP addresses hosting USPS phishing lures and staged domains. Related to #513

Related external source



@g0d33p3rsec g0d33p3rsec changed the title add 129.226.206.133 to IP block lists add additional USPS lure hosts to IP block lists Nov 26, 2024
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this pull request Nov 27, 2024
@spirillen
Contributor

No matter how I test these, they all seem inactive... Do you have anything "Fresh" you can add?


@g0d33p3rsec
Contributor Author

g0d33p3rsec commented Nov 27, 2024

The domains seem to be rotated pretty quickly, which is why I've been hesitant to add the individual domains (at least those that look to be intentionally disposable) to the matrix and instead block by IP here. Some of the inactive URLs are from tabs I was working to clear out, but still go to show the intent and history of that IP.

https://urlscan.io/search/#page.ip:%22198.11.183.177%22 shows the scan history at urlscan.

https://urlscan.io/ip/198.11.183.177 shows the dates the various related domains were registered. https://search.censys.io/hosts/198.11.183.177/data/table can be used to confirm.

https://urlscan.io/result/45f9d166-e6f4-4404-af7a-dd8cdf68971e/ is a scan I just did.

The following are other scans from yesterday that should still also be active:

To find these, I just identified the IP and recently associated domains and scanned using the URI pattern of other known lures hosted at that IP address. The most common patterns I have been seeing are /i/, /x/, /track/, and /us/. All lures on the same IP should follow the same pattern.
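A defender-side detection pass over proxy log lines for the lure traits described above: the brand keyword inside a lookalike hostname, the fake ".com-" label (as in usps.com-l.win, whose registrable domain is really com-l.win), the /x/, /i/, /track/, /us/ and /update/ paths, and the three hosting IPs from this PR. This is an added example, not code from the PR or the Phishing-Database project; the log line format and the sample traffic are constructed.

```python
"""Flag USPS lure requests in proxy logs using the traits discussed in this PR.
Added example; the log format (<ts> <client_ip> <server_ip> <method> <url>)
and the sample lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Hosting IPs the PR adds to the block lists (values taken from the PR text).
BLOCKED_IPS = {"129.226.206.133", "198.11.183.177", "8.221.106.55"}

# URI patterns the PR reports for lures on these hosts (matched case-insensitively).
LURE_PATHS = {"/i/", "/x/", "/track/", "/us/", "/update/"}

# The impersonated brand and the only hostnames allowed to carry it.
BRAND = "usps"
LEGIT_SUFFIXES = ("usps.com",)

# "usps.com-l.win": brand + ".com-" lives in the subdomain, the real
# registrable domain is "com-l.win". Catch any ".com-<label>.<tld>" tail.
FAKE_DOTCOM_RE = re.compile(r"\.com-[a-z0-9-]+\.[a-z]+$")

# Assumed (constructed) log line layout.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_legit_host(host):
    """True only for usps.com itself or a genuine subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def classify(host, path, server_ip):
    """Return the reasons a request looks like a USPS lure ([] if none)."""
    host = host.lower()
    reasons = []
    if server_ip in BLOCKED_IPS:
        reasons.append("server ip on PR block list")
    if is_legit_host(host):
        return reasons  # real USPS traffic is never treated as a lookalike
    if FAKE_DOTCOM_RE.search(host):
        reasons.append("fake '.com-' label in hostname")
    if BRAND in host:
        reasons.append("brand keyword in non-USPS hostname")
    # The path alone is too generic to alert on; it only strengthens a hit.
    if reasons and path.lower() in LURE_PATHS:
        reasons.append("known lure path " + path.lower())
    return reasons


def parse_line(line):
    """Split one log line into its fields; None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, server, _method, url = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "server": server,
            "host": u.hostname or "", "path": u.path or "/"}


def scan(lines):
    """Run classify() over every parseable line; return (client, url, reasons)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["host"], rec["path"], rec["server"])
        if reasons:
            alerts.append((rec["client"], rec["host"] + rec["path"], reasons))
    return alerts


# Constructed sample traffic: genuine USPS, three PR lure hosts, and noise.
SAMPLE_LOG = """\
2024-11-26T14:01:02Z 10.0.0.5 203.0.113.10 GET https://tools.usps.com/go/TrackConfirmAction
2024-11-26T14:01:09Z 10.0.0.5 198.11.183.177 GET https://usps.com-l.win/x/
2024-11-26T14:02:30Z 10.0.0.7 8.221.106.55 GET https://uspswakg.top/I/
2024-11-26T14:03:11Z 10.0.0.9 198.11.183.177 GET https://information.com-street-addp.cfd/x/
2024-11-26T14:04:00Z 10.0.0.9 198.51.100.7 GET https://example.com/track/
garbage line that does not parse
"""

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG.splitlines()):
        print(client, url, "; ".join(reasons))
```

The fake ".com-" rule fires on the information.com-street-add*.cfd family even though it carries no "usps" string, which is why it is checked independently of the brand keyword.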

@g0d33p3rsec
Contributor Author

I'd also happily ban the entire .top gTLD and use an allow-list for the few sites using the registrar for legitimate purposes.
https://krebsonsecurity.com/2024/07/phish-friendly-domain-registry-top-put-on-notice/

@g0d33p3rsec
Contributor Author

g0d33p3rsec commented Nov 27, 2024

examinecheck.com-street-addw.cfd

sites you are showing as inactive still have recent urlscan.io hits


I wonder if you are hitting a geofence. Do you have a way to try from a U.S. IP address?

@g0d33p3rsec
Contributor Author

g0d33p3rsec commented Nov 27, 2024

https://www.virustotal.com/gui/ip-address/129.226.206.133
https://www.virustotal.com/gui/ip-address/198.11.183.177

It'll be a few before the most recent IP is detected by most of the engines on VirusTotal, but it shouldn't take long. I just added the IOC URLs. Look at how many related domains the single IP has hosted this month https://www.virustotal.com/gui/ip-address/8.221.106.55/relations

@g0d33p3rsec
Contributor Author

g0d33p3rsec commented Nov 28, 2024

Interesting, I'm also getting 404's when trying from some other services. If you want to try playing with what I'm seeing, try an IP I haven't added yet. Here are some of the other ones that are active today that I haven't enumerated yet:
https://urlscan.io/ip/49.51.200.214 is using /track/ so rescanning any of the domains from the IP page with that added should return a lure.
https://urlscan.io/ip/43.153.93.24 uses /i/
https://urlscan.io/ip/49.51.186.70 /us/
https://urlscan.io/ip/156.244.41.195 /us/
https://urlscan.io/ip/49.51.71.26 /track/
https://urlscan.io/ip/43.135.128.131 /update/

The screenshots all have different package numbers so urlscan is able to reach them somehow. Anyrun and VirusTotal both often 404. Also, noticing a bunch of domains listing Mandiant instead of VirusTotal as the resolver on the VT relations pages.

@spirillen
Contributor

I'd also happily ban the entire .top gTLD and use an allow-list for the few sites using the registrar for legitimate purposes. https://krebsonsecurity.com/2024/07/phish-friendly-domain-registry-top-put-on-notice/

😄


@spirillen spirillen reopened this Nov 28, 2024
@spirillen spirillen merged commit e31be7b into Phishing-Database:main Nov 28, 2024
2 checks passed
@spirillen
Contributor

Phishing domains are annoying, they are on, then off, then on... But @mypdns do handle IP blacklisting as well, just remember to use the label for IP Range

Or the url= https://github.com/mypdns/matrix/issues/new?assignees=spirillen&labels=Phishing,IP%20Range&milestone=Phishing&template=domain_blacklist.yml&title=

@g0d33p3rsec
Contributor Author

Phishing domains are annoying, they are on, then off, then on...

Then sprinkle in the fun introduced by malicious traffic distribution systems and Cloudflare.

But @mypdns do handle IP blacklisting as well, just remember to use the label for IP Range

Or the url= https://github.com/mypdns/matrix/issues/new?assignees=spirillen&labels=Phishing,IP%20Range&milestone=Phishing&template=domain_blacklist.yml&title=

Very nice! That should make both of our lives easier. Adding by domain would have been a sort of self-DoS due to the volume and their ephemeral nature. I think with this sort of thing, I have enough confidence from the supporting evidence, like passive DNS replication or certificate transparency logs, that the action could be legally justified/ easily defended.

@g0d33p3rsec
Contributor Author

I'd also happily ban the entire .top gTLD and use an allow-list for the few sites using the registrar for legitimate purposes. https://krebsonsecurity.com/2024/07/phish-friendly-domain-registry-top-put-on-notice/

😄


https://web.archive.org/web/20240726003701/https://krebsonsecurity.com/2024/07/phish-friendly-domain-registry-top-put-on-notice/

The Chinese company in charge of handing out domain names ending in “.top” has been given until mid-August 2024 to show that it has put in place systems for managing phishing reports and suspending abusive domains, or else forfeit its license to sell domains. The warning comes amid the release of new findings that .top was the most common suffix in phishing websites over the past year, second only to domains ending in “.com.”

On July 16, the Internet Corporation for Assigned Names and Numbers (ICANN) sent a letter to the owners of the .top domain registry. ICANN has filed hundreds of enforcement actions against domain registrars over the years, but in this case ICANN singled out a domain registry responsible for maintaining an entire top-level domain (TLD).
Among other reasons, the missive chided the registry for failing to respond to reports about phishing attacks involving .top domains.

ICANN letter to .top registrar

@spirillen
Contributor

Can see we'll need another kind of system to handle ~500.000 phishing domains per year...

Thanks for sharing.

And I'd love to see the death of the Chinese company behind all these phishing attacks, it just indicates that one individual could blacklist Jiangsu Bangning Science & Technology Co. Ltd. DNS servers without losing a whole lot
