
Usps phishing #524

Merged (6 commits), Dec 9, 2024

Conversation

@g0d33p3rsec (Contributor) commented Dec 8, 2024

Phishing Domain/URL/IP(s):


Impersonated domain

tools.usps.com

Describe the issue

Continuing to add IP addresses hosting multiple domains for USPS delivery failure lures. Instead of enumerating all of the recently generated disposable domain registrations associated with each IP, I have tried to include at least 10 examples from each, but most have many more that can be found on the related urlscan link for the IP listed in the external sources.

Related external source


Screenshot


@g0d33p3rsec (Contributor, Author) commented:

@spirillen I need to head out for a while to try to wrap up a final project for the semester. I'll come back to these this evening and transfer them over to the matrix. Krebs mentioned the surge in USPS lures in a post last week which referenced a report you may find interesting. The report highlighted the trend that we have also observed of threat actors moving from registering domains to abusing free subdomain providers.

spirillen added a commit to mypdns/matrix that referenced this pull request Dec 9, 2024
Fixing #1392
Fixing #1393
Fixing #1394
Fixing #1395
Fixing #1396
Fixing #1397

Related: Phishing-Database/phishing#524

Credit:

- @g0d33p3rsec

---------

You can always be following My Privacy DNS at https://kb.mypdns.org/issues?u=1

Sponsor us by Donate to My Privacy DNS https://kb.mypdns.org/articles/MTX-A-3/DONATION
@spirillen spirillen merged commit 02d568e into Phishing-Database:main Dec 9, 2024
1 check passed
@spirillen (Contributor) commented:

Thanks for the link, interesting article, though it is just proving our suspicion on Google and Cloudflare for knowingly hosting and protecting this stuff.
