Imperva: Массовая фишинговая кампания

Специалисты израильской компании Imperva, предлагающей услуги в области кибербезопасности, обнаружили, что за фишинговыми атаками по всему миру стоят россияне. Создав крупную модульную платформу для фишинга, хакеры пытаются выдавать себя за украинцев.

Содержание

В кампании было задействовано более 800 различных мошеннических доменов, которые выдавали себя за около 340 легитимных компаний по всему миру, включая известные банки, почтовые службы, службы доставки, социальные сети и сайты электронной коммерции, такие как Facebook, Booking.com и другие популярные сайты с большим трафиком.

Используя высококачественное одностраничное приложение, мошенники смогли динамически создать убедительный сайт, выдающий себя за легитимный, и обмануть пользователей, внушив им ложное чувство безопасности.

В ходе расследования была выявлена фишинговая кампания, в которой использовалась сложная тактика взаимодействия с человеком, чтобы обмануть своих жертв и похитить их данные кредитных карт и банковских реквизитов. Несмотря на то, что происхождение кампании было российским, участники угроз выдавали себя за украинцев.

В ходе расследования Imperva проанализировали несколько мошеннических доменов и провели реверс-инжиниринг внешнего приложения.

Imperva выявили пять IP-адресов и 800 различных мошеннических доменов, связанных с этой кампанией. Imperva проследили эту кампанию как минимум до мая 2022 года. Кампания продолжается и регулярно обновляется.

В общей сложности мы обнаружили фишинговые сайты на более чем 48 языках, выдающие себя за более чем 340 компаний.

Если принять во внимание продолжительность кампании, количество используемых доменов, а также разнообразие используемых языков, то можно предположить, что жертвами фишинга стали тысячи людей.

Indicators of Compromise

IPv4

185.106.93.21
185.106.93.93
185.229.66.68
185.4.66.166
85.119.149.127

Domains

*.11852.eu
*.17283812.com
*.1838299.com
*.3ds.finance
*.3ds-order.online
*.3dssafety.online
*.accept15423.cfd
*.accept31243.cfd
*.a-deal.online
*.a-load.cyou
*.a-pay.cfd
*.a-pay.cyou
*.a-payment.cfd
*.a-payment.cyou
*.a-payments.cfd
*.a-payments.online
*.a-pays.cfd
*.a-resiw.cfd
*.a-resiwe.cfd
*.b-deal.cyou
*.b-pay.cfd
*.b-resiwe.cfd
*.briansclub.cm
*.c-deal.cyou
*.c-deliver.cyou
*.c-deliver.online
*.conferm.online
*.confirmc.online
*.c-pay.cfd
*.c-pay.cyou
*.c-payments.cyou
*.c-taker.online
*.d-deal.cyou
*.deaal-3ds.online
*.deal-b.cyou
*.deal-express.cyou
*.deal-express.icu
*.dealf.online
*.deal-guard.online
*.deali-3ds.online
*.dealj.online
*.deall.cyou
*.deall-3ds.online
*.deally-safety.online
*.deal-order.online
*.deal-ordery.online
*.deal-safe.cyou
*.deal-safety.store
*.deal-secure.online
*.dealy.cyou
*.dealy-3ds.online
*.dealy-fast.cyou
*.dealy-s.cyou
*.dealy-safety.online
*.dealz-3ds.online
*.deliiver.cfd
*.deliver-a.top
*.deliveri.cfd
*.deliver-p.cyou
*.deliver-q.cfd
*.deliver-q.cyou
*.deliver-send.ink
*.deliver-t.cyou
*.deliver-y.cfd
*.deliver-y.cyou
*.delivery-a.cyou
*.deliverya.online
*.deliverya.site
*.deliveryb.site
*.delivery-e.cfd
*.deliverye.online
*.delivery-expressu.on
*.deliveryf.online
*.deliveryfa.com
*.deliveryfh.online
*.deliveryfr.online
*.deliverygf.online
*.delivery-guard.online
*.delivery-guardl.onlin
*.delivery-h.cfd
*.delivery-h.cyou
*.deliveryh.site
*.deliveryi.cam
*.deliveryi.site
*.deliveryi.store
*.deliveryjb.online
*.deliveryk.site
*.delivery-l.cfd
*.delivery-l.cyou
*.deliveryl.in
*.deliverylj.online
*.deliverylk.online
*.deliverylv.online
*.deliveryly.online
*.deliverylz.online
*.deliveryns.online
*.deliverynt.online
*.deliveryo.store
*.deliveryp.store
*.deliveryph.online
*.deliverypj.online
*.deliverypz.online
*.delivery-q.cyou
*.deliveryq.online
*.deliveryq.site
*.deliveryr.site
*.deliveryri.online
*.deliverys.icu
*.deliveryst.online
*.deliverysu.online
*.deliverysw.online
*.deliveryt.cam
*.deliveryu.online
*.deliveryu.site
*.deliveryup.online
*.deliveryuq.online
*.deliveryuz.online
*.deliveryv.online
*.deliveryv.site
*.delivery-w.cyou
*.deliveryw.online
*.delivery-y.cfd
*.delivery-y.cyou
*.delivery-y.online
*.deliveryyc.online
*.delivery-z.online
*.deliveryzj.online
*.deliveryzo.online
*.deliverz-t.cfd
*.deliverz-t.cyou
*.delvieryg.cyou
*.delvieryg.online
*.detailtrust.com
*.dispatch-to.online
*.d-order.online
*.d-payment.cfd
*.d-payment.cyou
*.d-takel.top
*.e-deal.cyou
*.e-load.cyou
*.e-resele.cfd
*.e-send.online
*.eutruste.com
*.eutrusteds.co
*.eutrusteds.com
*.express-deal.site
*.express-deali.cyou
*.express-deall.cyou
*.express-deals.cyou
*.express-dealy.cyou
*.express-deliveryl.online
*.express-deliveryv.online
*.express-payment.online
*.express-paymentl.online
*.express-paymenty.online
*.express-safety.online
*.expressy-deals.online
*.fast-delivery.cc
*.faster-delivery.online
*.faster-deliveryt.online
*.fasters-deal.cyou
*.fasters-delivery.online
*.fast-ordery.online
*.fast-payments.online
*.f-deal.cfd
*.f-dealy.cyou
*.f-payments.cfd
*.f-payments.cyou
*.f-resew.top
*.f-take.online
*.g-deal.cyou
*.g-dealy.cfd
*.g-resewe.cfd
*.guad-deals.cyou
*.guard-deal.cyou
*.guard-deal.icu
*.guard-deal.online
*.guard-deall.cyou
*.guard-pay.online
*.guard-paym.online
*.guard-paymentl.online
*.guards-payment.online
*.guardy-deal.cyou
*.guardy-delivery.online
*.guart-delivery.online
*.h-deal.cyou
*.h-loade.online
*.h-taker.top
*.i-deal.cyou
*.info13725.online
*.info13849.online
*.info15697.online
*.info16517.cfd
*.info16547.online
*.info21421.online
*.info26912.cfd
*.info35625.online
*.info36545.cfd
*.info36547.online
*.info45678.online
*.info46412.cfd
*.info52569.cyou
*.info74125.cfd
*.i-pay.cyou
*.i-payment.online
*.i-payments.cfd
*.i-payments.online
*.i-send.cfd
*.i-send.online
*.j-deliver.cfd
*.j-order.online
*.j-orders.online
*.j-send.cyou
*.j-taker.cfd
*.kazpozt.fun
*.kazpozt.site
*.k-loade.online
*.kzpost.website
*.laod12412.online
*.link-payr.online
*.link-pays.online
*.l-load.cfd
*.l-load.cyou
*.l-load.online
*.load-12414.online
*.load13241.info
*.load21421.online
*.load41245.cyou
*.load48341.online
*.load-b.cfd
*.load-b.cyou
*.load-b.online
*.load-c.cfd
*.load-c.cyou
*.loadc-out.cfd
*.loade.top
*.loade-t.site
*.load-f.online
*.loadf-out.cfd
*.load-i.cfd
*.load-i.cyou
*.load-i.site
*.load-m.cfd
*.loadn.cfd
*.load-o.cfd
*.load-o.cyou
*.loado.online
*.loadoyt.cfd
*.loadr-out.online
*.loadr-safe.cfd
*.load-s.cfd
*.loads19421.online
*.load-safe.cfd
*.loads-e.cfd
*.loads-g.cfd
*.loads-r.cfd
*.loads-r.cyou
*.loadt.cfd
*.load-t.cfd
*.load-t.cyou
*.load-t.online
*.load-w.cfd
*.load-w.cyou
*.load-w.online
*.load-y.site
*.loady-a.online
*.loady-m.cfd
*.loady-out.online
*.loady-u.world
*.lode-out.online
*.l-payments.online
*.l-resewe.cfd
*.l-takel.cfd
*.m-payments.online
*.n-payment.online
*.n-payments.online
*.n-resewe.cfd
*.o-deal.cyou
*.o-deal.online
*.o-dealy.cfd
*.o-dealy.cyou
*.o-dealy.online
*.odery-deal.online
*.o-paument.cfd
*.o-pay.online
*.o-payment.cfd
*.o-payments.online
*.order11177.online
*.order12431.online
*.order12474.cyou
*.order1587.cfd
*.order23440.online
*.order3001.site
*.order44512.cfd
*.order45124.cyou
*.order47852.online
*.order56321.online
*.order65454.online
*.order68712.cfd
*.order69833.cyou
*.order77945.cyou
*.order88745.cfd
*.order96511.online
*.order96545.cyou
*.order-b.cfd
*.order-b.cyou
*.orderb.online
*.order-b.online
*.orderce.online
*.order-dealc.online
*.ordere.online
*.orderf-3ds.online
*.orderf-dealy.online
*.orderfx.online
*.order-h.cyou
*.order-i.cfd
*.order-i.online
*.ordern.online
*.orderp.online
*.orderq.online
*.orders.cam
*.orders347.com
*.orders47896.org
*.order-safer.cfd
*.order-safety.icu
*.ordert.online
*.ordertrusted.com
*.ordervs.online
*.orderw.online
*.orderyq.online
*.o-recipient.cyou
*.o-resewe.cfd
*.o-sendo.cfd
*.out-sendi.cfd
*.out-sendi.online
*.outz-load.online
*.pamentl-express.online
*.paybg.online
*.payc.cfd
*.pay-c.cfd
*.pay-c.cyou
*.paycl.online
*.payd.cfd
*.pay-e.cfd
*.pay-e.cyou
*.payf.online
*.paygv.online
*.paygy.online
*.pay-h.cfd
*.pay-h.online
*.payho.online
*.pay-i.cfd
*.pay-i.cyou
*.payi.site
*.payiy.online
*.pay-j.cyou
*.payji.online
*.payjt.online
*.pay-k.cfd
*.pay-k.cyou
*.payk.site
*.payke.online
*.pay-l.online
*.paymenlt.online
*.paymentc.cfd
*.paymentc.cyou
*.paymentc.online
*.payment-delivery.online
*.payment-delivery.su
*.paymente.cyou
*.paymenth.cfd
*.paymenth.cyou
*.paymenti.online
*.payment-j.cfd
*.payment-j.cyou
*.payment-l.cfd
*.payment-l.cyou
*.paymento.cfd
*.payment-p.cfd
*.payment-p.cyou
*.paymentpl.gives
*.payment-receive.online
*.payment-safety.cfd
*.payment-safety.cyou
*.payments-e.cfd
*.payments-e.cyou
*.payments-express.online
*.payments-expressy.online
*.payments-h.cfd
*.payments-h.cyou
*.payment-sl.cyou
*.payment-sl.online
*.payments-p.cfd
*.payments-p.cyou
*.payments-receve-it.com
*.payments-t.cfd
*.payments-t.cyou
*.paymentt-u.cfd
*.paymentt-u.cyou
*.payment-u.cfd
*.payment-u.cyou
*.paymentu-l.cfd
*.paymentu-l.cyou
*.paymentv.cfd
*.paymentv.cyou
*.paymentv.online
*.payment-x.cfd
*.payment-x.cyou
*.payment-y.cfd
*.paymenty-e.cfd
*.paymenty-e.cyou
*.paymentyl-safe.online
*.paymenty-m.cfd
*.paymentz-n.cfd
*.paymentz-n.cyou
*.paymentz-safe.online
*.paymery.cfd
*.paymetv.cyou
*.paymk.online
*.payn.cfd
*.paynb.online
*.payng.online
*.pay-o.online
*.pay-order.online
*.payorderc.online
*.payoy.online
*.pay-p.cfd
*.pay-p.online
*.payp.store
*.payp-3ds.online
*.payq.online
*.pay-r.cfd
*.pay-r.cyou
*.payr-3ds.site
*.payre.online
*.payrg.online
*.payrh.online
*.payrr.online
*.payrt.online
*.pays.guru
*.pay-safety.online
*.pay-safetyl.online
*.pay-safetyy.online
*.paysecure.link
*.payso.online
*.pays-q.cfd
*.pays-q.cyou
*.pays-u.cfd
*.pays-u.cyou
*.payt.shop
*.paytb.online
*.payti.online
*.paytr.online
*.paytz.online
*.pay-u.cfd
*.pay-u.cyou
*.pay-u.online
*.payu-3ds.site
*.payu-3ds.store
*.payub.online
*.payur.online
*.pay-v.cfd
*.pay-v.cyou
*.payvk.online
*.paywu.online
*.payy-3ds.store
*.payyt.online
*.payzg.online
*.payzo.online
*.payz-r.cfd
*.p-deliver.cfd
*.p-pays.online
*.processing.tel
*.przelew-srodki.store
*.p-send.cfd
*.p-send.online
*.p-takes.cfd
*.q-deal.cyou
*.q-payment.cfd
*.q-pays.online
*.r-delivery.cfd
*.r-delivery.cyou
*.receive-p.com
*.receive-payment.onlin
*.recewe-p.online
*.resel-w.cfd
*.reservation10411.cfd
*.reserve-s.online
*.reserwe-g.online
*.reserwe-g.site
*.resev-b.cfd
*.reseve-p.cfd
*.resew-d.top
*.resew-dealy.top
*.resewe.info
*.resewe.top
*.resewe-o.cfd
*.resewe-o.online
*.resewer-y.cfd
*.resewet.top
*.resew-o.cfd
*.resewo.top
*.resew-r.top
*.resew-t.top
*.resew-v.online
*.resewy.top
*.resiveg.online
*.resive-j.online
*.resiver.online
*.resiwe-f.online
*.resiwe-p.site
*.resiwe-q.top
*.resiw-y.cfd
*.risewe-t.online
*.r-order.online
*.r-sendy.cfd
*.sabitopays3ds.fun
*.safe-3ds.online
*.safe-deliver.online
*.safe-delivery.cfd
*.safe-delivery.cyou
*.safe-loady.cfd
*.safe-orderh.online
*.safe-orders.cyou
*.safe-ordery.online
*.safe-pay.online
*.safe-payt.online
*.safe-payyment.online
*.safe-sends.online
*.safet-sendt.online
*.safety-deal.cam
*.safety-deal.click
*.safety-dealj.online
*.safety-dealu.online
*.safety-dealy.online
*.safety-dealz.online
*.safety-deliver.cfd
*.safety-delivery.online
*.safetyi-pay.online
*.safetyl-pay.online
*.safety-order.online
*.safety-pay.online
*.safety-payl.online
*.safety-payt.online
*.safety-payz.online
*.safetyy-order.online
*.safetyy-pay.online
*.s-deal.cfd
*.s-delivery.cyou
*.s-delivery.online
*.secure3ds-2151124.space
*.secure3ds-71581.com
*.securepayment.one
*.secure-s.online
*.send21431.online
*.send25112.online
*.send25434.online
*.send-45212.cfd
*.send87934.online
*.senda.cfd
*.send-a.life
*.send-a.site
*.senda-y.cfd
*.send-c.life
*.send-c.online
*.send-deliver.cyou
*.send-e.site
*.sendej.xyz
*.send-g.cfd
*.send-g.online
*.send-i.cyou
*.sendi-s.online
*.sendj-safe.cfd
*.send-k.cfd
*.send-load.online
*.send-nl.online
*.send-o.cfd
*.send-o.cyou
*.sendout.cfd
*.sendouts.cfd
*.send-outs.online
*.send-p.cfd
*.send-p.online
*.send-payment.online
*.sendr-safe.cfd
*.sends-deliver.ink
*.sends-e.cyou
*.sends-i.cfd
*.sends-m.cfd
*.sends-m.cyou
*.sends-q.online
*.sends-z.cfd
*.sendsz.online
*.sendt-v.cfd
*.send-u.cfd
*.send-u.online
*.send-v.cyou
*.send-v.online
*.sendw.online
*.send-z.cfd
*.send-z.cyou
*.send-z.top
*.ship-load.ink
*.shipmentl.online
*.shipmentz.online
*.simplestrys.com
*.site-order.info
*.s-ordert.online
*.s-pay.cfd
*.s-pay.cyou
*.s-shipment.online
*.subito-it-tradesafe.site
*.take12421.cfd
*.take-c.life
*.take-c.site
*.take-r.site
*.taker-b.top
*.taker-n.world
*.take-y.cfd
*.t-dealy.cyou
*.to-diispatch.online
*.to-dispatch.ink
*.to-dispatch.online
*.to-pay.ink
*.to-pay.online
*.track12234.cyou
*.track12324.online
*.track14365.cyou
*.track14387.cfd
*.track14526.online
*.track14685.cfd
*.track15687.online
*.track156987.cfd
*.track23541.online
*.track25431.info
*.track26517.cyou
*.track36711.cyou
*.track42134.online
*.track-42722.com
*.track45895.cfd
*.track-66622.cyou
*.track96347.online
*.tradeitcold.online
*.t-recipient.online
*.trust-order.com
*.trysenders.com
*.u-payments.cfd
*.u-resew.cfd
*.verification-m.online
*.verif-v.online
*.verify-card-booking.com
*.v-loade.cfd
*.v-pay.cyou
*.v-taker.online
*.w-deal.cyou
*.w-delivery.cfd
*.w-take.cfd
*.y-loads.cyou
*.y-loads.online
*.y-resewe.cfd
*.y-resiwe.cfd
*.y-send.cfd
*.y-sends.cfd
*.z-deal.cyou
*.z-dealy.cyou
*.z-deliver.online
*.z-sends.cfd
*.UPAY.CFD
ebay.eutrusteds.com
testSDNservssfg.com

Technical report

Behind-the-Scenes-of-a-Tailor-Made-Massive-Phishing-Campaign_IOCs.pdf