2024-11-08-domains-for-Japan-targeted-phishing.txt
2024-11-08 (FRIDAY): NEWLY REGISTERED DOMAINS IN JAPAN-TARGETED PHISHING
AUTHORS:
- Fang Liu
REFERENCES:
- https://www.linkedin.com/posts/unit42_phishing-activity-7261828808884801536-pVJQ/
- https://x.com/Unit42_Intel/status/1856063191203057995
NOTES:
- This is a long-running phishing campaign targeting Japan-based companies and organizations.
- The attackers frequently register new domains for phishing sites that are usually hosted on public cloud infrastructure.
- These phishing sites are short-lived, and the threat actor continues registering a large number of new domains.
- For example, we found more than 50 new domains active and resolving to 43.153.149[.]164 on Friday 2024-11-08.
- Several of these phishing sites only work on mobile browsers, and they do not show content on a desktop browser.
EXAMPLES OF NEWLY REGISTERED DOMAINS:
- asdfghjklzxcvbnmqwertyuiopmlkhnas[.]com
- asdfghjklzxcvbnmqwertyuiopnlkasuopas[.]com
- iunjeanjed[.]com
- iwmaasdioas[.]com
- tinfrnub[.]com
- ybrjaobs[.]com
- ybrjaonjws[.]com
- yngsowusad[.]com
EXAMPLES OF URLS FOR THE PHISHING PAGES:
- hxxps[:]//a2.jcbmnksasd[.]com/FjgDET/
- hxxps[:]//a3.uisna[.]com/CaACrB/
- hxxps[:]//dianyneksa[.]com/ele
- hxxps[:]//oveksaama[.]com/ama
- hxxps[:]//oveksadian[.]com/ele
- hxxps[:]//oveksamaomao[.]com/yaya
- hxxps[:]//oveksasanjng[.]com/sj
- hxxps[:]//sanjinyneksa[.]com/sj
- hxxps[:]//tkwouiasf[.]com/
- hxxps[:]//ynjkwama[.]com/ama
- hxxps[:]//ynjkwmaom[.]com/yaya
EXAMPLES OF URLS FOR THIS CAMPAIGN DELIVERED THROUGH EMAIL:
- hxxps[:]//www.smbc-card.compctjcpyndamyntbasquvczdjegcsflwhugcfmai@inkiunf[.]com/
- hxxps[:]//jpyzhsh.comjdlppqploqayhmkeqsklvshkalnhvzhqvpmlmln@tinfrnnjic[.]com?loginid=hxwqvccnuraxgnkeeprdyguartlxxtegwbnuktfwjznezjkiei9000188595xujlbdvzbq
- hxxps[:]//bllrkco.comsivrdctigsupylijeidyeqjnprojhxtpzglruhl@tinfrns[.]com?loginid=nafkgfmajbxfktdehpmqqrinrcjmbxnownyciifwmbjywvjpnh7444598292msypxiwwoc
- hxxps[:]//www.smbc-card.comewsbqmsttsfhfmedaagcdfncbbfqmfylshzfwkm@masrpjw[.]com/
- hxxps[:]//www.smbc-card.comtihjporzafkaiueyuzyvoxkhxklhjbwpnjjshmy@wernhgb[.]com/
- hxxps[:]//yahoo.co.jpybexxlqlrorrekqpwiqrdsgxcvvtfvfjcbogaot@electpmw[.]com/
- hxxps[:]//yahoo.co.jpagfblgsnimurlzxbzcecdaozxcuknpzmkacvhql@kpjpns[.]com/
- Note 1: In the above URL list, when a URL has @ anywhere in the domain area, the actual domain is after the @ symbol. The browser treats everything before the @ as user info, so the lookalike brand name placed there is never resolved.
-- For example, hxxps[:]//something@somethingbad[.]com/ would go to hxxps[:]//somethingbad[.]com/
- Note 2: In the above URL list, the ? symbol marks the end of the domain area.
-- For example, hxxps[:]//something@somethingbad[.]com?loginid=123 would go to hxxps[:]//somethingbad[.]com/?loginid=123
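The two notes above describe exactly what a browser does with the authority part of a URL: user info before @ is discarded, and / or ? ends the host. The script below, an added example that is not code from the original IoC file or from Unit 42, applies those rules with Python's standard urllib.parse to recover the real destination host and the decoy brand string from the defanged URLs, and flags entries whose user-info looks like a hostname. The embedded sample URLs are the defanged entries from the list above; the function names (refang, real_host, decoy_label, userinfo_spoof, normalize, triage) are this example's own.

```python
"""Resolve the real destination of defanged phishing URLs.

Added example; not code from the original IoC file or from Unit 42.
It applies the two notes above: in the authority part of a URL, everything
before '@' is user info the browser never resolves, and '?' (like '/')
terminates the authority. Sample URLs are the defanged ones listed above.
"""
from urllib.parse import urlsplit


def refang(defanged: str) -> str:
    """Undo the defanging conventions used in the IoC list (hxxp(s)[:]//, [.])."""
    return (
        defanged.replace("hxxps[:]//", "https://")
        .replace("hxxp[:]//", "http://")
        .replace("[.]", ".")
    )


def real_host(defanged_url: str) -> str:
    """Host the browser would actually connect to (the part after the last '@')."""
    parts = urlsplit(refang(defanged_url))
    # urlsplit cuts the authority at the first '/', '?' or '#'; .hostname is
    # then the portion after the last '@', lower-cased and without any port.
    return parts.hostname or ""


def decoy_label(defanged_url: str) -> str:
    """The user-info string before '@', where the lookalike brand name sits."""
    parts = urlsplit(refang(defanged_url))
    return parts.username or ""


def userinfo_spoof(defanged_url: str) -> bool:
    """Flag URLs whose user-info looks like a hostname (contains a dot)."""
    return "." in decoy_label(defanged_url)


def normalize(defanged_url: str) -> str:
    """Canonical scheme://host/path?query form, as in the notes' examples."""
    parts = urlsplit(refang(defanged_url))
    url = f"{parts.scheme}://{parts.hostname}{parts.path or '/'}"
    if parts.query:
        url += f"?{parts.query}"
    return url


# Defanged URLs taken from the list above (subset).
SAMPLE_URLS = [
    "hxxps[:]//www.smbc-card.compctjcpyndamyntbasquvczdjegcsflwhugcfmai@inkiunf[.]com/",
    "hxxps[:]//yahoo.co.jpybexxlqlrorrekqpwiqrdsgxcvvtfvfjcbogaot@electpmw[.]com/",
    "hxxps[:]//tkwouiasf[.]com/",
    "hxxps[:]//a2.jcbmnksasd[.]com/FjgDET/",
]


def triage(urls=SAMPLE_URLS):
    """Map each defanged URL to (real host, spoof flag) for blocklist review."""
    return {u: (real_host(u), userinfo_spoof(u)) for u in urls}


if __name__ == "__main__":
    for u, (host, spoof) in triage().items():
        tag = "SPOOF " if spoof else "      "
        print(f"{tag}{host:<20} {u[:70]}")
```

Only the value returned by real_host belongs on a blocklist; the decoy_label string is useful for spotting which brand the lure imitates but is not a domain the victim ever reaches.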
IP ADDRESSES HOSTING THESE PHISHING DOMAINS:
- 101.36.105[.]44
- 101.36.105[.]98
- 124.156.212[.]175
- 165.154.231[.]17
- 165.154.231[.]34
- 165.154.231[.]62
- 165.154.231[.]96
- 165.154.231[.]99
- 165.154.231[.]175
- 165.154.231[.]184
- 43.128.237[.]191
- 43.128.237[.]235
- 43.130.232[.]219
- 43.130.245[.]23
- 43.133.12[.]183
- 43.133.13[.]115
- 43.133.13[.]196
- 43.133.173[.]108
- 43.133.193[.]162
- 43.133.193[.]3
- 43.133.196[.]251
- 43.133.8[.]139
- 43.153.140[.]10
- 43.153.147[.]20
- 43.153.149[.]164
- 43.153.168[.]126
- 43.153.176[.]165
- 43.153.178[.]121
- 43.153.183[.]161
- 43.153.185[.]146
- 43.163.198[.]51
- 43.163.204[.]5
- 43.163.212[.]225
- 43.163.221[.]38
- 43.163.234[.]142
- 43.163.238[.]42
- 43.167.237[.]47