For the past three months, I’ve repeatedly received the same phishing email posing as a PayPal notification stating, “your account has been suspended,” attempting to steal my login details.
The email arrives from “service@paypal.com” and looks very convincing to the average user.
Here is the phishing chain the threat actors are currently using in these types of attacks:
Fortunately, there are several steps involved in this attack, which hopefully gives unsuspecting users more of a chance to recognise they are being targeted. Flow of the phishing chain (NB the credential-harvesting page is replaced with the YouTube video):
The interesting part of this attack to me is that it leveraged one of MySpace’s domains to redirect users to the next stage. However, if you try to visit one of the links – without clicking on the button in the URL – it will redirect you to the same YouTube video.
Example YouTube comment from these videos:
Interestingly, I also used URLscan.io here to check for other pages that redirect to this odd YouTube video. Looking at how often it has been submitted, this appears to be an active, ongoing campaign.
Using OSINT techniques such as checking the WHOIS data of the malicious domains, we can also learn more about who is behind these attacks. From this, we learn that both domains were registered through an Indonesian registrar and are hosted on ASNs that are notorious for allowing malicious content and for being slow with takedowns.
WHOIS Data:

Domain: bloodformercy.id
Age: 112 days old
IPv4: 192.119.80.250
Location: Washington – Seattle – Hostwinds Llc.
ASN: AS54290 HOSTWINDS, US
DNS: DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM

Domain: umbrellacorp.id
Age: 136 days old
IPv4: 192.64.113.199
Location: Georgia – Atlanta – Namecheap Inc.
ASN: AS22612 NAMECHEAP-NET, US
DNS: DNS1.REGISTRAR-SERVERS.COM, DNS2.REGISTRAR-SERVERS.COM

Sponsoring Registrar PANDI ID: H8100226
Sponsoring Registrar Organization: Jagat Informasi Solusi (int)
Sponsoring Registrar City: Jakarta
Sponsoring Registrar State/Province: Jakarta Pusat
Sponsoring Registrar Postal Code: 10220
Sponsoring Registrar Country: Indonesia
Sponsoring Registrar Phone: 2129388505
Sponsoring Registrar Contact Email: info@belidomain.co.id
Conclusion:
Although I have blocked the sender and have submitted takedown requests, it appears I am doomed to continue to receive this PayPal phish 😂
If you enjoyed this, may I invite you to check out my recent talk at BeerCon2 regarding the phishing threat landscape. It is available here and the TL;DR can be found here.
Indicators of Compromise (IOCs):
Domain: umbrellacorp[.]id
Domain: bloodformercy[.]id
Domain: acwqva[.]com
URL: hxxp://umbrellacorp[.]id/killbot/saymon.php
URL: hxxp://umbrellacorp[.]id/killbot/thomas13.php
URL: hxxp://portal[.]bloodformercy[.]id/mobile-signin
IPv4: 192.64.113.199
IPv4: 192.119.80.250
MySpace Redirector Links:
URL: hxxps://mysp.ac/4fylg
URL: hxxps://mysp.ac/4evC9
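The IOCs above are published defanged (hxxp, [.]), which is the right way to share them but means they need refanging before a proxy or SIEM can use them. The following Python script is an added example written for this post, not code from the original author: it parses the IOC list exactly as given above, refangs it, and scans a few constructed proxy log lines (sample data, not real traffic) for hits. Domains match on the host or any subdomain, IPs match on the host, and URLs match exactly regardless of http/https, so the MySpace shortener is only flagged on the specific redirector paths rather than blocking mysp.ac outright.

```python
import re
from urllib.parse import urlparse

# IOC list as published on the page, kept in its defanged form so the
# parser is exercised on real defanged notation.
IOC_TEXT = """
Domain: umbrellacorp[.]id
Domain: bloodformercy[.]id
Domain: acwqva[.]com
URL: hxxp://umbrellacorp[.]id/killbot/saymon.php
URL: hxxp://umbrellacorp[.]id/killbot/thomas13.php
URL: hxxp://portal[.]bloodformercy[.]id/mobile-signin
IPv4: 192.64.113.199
IPv4: 192.119.80.250
URL: hxxps://mysp.ac/4fylg
URL: hxxps://mysp.ac/4evC9
"""

# Constructed sample proxy log lines (timestamp client method url status);
# not real traffic, just inputs for the detection logic below.
PROXY_LOG = [
    "2024-03-01T09:12:03Z 10.0.0.5 GET https://mysp.ac/4fylg 302",
    "2024-03-01T09:12:05Z 10.0.0.5 GET http://umbrellacorp.id/killbot/saymon.php 302",
    "2024-03-01T09:12:07Z 10.0.0.5 GET http://portal.bloodformercy.id/mobile-signin 200",
    "2024-03-01T09:13:00Z 10.0.0.7 GET https://www.paypal.com/signin 200",
    "2024-03-01T09:14:11Z 10.0.0.9 GET http://192.119.80.250/favicon.ico 404",
]


def refang(value):
    """Turn defanged notation (hxxp, hxxps, [.]) back into a usable indicator."""
    value = value.strip()
    value = re.sub(r"^hxxps://", "https://", value, flags=re.IGNORECASE)
    value = re.sub(r"^hxxp://", "http://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def parse_iocs(text):
    """Parse 'Type: value' lines into {'domains', 'urls', 'ips'} sets."""
    iocs = {"domains": set(), "urls": set(), "ips": set()}
    for line in text.splitlines():
        if ":" not in line:
            continue
        kind, _, raw = line.partition(":")
        kind, value = kind.strip().lower(), refang(raw)
        if kind == "domain":
            iocs["domains"].add(value.lower())
        elif kind == "url":
            iocs["urls"].add(value)
        elif kind == "ipv4":
            iocs["ips"].add(value)
    return iocs


def host_matches(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_url(url, iocs):
    """Return the list of IOCs a requested URL hits (domain, ip, exact url)."""
    hits = []
    host = urlparse(url).hostname or ""
    d = host_matches(host, iocs["domains"])
    if d:
        hits.append("domain:" + d)
    if host in iocs["ips"]:
        hits.append("ip:" + host)
    # Exact URL match, scheme-insensitive so http/https variants both count.
    stripped = url.split("://", 1)[-1]
    for known in sorted(iocs["urls"]):
        if known.split("://", 1)[-1] == stripped:
            hits.append("url:" + known)
            break
    return hits


def scan_logs(lines, iocs):
    """Return (client, url, hits) for every log line that touches an IOC."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        hits = match_url(url, iocs)
        if hits:
            alerts.append((client, url, hits))
    return alerts


if __name__ == "__main__":
    for client, url, hits in scan_logs(PROXY_LOG, parse_iocs(IOC_TEXT)):
        print(client, url, ", ".join(hits))
```

Running it flags four of the five sample lines: the two redirector hops and the credential page for client 10.0.0.5, and a direct request to one of the listed IPs from 10.0.0.9; the legitimate paypal.com sign-in is left alone. Subdomain matching is what catches portal.bloodformercy.id against the bare bloodformercy.id indicator.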
References: