easyDNS
28 Jul, 12 tweets, 4 min read
Mini-thread on how hybrid phishing, phone-hooking, malware infecting campaigns look these days: 👇
#infosec #fraud #phishing #CyberSecurity 1/12
A few weeks ago we notice a pattern of new domain signups coming onto the system (we notice this because we manually inspect every single #bitcoin transaction that comes into the system):
They're all for new domains, different accounts, with the pattern XXsupportcare[dot]com, where XX is anything: 1 char, 2 chars, a word ("geek"), etc.
These obviously smell funny, so we add the pattern to our prescreening filters to slam the brakes on any new ones coming on. When we look at the website, we're not seeing an obvious phish; it's just a nondescript generic page asking for an input code:
So, we can't really take stuff down "because it smells funny" (company policy), but we start putting out inquiries via seclists and compiling the list of all the domains on the system (multiple domains added within a few hours).
About a week and a half later, we get the first wave of complaints on a Saturday morning. On Friday night, the emails started going out telling people about a fake transaction on their PayPal account for various Big Box stores:
Simple habitual scans can help here: the "From" envelope is from a Gmail address, but the email is ostensibly from PayPal, hmmmm.
The target calls the number ("Hey, waitaminute, I didn't order this") and the call agent will tell them their personal data has been hacked and used to open a fake @Paypal account..... and here comes the scam:
Somehow this fake PayPal account withdrew your money from your real account, and they need you to go to this website (earlier tweet) to enter a reference code so that "they can unblock your IP".
Beyond that, our assumption is that it will prompt you to download malware to your computer.

These multi-variant attacks (email -> phone -> website) are well organized, and the call agents are rehearsed and on-script (we called them when we got one of their later iterations).
Of course, once we saw the first complaint, we terminated everything across all accounts as per our Plain English Terms of Service (easydns.com/terms).
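The two defender-side checks the thread relies on, the signup prescreen for the XXsupportcare[dot]com pattern and the mismatch between a PayPal display name and a Gmail sender, as an added example in Python (not easyDNS's own code; the signup records and mail headers are constructed samples, and the `min_hits` threshold is an assumed tuning knob):

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed signup records (account id, domain); not real registrar data.
SIGNUPS = [
    ("acct-101", "1supportcare.com"),
    ("acct-202", "absupportcare.com"),
    ("acct-303", "geeksupportcare.com"),
    ("acct-404", "example-bakery.com"),
]

# Prescreen pattern from the thread: any label ending in "supportcare.com".
SUPPORTCARE_RE = re.compile(r"^[a-z0-9-]+supportcare\.com$", re.IGNORECASE)


def prescreen_signups(signups, min_hits=2):
    """Return matching domains once at least `min_hits` distinct accounts
    (assumed threshold) have registered them, i.e. a coordinated wave."""
    hits = [(acct, dom) for acct, dom in signups if SUPPORTCARE_RE.match(dom)]
    if len({acct for acct, _ in hits}) < min_hits:
        return []
    return [dom for _, dom in hits]


# Constructed headers of the lure described in the thread: PayPal branding,
# Gmail sender. Return-Path stands in for the envelope sender.
SAMPLE_LURE = """\
Return-Path: <refunds.desk@gmail.com>
From: "PayPal Service" <refunds.desk@gmail.com>
To: customer@example.net
Subject: Your recent purchase

"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(raw_message, brand="paypal", brand_domain="paypal.com"):
    """True when the visible From name claims the brand but the From address
    or the envelope sender is at a domain that is not the brand's."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    claims_brand = brand in display.lower()

    def on_brand(d):
        return d == brand_domain or d.endswith("." + brand_domain)

    senders = [d for d in (_domain(from_addr), _domain(envelope)) if d]
    return claims_brand and any(not on_brand(d) for d in senders)
```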
The domains were past the 5-day AGP so we're stuck with them. They remain in our cyber-gibbet as a cautionary tale. If you ever wind up on this page, it means whatever you were about to do, it would have ended badly:
12/12 EOM
