A few weeks ago we notice a pattern of new domain signups coming onto the system (we notice this because we manually inspect every single #bitcoin transaction that comes into the system):
2/12
They're all for new domains, different accounts, with the pattern XXsupportcare[dot]com, where XX is anything: 1 char, 2 chars, a word ("geek"), etc.
3/12
These obviously smell funny so we add the pattern to our prescreening filters to slam the brakes on any new ones coming on. When we look at the website, we're not seeing an obvious phish; it's just a nondescript generic page, asking for an input code:
4/12
So, we can't really take stuff down "because it smells funny" (company policy), but we start putting out inquiries via seclists and compiling the list of all the domains on the system (multiple domains added within a few hours).
5/12
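The prescreening filter described above, as an added example (not easyDNS's own code): it holds any signup matching the XXsupportcare.com shape for review and raises a campaign alert when several distinct accounts register such domains within a few hours of each other. The sample signups, account ids, timestamps and thresholds are constructed.

```python
"""Prescreen new domain signups for a lookalike-campaign pattern.

Added example (not easyDNS code): models the filter described in the
thread, flagging any '<anything>supportcare.com' registration and raising
a campaign alert when several distinct accounts register matching domains
within a few hours of each other. Sample signups are constructed.
"""
import re
from datetime import datetime, timedelta

# Pattern from the thread: XXsupportcare.com where XX is one or more characters.
SUSPECT_PATTERN = re.compile(r"^[a-z0-9-]+supportcare\.com$")

# Constructed sample signups: (domain, account id, registration time).
SIGNUPS = [
    ("example.com",         "acct-001", datetime(2021, 1, 4, 9, 0)),
    ("xsupportcare.com",    "acct-101", datetime(2021, 1, 4, 9, 10)),
    ("abcorp.net",          "acct-002", datetime(2021, 1, 4, 9, 30)),
    ("zqsupportcare.com",   "acct-102", datetime(2021, 1, 4, 10, 5)),
    ("geeksupportcare.com", "acct-103", datetime(2021, 1, 4, 11, 40)),
    ("supportcare.com",     "acct-003", datetime(2021, 1, 4, 12, 0)),  # no prefix: not a match
    ("nsupportcare.com",    "acct-104", datetime(2021, 1, 6, 8, 0)),   # matches, outside window
]

def matches_pattern(domain: str) -> bool:
    """True if the domain fits the '<prefix>supportcare.com' shape."""
    return SUSPECT_PATTERN.match(domain.lower()) is not None

def prescreen(signups, window=timedelta(hours=4), min_accounts=3):
    """Return (held_domains, campaign_alert).

    held_domains: every matching domain, in registration order, held for review.
    campaign_alert: True when at least `min_accounts` distinct accounts registered
    matching domains inside one `window`-long span; this is what separates a
    single odd name from a coordinated wave of signups.
    """
    hits = sorted((ts, dom, acct) for dom, acct, ts in signups if matches_pattern(dom))
    held = [dom for _, dom, _ in hits]
    alert = False
    for i, (start, _, _) in enumerate(hits):
        accounts = {acct for ts, _, acct in hits[i:] if ts - start <= window}
        if len(accounts) >= min_accounts:
            alert = True
            break
    return held, alert

if __name__ == "__main__":
    held, alert = prescreen(SIGNUPS)
    print("hold for review:", held)
    print("campaign alert:", alert)
```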
About a week and a half later, we get the first wave of complaints on a Saturday morning. On Friday night, the emails started going out telling people about a fake transaction on their PayPal account for various Big Box stores:
6/12
Simple habitual scans can help here: the "From" envelope is from a gmail address, but the email is ostensibly from PayPal, hmmmm.
7/12
The target calls the number ("Hey, waitaminute, I didn't order this") and the call agent will tell them their personal data has been hacked and used to open a fake @PayPal account... and here comes the scam:
8/12
Somehow this fake PayPal account withdrew your money from your real account, and they need you to go to this website (earlier tweet) to enter a reference code so that "they can unblock your IP".
9/12
Beyond that, our assumption is that it will prompt you to download malware to your computer.
These multi-variant attacks (email -> phone -> website) are well organized and the call agents rehearsed and on-script (we called them when we got one of their later iterations).
10/12
Of course, once we saw the first complaint, we terminated everything across all accounts as per our Plain English Terms of Service (easydns.com/terms).
11/12
The domains were past the 5-day AGP so we're stuck with them. They remain in our cyber-gibbet as a cautionary tale. If you ever wind up on this page, it means whatever you were about to do, it would have ended badly:
12/12 EOM