I'm playing with phishing infrastructure OPSEC topic, hunting gophish on shodan... and found this:
GoPhish servers hosted in Moscow, configurated with same, self-signed "PZU" certificate.
IPs are not resolving for any domain rn, but it might be backend. #gophish#phishing 1/x
2/x Another interesting thing is that for 2nd IP, the gophish management service is open for the world. emailAddress indicates that someone who deployed this gophish at least know popular Polish services. But take a look on the 'O' and 'OU', 'OOH'. Does this look familiar?
3/x 'OOH' was used as 'Organization' for domains registered in UNC1151 #ghostwriter phishing campaing.
This isn't indicator of course, but it's not usual organization name in SSL, as there are only 3 of them (3rd IP from screen is FP, I'm not into get censys query scheme)
4/x and guess what: 45.156.23[.]131 and 185.173.94[.]12 are also #gophish servers. accounts.safe-control[.]space resolves to 45.156.23[.]131. Multiple domains from the screenshot resolves to 185.173.94[.]12.
All of them refers to 'user or security verification', but...
5/x ...note the subdomains. 'Poczta' may refer both to emails or Polish Post, 'interia' is popular email service. But 'PIS' may refer to ruling Polish Political Party @pisorgpl or 'Państwowa Inspekcja Sanitarna', which translates to 'The State Sanitary Inspection'...
6/6 Domains are already down, however all of the listeners are still up, probably waiting for new domains...
Another interesting fact is that PZU is actually using Gophish for internal security awareness: