Jake | JCyberSec_ Profile picture
Nov 24, 2022 17 tweets 6 min read Read on X
⚠️UK police to send 70,000 SMS after taking down ispoof

The UK’s largest fraud operation has brought down a phone number spoofing and OTP capturing site - ispoof[.]cc📱

Full Details and Analysis in Thread⤵️🧵
🕵️UK law enforcement are now preparing to send 70,000 SMS messages to potential victims of the site

ispoof allowed controlling users to intercept OTP and Telepins of victims #⃣#⃣#⃣#⃣

💯This video was uploaded to the ispoof telegram channel and is beyond amazing!!! 😂🤣😂🤣
🔗Alleged site administrator Teejay Fletcher, 35, has been arrested and charged with making or supplying articles for use in fraud and for participating in the activities of an organised crime group

📸Here is the 'original' marketing video ispoof created...
💰ispoof was created in December 2020 and at its peak had 59,000 users, allowing them to pay for the criminal software using Bitcoin, with charges ranging from £150 to £5,000 per month💲
Threat actors paid a subscription to iSpoof.cc to use technology that let them appear as though they were phoning victims from banks such as Barclays, NatWest and Halifax🏦
Of 10 million fraudulent calls made, 40% were in the US🇺🇲, 35% were in the UK🇬🇧 and the rest were spread across other countries🗺️

So far 120 arrests have been made in the UK alone👮🚔
📱On Thursday and Friday, around 70,000 UK phone numbers called by criminals who used the site will be alerted by the Metropolitan Police via text message and asked to contact the force.

However, if a text message comes after that time, it will not be from the force❌
⚡Dutch law enforcement managed to inject a tap onto the website's servers in the Netherlands to intercept the phone calls allowing them to record the calls and recover numbers of incoming and outgoing calls📞
Analysis Time🔍

🔗Any LE action is positive. Disruption is key to preventing fraud and scams from taking over. Although this website has scammed a huge number of people and any actors not arrested after this action will just move to another spoofing service this is good to see👍🏼
📱I am worried about the SMS alerting, it's a great idea in concept but sending an SMS with a link is the same technique threat actors use.

Potentially an SMS alerting a victim and asking them to go to the site as opposed to adding a link might be a better technique🖥️
🕵️I can see this potentially being abused by fast thinking actors, although they only have 2 days to action their scam. However how many people will know that the police are only sending texts for 2 days?
🔥One other highly notable part of this reporting is the Dutch polices malware implant on the websites server. This is offensive blue teaming at its best💥
It's great to see law enforcement taking proactive steps to enrich their investigations by hijacking websites to gather evidence to take down key players as opposed to just taking down the domain name or host🚔
This is disruptive take downs and has multiple other places where this kind of deep action could take place. It's key moving forward to preventing fraud as opposed to playing whack-a-mole all the the with scammers 🔨
🌐The ispoof website is now sitting on IP 66.212.148.115 which also hosts a number of with seized websites controlled and taken down by LE such as z-lib[.]org, kickass[.]to and pfizermx[.]com🔍
I hope you learnt something from this thread 🎓

✅Follow me for more #Phishing News Analysis and the Latest #Phishing IoCs

Back to the top?
Thread by @JCyberSec_ on Thread Reader App threadreaderapp.com/thread/1595715…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jake | JCyberSec_

Jake | JCyberSec_ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JCyberSec_

Jul 19
Threat Actors using the global CrowdStrike outage to spin up new domains 🌐

👁️Keep an eye out for malware posing to 'fix' the issue
🔒Malicious phishing pages posing as a fixing site

#Phishing Image
IoCs for people to monitor:
/crowdstrikebluescreen.com
/crowdstrike0day.com
/crowdstrike-bsod.com
/crowdstrikedoomsday.com
/crowdstrikedoomsday.com
/crowdstrikefix.com
/crowdstrikedown.site
/crowdstriketoken.com
One site is a IT repair shop offering their services to help impacted companies. Image
Read 8 tweets
Jan 18
I got phished. Not a training phish a REAL #phishing site⚠️

I am a security expert but I still fell for it🫡

⛔️You shouldn't blame users everyone can get tricked.

Here is what happened....🧵⤵️
I was selling some items of clothes on Vinted👚

✉️I got an email from Vinted saying one of my items had been sold and to click here to process the order.

I clicked on the link without thinking and got to a page which asked for my card details💳 Image
Still no suspicion as I assumed Vinted would pay the money into this card account.💰 Image
Read 10 tweets
Mar 16, 2022
I have been able to capture #Flubots deployment code⚠️

🔍This code is used on websites when a victim attempts to download the malicious APK

Here is what I found ⤵️

1/n
The code is a single php file with 330 lines...

However after removing hundreds of new lines and padding to 'hide' the code

We are left with this...
My eyes are immediately drawn to the large data blob in the code 👀

Now the first task is to remove some of the obfuscation to understand what is happening here...
Read 15 tweets
Dec 1, 2021
Announcing KIT Intel 📣

🎉A Phishing Kit Intelligence Platform

“Understand the threat actors' playbook and capabilities”

#KITIntel

🧵 THREAD ⤵️
KIT Intel is a tool for phishing kit research...at scale.

📁 Upload, Analyze, Cluster, and Research phishing kits like never before.
🔎 Phishing kits are a wealth of untapped intelligence.

If you deal with phishing you need this tool in your arsenal 👈

KIT Intel gives you the ability to hunt, pivot, and discover new phishing kit activity across our full dataset.
Read 17 tweets
Nov 19, 2021
So you want to learn about phishing kits 🧑‍🎓

🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️

Retweets are appreciated ♻️

🔍Follow me for more #phishing intelligence @Jcybersec_
📁What is a phishing kit?

When a threat actor wants to create a phishing page they will create the page on their own machine.
Zipping it up 🤐
And then putting this zip on a website to then deploy 🌐
🥷Building threat actors create these kits and sell them to other threat actors 💰

Deploying / Controlling threat actors put the kits online and then extract the content to instantly upload a working phishing site 🦹
Read 21 tweets
May 29, 2020
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊

The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲

<THREAD>

#phishing #security #cyber Image
There is a total of 433 victims data analyzed in the research; however, not all fields were submitted or valid so total data ranges will vary throughout. Image
Chart 1 - Age of impacted victims 🎂

The year of birth for the victims with the most impacted being aged between 21-30yrs old. Notably it is not just elderly people who get impacted by phishing which is often assumed.

The second most impacted are victims aged 31-40yrs old. Image
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(