⚠️UK police to send 70,000 SMS after taking down ispoof

The UK’s largest fraud operation has brought down a phone number spoofing and OTP capturing site - ispoof[.]cc📱

Full Details and Analysis in Thread⤵️🧵
🕵️UK law enforcement are now preparing to send 70,000 SMS messages to potential victims of the site

ispoof allowed controlling users to intercept OTP and Telepins of victims #⃣#⃣#⃣#⃣

💯This video was uploaded to the ispoof telegram channel and is beyond amazing!!! 😂🤣😂🤣
🔗Alleged site administrator Teejay Fletcher, 35, has been arrested and charged with making or supplying articles for use in fraud and for participating in the activities of an organised crime group

📸Here is the 'original' marketing video ispoof created...
💰ispoof was created in December 2020 and at its peak had 59,000 users, allowing them to pay for the criminal software using Bitcoin, with charges ranging from £150 to £5,000 per month💲
Threat actors paid a subscription to iSpoof.cc to use technology that let them appear as though they were phoning victims from banks such as Barclays, NatWest and Halifax🏦
Of 10 million fraudulent calls made, 40% were in the US🇺🇲, 35% were in the UK🇬🇧 and the rest were spread across other countries🗺️

So far 120 arrests have been made in the UK alone👮🚔
📱On Thursday and Friday, around 70,000 UK phone numbers called by criminals who used the site will be alerted by the Metropolitan Police via text message and asked to contact the force.

However, if a text message comes after that time, it will not be from the force❌
⚡Dutch law enforcement managed to inject a tap onto the website's servers in the Netherlands to intercept the phone calls allowing them to record the calls and recover numbers of incoming and outgoing calls📞
Analysis Time🔍

🔗Any LE action is positive. Disruption is key to preventing fraud and scams from taking over. Although this website has scammed a huge number of people and any actors not arrested after this action will just move to another spoofing service this is good to see👍🏼
📱I am worried about the SMS alerting, it's a great idea in concept but sending an SMS with a link is the same technique threat actors use.

Potentially an SMS alerting a victim and asking them to go to the site as opposed to adding a link might be a better technique🖥️
🕵️I can see this potentially being abused by fast thinking actors, although they only have 2 days to action their scam. However how many people will know that the police are only sending texts for 2 days?
🔥One other highly notable part of this reporting is the Dutch polices malware implant on the websites server. This is offensive blue teaming at its best💥
It's great to see law enforcement taking proactive steps to enrich their investigations by hijacking websites to gather evidence to take down key players as opposed to just taking down the domain name or host🚔
This is disruptive take downs and has multiple other places where this kind of deep action could take place. It's key moving forward to preventing fraud as opposed to playing whack-a-mole all the the with scammers 🔨
🌐The ispoof website is now sitting on IP which also hosts a number of with seized websites controlled and taken down by LE such as z-lib[.]org, kickass[.]to and pfizermx[.]com🔍
I hope you learnt something from this thread 🎓

✅Follow me for more #Phishing News Analysis and the Latest #Phishing IoCs

Back to the top?
Thread by @JCyberSec_ on Thread Reader App threadreaderapp.com/thread/1595715…

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Jake | JCyberSec_

Jake | JCyberSec_ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @JCyberSec_

Mar 16
I have been able to capture #Flubots deployment code⚠️

🔍This code is used on websites when a victim attempts to download the malicious APK

Here is what I found ⤵️

The code is a single php file with 330 lines...

However after removing hundreds of new lines and padding to 'hide' the code

We are left with this...
My eyes are immediately drawn to the large data blob in the code 👀

Now the first task is to remove some of the obfuscation to understand what is happening here...
Read 15 tweets
Dec 1, 2021
Announcing KIT Intel 📣

🎉A Phishing Kit Intelligence Platform

“Understand the threat actors' playbook and capabilities”


KIT Intel is a tool for phishing kit research...at scale.

📁 Upload, Analyze, Cluster, and Research phishing kits like never before.
🔎 Phishing kits are a wealth of untapped intelligence.

If you deal with phishing you need this tool in your arsenal 👈

KIT Intel gives you the ability to hunt, pivot, and discover new phishing kit activity across our full dataset.
Read 17 tweets
Nov 19, 2021
So you want to learn about phishing kits 🧑‍🎓

🧵 In this thread I will highlight threat hunting skills and IoCs within phishing kits to look for ⤵️

Retweets are appreciated ♻️

🔍Follow me for more #phishing intelligence @Jcybersec_
📁What is a phishing kit?

When a threat actor wants to create a phishing page they will create the page on their own machine.
Zipping it up 🤐
And then putting this zip on a website to then deploy 🌐
🥷Building threat actors create these kits and sell them to other threat actors 💰

Deploying / Controlling threat actors put the kits online and then extract the content to instantly upload a working phishing site 🦹
Read 21 tweets
May 29, 2020
Phishing data analysis can provide an insight into victims and discreet campaign targeting tactics.📊

The following data has been extracted from multiple campaigns from the same SMS based phishing campaign targeting UK victims.📲


#phishing #security #cyber Image
There is a total of 433 victims data analyzed in the research; however, not all fields were submitted or valid so total data ranges will vary throughout. Image
Chart 1 - Age of impacted victims 🎂

The year of birth for the victims with the most impacted being aged between 21-30yrs old. Notably it is not just elderly people who get impacted by phishing which is often assumed.

The second most impacted are victims aged 31-40yrs old. Image
Read 12 tweets
Apr 30, 2020
:: 16Shop Intelligence Thread ::

#16Shop is a prolific and one of the first #Phishing-as-a-Service (PaaS) offerings.

⚠️This is an intelligence thread on notable elements of the kit, the operation, how to test and detect the scam.

16Shop was initially detected in the wild in late 2017 by McAfee security researchers, this kit was using an Apple theme. 🖥️

Initially access to the kit was sold on Facebook 💰
The user selling 16Shop access was part of a group who are attributed as being the creators and main operators of 16Shop know as "Indonesian Cyber Army"💀
Read 14 tweets
Dec 3, 2019
:: Magecart Hunting Thread ::

This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵

♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.

A brief overview of Magecart.

Magecart is an umbrella term for the technique of injecting JavaScript to steal credit card numbers on E-commerce sites. A number of actors/groups operate under the same term implanting JavaScript onto checkout pages all over the world.
To get started we need a foothold.
I have a hunt running looking for a known Magecart hash.

This morning a new site hit the search, looking at the site I then used the filename as a pivot. The filename which is infected with Magecart is "jquery_noconflict.js"
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!