home.social

#netcraftconfirmsit — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #netcraftconfirmsit, aggregated by home.social.

  1. And I just wanted to give a quick shoutout to our engineering team for noticing this bizarre trick that all of the #phishing pages do that we connect to this #LoggerEIO group.

    The phishing kit in use has several pages that the victims are expected to click through. As one enters information onto the first page, then clicks a Continue button, the browser initiates a WebSocket connection with the server, and transmits the data inside of that WebSocket connection.

    It isn't exactly encryption, but more obfuscation: The compression, while reversible, does have the effect of obfuscating the content of the exfiltrated data. That little bit of effort might prevent a Data Loss Prevention (DLP) tool from recognizing outbound sensitive data before it's too late.

    And the reason we call them #LoggerEIO is because all of the sites that Netcraft connects to this campaign do this on the same URI string: The page makes a connection to the path /logger/?EIO=4&transport=websocket in its GET request - only when the victim sends the data.

    /6

    #smishing #phishing #NetcraftConfirmsIt #Netcraft #threatresearch #WebSocket
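Added detection example (not code from the thread or from Netcraft): it scans constructed proxy log lines for the /logger/?EIO=4&transport=websocket handshake the post describes, matching the parameters in any order while ignoring ordinary Socket.IO traffic on other paths. The log format and hostnames are assumptions.

```python
"""Detection helper for the #LoggerEIO WebSocket exfiltration pattern.

Added example, not from the original thread. Parses constructed proxy log
lines and flags GET requests whose path is the /logger/ Engine.IO v4
handshake described in the post. Hostnames are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path and query from the post: the kit opens its WebSocket to /logger/
# using Engine.IO v4 handshake parameters (EIO=4&transport=websocket).
LOGGER_PATH = "/logger/"
ENGINEIO_PARAMS = {"EIO": "4", "transport": "websocket"}

# Constructed sample proxy log (not real indicators):
# client_ip [timestamp] method url status
SAMPLE_LOG = """\
10.0.0.5 [2024-11-07T10:01:02Z] GET https://tax-refund-example.invalid/ 200
10.0.0.5 [2024-11-07T10:01:30Z] GET https://tax-refund-example.invalid/logger/?EIO=4&transport=websocket 101
10.0.0.7 [2024-11-07T10:02:11Z] GET https://chat.example-corp.invalid/socket.io/?EIO=4&transport=websocket 101
10.0.0.9 [2024-11-07T10:03:45Z] GET https://toll-pay-example.invalid/logger/?transport=websocket&EIO=4 101
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_loggereio_handshake(url: str) -> bool:
    """True if url is the /logger/ Engine.IO WebSocket handshake, any parameter order."""
    parts = urlsplit(url)
    if parts.path != LOGGER_PATH:
        return False
    qs = parse_qs(parts.query)
    return all(qs.get(k) == [v] for k, v in ENGINEIO_PARAMS.items())


def find_exfil_handshakes(log_text: str) -> list[dict]:
    """Return matching records; status 101 means the server accepted the upgrade."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        rec = m.groupdict()
        if rec["method"] == "GET" and is_loggereio_handshake(rec["url"]):
            rec["host"] = urlsplit(rec["url"]).hostname
            rec["upgraded"] = rec["status"] == "101"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_exfil_handshakes(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} -> {h['host']} upgraded={h['upgraded']}")
```

Because the exfiltrated form data is carried inside the WebSocket frames rather than the HTTP request, the handshake URL is the last point where a URL-based control can see it; pair this with a lookup of the host's registration age.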

  2. Germany was not the only non-US country represented in the #LoggerEIO #smishing attack (so far).

    There was one version of a page claiming to be the Spanish highway authority, Dirección General del Tráfico (DGT), that warns you that you owe a 100 Euro fine (multa) for some kind of driving infraction you committed, which must be paid within 24 hours.

    More recently, I spotted a flood of pages that claim to be from the UK government's Winter Fuel Payment program. The real program helps impoverished people not freeze to death in winter by subsidizing the high cost of heating. But this page simply wants your credit card to "test" charge your card for £1 on the promise that you'll get up to £300.

    /5

    #smishing #phishing #roadtoll #HighwayRobbery #WinterFuelPayment #UK #spain #espana #Netcraft #NetcraftConfirmsIt #NetcraftResearch #Germany

  3. Having recently returned from a trip to #Germany, where I spoke at #VirusBulletin, I have become more familiar with the appearance of some German government operated websites.

    The Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, is also represented in these #TaxScam #phishing pages.

    Bizarrely, #LoggerEIO have decided to clone the template of one of the US-themed versions of the #smishing page which prominently features a banner image of a US form #1040 #tax return, and the corner of a $20 bill, neither of which (I suspect) the #BZSt use for tax filing in that country.

    Whoopsie! Or, as my German friends might say, Hoppla!

    /4

    #smishing #phishing #netcraft #NetcraftConfirmsIt #Oops

  4. In this #scam, the #smishing message informs you that you are owed a reimbursement or refund on overpaid state taxes. The #LoggerEIO group seems to have latched on to the idea of using individual states as the lure, rather than the federal #IRS, which is an interesting choice.

    In the pages I looked at, the following states were represented with custom #phishing pages that use the same stylesheet, color scheme, and logos of the state tax agency they're impersonating.

    Targeted states include Alabama, California, Connecticut, Delaware, Florida, Maryland, Massachusetts, Michigan, Minnesota, Montana, New Jersey, New York, Ohio, Texas, Tennessee, Washington, and Wisconsin.

    /3

    #smishing #netcraft #NetcraftConfirmsIt #taxrefund #taxrefundscam

  5. First of all, this seems to be part of a much wider #smishing campaign that people are more familiar with: Fake road toll collection #scams

    These have been a nuisance all year, and some of the sites hosting the same #phishing kit appear to be using that same ruse, simultaneously with the new one.

    Did you get a message telling you that you owe $6.99 (or $6.69 - nice) in tolls? Probably part of this larger network of scammers.

    Note how they have expanded to a variety of different locales: the City of Los Angeles, Seattle, Columbus (Ohio), and even the Canadian province of Ontario are all reflected, as well as the E-ZPass and SunPass multi-state toll payment systems, which together cover most of the US states that operate toll roads.

    /2

    #phishing #fraud #roadtoll #tollscams #netcraft #NetcraftConfirmsIt #EZPass #SunPass

  6. Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about... #smishing for tax refunds.

    Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.

    They're now up to more than 850 domains registered, with thousands of websites in use (using a variety of subdomains) that dangle the prospect of a refund of state income tax overpayments as a lure.

    Here's a quick 🧵 about it.

    netcraft.com/blog/taxpayers-dr

    #ThreatResearch #NetcraftConfirmsIt #Netcraft