Tag: Phishing
[SANS ISC] Adaptive Phishing Kit
I published the following diary on isc.sans.org: “Adaptive Phishing Kit“: Phishing kits are everywhere! If your server is compromised today, there is a good chance that it will be used to mine cryptocurrency, to deliver malware payloads or to host a phishing kit. Phishing remains a common attack scenario to collect valid
[SANS ISC] Phishing Kit (Ab)Using Cloud Services
I published the following diary on isc.sans.org: “Phishing Kit (Ab)Using Cloud Services“: When you build a phishing kit, there are several critical points to address. You must generate a nice-looking page that matches the original one as closely as possible, and you must work stealthily to avoid being blocked
Who’s Blocked by Bad Guys?
Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, they deploy a .htaccess file to achieve this. Today, I found a phishing kit related to a bank (ANZ) with such
[SANS ISC] Analysis of a Paypal phishing kit
I published the following diary on isc.sans.org: “Analysis of a Paypal phishing kit“. There are plenty of phishing kits in the wild that try to lure victims into providing their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes, the web server isn’t
[SANS ISC] Phishing Campaigns Follow Trends
I published the following diary on isc.sans.org: “Phishing Campaigns Follow Trends“. Those phishing emails that we receive every day in our mailboxes are often related to key players in different fields (…) But the landscape of online services is ever changing and new actors (and more precisely their customers) become
Who’s Visiting the Phishing Site?
Today, while hunting, I found a malicious HTML page in my spam trap. The page was a fake JP Morgan Chase bank page. Nothing fancy. When I find such material, I usually search for “POST” HTTP requests to collect URLs and visit the websites that receive the victim’s data. As usual, the
Archive.org Abused to Deliver Phishing Pages
The Internet Archive is a well-known website, known more precisely for its “WaybackMachine” service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262, which makes it a “popular and trusted” website. Indeed, as I explained in a recent SANS ISC diary, whitelists
[SANS ISC] Logical & Physical Security Correlation
I published the following diary on isc.sans.org: “Logical & Physical Security Correlation“. Today, I would like to review an example of how we can improve our daily security operations or, for our users, how to help in detecting suspicious content. Last week, I received the following email in my corporate mailbox.
[SANS ISC] Nicely Obfuscated JavaScript Sample
I published the following diary on isc.sans.org: “Nicely Obfuscated JavaScript Sample“. One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. Looking at the file manually, it is heavily obfuscated and the payload
[SANS ISC Diary] Quick Analysis of Data Left Available by Attackers
I published the following diary on isc.sans.org: “Quick Analysis of Data Left Available by Attackers“. While hunting for interesting cases, I found the following phishing email mimicking a UPS delivery notification…