Seattle Computer Repair by Emerald City IT
enardeitjaptrues

(206) 657-6685

Spear Phishing Handlers for Username/Password, (Sat, Feb 18th)

Details
Support Field: Computer Repair and Tech Support
Support Category: Virus, Spyware, & Malware Removal

Reviewing my ISC mail inbox, I noticed that I had been receiving multiple phishing email that were very similar. Putting my cursor over each embedded pictures, I noticed the domain involved was the same for all of them. I copied the URL and started checking around for known threat intel on ipfs[.]io against various sites and found on urlscan.io [1], there was over 10000+ samples listed.

email_cursor_ipfs_io Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

All these emails are asking the recipient to login to capture email address and password and the entries are Secured by Norton!

Login_email1 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA


First Email (Received 2 copies with the same URL)
https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#handlers@isc.sans.edu

phish_email1 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Second Email
https://ipfs[.]io/ipfs/QmaU5FjjeFiDzWs2s6gZ5SyPqL2wvQa2652LHPb3d1U3XC?filename=QUPG%20WGWG%20WDOUH%20UDGW%20URZ%20PKDB%20UKLM.htm#handlers@isc.sans.edu

phish_email2 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Third Email

https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#handlers@isc.sans.edu

phish_email3 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Indicator

ipfs[.]io

Final Word

Last, a blog post by Lance Spitzner published on the 13 Feb 2023 about "Phishing - It's No Longer About Malware (or Even Email)" [5] highlight some of the changes on the phishing goals and some of the common indicators worth reading including two indicators are no longer recommended: misspellings and hovering of the link "except for highly technical audiences. One problem with this method is that you have to teach people how to decode a URL, which can be a confusing, time consuming, and technical skill."[5]

[1] https://urlscan.io/search/#page.domain%3Aipfs.io
[2] https://www.virustotal.com/gui/url/2c8a881b916d2396ff68ed18c41a6b8a13ba8e869de65d87a23b869a95fd0c63?nocache=1
[3] https://www.virustotal.com/gui/domain/ipfs.io/detection
[4] https://cybergordon.com/result.html?id=12ef23f1-a775-4619-81ec-c7aaaae7e4a4
[5] https://www.sans.org/blog/phishing-its-no-longer-about-malware-or-even-email/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Reviewing my ISC mail inbox, I noticed that I had been receiving multiple phishing email that were very similar. Putting my cursor over each embedded pictures, I noticed the domain involved was the same for all of them. I copied the URL and started checking around for known threat intel on ipfs[.]io against various sites and found on urlscan.io [1], there was over 10000+ samples listed.

email_cursor_ipfs_io Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

All these emails are asking the recipient to login to capture email address and password and the entries are Secured by Norton!

Login_email1 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA


First Email (Received 2 copies with the same URL)
https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#handlers@isc.sans.edu

phish_email1 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Second Email
https://ipfs[.]io/ipfs/QmaU5FjjeFiDzWs2s6gZ5SyPqL2wvQa2652LHPb3d1U3XC?filename=QUPG%20WGWG%20WDOUH%20UDGW%20URZ%20PKDB%20UKLM.htm#handlers@isc.sans.edu

phish_email2 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Third Email

https://ipfs[.]io/ipfs/Qma2GtsUgbKKCxnLNjZv8euBKM1BK7Y48zX3BBjUQqpc26?filename=OWGH%20PIU1%20PJHMD%20QHGK%20UUG%20QGUP%20WPOKG.htm#handlers@isc.sans.edu

phish_email3 Spear Phishing Handlers for Username/Password, (Sat, Feb 18th) | Computer Repair, Networking, and IT Support in Seattle, WA

Indicator

ipfs[.]io

Final Word

Last, a blog post by Lance Spitzner published on the 13 Feb 2023 about "Phishing - It's No Longer About Malware (or Even Email)" [5] highlight some of the changes on the phishing goals and some of the common indicators worth reading including two indicators are no longer recommended: misspellings and hovering of the link "except for highly technical audiences. One problem with this method is that you have to teach people how to decode a URL, which can be a confusing, time consuming, and technical skill."[5]

[1] https://urlscan.io/search/#page.domain%3Aipfs.io
[2] https://www.virustotal.com/gui/url/2c8a881b916d2396ff68ed18c41a6b8a13ba8e869de65d87a23b869a95fd0c63?nocache=1
[3] https://www.virustotal.com/gui/domain/ipfs.io/detection
[4] https://cybergordon.com/result.html?id=12ef23f1-a775-4619-81ec-c7aaaae7e4a4
[5] https://www.sans.org/blog/phishing-its-no-longer-about-malware-or-even-email/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu