Rewterz Threat Alert – List of Active Phishing Sites

Severity

Medium

Analysis Summary

Threat actors are actively making phishing sites to rob users off from their important data and steal personal and financial information for their gain. This has been an ongoing process by the threat actors to gather personal information using deceptive e-mails and websites. Attackers are targeting victims with malicious sites that masquerade well known platforms like paypal, amazon, apple etc..Successful phishing attack could lead to credentials theft, account compromise and financial loss.

Impact

• Credentials theft
• Account compromise
• Financial loss
• Exposure of sensitive data

Indicators of Compromise

URL

• http[:]//freepaypallogin53[.]biz/
• http[:]//facebookes[.]xyz/
• http[:]//hmrc[.]secure-rebate[.]uk/
• http[:]//myapple[.]cfbx[.]jp/
• http[:]//paypal-com-securityserviceaccount[.]yakinsemuaberubah[.]com/
• http[:]//update-payment-revesion-paypal[.]giize[.]com/
• http[:]//allow-secureforamazon-feedback[.]asyantigetshop[.]com/
• http[:]//paypal-limited-user-service[.]giize[.]com/
• http[:]//app2-redirect-amazon-login[.]duckdns[.]org/
• http[:]//appletaxisgatwick[.]co[.]uk/
• http[:]//billing-update[.]kozow[.]com/
• http[:]//billing[.]3dsecure[.]uk/
• http[:]//paypal[.]3dsecure[.]uk/
• http[:]//paypal1active[.]myftp[.]org/
• http[:]//facebook[.]com[.]cdn-c[.]xyz/
• http[:]//mghw-amazonservis9k[.]servebeer[.]com/
• http[:]//service-tempcovid-amazon[.]giize[.]com/
• http[:]//paypal-verification[.]applmanager[.]com/
• http[:]//secure-billing[.]giize[.]com/
• http[:]//primeamazonid[.]giize[.]com/
• http[:]//appleid[.]apple[.]com-verifyacayf8432hrufjnnaiklj[.]memekajgbgsd05[.]com/
• http[:]//cvkw-amazonservis9k[.]servebeer[.]com/
• http[:]//secure[.]paypal[.]com-login-overview[.]elayti[.]com/
• http[:]//secure[.]paypal[.]login-overview[.]dashboard[.]elayti[.]com/
• http[:]//fitwitter[.]com/
• http[:]//secure-paypalaccountverification[.]com/
• http[:]//web-loginsecureamazonserviceacc[.]ooguy[.]com/
• http[:]//eebillingupdates[.]com/
• http[:]//page[.]cgi[.]verification[.]amazon[.]billing-problem[.]info/
• http[:]//littleamazon[.]lukewendt[.]a2hosted[.]com/
• http[:]//paypalmanagementsecurity[.]com/
• http[:]//apple[.]com-ios[.]icu/
• http[:]//webmail-manageserviceaccount-amazonservice[.]giize[.]com/
• http[:]//steamcs-store[.]info/
• http[:]//page[.]cgi[.]verification[.]amazon[.]billing-problem[.]co/
• http[:]//m[.]facebook[.]loginsecureaccount[.]ro/
• http[:]//instagramfromsupport[.]tk/
• http[:]//prch-amazon[.]terms[.]login-auth[.]htsa8237[.]gbrvr[.]com/
• http[:]//webmail-customerserviceaccount-amazonsupport[.]giize[.]com/
• http[:]//apple[.]security[.]account[.]securezappappslogin[.]com/
• http[:]//appleid[.]apple[.]security[.]account[.]securezappappslogin[.]com/
• http[:]//supporthelpinstagram[.]ml/
• http[:]//facebookupdate[.]driverhunter[.]com/
• http[:]//signin[.]amazon[.]supportverificationcenter[.]pdanvd[.]com/
• http[:]//page[.]verification[.]amazon[.]account-update[.]center/
• http[:]//amazon[.]com-systemretry[.]com[.]lockedaccount[.]repair[.]tlsestado[.]xyz/
• http[:]//amazonkpbosb[.]top/
• http[:]//secure[.]pay[.]appleld[.]com[.]apvsregiaodoslagos[.]com/

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about links/attachments sent by unknown senders.
• Never click on links/attachments sent by unknown senders.