The weekly haul: share your latest finds

Welcome to the weekly haul, where every week we’ll be sharing some of the new phishing campaigns found by the Phish Report team.

I’d love to see what you’ve got too. Whether it’s a site using a crafty technique you’ve not seen before, or just hilariously badly coded, let’s see what you’ve found!

1 Like

Fake for-sale page “domina”

Does this look familiar? There’s thousands of results on urlscan.io for this page, all for domains relating to postal services.

But it’s actually just a template: Domina - Domain For Sale & Auction Plugin by ThemeAtelier | CodeCanyon. If you instead load the site using a mobile browser, you get the phishing site.

There’s way too many of these sites to all be run by the same person so I reckon this is a phishing kit for sale. If anyone finds a copy, I’d love to see it!

1 Like

LiteSpeed “Bot Verification”

LiteSpeed is a popular open source webserver which in version 5.4 (2019) added built-in support for reCAPTCHA:

In the last few months there’s been a huge increase in the use of this by phishers to protect their phishing sites from scanners:


(results from urlscan.io: Search - urlscan.io)

Using reCAPTCHA to protect phishing sites isn’t new, but this LiteSpeed page causes problems for detection because all pages have identical HTML (whereas with other CAPTCHA systems each phisher would construct their own page and hence it was easier to distinguish specific actors/campaigns).

At the moment, the best way we’ve found to track threat actors is based on the reCAPTCHA API key they’re using.

2 Likes
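
The site-key tracking described in the post above, as an added example (not part of the original thread and not Phish Report's tooling): it pulls reCAPTCHA site keys out of saved page HTML and groups hostnames by key. The three embedding forms matched are standard reCAPTCHA conventions; that the LiteSpeed page uses one of them is an assumption, and the keys, hostnames and HTML below are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Standard ways a reCAPTCHA site key (40 chars of [A-Za-z0-9_-]) is embedded.
# Assumption: the page being tracked uses at least one of these forms.
SITEKEY_PATTERNS = [
    re.compile(r"""data-sitekey\s*=\s*["']([\w-]{40})["']""", re.I),
    re.compile(r"""["']?sitekey["']?\s*:\s*["']([\w-]{40})["']""", re.I),
    re.compile(r"""recaptcha/api\.js\?[^"']*\brender=([\w-]{40})(?=[&"'])"""),
]

def extract_sitekeys(html):
    """Return the set of reCAPTCHA site keys found in one page's HTML."""
    keys = set()
    for pattern in SITEKEY_PATTERNS:
        keys.update(pattern.findall(html))
    return keys

def cluster_by_sitekey(pages):
    """pages: iterable of (url, html). Returns {site key: sorted hostnames}."""
    clusters = defaultdict(set)
    for url, html in pages:
        for key in extract_sitekeys(html):
            clusters[key].add(urlsplit(url).hostname)
    return {key: sorted(hosts) for key, hosts in clusters.items()}

# Constructed placeholder keys and pages (not real keys or real sites).
KEY_A = "6L" + "A" * 38
KEY_B = "6L" + "b" * 36 + "_-"
SAMPLE_PAGES = [
    ("https://post-track.example/",
     f'<div class="g-recaptcha" data-sitekey="{KEY_A}"></div>'),
    ("https://parcel-fee.example/verify",
     f"<script>grecaptcha.render('box', {{'sitekey': '{KEY_A}'}});</script>"),
    ("https://login-portal.example/",
     f'<script src="https://www.google.com/recaptcha/api.js?render={KEY_B}"></script>'),
    # render=explicit is a loading mode, not a key, so this page yields nothing
    ("https://shop.example/",
     '<script src="https://www.google.com/recaptcha/api.js?render=explicit"></script>'),
]

if __name__ == "__main__":
    for key, hosts in cluster_by_sitekey(SAMPLE_PAGES).items():
        print(key, hosts)
```

Hosts that share a key end up in one cluster even when the challenge page HTML is byte-for-byte identical across them.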

console-ban

Phishers try to make life difficult for defenders and one thing they can do to annoy us is blocking the use of browser developer tools.

There’s many ways to do this, but the console-ban NPM package is one we’ve seen used on a number of phishing sites: console-ban - npm

A phishing kit author simply needs to put code like this into their JavaScript, and when the developer tools are opened you’ll be redirected away from the phishing site:

import { init } from 'console-ban'

// Redirect the visitor to another site when developer tools are opened
init({
  redirect: 'https://google.com'
})

Many legitimate sites also use this package so it’s far from a guarantee that a site is malicious, but there’s a ton of phishing to be found here: Search - urlscan.io

1 Like