Welcome to the weekly haul where every week we’ll be sharing some of the new phishing campaigns found by the Phish Report team.
I’d love to see what you’ve got too. Whether it’s a site using a crafty technique you’ve not seen before, or just hilariously badly coded, let’s see what you’ve found!
Fake for-sale page “domina”
Does this look familiar? There are thousands of results on urlscan.io for this page, all for domains relating to postal services.
But it's actually just a template: Domina - Domain For Sale & Auction Plugin by ThemeAtelier | CodeCanyon. If you instead load the site using a mobile browser, you get the phishing site.
There are way too many of these sites to all be run by the same person, so I reckon this is a phishing kit for sale. If anyone finds a copy, I’d love to see it!
LiteSpeed “Bot Verification”
LiteSpeed is a popular open source webserver which in version 5.4 (2019) added built-in support for reCAPTCHA:
In the last few months there’s been a huge increase in phishers using this to protect their phishing sites from scanners (results from a urlscan.io search).
Using reCAPTCHA to protect phishing sites isn’t new, but this LiteSpeed page causes problems for detection because all pages have identical HTML (whereas with other CAPTCHA systems each phisher would construct their own page and hence it was easier to distinguish specific actors/campaigns).
At the moment, the best way we’ve found to track threat actors is based on the reCAPTCHA API key they’re using.
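One way to do that grouping over saved page bodies, as an added example that is not Phish Report's own tooling: it extracts the reCAPTCHA site key using the three standard embedding forms and clusters hosts by key. The sample HTML, hostnames and keys are constructed, and the 40-character "6L" key shape is an assumption; the real LiteSpeed page markup is not reproduced here.

```python
import re
from collections import defaultdict

# Site keys are public values embedded in the page. Assumption: 40 characters
# starting with "6L", the shape reCAPTCHA site keys commonly have.
KEY = r"(6L[0-9A-Za-z_-]{38})"
PATTERNS = [
    re.compile(r"data-sitekey\s*=\s*[\"']" + KEY + r"[\"']"),         # widget attribute
    re.compile(r"[\"']?sitekey[\"']?\s*:\s*[\"']" + KEY + r"[\"']"),  # grecaptcha.render({...})
    re.compile(r"recaptcha/api\.js\?[^\"']*\brender=" + KEY),         # v3 script URL
]

def extract_site_keys(html):
    """Return the set of reCAPTCHA site keys found in one page body."""
    keys = set()
    for pattern in PATTERNS:
        keys.update(pattern.findall(html))
    return keys

def cluster_by_site_key(pages):
    """Map site key -> sorted hostnames whose page embeds that key."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        for key in extract_site_keys(html):
            clusters[key].add(host)
    return {key: sorted(hosts) for key, hosts in clusters.items()}

# Constructed placeholder keys and pages (not real keys, not real sites).
KEY_A = "6L" + "A" * 38
KEY_B = "6L" + "B" * 38
SAMPLE_PAGES = {
    "post-track.example": f'<div class="g-recaptcha" data-sitekey="{KEY_A}"></div>',
    "parcel-fee.example": f"<script>grecaptcha.render('c', {{'sitekey': '{KEY_A}'}});</script>",
    "redelivery.example": f'<script src="https://www.google.com/recaptcha/api.js?render={KEY_B}"></script>',
    # render=explicit is a loader option, not a key, and must not be matched
    "no-key.example": '<script src="https://www.google.com/recaptcha/api.js?render=explicit"></script>',
}

if __name__ == "__main__":
    for key, hosts in cluster_by_site_key(SAMPLE_PAGES).items():
        print(f"{key[:8]}... used by {len(hosts)} host(s): {', '.join(hosts)}")
```

Hosts that share a key end up in one cluster even though their verification pages are byte-for-byte identical otherwise.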