Miteru – An Experimental Phishing Kit Detection Tool

Miteru is an experimental phishing kit detection tool.

How it works

It collects phishy URLs from the following feeds:

- CertStream-Suspicious feed via urlscan.io
- OpenPhish feed via urlscan.io
- PhishTank feed via urlscan.io
- Ayashige feed

It then checks whether each phishy URL enables directory listing and contains a phishing kit (compressed file) or not.

Note: compressed file = *.zip, *.rar, *.7z, *.tar and *.gz.

Features

- Phishing kit detection & collection.
- Slack notification.
- Threading.

Installation

    $ gem install miteru

Usage

    $ miteru
    Commands:
      miteru execute         # Execute the crawler
      miteru help [COMMAND]  # Describe available commands or one specific command

    $ miteru help execute
    Usage:
      miteru execute

    Options:
      [--auto-download], [--no-auto-download]              # Enable or disable auto-download of phishing kits
      [--directory-traveling], [--no-directory-traveling]  # Enable or disable directory traveling
      [--download-to=DOWNLOAD_TO]                          # Directory to download file(s)
                                                           # Default: /tmp
      [--post-to-slack], [--no-post-to-slack]              # Post a message to Slack if it detects a phishing kit
      [--size=N]                                           # Number of urlscan.io's results. (Max: 10,000)
                                                           # Default: 100
      [--threads=N]                                        # Number of threads to use
                                                           # Default: 10
      [--verbose], [--no-verbose]                          # Default: true

Execute the crawler:

    $ miteru execute
    …
    https://dummy1.com: it doesn't contain a phishing kit.
    https://dummy2.com: it doesn't contain a phishing kit.
    https://dummy3.com: it doesn't contain a phishing kit.
    https://dummy4.com: it might contain a phishing kit (dummy.zip).

Using Docker (alternative if you don't install Ruby)

    $ git clone https://github.com/ninoseki/miteru.git
    $ cd miteru/docker
    $ docker build -t miteru .
    $ docker run miteru
    # ex. auto-download detected phishing kit(s) into the host machine's /tmp directory
    $ docker run -v /tmp:/tmp miteru execute --auto-download

asciinema cast

Note

To use the --post-to-slack feature, you should set the following environment variables:

- SLACK_WEBHOOK_URL: Your Slack Webhook URL.
- SLACK_CHANNEL: Slack channel to post a message (default: "#general").

Alternatives

- t4d/StalkPhish: The Phishing kits stalker, harvesting phishing kits for investigations.
- duo-labs/phish-collect: Python script to hunt phishing kits.
- leunammejii/analyst_arsenal: A tool belt for analysts to continue fighting the good fight.

Download Miteru
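As an added example (not Miteru's own code), the following Ruby block shows the check the README describes: given a phishy URL and the HTML it served, decide whether the page is a directory listing and whether that listing links to a compressed file with one of the extensions listed above. The directory-listing heuristic (an "Index of /" title, as emitted by Apache mod_autoindex and nginx autoindex), the sample pages and the dummy hostnames are constructed for this example; the verdict strings mirror the `miteru execute` output shown above.

```ruby
require "uri"

# Extensions the README counts as a "compressed file", i.e. a possible phishing kit.
KIT_EXTENSIONS = %w[.zip .rar .7z .tar .gz].freeze

# Heuristic: auto-generated listings from Apache mod_autoindex and nginx autoindex
# carry an "Index of /<path>" title. A real crawler may add further signals.
def directory_listing?(html)
  html.match?(%r{<title>\s*Index of\s+/}i)
end

# Pulls href targets out of anchor tags; sufficient for autoindex markup.
def extract_hrefs(html)
  html.scan(/<a\s+[^>]*href\s*=\s*["']([^"']+)["']/i).flatten
end

# True when the URL's path ends in one of the kit extensions (.tar.gz -> .gz).
def kit_file?(url)
  KIT_EXTENSIONS.include?(File.extname(url.path.to_s).downcase)
end

# Returns absolute URLs of compressed files linked from a directory listing,
# or an empty array when the page is not a listing or links to none.
def find_kits(base_url, html)
  return [] unless directory_listing?(html)

  base = URI(base_url)
  extract_hrefs(html).each_with_object([]) do |href, kits|
    begin
      target = URI.join(base, href)
    rescue URI::Error
      next # malformed href: skip it rather than abort the whole page
    end
    kits << target.to_s if kit_file?(target)
  end
end

# Renders the verdict in the same form as the `miteru execute` output.
def verdict(base_url, html)
  kits = find_kits(base_url, html)
  if kits.empty?
    "#{base_url}: it doesn't contain a phishing kit."
  else
    names = kits.map { |k| File.basename(URI(k).path) }.join(", ")
    "#{base_url}: it might contain a phishing kit (#{names})."
  end
end

# Constructed sample pages (not real sites).
LISTING_HTML = <<~HTML
  <html><head><title>Index of /</title></head><body>
  <h1>Index of /</h1>
  <a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
  <a href="/">Parent Directory</a>
  <a href="dummy.zip">dummy.zip</a>
  <a href="login.php">login.php</a>
  <a href="images/">images/</a>
  <a href="backup.tar.gz">backup.tar.gz</a>
  </body></html>
HTML

# A plain login page: links to an archive but is not a listing, so it is not flagged.
LOGIN_HTML = <<~HTML
  <html><head><title>Sign in</title></head><body>
  <form action="login.php"><input name="user"><input name="pass"></form>
  <a href="kit.zip">download</a>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  puts verdict("https://dummy1.com/", LOGIN_HTML)
  puts verdict("https://dummy4.com/", LISTING_HTML)
end
```

The listing requirement is what keeps the check cheap and low-noise: an archive link on an ordinary page is not evidence of an exposed kit, whereas an open autoindex listing that exposes one is exactly the artefact Miteru collects.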

Link: http://feedproxy.google.com/~r/PentestTools/~3/T974-FHaask/miteru-experimental-phishing-kit.html

A False Sense of Cybersecurity: The Riskiest States in America

Reading Time: ~5 min.
Like many Americans, you might think your online habits are safe enough—or, at least, not so risky as to put you in danger for cybercrime. As it happens, most of us in the U.S. are nowhere near as secure as we think we are. We partnered with Wakefield Research to survey 10,000 Americans, ages 18 […]
The post A False Sense of Cybersecurity: The Riskiest States in America appeared first on Webroot Blog.

Link: https://www.webroot.com/blog/2019/05/07/a-false-sense-of-cybersecurity-the-riskiest-states-in-america/

Cyber News Rundown: Phishing Attack on Global IT Outsourcer

Reading Time: ~2 min.
Major IT Outsourcer Suffers After Phishing Attack
Global IT services provider Wipro announced they are in the process of investigating a data breach possibly affecting some of their clients. These types of companies are popular targets for hackers because, by breaching a single IT service company, they gain access to a far larger pool of victims through […]
The post Cyber News Rundown: Phishing Attack on Global IT Outsourcer appeared first on Webroot Blog.

Link: https://www.webroot.com/blog/2019/04/19/cyber-news-rundown-phishing-attack-on-global-it-outsourcer/

2019 tax season phishing scams

Tax time is here again and that means two things: writing big checks to Uncle Sam and, of course, a new season of tax scams brought to you by industrious and persistent malware authors.
Americans feeling the rising panic of ensuring that they are squared up with the federal government before April 15 are searching for help online and downloading the financial statements they need for filing. The bad actors are counting on it and, as you read this, there’s a high probability that somewhere in your inbox is a link to a scam attempting to collect sensitive information from you. The IRS has been warning people about some of the tax scams this season using its annual “Dirty Dozen” compilation of phishing and online scams.
Of the following scenarios, which do you think is more likely? Will you be phished by a dodgy-looking IRS website, or will you get phished by a bogus financial website? Here at Zscaler, the ThreatLabZ research team has been monitoring such traffic and we’ve seen an increase in attempted generic phishing attacks posing as financial institutions. This trend makes sense because tax preparation usually means getting tax documents from several different financial institutions—your bank, your mortgage holder, your retirement and investment accounts, and so on. The following figure depicts financial and tax refund phishing events observed in the Zscaler cloud over the past two months.
Figure 1: Financial (gold) and tax refund (green) phishing events over the past two months
“IRS Login" phishing
Though the majority of phishing sites were for "generic" financial institutions, we did see IRS phishing websites, including the following, which asks the user to enter an email address and then redirects to a page asking the user to verify the account and fill in additional information, including a Social Security Number.
Figure 2: IRS Phishing – Login page
 
Figure 3: IRS Phishing – Personal and SSN details
 
Fake “Apply for EIN” scam and Google SEO poisoning
An EIN (Employer Identification Number) is a Federal Tax ID number required by businesses or other entities to file taxes. Eligible persons/entities can apply for an EIN on the IRS website and receive it immediately at no cost. Scammers have been active, attempting to phish unsuspecting users for their information and money by advertising themselves as experts in filing for Tax IDs.
A Google search for "irs tax id" returned multiple scam websites among the top ads.
Figure 4: Google search results for IRS Tax ID showing ads for scamming websites
 
We noticed a few of these sites, such as irs-tax-id[.]com, gov-irs-ein[.]co, and irs-ein-tax[.]com, using the same phishing template for their homepage, which you can see in the image below.

 
Figure 5: “Apply for EIN” phishing template used by multiple sites
 
Figure 6: Phishing page requesting personal information including SSN
 
Figure 7: Phishing page requesting credit card information
 
Here are a few of the domains that are active in luring users to apply for an Employer Identification Number (EIN).
Figure 8: “Apply for EIN” phishing domains
 
Tax refund phishing campaign – UK
The tax year in the UK has just ended (April 6), and scammers have been preparing to take advantage of users seeking their refunds. One of the phishing domains we have been monitoring, hmrc[.]co[.]uk[.]pendingrefund[.]tk, updated its phishing pages on April 6 to keep up with tax season events. It began with a refund claim form and was changed to a form for "processing" the claim and applying it to the user's credit card.
Phishing campaign observed before April 6:
Page 1: start.php requesting name and address
Page 2: claim_details.php displaying the information entered in start.php and fake amount
Page 3: details.php requesting detailed personal information and credit card details
 
Figure 9: Phishing pages observed before April 6, 2019
 
The current page (Tax-Refund.php) served by the phishing website (starting April 6) can be seen in the image below:
Figure 10: Phishing page observed on April 6, 2019
 
Malware campaign
The IRS has warned about a "Tax Transcript" email scam used by attackers to distribute malicious documents containing malware. ThreatLabZ has also noticed tax-themed malicious documents delivering Emotet and Nymaim malware, which are well-known Trojans used for stealing data and credentials, among other malicious functions.
The following is the report of a recent Nymaim malware sample observed in the Zscaler Cloud Sandbox and delivered through a malicious URL: djaccounting[.]tax/wp-admin/98-14691361298-580222944834109973.zip
Figure 11: Cloud Sandbox Report for Nymaim malware sample: 7B80A64E9A106806EE4F62A16A968661
 
Conclusion
Every year during tax season, our researchers identify various kinds of phishing campaigns using tax-related social engineering tactics in an attempt to collect sensitive information from unsuspecting users. You can read about some of the phishing campaigns that we observed during last year's tax season here. The IRS has also been alerting tax filers about active tax scams and providing guidelines for safely filing taxes.
At ThreatLabZ, we have been actively monitoring the latest tax scam campaigns and providing protection for Zscaler customers.
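The campaigns above share one pattern: the defanged domains (irs-tax-id[.]com, gov-irs-ein[.]co, hmrc[.]co[.]uk[.]pendingrefund[.]tk) borrow a brand label while living on an unrelated registered domain. The following Ruby block, added here as an example and not Zscaler's or ThreatLabZ's own code, refangs such indicators and flags proxy-log requests to hostnames that carry a protected brand label outside that brand's legitimate domains. The brand allowlist, the second-level-label list (a small stand-in for a real public suffix list), the log format and the log lines are all constructed for this example.

```ruby
require "uri"

# Brands the campaigns above impersonate, mapped to the registrable domains where
# the brand legitimately lives. Constructed allowlist for this example.
BRAND_ALLOWLIST = {
  "irs"  => %w[irs.gov],
  "hmrc" => %w[gov.uk],
}.freeze

# Second-level labels commonly used under two-letter ccTLDs (co.uk, gov.uk, ...).
# A small stand-in for a real public suffix list.
SECOND_LEVEL = %w[co gov ac org net com].freeze

# "hmrc[.]co[.]uk[.]pendingrefund[.]tk" -> "hmrc.co.uk.pendingrefund.tk"
def refang(indicator)
  indicator.gsub("[.]", ".").sub(/\Ahxxp/i, "http")
end

# Approximates the registrable domain: the last two labels, or the last three
# when the second-to-last is a common second-level label under a two-letter ccTLD.
def registered_domain(host)
  labels = host.downcase.split(".")
  return labels.join(".") if labels.size <= 2
  if labels[-1].size == 2 && SECOND_LEVEL.include?(labels[-2])
    labels.last(3).join(".")
  else
    labels.last(2).join(".")
  end
end

# True when reg is one of the brand's own domains or sits beneath one of them.
def legitimate?(reg, domains)
  domains.any? { |d| reg == d || reg.end_with?(".#{d}") }
end

# Returns the brand a hostname impersonates: a brand label appears as a token of
# the hostname (split on "." and "-") while the registrable domain is not one of
# that brand's own. Returns nil for hosts that do not match the pattern.
def lookalike_brand(host)
  tokens = host.downcase.split(/[.-]/)
  reg = registered_domain(host)
  BRAND_ALLOWLIST.each do |brand, domains|
    next unless tokens.include?(brand)
    return brand unless legitimate?(reg, domains)
  end
  nil
end

# Scans "timestamp client method url" proxy log lines (constructed format) and
# returns [host, brand, url] for every request to a lookalike hostname.
def scan_proxy_log(lines)
  lines.each_with_object([]) do |line, hits|
    url = line.split(/\s+/)[3]
    next unless url
    begin
      host = URI(url).host
    rescue URI::Error
      next # unparsable URL field; skip the line
    end
    next unless host
    brand = lookalike_brand(host)
    hits << [host, brand, url] if brand
  end
end

# Constructed proxy log; the hostnames echo the defanged indicators in the post.
SAMPLE_PROXY_LOG = [
  "2019-04-08T10:01:02Z 10.0.0.5 GET https://www.irs.gov/forms-instructions",
  "2019-04-08T10:03:14Z 10.0.0.7 GET https://#{refang('hmrc[.]co[.]uk[.]pendingrefund[.]tk')}/Tax-Refund.php",
  "2019-04-08T10:05:55Z 10.0.0.9 GET https://#{refang('irs-tax-id[.]com')}/",
  "2019-04-08T10:06:31Z 10.0.0.9 GET https://example.com/index.html",
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_proxy_log(SAMPLE_PROXY_LOG).each do |host, brand, url|
    puts "lookalike of #{brand}: #{host} (#{url})"
  end
end
```

The allowlist check deliberately accepts any host beneath a brand's own domain (hmrc.gov.uk passes, www.irs.gov passes) so that the rule fires only when the registrable domain itself is foreign to the brand, which is the property all of the domains in this post share.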
 

Link: http://www.zscaler.com/blogs/research/2019-tax-season-phishing-scams