Ian Campbell (@neurovagrant@masto.deoan.org) · last week

Snagged what looks like attempted phish/CSRF

Portrayed itself as a secure banking message. Initial hyperlink directed to

petroleuminvestigations[.]com

Looks like a VPS with openresty doing some lua-based filtering. Then user's kicked to an AWS address impersonating finance documents, and cookies are pulled in from bin.dreatrithoo[.]online, common across finance scam sites today per LookyLoo.

#threatintel

34 more domains associated by MX IP address. CSV for all 36:

https://drive.proton.me/urls/0WH2XJ9DV4#YCHkLWZ3aVlm

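The post's pivot from one phishing domain to 34 more via a shared MX IP is a routine triage step. The script below is an added example and is not Ian Campbell's code or anything from the thread: it refangs the defanged indicators, resolves each domain to its MX-host IPs, and groups domains that share one. The only real names in it are the two domains the post gives; every other domain and every IP address is a constructed placeholder (RFC 5737 documentation ranges), and the resolver is an offline lookup table standing in for live MX and A-record resolution.

```python
"""Pivot defanged phishing domains on shared MX-host IP addresses (offline demo)."""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed MX-host IP data so the script runs offline. The post names
# petroleuminvestigations[.]com and bin.dreatrithoo[.]online; every other
# domain, and every IP address, is made up for this example.
CONSTRUCTED_MX: Dict[str, Tuple[str, ...]] = {
    "petroleuminvestigations.com": ("192.0.2.10",),
    "bin.dreatrithoo.online": ("192.0.2.10", "192.0.2.11"),
    "finance-docs-example.invalid": ("192.0.2.10",),
    "unrelated-shop.invalid": ("198.51.100.5",),
    "no-mail.invalid": (),
}

Resolver = Callable[[str], Tuple[str, ...]]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]', 'hxxp://') and return the bare host."""
    s = indicator.strip().lower()
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    return s.split("/", 1)[0]


def defang(domain: str) -> str:
    """Defang a host again so it can be pasted into a report without becoming a live link."""
    return domain.replace(".", "[.]")


def table_resolver(domain: str) -> Tuple[str, ...]:
    """Offline stand-in for MX resolution (constructed data). A live version would
    resolve the domain's MX records and then the A records of each MX host."""
    return CONSTRUCTED_MX.get(domain, ())


def cluster_by_mx_ip(domains: Iterable[str], resolver: Resolver = table_resolver) -> Dict[str, List[str]]:
    """Group domains by the MX-host IPs they share; singletons are dropped."""
    groups: Dict[str, set] = defaultdict(set)
    for raw in domains:
        host = refang(raw)
        for ip in resolver(host):
            groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items() if len(hosts) > 1}


def related_to(seed: str, candidates: Iterable[str], resolver: Resolver = table_resolver) -> List[str]:
    """Return candidate domains that share at least one MX-host IP with the seed domain."""
    seed_host = refang(seed)
    seed_ips = set(resolver(seed_host))
    found = set()
    for raw in candidates:
        host = refang(raw)
        if host != seed_host and seed_ips.intersection(resolver(host)):
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    # Walk the constructed table and print each cluster with defanged hosts.
    for ip, hosts in cluster_by_mx_ip(CONSTRUCTED_MX).items():
        print(ip, [defang(h) for h in hosts])
```

Feeding a real candidate list (for example, the domains from a passive-DNS or certificate-transparency query) through a live resolver in place of `table_resolver` gives the same grouping the post describes; a shared MX IP is a useful clustering signal but not proof of common operation, since bulk mail hosters put unrelated domains on the same MX.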
Ian Campbell (@neurovagrant@masto.deoan.org) replied · last week

@risottobias funny thing about phishing messages, all you have to do is wait a while and they send 'em right to ya.

bonfire.cafe: A space for Bonfire maintainers and contributors to communicate