Phishing page using Apple’s name identified, targeting the USA, Tunisia and India
Phishing is no longer limited to the conventional way of extracting sensitive information; it has become one of the most innovative and complex forms of social engineering. During a recent web stroll to understand the complexity of contemporary phishing techniques, I identified a phishing page that certainly had the potential to extract sensitive information with a single click.
The phishing page was identified at Customer-apple-verification.dedicatedserverssupport.com. It used the name of a top brand, “Apple”, to attract browsers. The suspicion that it was a phishing page arose because this URL does not belong to Facebook and the host is not configured with an SSL certificate. After a username and password are entered, the page redirects to the official Facebook page, a common kit behaviour that leaves the victim believing the login simply failed.
On further investigation, it was identified that this page was served under the domain dedicatedserverssupport.com, hosted at the IP address 198.27.68.100. A detailed investigation later revealed that this IP address was associated with more than 30 domains used for phishing social media sites and credit card information, identified as follows:
Domain Name
advertreport.com
alargetvforyou.com
amirnekoee.com
amzonsec.com
apple-setup.com
checkoutthenote.info
central-usa-news.com
card-checker.com
cookingupstyle.info
crypto4win.com
corneraroundstore.info
craftsmanlowvoltage.com
cupatthecup.info
dedicated-server-buy.com
mailsaccount.com
myaccess-support.co
program-usa.com
reportapple.info
secure-customer-verification.com
secure-verify-information.com
security-9398839303029.info
update-account-password-fb.com
waytogetthisnow.info
webmail1server.com
forthenextsixfuel.today
verizonsupport.net
intl-secure.com
face-spy.com
secureusa16.com
airfarm.co.za
sharonmenary.com
amylacaze.com
modesuites.com
caychautreo.com
handcraftedkid.com
tonyahyde.com
hydeoutdesigns.com
All these domains share the same properties and are used for phishing Facebook, Gmail and Apple accounts. Co-hosting on one IP is only the first pivot: a shared hosting address can also serve unrelated sites, so each neighbour should be corroborated with registrant and content evidence, as below.
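The IP pivot described above, as an added example that is not code from the original post: resolve every listed domain, group the results by IP address, and annotate each domain co-hosted with the phishing page with the brand and lure words in its name. The resolver is injected, and the name-to-IP mapping used below (`FAKE_DNS`) is constructed for offline use, not a live lookup; replace `fake_resolver` with `socket.gethostbyname` to run it against real DNS.

```python
"""Pivot from one phishing host to the domains sharing its IP address.
Added example, not code from the original post. The resolver is injected so
the pivot can be replayed offline against a constructed name->IP mapping."""
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional

# Domains listed in the post, de-duplicated.
DOMAINS = [
    "advertreport.com", "alargetvforyou.com", "amirnekoee.com", "amzonsec.com",
    "apple-setup.com", "checkoutthenote.info", "central-usa-news.com",
    "card-checker.com", "cookingupstyle.info", "crypto4win.com",
    "corneraroundstore.info", "craftsmanlowvoltage.com", "cupatthecup.info",
    "dedicated-server-buy.com", "mailsaccount.com", "myaccess-support.co",
    "program-usa.com", "reportapple.info", "secure-customer-verification.com",
    "secure-verify-information.com", "security-9398839303029.info",
    "update-account-password-fb.com", "waytogetthisnow.info",
    "webmail1server.com", "forthenextsixfuel.today", "verizonsupport.net",
    "intl-secure.com", "face-spy.com", "secureusa16.com", "airfarm.co.za",
    "sharonmenary.com", "amylacaze.com", "modesuites.com", "caychautreo.com",
    "handcraftedkid.com", "tonyahyde.com", "hydeoutdesigns.com",
]

# Brand look-alikes ("fb", "amzon") and lure words seen in the post's list.
BRAND_TOKENS = ("apple", "fb", "amzon", "verizon", "webmail", "mail")
LURE_TOKENS = ("secure", "verif", "account", "password", "support",
               "check", "card", "update", "access")


def suspicious_tokens(domain: str) -> List[str]:
    """Brand and lure substrings present in the domain's first label."""
    label = domain.lower().split(".")[0]
    return [t for t in BRAND_TOKENS + LURE_TOKENS if t in label]


def resolve_all(domains: Iterable[str],
                resolver: Callable[[str], str] = socket.gethostbyname
                ) -> Dict[str, Optional[str]]:
    """Map each domain to its A record, or None when it does not resolve."""
    resolved: Dict[str, Optional[str]] = {}
    for d in domains:
        try:
            resolved[d] = resolver(d)
        except OSError:          # socket.gaierror is an OSError subclass
            resolved[d] = None
    return resolved


def cluster_by_ip(resolved: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group resolving domains by the IP address they share."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for d, ip in resolved.items():
        if ip:
            clusters[ip].append(d)
    return {ip: sorted(ds) for ip, ds in clusters.items()}


def pivot_report(domains: Iterable[str], pivot_ip: str,
                 resolver: Callable[[str], str] = socket.gethostbyname
                 ) -> Dict[str, List[str]]:
    """Domains co-hosted on pivot_ip, each with the tokens that make it look like a lure.
    An empty token list (e.g. a crafts shop) is a hint that the host is shared
    and the neighbour may be unrelated, so it needs other evidence."""
    cohosted = cluster_by_ip(resolve_all(domains, resolver)).get(pivot_ip, [])
    return {d: suspicious_tokens(d) for d in cohosted}


# Constructed offline mapping (an assumption, not a live lookup): a handful of the
# post's domains pinned to the post's IP, plus one that resolves elsewhere.
FAKE_DNS = {
    "apple-setup.com": "198.27.68.100",
    "secure-customer-verification.com": "198.27.68.100",
    "update-account-password-fb.com": "198.27.68.100",
    "airfarm.co.za": "198.27.68.100",
    "amylacaze.com": "203.0.113.7",
}


def fake_resolver(domain: str) -> str:
    """Stand-in for socket.gethostbyname that answers from FAKE_DNS only."""
    if domain in FAKE_DNS:
        return FAKE_DNS[domain]
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    # Swap fake_resolver for socket.gethostbyname to pivot against live DNS.
    for domain, tokens in pivot_report(DOMAINS, "198.27.68.100", fake_resolver).items():
        print(f"{domain:40s} {', '.join(tokens) or '(no lure tokens)'}")
```

Live DNS answers only for domains that still resolve; for a kit that has already been taken down, the same `cluster_by_ip` step can be fed historical A records from a passive-DNS source instead of `socket.gethostbyname`.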
A deeper investigation of update-account-password-fb.com and secure-customer-verification.com followed. amzonsec.com was found to be associated with michellegaleas2018@yandex.com, and the email address thriftyth@gmail.com was also linked to craftsmanlowvoltage.com, handcraftedkid.com, tonyahyde.com and hydeoutdesigns.com.
It was found that airfarm.co.za was first purchased using the email ID jeanette@sprigg.co.za, and that secureusa16.com was associated with domainmanagers@outlook.com; earlier, however, that domain had been associated with Gith1965@einrot.com, where einrot.com is merely a temporary (disposable) email service.
We obtained material from two domains in this exercise.
First domain (secure-customer-verification.com): we received its source code, which contains an Apple phishing page and a key in the name of a YouTube link (Philipple behvier). Second domain (update-account-password-fb.com): when we scanned this domain we found an info.txt file inside the public_html directory, and on downloading it we found IP addresses from the USA, Tunisia and India in it. The code that creates info.txt on the server is the same source code as in Customer-apple-verification.dedicatedserverssupport.com.
This proves that the phishing page we received was much more complex than a single form and was associated with multiple entities extracting sensitive information through a multi-stage channel.
As per the investigated details and the system logs present inside the public_html directory, we found a text file in which all harvested information was stored. This file is publicly readable, which also indicates that the countries targeted by the phishing page were the USA, Tunisia and India; strictly, the addresses show where victims connected from, which is only an approximation of the intended targets. We are still in the process of investigating the actual phishing entity.
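Checking a suspected kit for an exposed harvest file, as an added example that is not code from the original post. Because public_html is the web root, a file the kit writes there is fetchable at the site's top level; the function below probes for it over HTTP and HTTPS and pulls the distinct, globally routable IPv4 addresses out of whatever it gets back. The post does not show the layout of the real info.txt, so `SAMPLE_INFO_TXT` is a constructed stand-in, and `fake_fetch` replaces the live fetcher so the example runs offline; the addresses in the sample are placeholders with no geolocation implied.

```python
"""Probe a phishing host for a publicly readable harvest file and tally the
victim IPs inside it. Added example, not the post's or the kit's own code."""
import re
import urllib.request
from collections import Counter
from ipaddress import ip_address
from typing import Callable, Dict, Optional, Sequence

# Constructed sample dump (the post does not show the real info.txt format).
# Includes the edge cases a real dump has: a repeat visitor, an operator test
# from a private address, and a malformed address that the regex alone accepts.
SAMPLE_INFO_TXT = """\
IP: 41.226.0.1 | Email: victim1@example.com | Password: hunter2
IP: 117.200.0.1 | Email: victim2@example.com | Password: qwerty
IP: 41.226.0.1 | Email: victim1@example.com | Password: hunter2
IP: 66.1.2.3 | Email: victim3@example.com | Password: letmein
IP: 10.0.0.5 | Email: test@example.com | Password: test
IP: 999.1.1.1 | Email: broken@example.com | Password: x
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text: str) -> Counter:
    """Count each valid, globally routable IPv4 address in a harvest dump.
    Private/loopback addresses (operator tests) and strings that only look
    like addresses are dropped."""
    counts: Counter = Counter()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ip_address(candidate)
        except ValueError:       # e.g. an octet above 255
            continue
        if ip.is_global:
            counts[str(ip)] += 1
    return counts


def default_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Return the body of a 200 response (first 64 KiB), or None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status == 200:
                return resp.read(65536).decode("utf-8", "replace")
    except (OSError, ValueError):   # HTTPError/URLError are OSError subclasses
        pass
    return None


def probe_exposed(domain: str, paths: Sequence[str] = ("info.txt",),
                  fetch: Callable[[str], Optional[str]] = default_fetch
                  ) -> Dict[str, str]:
    """Fetch each candidate path at the web root over http and https."""
    found: Dict[str, str] = {}
    for path in paths:
        for scheme in ("http", "https"):
            body = fetch(f"{scheme}://{domain}/{path}")
            if body:
                found[path] = body
                break
    return found


def victim_ips_from_site(domain: str,
                         fetch: Callable[[str], Optional[str]] = default_fetch
                         ) -> Counter:
    """Tally victim IPs from an exposed info.txt, empty if nothing is exposed."""
    return extract_ips(probe_exposed(domain, ("info.txt",), fetch).get("info.txt", ""))


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for default_fetch: only http://<host>/info.txt 'exists'."""
    if url.startswith("http://") and url.endswith("/info.txt"):
        return SAMPLE_INFO_TXT
    return None


if __name__ == "__main__":
    # Swap fake_fetch for default_fetch to probe a live host.
    for ip, n in victim_ips_from_site("update-account-password-fb.com", fake_fetch).most_common():
        print(f"{ip:16s} {n} submission(s)")
```

Mapping the tallied addresses to countries, as the post does for the USA, Tunisia and India, needs an offline GeoIP database (for example MaxMind's GeoLite2) or a lookup service; that step is deliberately left out here so the example stays self-contained.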