In the case of this phishing campaign, these attempts include using multilayer obfuscation and encoding mechanisms on well-known file types, such as JavaScript. The speed at which the attackers update their obfuscation and encoding techniques demonstrates the level of monitoring expertise required to enrich intelligence for this type of campaign.

Second level of encoding using ASCII, shown side by side with the decoded string.

As previously mentioned, attackers could use such information, along with usernames and passwords, as their initial entry point for later infiltration attempts.

VirusTotal provides you with a set of essential data and tools to handle these threats: analyze any ongoing phishing activity and understand its context and the severity of the threat. Some engines provide additional information, stating explicitly whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.

It collects and combines phishing data from numerous sources, such as VirusTotal, Google Safe Search, ThreatCrowd, abuse.ch and antiphishing.la.

Timeline of the xls/xlsx.html phishing campaign and the encoding techniques used.

https://www.virustotal.com/gui/home/search

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. VirusTotal Intelligence search can be used to search for malware within VirusTotal; in this case we are using one of the search modifiers it implements. Input: a valid IPv4 address in dotted-quad notation; for the time being only IPv4 addresses are supported.

Discover, monitor and prioritize vulnerabilities.

]js, hxxp://yourjavascript[.]com/1522900921/5400[.

Probably some next gen AI detection has gone haywire.

See YARA's documentation.
Reid Wightman, vulnerability analyst for Dragos Inc., based in Hanover, Md., noted on Twitter that a new VirusTotal hash for a known piece of malware was enough to cause a significant drop in the detection rate of the original by antivirus products.

Click the IoCs tab to view any of the IoCs VirusTotal has in its database for this domain.

Attachment file name pattern: _invoice_<random numbers>._xlsx.hTML

For this phishing campaign, once the HTML attachment runs in the sandbox, rules check which websites are opened, whether the decoded JavaScript files are malicious, and even whether the images used are spoofed or legitimate.

Sample credentials dialog box with a blurred Excel image in the background.

Go to the Ruleset creation page:

We use the PyFunceble testing tool to validate the status of all known phishing domains and to provide stats revealing how many unique domains used for phishing are still active.

Not only do these details enhance the campaign's social engineering lure, but they also suggest that the attackers have conducted prior reconnaissance on the target recipients.

Typosquatting: whenever you type the name of a web page manually into the address bar, such as www.example.com, chances are you will make a typo and end up at www.examlep.com instead. Attackers register such misspelled domains to catch the mistyped traffic, which is why they are worth monitoring.

These were replaced with links to JavaScript files that, in turn, were hosted on a free JavaScript hosting site. For example, inside the HTML code of the attachment in the November 2020 wave (the Organization name lure), the two links to the JavaScript files were encoded together in two steps: first in Base64, then in ASCII.

]php, hxxps://moneyissues[.]ng/wp-content/uploads/2017/10/DHL-LOGO[.

It greatly improves on API version 2.
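The www.examlep.com case above is one of many variants a fat-fingered or hurried user can produce, and a monitoring query is only as good as the candidate list it is fed. The script below generates that list and matches it against observed hostnames. It is an added example written for this page, not code from VirusTotal or from any project mentioned here; the QWERTY adjacency map, the homoglyph map and the OBSERVED list are assumptions constructed for illustration, and it expects the registrable domain (example.com, not www.example.com).

```python
"""Generate typosquat candidates for a brand domain and match observed domains.
Added example; not VirusTotal's code. See the lead-in for assumptions."""

# Small QWERTY neighbour map for fat-finger substitutions (assumed; extend it).
ADJACENT = {'a': 'qwsz', 'e': 'wrd', 'i': 'uok', 'l': 'kop', 'm': 'nk',
            'o': 'ipl', 'p': 'ol', 's': 'adw', 'x': 'zc'}
# Look-alike swaps an eye skips over in an address bar (assumed; extend it).
HOMOGLYPHS = {'l': ['1', 'i'], 'o': ['0'], 'i': ['1', 'l'], 'm': ['rn'], 'e': ['3']}


def split_domain(domain):
    """'example.com' -> ('example', '.com'); pass the registrable domain, not www."""
    label, dot, tld = domain.lower().partition('.')
    return label, dot + tld


def typo_candidates(domain):
    """Return the set of single-mistake variants of the domain's first label."""
    label, tld = split_domain(domain)
    n = len(label)
    out = set()
    for i in range(n):                          # omission:   exmple
        out.add(label[:i] + label[i + 1:])
    for i in range(n):                          # repetition: exxample
        out.add(label[:i] + label[i] + label[i:])
    for i in range(n):                          # displacement by up to two
        rest = label[:i] + label[i + 1:]        # slots: examlpe, examlep
        for j in range(max(0, i - 2), min(n, i + 3)):
            if j != i:
                out.add(rest[:j] + label[i] + rest[j:])
    for i, c in enumerate(label):               # adjacent key: exanple
        for alt in ADJACENT.get(c, ''):
            out.add(label[:i] + alt + label[i + 1:])
    for i, c in enumerate(label):               # homoglyph: examp1e
        for alt in HOMOGLYPHS.get(c, []):
            out.add(label[:i] + alt + label[i + 1:])
    out.discard(label)                          # the brand itself is not a hit
    return {c + tld for c in out}


def find_lookalikes(brand_domain, observed):
    """Return the observed domains that are typo variants of brand_domain, sorted."""
    candidates = typo_candidates(brand_domain)
    return sorted(d.lower() for d in observed if d.lower() in candidates)


# Constructed list standing in for hostnames pulled from a VirusTotal URL search.
OBSERVED = ['examlep.com', 'exmple.com', 'example.com', 'examp1e.com',
            'unrelated.example']

if __name__ == '__main__':
    print(find_lookalikes('example.com', OBSERVED))
```

The candidate set is what you would feed into a VirusTotal search or a passive DNS lookup; the displacement rule is deliberately wider than a plain adjacent swap, because examlep is not a swap of two neighbours but the p drifting two slots to the right.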
In the May 2021 wave, a new module was introduced that used hxxps://showips[.

This repository contains the dataset of the "Main Experiment" for the paper by Peng Peng, Limin Yang, Linhai Song and Gang Wang.

Sample phishing email message with the HTML attachment.

]js, hxxp://yourjavascript[.]com/42580115402/768787873[.

Apply YARA rules to the live flux of samples as well as back in time, against historical data, in order to track the evolution of certain threats: https://www.virustotal.com/gui/hunting/rulesets/create

Here are a few examples of various types of phishing websites and how they work:

Below is a timeline of the encoding mechanisms this phishing campaign used from July 2020 to July 2021 (Figure 4).

It does this by scanning the submitted files with the contributing anti-malware vendors' scanning engines.

Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. It is an encoding, not encryption: it hides nothing from anyone who recognizes it, but it defeats signatures and parsers that expect the plaintext.

VirusTotal is an online service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners.

]js steals the user password and displays a fake incorrect credentials page, hxxp://tokai-lm[.]jp/root/4556562332/t7678[.

You can do this monitoring in many different ways.

This campaign's primary goal is to harvest usernames, passwords and, in its more recent iterations, other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts.

Does anyone know the reason why this happens and is there something wrong with my Chrome browser?

Read more about PyFunceble.

We define ACTIVE domains or links as any of the HTTP status codes below.

VirusTotal was born as a collaborative service to promote the exchange of information and strengthen security on the internet.
Free Dr.Web online scanner for scanning suspicious files and links. Check a link (URL) for viruses: sometimes it is enough just to visit a malicious or fraudulent site for your system to get infected, especially if you have no anti-virus protection.

To defend organizations against this campaign and similar threats, Microsoft Defender for Office 365 uses multiple layers of dynamic protection technologies backed by security expert monitoring of email campaigns.

Criminals planting phishing links often resort to a variety of techniques, such as returning a variety of HTTP failure codes to trick people into thinking the link is gone, when in reality, if you test it a bit later, it is often back.

A validation dataset for AI applications.

Due to many requests, we are offering a download of the whole database for the price of USD 256.00.

Out-of-the-box examples help you in different scenarios, such as IP blacklist checks.

Protect your corporate information by monitoring for sensitive information being shared without your knowledge, and for threats to your intellectual property, infrastructure or brand. VirusTotal Enterprise offers you all of our toolset integrated on a single platform.

Meanwhile, the links to the JavaScript files were encoded in ASCII before being encoded again, together with the rest of the HTML code, in Escape.

Selling access to phishing data under the guise of "protection" is somewhat questionable.

Therefore, companies must always be alert, to protect themselves and their customers.

Back to the example in the video: in this query we are looking for suspicious URLs (entity:url) that contain some strings related to our organization or brand.

We make use of the awesome PyFunceble Testing Suite written by Nissar Chababy.
All previous sources of information continue to be free, as they were.

Despite being a nearly empty system, virustotal.com identified a good number of malware on these barebones PCs.

VirusTotal can be useful in detecting malicious content and also in identifying false positives: normal and harmless items detected as malicious by one or more scanners.

As previously mentioned, the HTML attachment is divided into several segments, which are then encoded using various encoding mechanisms.

Allows you to download files for further study and dissection offline.

The highly evasive nature of this threat and the speed with which it attempts to evolve require comprehensive protection.

]com/dc967eaa4412707bedd3fe8ab/images/d2d8355d-7adc-4f07-8b80-e624edbce6ea.png Blurred PDF background image, hxxps://tannamilk[.]or[.]jp//js/local/33309900[.

How many phishing URLs on a specific IP address?

Another modifier you can add is p:1+, to indicate that you want URLs detected as malicious by at least one AV engine.

With the support of an amazing community, VirusTotal became an ecosystem where everyone benefits.

Based on the campaign's ten iterations we have observed over the course of this period, we can break down its evolution into the phases outlined below.

The VirusTotal API lets you upload and scan files or URLs, access finished scan reports and make automatic comments without the need to use the website interface.

Explore VirusTotal's dataset visually.

The OpenPhish Database is provided as an SQLite database and can be easily integrated into existing systems using our free, open-source API module.

Our system also tests and re-tests anything flagged as INACTIVE or INVALID.

Using xls in the attachment file name is meant to prompt users to expect an Excel file.
When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document.

Training should include checks for poor spelling and grammar in phishing emails or in the application's consent screen, as well as for spoofed app names and domain URLs that are made to appear to come from legitimate applications or companies.

]php, hxxps://www[.]laserskincare[.]ae/wp-admin/css/colors/midnight/reportexcel[.

Meanwhile, in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

We also have the option to monitor whether any uploaded file interacts with our infrastructure during execution.

Fighting phishing and cybercrime since 2014 by gathering, enhancing and sharing phishing information with the infosec community.

That's why these 5 phishing sites do not have all the four-week network requests.

Script that collects a user's IP address and location in the May 2021 wave.

]php?0976668-887, hxxp://www.aiguillehotel[.]com/Eric/87870000/099[.

]js steals the user password and displays a fake incorrect credentials page, hxxp://tannamilk[.]or[.]jp//_products/556788-898989/0888[.]php?5454545-9898989.

]php, hxxps://jahibtech[.]com[.]ng/wp-admta/taliban/office[.
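The three layer orders described on this page (Base64 then ASCII in the November 2020 wave, ASCII then Escape, and Escape then Morse in the May 2021 wave) can be peeled mechanically once each layer is fingerprinted by its structure rather than by its position in the stack. The script below does that. It is an added example written for this page, not the campaign's own JavaScript or Microsoft's tooling. Its assumptions: "ASCII" is read as comma-separated decimal character codes (String.fromCharCode style); the Morse alphabet is ITU for letters, digits and common punctuation, while the codes for '%' and '*' are non-standard and invented here (the real attachment carried its own dictionary); the escape step also hex-encodes upper-case letters so that the case-blind Morse layer round-trips (JavaScript's escape() leaves A-Z alone); and every payload, including the js-host.example URLs, is constructed.

```python
"""Peel the layered encodings of the xls/xlsx.html attachments.
Added example; not the campaign's JavaScript. See the lead-in for assumptions."""
import base64
import re

# ITU Morse for letters, digits and the punctuation escape() leaves alone;
# '%' and '*' have no ITU code, the ones here are assumed for this example.
MORSE_TABLE = {
    'a': '.-', 'b': '-...', 'c': '-.-.', 'd': '-..', 'e': '.', 'f': '..-.',
    'g': '--.', 'h': '....', 'i': '..', 'j': '.---', 'k': '-.-', 'l': '.-..',
    'm': '--', 'n': '-.', 'o': '---', 'p': '.--.', 'q': '--.-', 'r': '.-.',
    's': '...', 't': '-', 'u': '..-', 'v': '...-', 'w': '.--', 'x': '-..-',
    'y': '-.--', 'z': '--..', '0': '-----', '1': '.----', '2': '..---',
    '3': '...--', '4': '....-', '5': '.....', '6': '-....', '7': '--...',
    '8': '---..', '9': '----.', '.': '.-.-.-', '/': '-..-.', '-': '-....-',
    '_': '..--.-', '@': '.--.-.', '+': '.-.-.', '%': '-..-..', '*': '--.-.',
}
MORSE_REVERSE = {code: char for char, code in MORSE_TABLE.items()}
# Characters this example's escape step leaves untouched. JavaScript's escape()
# also keeps A-Z; we encode them so the case-blind Morse layer round-trips.
ESCAPE_SAFE = set('abcdefghijklmnopqrstuvwxyz0123456789@*_+-./')


def morse_encode(text):
    return ' '.join(MORSE_TABLE[c] for c in text.lower())


def morse_decode(code):
    return ''.join(MORSE_REVERSE[sym] for sym in code.split() if sym != '/')


def js_escape(text):
    out = []
    for c in text:
        if c in ESCAPE_SAFE:
            out.append(c)
        elif ord(c) < 256:
            out.append('%%%02x' % ord(c))
        else:
            out.append('%%u%04x' % ord(c))
    return ''.join(out)


def js_unescape(text):
    """Mirror JavaScript unescape(): one pass over %uXXXX and %XX, no UTF-8 step."""
    return re.sub(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def ascii_codes_encode(text):
    return ','.join(str(ord(c)) for c in text)


def ascii_codes_decode(codes):
    return ''.join(chr(int(n)) for n in codes.split(','))


DECODERS = {
    'morse': morse_decode,
    'escape': js_unescape,
    'ascii': ascii_codes_decode,
    'base64': lambda s: base64.b64decode(s, validate=True).decode('utf-8'),
}


def guess_layer(blob):
    """Fingerprint the outermost layer by its character structure alone."""
    s = blob.strip()
    if ' ' in s and re.fullmatch(r'[.\-/ ]+', s):
        return 'morse'
    if re.fullmatch(r'\d{1,3}(,\d{1,3})*', s):
        return 'ascii'
    if '%' in s and re.fullmatch(r'[A-Za-z0-9@*_+\-./%]+', s):
        return 'escape'
    if len(s) % 4 == 0 and re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', s):
        try:
            DECODERS['base64'](s)
            return 'base64'
        except (ValueError, UnicodeDecodeError):
            pass
    return 'plain'


def peel(blob, max_layers=8):
    """Strip layers outermost-first until plain text; return (text, layers)."""
    layers = []
    for _ in range(max_layers):
        kind = guess_layer(blob)
        if kind == 'plain':
            break
        blob = DECODERS[kind](blob)
        layers.append(kind)
    return blob, layers


# Constructed payloads standing in for the attachment's JavaScript links and
# HTML; js-host.example is a placeholder, not an indicator from the campaign.
SAMPLE_URLS = 'https://js-host.example/1.js,https://js-host.example/2.js'
SAMPLE_HTML = '<script src="https://js-host.example/Invoice.js"></script>'


def build_samples():
    """Re-create the three layer orders from the timeline on constructed input."""
    return {
        'nov_2020': ascii_codes_encode(base64.b64encode(SAMPLE_URLS.encode()).decode()),
        'ascii_then_escape': js_escape(ascii_codes_encode(SAMPLE_URLS)),
        'may_2021': morse_encode(js_escape(SAMPLE_HTML)),
    }


if __name__ == '__main__':
    for name, blob in build_samples().items():
        text, layers = peel(blob)
        print(name, '->', layers, text)
```

peel() reports the layer order it stripped as well as the recovered text. Because guess_layer() keys on what each layer looks like rather than on a fixed sequence, a new wave that reorders or re-stacks the same encodings still decodes, which matters when, as the page notes, the attackers change encodings faster than exact-match signatures can follow.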
More examples on how to use the API can be found at https://github.com/o1lab/xmysql. Some queries:

phishstats.info:2096/api/phishing?_where=(id,eq,3296584)
phishstats.info:2096/api/phishing?_where=(asn,eq,as14061)
phishstats.info:2096/api/phishing?_where=(ip,eq,148.228.16.3)
phishstats.info:2096/api/phishing?_where=(countrycode,eq,US)
phishstats.info:2096/api/phishing?_where=(tld,eq,US)
phishstats.info:2096/api/phishing?_sort=-id
phishstats.info:2096/api/phishing?_sort=-date
phishstats.info:2096/api/phishing?_where=(title,like,~apple~)&_sort=-id
phishstats.info:2096/api/phishing?_where=(url,like,~apple~)&_sort=-id
phishstats.info:2096/api/phishing?_where=(title,like,~apple~)~or(url,like,~apple~)&_sort=-id
phishstats.info:2096/api/phishing?_where=(score,gt,5)~and(tld,eq,br)~and(countrycode,ne,br)&_sort=-id

We also have researchers from several countries using our data to study phishing.

Server-21, 23 and 25 were blacklisted on 03/25/2019, Server-17 was blacklisted on 04/05/2019, and Server-24 was blacklisted on 04/08/2019.

Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide coordinated defense.

]js, hxxp://yourjavascript[.]com/82182804212/5657667-3[.

]js loads the blurred Excel background image, hxxp://yourjavascript[.]com/2512753511/898787786[.

Microsoft and Chronicle's VirusTotal have teamed up to better detect signed MSI files that have been modified to include malicious Java archives.

Import the ruleset to Retrohunt.

Analysts can analyze tens or hundreds of observables in a few clicks by leveraging the analyzers of one or several Cortex instances, depending on your OPSEC needs: DomainTools, VirusTotal, PassiveTotal, Joe Sandbox, geolocation, threat feed lookups and so on.

By submitting samples to VirusTotal you are contributing to raising the global IT security level.
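The query list above uses the xmysql filter grammar: each clause is (field,operator,value), clauses are chained with ~and / ~or, like-patterns use ~ as the wildcard, and _sort=-id sorts descending. The script below builds such a URL and evaluates the same expression locally against records, so a filter can be tested offline before it is pointed at the feed. It is an added example written for this page, not PhishStats' or xmysql's code. Assumptions: the http scheme for the API host, left-to-right evaluation of ~and / ~or without precedence, MySQL-style case-insensitive string comparison, and the RECORDS list, which is constructed and not feed data.

```python
"""Build and locally evaluate PhishStats-style _where/_sort queries.
Added example; not PhishStats' or xmysql's code. See the lead-in for assumptions."""
import operator
import re
from urllib.parse import urlencode

API_BASE = 'http://phishstats.info:2096/api/phishing'  # scheme assumed

# Constructed records, not feed data; field names follow the query examples.
RECORDS = [
    {'id': 1, 'url': 'http://appleid-verify.example/login', 'title': 'Apple ID',
     'ip': '203.0.113.10', 'asn': 'as64500', 'countrycode': 'US', 'tld': 'br', 'score': 7.5},
    {'id': 2, 'url': 'http://banco-seguro.example/', 'title': 'Internet Banking',
     'ip': '198.51.100.5', 'asn': 'as64501', 'countrycode': 'BR', 'tld': 'br', 'score': 9.0},
    {'id': 3, 'url': 'http://share-docs.example/open', 'title': 'OneDrive',
     'ip': '192.0.2.7', 'asn': 'as64502', 'countrycode': 'DE', 'tld': 'com', 'score': 2.0},
]

_CLAUSE = re.compile(r'(~and|~or)?\(([^,()]+),([^,()]+),([^()]*)\)')
_OPS = {'eq': operator.eq, 'ne': operator.ne, 'gt': operator.gt,
        'lt': operator.lt, 'gte': operator.ge, 'lte': operator.le}


def parse_where(where):
    """'(score,gt,5)~and(tld,eq,br)' -> [(None,'score','gt','5'), ('~and','tld','eq','br')]."""
    found = list(_CLAUSE.finditer(where))
    if ''.join(m.group(0) for m in found) != where:
        raise ValueError('unparsed _where expression: %r' % where)
    return [m.groups() for m in found]


def _like(value, pattern):
    """xmysql like: '~' is the wildcard, so '~apple~' means 'contains apple'."""
    regex = '^' + '.*'.join(re.escape(p) for p in pattern.split('~')) + '$'
    return re.match(regex, str(value), re.IGNORECASE) is not None


def _compare(value, op, raw):
    if op == 'like':
        return _like(value, raw)
    if isinstance(value, (int, float)):
        return _OPS[op](value, float(raw))
    return _OPS[op](str(value).lower(), raw.lower())   # case-blind, as MySQL does


def matches(record, where):
    """Evaluate clauses left to right; ~and and ~or get no relative precedence."""
    result = None
    for conj, field, op, raw in parse_where(where):
        hit = _compare(record.get(field), op, raw)
        if result is None:
            result = hit
        elif conj == '~and':
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def filter_ids(records, where):
    return [r['id'] for r in records if matches(r, where)]


def build_query(where=None, sort=None):
    """Return the request URL, keeping the ( ) , ~ characters the API expects."""
    params = {}
    if where:
        params['_where'] = where
    if sort:
        params['_sort'] = sort
    return API_BASE + '?' + urlencode(params, safe='(),~')


if __name__ == '__main__':
    # .br sites scored above 5 but hosted outside Brazil, as in the last query above.
    where = '(score,gt,5)~and(tld,eq,br)~and(countrycode,ne,br)'
    print(build_query(where, '-id'))
    print(filter_ids(RECORDS, where))
```

The last query on the page is the interesting one for triage: a .br landing page scored above 5 and served from an autonomous system outside Brazil is a mismatch worth a second look, and filter_ids() lets you confirm that the expression selects what you think before you spend a request on it.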
]php?7878-9u88989, _Invoice_._xsl_x.Html (, hxxps://api[.]statvoo[.]com/favicon/?url=hxxxxxxxx[.

Attack segments in the HTML code in the July 2020 wave (Figure 6).

]top/ IP: 155.94.151.226 Brand: #Amazon VT: https

The malware scanning service said it had found more than one million malicious samples since January 2021, of which 87% had a legitimate signature when they were first uploaded to its database.

PR > https://github.com/mitchellkrogza/phishing

By using the Free Phishing Feed, you agree to our Terms of Use.

This new API was designed with ease of use and uniformity in mind, and it is inspired by the http://jsonapi.org/ specification.

The first iteration of this phishing campaign we observed, in July 2020 (which used the Payment receipt lure), had all the identified segments, such as the user mail identification (ID) and the final landing page, coded in plaintext HTML (Figure 2).

]js, hxxp://www[.]atomkraftwerk[.]biz/590/dir/86767676-899[.

These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual methods like Morse code, to hide these attack segments.