May 30 2024

Teams across the world leverage CYBER904 to combat weaponized URLs. The technology is constantly analyzing suspicious web artifacts to identify risks in the form of drive-by attacks, phishing portals, and other threats that materialize while browsing. The following report highlights recently detected sites that were deemed suspicious: 

  • hxxps://cloudflareipfs[.]com/ipfs/bafkreialyt4xbu5uetxaf3hhrxzomeexjnzpwcpjmt5w3kewiblao7io4i
    IP: 104.17.64[.]14
    SHA-256: 0bc4f970d3b424ee02ece78df2e610974b72fb09e964fb6da8964056077d0ee2

[image 1]

This URL was first detected by CYBER904 on February 16th, the same day that other security vendors started reporting on it. It was initially detected by 10 security vendors, and 16 are now reporting the page as malicious. CYBER904 successfully intervened with a 14% risk assessment.

This is a classic example of credential phishing. The site copies the exact format of the Microsoft single sign-on page to steal credentials from unsuspecting users. To make the page more believable, attackers verify that the email address is valid before proceeding to ask for a password. This makes it harder to check the page for legitimacy, which is why it is crucial to have protection in place, such as CYBER904, that blocks user input on suspected phishing pages.

Recommendation: Detection of phishing sites is not enough; you need to actively block users from entering credentials into suspected credential-theft sites, as you can do with the Isolation feature in CYBER904.

  • hxxp://trustflayer3[.]online/api/v1/px
    IP: 3.33.192[.]145
    SHA-256: 52c1e7a2c36be28c42455fe1572d7d7918c3180cad99a2b82daa2a38a7e7bb23

[image 2]

This URL was detected by CYBER904 on February 16th with a 28% risk assessment. It was first detected by one security vendor on February 7th and is currently detected by two vendors. CYBER904 intervened due to phishing and suspicious activity.

While the page is currently blank, the IP address is connected to multiple instances of malicious pop-ups. These pop-ups often imitate Microsoft and demand that the user call a phone number to fix a supposed problem. These scams often tell the user to download remote access software onto their computer, resulting in both financial loss and the theft of personal information.

Recommendation: Block the IP address and the URL using CYBER904, and monitor software being downloaded onto company machines. Additionally, users should inform their IT team whenever a page prompts them to take an action. Remember, any vendor contact should be routed through the IT team.

  • hxxps://chouthep[.]net/
    IP: 139.45.197[.]243
    SHA-256: 3938c63e8b782001c4b451b439634c1380b1e262d919e11ba7374862835d83e4

[image 3]

This URL was detected by ConcealBrowse on February 13th. It was first detected by one security vendor on January 9th, and there are currently four security vendors reporting this page for malicious activity. ConcealBrowse intervened with a 32% risk assessment due to malware and proximity to malicious IP addresses. 

The IP address connected to this page was recently flagged for hosting a form of ransomware through a malicious popup. Users would click on the popup, and the executable file would download to their computer. Ransomware can be devastating, especially in cases where computers are connected to each other on a network and the malicious software can spread. Although the page is now down, ConcealBrowse still intervened to protect users in the future if the site becomes active again.

Recommendation: Rely on active defense solutions such as CYBER904. When CYBER904 intervenes on a page, all download attempts are blocked to protect users from malware such as this. Live analysis of the site allows for early intervention and prevents malicious downloads.
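The recommendations above ask defenders to block the listed URLs and IP addresses and to watch for the flagged downloads. The following script is an added example, not code from this report or from the CYBER904 product: it refangs the defanged indicators printed above (`hxxp`, `[.]`) and runs them against a constructed proxy log. The log format (timestamp, user, client IP, destination IP, method, URL, status, SHA-256 of the response body or `-`) is an assumption made for the example; adapt the field split to your own proxy's export.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as printed in the report above.
REPORT_IOCS = [
    {"url": "hxxps://cloudflareipfs[.]com/ipfs/bafkreialyt4xbu5uetxaf3hhrxzomeexjnzpwcpjmt5w3kewiblao7io4i",
     "ip": "104.17.64[.]14",
     "sha256": "0bc4f970d3b424ee02ece78df2e610974b72fb09e964fb6da8964056077d0ee2"},
    {"url": "hxxp://trustflayer3[.]online/api/v1/px",
     "ip": "3.33.192[.]145",
     "sha256": "52c1e7a2c36be28c42455fe1572d7d7918c3180cad99a2b82daa2a38a7e7bb23"},
    {"url": "hxxps://chouthep[.]net/",
     "ip": "139.45.197[.]243",
     "sha256": "3938c63e8b782001c4b451b439634c1380b1e262d919e11ba7374862835d83e4"},
]


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable form."""
    value = value.strip()
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(iocs):
    """Normalise the report's indicators into sets for exact matching."""
    hosts, ips, hashes, urls = set(), set(), set(), set()
    for ioc in iocs:
        url = refang(ioc["url"])
        urls.add(url.rstrip("/").lower())
        hosts.add((urlsplit(url).hostname or "").lower())
        ips.add(refang(ioc["ip"]))
        hashes.add(ioc["sha256"].lower())
    return {"hosts": hosts, "ips": ips, "hashes": hashes, "urls": urls}


# Constructed sample proxy log (assumed format, not real traffic). Fields:
# timestamp user client_ip dest_ip method url status sha256_of_body_or_-
# The last line is a look-alike host that must NOT match (exact host, not substring).
SAMPLE_PROXY_LOG = """\
2024-02-16T09:12:01Z alice 10.0.0.21 104.17.64.14 GET https://cloudflareipfs.com/ipfs/bafkreialyt4xbu5uetxaf3hhrxzomeexjnzpwcpjmt5w3kewiblao7io4i 200 -
2024-02-16T09:12:05Z alice 10.0.0.21 192.0.2.10 GET https://www.example.com/ 200 -
2024-02-16T10:40:44Z bob 10.0.0.33 3.33.192.145 GET http://trustflayer3.online/api/v1/px 200 -
2024-02-16T11:02:17Z carol 10.0.0.40 203.0.113.9 GET https://dl.example.net/setup.exe 200 3938c63e8b782001c4b451b439634c1380b1e262d919e11ba7374862835d83e4
2024-02-16T11:03:00Z dave 10.0.0.41 198.51.100.7 GET https://chouthep.net.example.org/ 200 -
"""


def match_log_line(line, blocklist):
    """Return a hit record with the matching indicator types, or None."""
    parts = line.split()
    if len(parts) != 8:
        return None  # malformed line: skip rather than guess
    ts, user, _client_ip, dest_ip, _method, url, _status, body_hash = parts
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if url.rstrip("/").lower() in blocklist["urls"]:
        reasons.append("url")
    if host in blocklist["hosts"]:          # exact host match, no substring
        reasons.append("host")
    if dest_ip in blocklist["ips"]:         # catches the IP even if the URL changes
        reasons.append("ip")
    if body_hash != "-" and body_hash.lower() in blocklist["hashes"]:
        reasons.append("sha256")            # catches the payload served elsewhere
    if not reasons:
        return None
    return {"time": ts, "user": user, "url": url, "reasons": reasons}


def scan_proxy_log(text, iocs=REPORT_IOCS):
    """Run every non-empty log line against the report's indicators."""
    blocklist = build_blocklist(iocs)
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = match_log_line(line, blocklist)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['time']} {hit['user']} {hit['url']} matched on {', '.join(hit['reasons'])}")
```

Matching on the destination IP and on the file hash separately from the URL is what gives this value: the second and third sites in the report are already blank or down, so a future campaign reusing the same IP or the same executable is still caught even when the URL path changes. The look-alike host in the sample log shows why the host comparison must be exact rather than a substring test.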
