neurovagrant, 27 days ago Whole lot of IDN Homoglyph Attack registrations via GoDaddy and hosted on Amazon the past few days. Examples from yesterday and today: xn--fcbook-pta36b[.]com (fácębook[.]com) xn--xnt-rmal15isb[.]com (xƭínïtƴ[.]com) xn--xnt-vmag15isb[.]com (xƭînïtƴ[.]com) xn--goole-b3b[.]com (gooǵle[.]com) #cybersecurity #infosec #threatintel
Whole lot of IDN Homoglyph Attack registrations via GoDaddy and hosted on Amazon the past few days. Examples from yesterday and today:
xn--fcbook-pta36b[.]com (fácębook[.]com)
xn--xnt-rmal15isb[.]com (xƭínïtƴ[.]com)
xn--xnt-vmag15isb[.]com (xƭînïtƴ[.]com)
xn--goole-b3b[.]com (gooǵle[.]com)
#cybersecurity #infosec #threatintel
neurovagrant, 27 days ago Also seeing a Cloudflare-protected IDN targeting the Binance "smartchain" minucoin: xn--minucin-gx4c[.]com (minucọin[.]com) A Namecheap-registered, Limenet-hosted IDN impersonating fedex: xn--fdx-krab[.]com (fėdėx[.]com) #threatintel
Also seeing a Cloudflare-protected IDN targeting the Binance "smartchain" minucoin:
xn--minucin-gx4c[.]com (minucọin[.]com)
A Namecheap-registered, Limenet-hosted IDN impersonating fedex:
xn--fdx-krab[.]com (fėdėx[.]com)
#threatintel
neurovagrant, 27 days ago This is a neat one. Not an IDN, but thanks to the fine folks at Squarespace: maersk-internal[.]com Something tells me Maersk isn't running internal software on... Squarespace. (A reminder that Maersk is one of the most-impersonated brands out there, along with Fedex). #threatintel
This is a neat one. Not an IDN, but thanks to the fine folks at Squarespace:
maersk-internal[.]com
Something tells me Maersk isn't running internal software on... Squarespace.
(A reminder that Maersk is one of the most-impersonated brands out there, along with Fedex).
neurovagrant, 27 days ago (edited 27 days ago) Seeing an actor register a bunch of domains through OwnRegistrar, protected by Cloudflare, that contain both "okta" and "segment" - several are already marked as active phishing sites. gateway-okta-segment[.]com segment-okta-gateway[.]com segment-okta-portal[.]co segment-okta-access[.]com segment-okta-portal[.]com #threatintel
Seeing an actor register a bunch of domains through OwnRegistrar, protected by Cloudflare, that contain both "okta" and "segment" - several are already marked as active phishing sites.
gateway-okta-segment[.]com segment-okta-gateway[.]com segment-okta-portal[.]co segment-okta-access[.]com segment-okta-portal[.]com
neurovagrant, 27 days ago Also seeing a cluster of Namesilo registrations of okta-company or company-okta domains and similar. okta-keap[.]com and keap-okta[.]com (small biz CRM) okta-plaid[.]com and plaid-okta[.]com (payments) astranis-okta[.]app (satcom) bizzabo-okta[.]com (event mgmt) adasupport-okta[.]com and okta-adasupport[.]com (cust service platform) okta-verified[.]com #threatintel
Also seeing a cluster of Namesilo registrations of okta-company or company-okta domains and similar.
okta-keap[.]com and keap-okta[.]com (small biz CRM)
okta-plaid[.]com and plaid-okta[.]com (payments)
astranis-okta[.]app (satcom)
bizzabo-okta[.]com (event mgmt)
adasupport-okta[.]com and okta-adasupport[.]com (cust service platform)
okta-verified[.]com
neurovagrant, 27 days ago Gotta go do SecOps stuff now. Lots and lots of badness out there, y'all be careful! (And as always, hit up @DomainTools if you're looking to see what's out there or protect your brand.)
Gotta go do SecOps stuff now. Lots and lots of badness out there, y'all be careful!
(And as always, hit up @DomainTools if you're looking to see what's out there or protect your brand.)
Add comment