EKFiddle

160 posts

EKFiddle

@EKFiddle

An extension/rules for the Fiddler Classic and Fiddler Everywhere web debuggers | Tweets by @malwareinfosec

Fiddler Katılım Ocak 2017

1 Takip Edilen1.1K Takipçiler

EKFiddle@EKFiddle·8 Eki

Added 'Mag_cache' skimmer detection to EKFiddle (ref: twitter.com/MBThreatIntel/…) Rules for Fiddler Classic and Fiddler Everywhere: github.com/malwareinfosec…

ThreatDown@Threat_Down

ℹ️ We found a #Magecart skimmer that was new to us via @urlscanio ➡️ Seen ITW and tagged by @sansecio: #transactions" target="_blank" rel="nofollow noopener">urlscan.io/result/9d8b406… ➡️ Exfiltrates data via: gs27usa[.]com/translations/tw/mails.php ➡️ Raw: github.com/MBThreatIntel/… ➡️ Beautified: github.com/MBThreatIntel/…

English

EKFiddle@EKFiddle·1 Eki

ℹ️ Updated FakeUpdates/SocGholish rules for both Fiddler Classic and Fiddler Everywhere ➡️ github.com/malwareinfosec…

English

EKFiddle@EKFiddle·6 Eyl

#FakeUpdates .breatheinnew[.]life .roles.thepowerofgodswhisper[.]com 77.91.127[.]52

English

EKFiddle@EKFiddle·13 Ağu

💡 The latest update for #FiddlerEverywhere adds a similar feature known as the 'TextWizard' in Fiddler Classic. ➡️ Select a string and right-click 'Decode Selection'

English

EKFiddle@EKFiddle·13 Tem

ℹ️ It looks like the SSL certificate for maps .windows .com (Bing maps) expired 2 days ago

English

EKFiddle@EKFiddle·12 Tem

💡 New version of Fiddler Everywhere adds horizontal view mode.

English

EKFiddle@EKFiddle·7 Tem

#EKFiddle rules updates for a couple of #Magecart skimmers (greatz/Magneto) github.com/malwareinfosec…

English

EKFiddle@EKFiddle·5 Tem

New #Magecart domain jsconfigur[.]net ➡️ JavaScript: jsconfigur[.]net/js/config.js ➡️ Exfiltration: jsconfigur[.]net/configure/collecting.php

English

EKFiddle@EKFiddle·5 Tem

@CTI_Marc Blog: blog.malwarebytes.com/threat-intelli… mousemove: twitter.com/sansecio/statu…

Sansec@sansecio

⚠️ New malicious domain found in use: quickespark[.net This malware loads only when a user interacts with the infected #ecommerce store, using 'onmousemove' and 'ontouchstart'. Full URL: hxxps://cdn[.quickespark[.net/static/base[.js

English

Marc@CTI_Marc·5 Tem

@EKFiddle Do you have any publication for this antisandbox cluster ?

English

EKFiddle@EKFiddle·4 Tem

New hostnames related to the 'Anti-sandbox' #Magecart skimmer js[.]knowledgecdn[.]org m[.]sale-alerts[.]com s[.]geotac[.]net 185.253.33[.]176 185.63.190[.]141 89.108.109[.]26

English

EKFiddle@EKFiddle·5 Tem

#Magecart exfiltration with image (hash: ad7f76306b7deced1aea2cafb9e0cdfd00716ba713b382a079c7d743a396cf87) links to previous Porkbun infrastructure. dxloc[.]buzz dylorean[.]cyou 141.98.82[.]244 5.188.62[.]10

English

EKFiddle@EKFiddle·30 Haz

💡 #EKFiddle tip ➡️ Flag traffic by IP address with exact match or regular expression. Works for both Fiddler Classic and Fiddler Everywhere

English

EKFiddle@EKFiddle·30 Haz

@PaulWebSec @pancak3lullz Depends what exactly you need it for, but EKFiddle can parse the page content in real time and find patterns that you can define as well

English

Paul Sec.jpeg .exe@PaulWebSec·30 Haz

@pancak3lullz @EKFiddle Interesting, I will check this and meanwhile, I heard about Lighthouse which is built-in Chrome, works like a charm!

English

Paul Sec.jpeg .exe@PaulWebSec·30 Haz

Hey tweeps, any recommendation for a tool to analyze web page loading? (and not web inspector from the browser itself)

English

EKFiddle@EKFiddle·29 Haz

Late to the game, but #EKFiddle detection for CVE-2022-30190 (Follina) added. github.com/malwareinfosec…

English

EKFiddle@EKFiddle·29 Haz

Seeing a lot of 'Bom' #Magecart infections right now. Injections in compromised stores are located before the </head> tag. Article on Bom skimmer: community.riskiq.com/article/743ea7… IOCs: apfeltee[.]de www.usaayurveda[.]com

English

EKFiddle@EKFiddle·27 Haz

Fake slideshow #Magecart skimmer (ref: twitter.com/AffableKraut/s…) ➡️ Skimmer JS: code2a[.]com/js/lib/translate.js ➡️ Exfiltration: bsvholdingsa[.]com

Eric Brandel@AffableKraut

This skimmer is really pretty convincing that it's nothing malicious. Looks like it's a slideshow or something.

Dansk

EKFiddle@EKFiddle·24 Haz

New #Magecart domain contactsform[.]com ➡️ Skimmer loaded inside GIF image ➡️ Exfiltration via WebSocket Related to this twitter.com/unmaskparasite…

Denis@unmaskparasites

Another skimmer with HTTP and WSS exfils found in DB of a WordPress site (the malware loaded JS from a fake .png file). hxxps://appcloudflare[.com/app/ wss://livehotjars[.com/api/v2/client/ws Re: twitter.com/unmaskparasite…

English

EKFiddle@EKFiddle·24 Haz

'Mirasvit' Magecart skimmer. Maybe tied to exploitation of the Mirasvit plugin? ➡️ Exfiltration: hubberstore[.]com

English

EKFiddle@EKFiddle·23 Haz

'Recaptcha' Magecart skimmer ➡️ JavaScript: cafeunido[.]com/pub/media/flag/flag.js candlemaking[.]com/media/email/logo/default/az1.js ➡️ Exfiltration: cafeunido[.]com/pub/errors/default/403.php ariaperfume[.]com/errors/default/403.php

English

EKFiddle@EKFiddle·23 Haz

New 'Bom' Magecart skimmer domain (compromised site) ➡️ apfeltee[.]de/js/prototype/form.js Regexes for Fiddler Classic/Everywhere available at: github.com/malwareinfosec…

English

Keşfet

@CTI_Marc @PaulWebSec @pancak3lullz @elonmusk @BarackObama @taylorswift13 @cristiano @BillGates