@Namecheap I see AitM attacks against universities being set up at the following domain:
api-ac9fc019[.]pdxs[.]emconstruct[.]com
mfilssoas[.]pdxs[.]emconstruct[.]com
mycainstdi[.]pdxs[.]emconstruct[.]com
mycanvas[.]pdxs[.]emconstruct[.]com
sso[.]pdxs[.]emconstruct[.]com
@Namecheap I have identified phishing infrastructure being set up to attack universities at the following domain:
api-268194b0[.]uhhy[.]margofritz[.]com
lvoginucsc[.]uhhy[.]margofritz[.]com
myd2csc[.]uhhy[.]margofritz[.]com
ux-asset-commercial[.]uhhy[.]margofritz[.]com
@Namecheap I am observing infra setup for AitM attacks against universities.
api-ac9fc019[.]pddeop[.]icltextiles[.]com
mfilssoas[.]pddeop[.]icltextiles[.]com
mycainstdi[.]pddeop[.]icltextiles[.]com
mycanvas[.]pddeop[.]icltextiles[.]com
sso[.]pddeop[.]icltextiles[.]com
@Namecheap Hello Namecheap, this is phishing infrastructure through Evilginx. As a result, it cannot be viewed without the direct phishing URL. I have been tracking these attacks through CT logs; you can read more about it here: j027.net/hunting-evilgi….
@ThrowAw70207174 Hello)) It seems the reported content is no longer available at the links specified.
Please check it on your end and let us know if further assistance is required.
@Namecheap I am observing AitM attacks against universities using this domain.
api-ac9fc019[.]deop[.]icltextiles[.]com
mycanvas[.]deop[.]icltextiles[.]com
sso[.]deop[.]icltextiles[.]com
@Namecheap I am observing AitM attacks against universities using this domain.
api-529aed63[.]ucdr[.]cathcarttrucking[.]com
ssoucsb[.]ucdr[.]cathcarttrucking[.]com
ux-asset-commercial[.]ucdr[.]cathcarttrucking[.]com
@Namecheap
I am observing AitM phishing attacks against universities from this domain
api-529aed63[.]ucget[.]webschriften[.]com
ssoucsb[.]ucget[.]webschriften[.]com
ux-asset-commercial[.]ucget[.]webschriften[.]com
@Namecheap
I am observing AitM phishing attacks against universities from this Namecheap domain
api-529aed63[.]ucndn[.]erfolgscodes[.]com
ssoucsb[.]ucndn[.]erfolgscodes[.]com
ux-asset-commercial[.]ucndn[.]erfolgscodes[.]com
@Namecheap There's a tech support scam popup redirect at greengooutrr.com from Namecheap. Here's a screenshot showing this behavior. This behavior can only be reproduced from a residential IP in the US. Additionally, the domain of the popup is from Namecheap too.
@Namecheap The domain 3mkjeepoiiu.xyz from Namecheap redirects to a tech support scam popup when visited from a residential IP in the US. Here's a screenshot showing this behavior.