OneCert Cyber Security

@Namecheap Observes, writes 2 km of text, but does not take action to combat phishing.

@Namecheap #phishing and #malware attack against Saham Edalat Domain: jetvib[.]com hXXps://jetvib[.]com/Source/dashbord/ User agent: Android Proxy: Iran Payload URLs: hXXps://jetvib[.]com/Source/dashbord/app.apk @Namecheap

#phishing and #malware attack against Saham Edalat Domain: specbest[.]com hXXps://specbest[.]com/Source/dashbord/ User agent: Android Proxy: Iran Payload URLs: hXXps://specbest[.]com/Source/dashbord/app.apk @Namecheap

@Namecheap #phishing and #malware attack against Saham Edalat Domain: rowata[.]com hXXps://rowata[.]com/Source/dashbord/ User agent: Android Proxy: Iran Payload URLs: hXXps://rowata[.]com/Source/dashbord/app.apk @Namecheap

@NDA0E @Namecheap Spot on!

@onecert_ir @Namecheap Similar phishing: hXXps://45[.]147[.]230[.]41/ hXXp://sana-ir.wicaso6530[.]workers[.]dev/ Malware payloads: https://45[.]147[.]230[.]41/app.apk hXXps://github[.]com/iosyu01/okdash/raw/main/assets/eblagh.apk Samples: bazaar.abuse.ch/browse/tag/San…

#phishing and #malware attack against Electronic Judicial Services System Iran Domain: engljsh[.]com hXXps://tci-adsl.[.]engljsh[.]com/anon User agent: Android Proxy: Iran @Namecheap

#phishing and #malware attack against Electronic services of the Iranian government Domain: whiii[.]me hXXps://adi[.]whiii[.]me User agent: Android Proxy: Iran Payload URLs: hXXps://adi[.]whiii[.]me/app[.]apk @spaceship @Namecheap

#phishing and #malware attack against Electronic Judicial Services System Iran Domain: irav[.]org hXXps://au[.]irav[.]org/ User agent: Android Proxy: Iran Payload URLs: hXXps://au[.]irav[.]org/%F0%9D%90%9C%E2%80%8C%E2%80%8C/getapk[.]php @Namecheap

@NDA0E @banthisguy9349 It's a variant of #IRATA. By impersonating an Iranian bank, they deceive clients and drain their bank accounts through phishing hosted on IRATA. The APKs used in this operation are designed to intercept the victims' banking 2FA codes. onecert.ir/portal/blog/ir…

cc: @onecert_ir @banthisguy9349

As for now, the 10 active domains are delivering the same #GossRAT payload. URLhaus: urlhaus.abuse.ch/browse/tag/Gos… Mellat.apk: bazaar.abuse.ch/sample/b97dfd2…

@HostPapa @ColoCrossing We are still waiting to receive a response from you, but so far, nothing!

@onecert_ir @ColoCrossing Greetings, I've notified our Abuse team to further investigate and update you on the previously mentioned ticket. Thanks!

@HostPapa How do you handle #phishing and #malware campaigns? and how does your team respond to reports of abuse? why do you close our ticket without any response how can a server use over 550 malicious domains, and your team overlook it? #irata

@HostPapa @ColoCrossing We still have not received any response from your team!

@HostPapa @ColoCrossing You haven't responded to our emails since March 30th! What kind of support is this? Why are abuse emails not important to you?

@onecert_ir @ColoCrossing Alternatively, you may send us an email at support@hostpapasupport.com. Kindly put this ticket ID: 9586448 in the subject line. Looking forward to your email, thank you!

#phishing and #malware attack against Saham Edalat Iran Domain: maaeshyti[.]click hXXps://maaeshyti.click/z‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌ User agent: Android Proxy: Iran Payload URLs: hXXps://maaeshyti.click/z‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌‌/app.apk @Namecheap

#phishing #malware attack against Saham Edalat Domain: amirkhan[.]rest hXXp://wweb.amirkhan.rest/%F0%9D%90%9C%E2%80%8C%E2%80%8C%E2%80%8C/dashbord/ Payload URLs hXXp://wweb.amirkhan.rest/%F0%9D%90%9C%E2%80%8C%E2%80%8C%E2%80%8C/%D9%85%D8%B9%D9%8A%D8%B4%D8%AA%DB%92.apk @Namecheap

#phishing and #malware attack against Electronic Judicial Services System Iran Domain: tuxne[.]org hXXps://tuxne.org/%F0%9D%90%9C%E2%80%8C%E2%80%8C User agent: Android Proxy: Iran Payload URLs: hXXps://tuxne.org/app.apk @Namecheap

#phishing and #malware attack against Saham Edalat Iran Domain: eidaneh[.]org hXXp://eidaneh.org/%f0%9d%90%9c/ hXXp://eidaneh.org/%f0%9d%90%9c/Mellat/start.php Payload URLs: hXXps://eidaneh.org/%f0%9d%90%9c/Files/app.apk @Namecheap

@OVHcloud @ovh_support_en @OVHcloud_FR @ovh_support_fr abuse report #XZGQHTCLMN

If you're considering engaging in phishing activities, we suggest using @OVHcloud for hosting. they have consistently shown disregard for abuse reports and exhibit a lack of commitment to closing them. It's disheartening that ovh appears indifferent towards enabling cybercrime.

#phishing and #malware attack against Saham Edalat Domain: kalobarg[.]com hXXp://kalobarg.com/ User agent: Android Proxy: Iran @Namecheap

#phishing and #malware attack against Saham Edalat Domain: shm1402[.]com hXXp://shm1402.com/ User agent: Android Proxy: Iran @Namecheap