Fig.2 Phishing Email<\/em><\/p>\n <\/p>\n
In the above mail, shortened malicious URL is embedded which leads to a phishing attack.<\/p>\n
https[:]\/\/bit.ly\/3l2vkND<\/b><\/strong><\/p>\nThis bitly URL redirects the user to another phishing website-<\/p>\n
URL: \u00a0https[:]\/\/webdomainsrvcs.com<\/b><\/strong><\/p>\n <\/p>\n
Information about the above URL and their respective:<\/b><\/strong><\/p>\nURL:<\/strong>\u00a0\u00a0https[:]\/\/webdomainsrvcs.com<\/p>\n\n- IP: <\/strong>105.65.125<\/li>\n
- Server Type: <\/strong>Apache<\/li>\n
- Country: <\/strong>Russia<\/li>\n
- City: <\/strong>Moscow<\/li>\n
- ISP: <\/strong>HOSTKEY B.V.<\/li>\n
- Organization: <\/strong>LLC Server v arendy (hostkey.ru)<\/li>\n<\/ul>\n
\u00a0<\/b><\/strong><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture3-300x174.png\")
<\/p>\n
Fig.3 Phishing Site<\/em><\/p>\n <\/p>\n
This redirected website asks the victim to fill in some basic information like Domain name, Email address, Phone Number, and Digital signature, as shown below.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture4-300x195.png\")
<\/p>\n
\u00a0\u00a0\u00a0Fig.4 User Info page<\/em><\/p>\n <\/p>\n
After submitting details in the given form and clicking on submit button, it redirects to a page that will show some plans for domain renewal.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture5-300x165.png\")
<\/p>\n
\u00a0\u00a0Fig.5: \u00a0Domain renewal plans<\/em><\/p>\n <\/p>\n
After clicking on PAY NOW<\/b><\/strong>\u00a0on any of the plans this page redirects the user to the payment page (PayPal).<\/p>\n <\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture6-300x158.png\")
<\/p>\n
\u00a0\u00a0\u00a0\u00a0Fig.6: \u00a0Payment page<\/em><\/p>\n <\/p>\n
VT Graph<\/b><\/strong><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture7-300x169.png\")
<\/p>\n
Fig.7 VT Graph<\/em><\/p>\n <\/p>\n
Here, we can see the Root node<\/b><\/strong>\u00a0https[:]\/\/bit.ly\/3l2vkND is communicating with the malicious files.<\/p>\n <\/p>\n
How Can We Catch and Avoid Falling for these types of Phishing Scams?<\/b><\/strong><\/h2>\n\n- <\/b>Validate Links and Attachment: <\/b><\/strong>Don’t click and open any Link and attachments attached in Mail validate it, then open it.<\/li>\n
- <\/b>Set up Auto-renewal: <\/b><\/strong>Use domain name auto-renewal services. So, you can ignore all renewal mails, which might be Phishing mail.<\/li>\n
- <\/b>Use Registrar\u2019s website: <\/b><\/strong>Renew your domain name through the official registrar\u2019s website only.<\/li>\n
- <\/b>Registration information: <\/b><\/strong>Use Domain privacy protection. It\u2019s worth it.<\/li>\n<\/ul>\n
<\/p>\n
IOCs:<\/b><\/strong><\/p>\nShort URLs: <\/b><\/strong>These Shorten bit.ly<\/b><\/strong>\u00a0URLs redirect to the below given malicious URLs.<\/p>\n\n- https[:]\/\/bit.ly\/3l2vkND<\/li>\n
- https[:]\/\/bit.ly\/38sIQVM<\/li>\n
- https[:]\/\/bit.ly\/2PSyhVH<\/li>\n
- https[:]\/\/bit.ly\/3raUDj5<\/li>\n
- https[:]\/\/bit.ly\/3qDXcc6<\/li>\n
- https[:]\/\/bit.ly\/38tbshO<\/li>\n
- https[:]\/\/bit.ly\/3pNezHb<\/li>\n<\/ul>\n
\u00a0<\/b><\/strong><\/p>\nMalicious URLs:<\/b><\/strong><\/p>\n\n- http[:]\/\/domainsrvcsexpiry.com\/<\/li>\n
- https[:]\/\/domainsrvcsexpiry.com\/03\/09\/2021be<\/li>\n
- http[:]\/\/domainsrvcsexpiry.com\/03\/09\/2021bj\/<\/li>\n
- https[:]\/\/domainsrvcsexpiry.com\/03\/09\/2021ae<\/li>\n
- http[:]\/\/domainsrvcsexpiry.com\/03\/09\/2021ab<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Have you received an email notification that your domain is about to expire? Most website owners have. But do you pay close attention to who it is from and the renewal fee? If not, you may be throwing money away to a scammer. Quick Heal Security Labs has recently come across a phishing scam related […]<\/p>\n","protected":false},"author":90,"featured_media":90126,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,24],"tags":[1838,1837,1839,49,25],"class_list":["post-90084","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-malware","tag-domain","tag-domainname","tag-expiration","tag-malware","tag-phishing"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90084"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/90"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90084"}],"version-history":[{"count":19,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90084\/revisions"}],"predecessor-version":[{"id":91459,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90084\/revisions\/91459"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90126"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture1-300x234.png\")
Fig. 1 Phishing attack flow<\/em><\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Picture2-1-300x154.png\")
<\/p>\n