Microsoft Published A List Of Phishing Domains Part Of New Credential Phishing Campaign
Open Redirect Vulnerability | Credential Phishing Campaign

Microsoft has disclosed a new credential phishing campaign that abuses open redirect links to slip past email security controls, and has published a long list of domains actively used in it. The size of that list shows how much the adversaries have invested in the campaign. This post walks through how the attack works and reproduces the listed domains so defenders can use them.

Phishing remains one of the most prevalent and effective social engineering techniques. It usually serves one of two goals: harvesting credentials, or delivering malware to the victim’s machine as a foothold for further attacks. In this campaign the attackers relied on a widely available trick, open redirect links, to get their phishing emails past security controls and into the victim’s inbox.

What Is An Open Redirect Vulnerability?

An open redirect exists when a web application takes a URL from user-controlled input (typically a query parameter) and redirects the browser to it without checking where it points. If an attacker can supply an arbitrary destination, such as a credential-harvesting page, the application will send its own users there under the cover of its own trusted domain. That is the open redirect vulnerability.

Fig #1: Open Redirect Vulnerability (By Microsoft Research Team)

The figure shows an open redirect in use. The attacker placed a domain-generation algorithm (DGA) domain, c-hi[.]xyz, in the redirect parameter of a URL on a trusted domain. A user who hovers over the link sees the trusted domain at the front of the URL and assumes it is safe; clicking it sends the browser to the malicious domain named in the parameter.
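To make the vulnerability concrete, here is the redirect handler pattern described above written out in Python alongside a hardened version. This is an added example for this post, not code from Microsoft’s report or from any real product; the `?url=` parameter, the `trusted.example` host and the request URLs are hypothetical (c-hi.xyz is the domain from Fig #1). The hardened version also covers the common filter bypasses a pentester would try against a naive fix: protocol-relative `//host`, backslashes, userinfo tricks, non-http schemes and `////host`.

```python
"""Open redirect: the vulnerable handler beside a hardened one.

Added example for this post; it is not code from Microsoft's report or from
any real product. The ``?url=`` parameter, the host names and the request
URLs used with it are hypothetical (c-hi.xyz is the domain from Fig #1).
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

TRUSTED_HOST = "trusted.example"  # hypothetical: the site that hosts the redirector


def _requested_target(request_url: str) -> str:
    """Value of the ``url`` query parameter, percent-decoded once, or ''."""
    return parse_qs(urlsplit(request_url).query).get("url", [""])[0]


def vulnerable_redirect(request_url: str) -> str:
    """The bug: the browser is sent wherever ``url=`` says, no questions asked."""
    return _requested_target(request_url) or "/"


def safe_redirect_target(request_url: str, fallback: str = "/") -> str:
    """Return a same-origin path to redirect to, or ``fallback``.

    Handles the usual bypasses of naive fixes: other hosts, protocol-relative
    ``//host``, backslashes (browsers treat a backslash as a slash), userinfo
    tricks (``trusted.example@evil``), non-http schemes and ``////host``.
    """
    raw = _requested_target(request_url)
    # Normalise backslashes first so "/\evil.example" parses as "//evil.example".
    parts = urlsplit(raw.replace("\\", "/"))
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, ...
    # .hostname strips userinfo and port and lowercases, so
    # "https://trusted.example@evil.example/" yields "evil.example".
    if parts.netloc and parts.hostname != TRUSTED_HOST:
        return fallback
    # Rebuild as a relative path on our own origin. Collapsing leading
    # slashes matters: "////evil.example" parses with an empty netloc and
    # a path of "//evil.example", which a browser would treat as a host.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

The safe version never echoes the caller’s host back: anything that survives the checks is rebuilt as a path on the site’s own origin. The stricter alternative, when you control the callers, is to accept an opaque identifier that is looked up in a server-side table of allowed destinations instead of a URL at all.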

Why Do Attackers Use Open Redirect Vulnerabilities To Run Credential Phishing Campaign?

Open redirect links are common in legitimate business use. Sales and marketing teams embed them in emails to route customers to a chosen landing page while tracking clicks, so recipients and mail filters are used to seeing them. Threat actors abuse the same feature: the link points at a trusted domain, and the malicious destination is tucked into a parameter.

This is what lets the email reach the inbox. When the malicious URL rides inside a parameter of a legitimate URL, a filter that evaluates only the primary (outer) domain sees a reputable host and lets the message through; it never inspects the destination embedded in the parameter. Reputation checks therefore have to be applied to the final destination of the redirect, not just to the domain the link starts with.
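The following added example (mine, not Microsoft’s or the original post’s) shows what a filter has to do instead: follow the URLs nested inside query parameters, without making any network request, and return the chain of hosts so reputation checks can be run on the last one. It also peels repeated percent-encoding, which attackers use to hide the inner URL from a single-pass decoder. The hosts other than c-hi.xyz (from Fig #1) are hypothetical.

```python
"""Find the real destination hidden inside an open-redirect link.

Added example for this post, not code from Microsoft's report or any
product. It follows URLs nested in query parameters without making any
network request, so a mail filter can apply reputation checks to the host
the user will actually land on. Hosts other than c-hi.xyz (from Fig #1)
are hypothetical.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Absolute or protocol-relative URL, after percent-decoding.
_URL_LIKE = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)


def _embedded_urls(url: str) -> list:
    """URL-looking query parameter names and values, least-decoded form first.

    parse_qsl already decodes one layer; attackers sometimes encode the
    inner URL two or three times, so keep peeling until it looks like a URL
    or stops changing. Names are checked too, for redirectors of the form
    ``/r?https://target`` that take the target without a key.
    """
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for candidate in (name, value):
            for _ in range(4):
                if _URL_LIKE.match(candidate):
                    found.append(candidate.strip())
                    break
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
    return found


def redirect_chain(url: str, limit: int = 8) -> list:
    """Hosts from outermost to innermost, e.g. ['trusted.example', 'c-hi.xyz'].

    A filter that stops at chain[0] sees only the reputable redirector.
    """
    chain = []
    queue = [url]
    while queue and len(chain) < limit:
        current = queue.pop(0)
        host = urlsplit(current).hostname  # lowercased, no port or userinfo
        if host:
            chain.append(host)
        queue.extend(_embedded_urls(current))
    return chain


def final_destination(url: str) -> str:
    """The host the browser ends up on; '' if none could be parsed."""
    chain = redirect_chain(url)
    return chain[-1] if chain else ""
```

Run `redirect_chain()` over every link in a message and feed every host it returns, not just the first, into your URL reputation and DGA checks. Note that this is static analysis of the link itself; redirectors that resolve an opaque token server-side cannot be unwrapped this way and need a sandboxed fetch instead.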

How Does This New Credential Phishing Attack Work?

Fig #2: Attack chain for the open redirect phishing campaign (By Microsoft Research Team)
  1. Attackers send phishing emails: The campaign starts with emails to the victims. According to the report, the email content followed a consistent pattern across the campaign:
    1. The body of the email is placed inside a box.
    2. The email carries a large button whose open redirect link takes the victim to the credential-harvesting page.
    3. The subject line is most likely generated from the recipient’s domain and a timestamp.
  2. Users are tricked into clicking the open redirect link: hovering over the button shows a full URL that looks legitimate, because the attackers built the open redirect through a legitimate service. The phishing URL is embedded in a parameter of that link.
  3. The phishing page presents a reCAPTCHA check: following the crafted link redirects the user to the attacker’s site, which first shows a Google reCAPTCHA challenge. The challenge stops automated email security scanners from reaching and analyzing the page behind it.
  4. Users see a fake login page and enter their credentials: after the reCAPTCHA, the victim is shown a fake login page impersonating the legitimate site. The page is prepopulated with the victim’s email address to look more convincing. Adversaries can apply the same prepopulation trick to pages that imitate single sign-on (SSO) logins.
  5. Credentials are compromised: when the victim submits credentials, the page returns an error claiming the session timed out or the password was incorrect, so the victim types them a second time and the attacker gets a confirmed copy. After the second submission, the page redirects to the legitimate Sophos website, which states that the message has been released. With the harvested credentials the attackers can move on to further attacks.

How To Prevent Credential Phishing Attacks And Open Redirect Vulnerabilities?

The best ways to avoid becoming a victim of a phishing campaign are:

  1. Educate yourself: the first layer of protection is knowing how phishing works. Learn to recognise the techniques so you do not become the campaign’s next victim.
  2. Use anti-phishing toolbars and security solutions: a good anti-phishing solution is worth paying for; the simplest step is an anti-phishing toolbar or extension in the browser.
  3. Don’t click links from untrusted sources. Check the grammar of the email and the spelling of the URL before clicking, and report phishing emails or links to your security team or anti-phishing solution where possible.
  4. Don’t open attachments from unknown senders. Verify the email headers with tools such as MXToolBox.
  5. Use layered security tooling: antivirus, network intrusion detection, firewalls, URL filtering, spam filters, and ad blockers each catch some classes of phishing.
  6. Rotate passwords regularly and use strong, unique passwords.
  7. Enable multi-factor authentication (MFA).
  8. If you operate a redirect endpoint, do not accept an arbitrary URL: validate the destination against an allowlist of your own hosts, or replace the URL parameter with an opaque identifier that is resolved server-side, so your domain cannot be used as the trusted front of someone else’s phishing link.

List Of Phishing Domains Which Are Part Of New Credential Phishing Campaign:

Patterns Of Secondary (Redirect Target) Domains:

The secondary domains placed in the redirect parameter most likely follow a domain-generation algorithm (DGA) pattern and use the .xyz, .club, .shop, and .online TLDs:

  • [letter]-[letter][letter].xyz
  • [letter]-[letter][letter].club

Secondary Domains:

Some of the secondary domains captured in the crafted open redirect links are:

  • c-tl[.]xyz
  • a-cl[.]xyz
  • j-on[.]xyz
  • p-at[.]club
  • i-at[.]club
  • f-io[.]online

Sender Domains:

The adversaries sent from a wide range of domains, which fall into these groups:

  • Attacker-owned DGA domains
  • Compromised legitimate domains
  • Domains ending in .co.jp
  • Free email domains

Patterns Of Sender Domains:

  • [word or string of characters]-[word][number], incrementing by one, for example: masihtidur-shoes08[.]com
  • [number][word or string of characters]-[number], incrementing by one, for example: 23moesian-17[.]com
  • [word][word][number], incrementing by one, for example: notoficationdeliveryamazon10[.]com
  • [word or letters][number]-[number], incrementing by one, for example: dak12shub-3[.]com
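Turning the patterns above into something a mail gateway can run, as an added example for this post (my code, not Microsoft’s): the page gives the secondary-domain pattern and the four sender-domain shapes in prose, so the regular expressions below are my approximation of them and are deliberately loose. The sender shapes assume .com and .net, the only TLDs among the listed sender domains. The sample benign domains (contoso.example, mail.example.org, office365.com) are my own additions; the indicator domains are taken from this page.

```python
"""Match domains against the naming patterns published for this campaign.

Added example for this post. The page gives the patterns in prose, not as
regular expressions; the regexes below are my approximation of them and are
deliberately loose. Only .com and .net appear among the listed sender
domains, so those are the TLDs assumed for the sender shapes. The benign
domains used in the accompanying checks (contoso.example, mail.example.org,
office365.com) are my own additions.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Secondary (redirect-target) domains: [letter]-[letter][letter] on the TLDs the report names.
SECONDARY_DGA = re.compile(r"^[a-z]-[a-z]{2}\.(?:xyz|club|shop|online)$")

# Sender-domain shapes, in the order the report lists them. A regex cannot
# tell a "word" from a "string of characters", so each shape is a superset.
SENDER_SHAPES = [
    ("word-word+number",   re.compile(r"^[a-z0-9]+-[a-z]+\d+\.(?:com|net)$")),  # masihtidur-shoes08
    ("number+word-number", re.compile(r"^\d+[a-z]+-\d+\.(?:com|net)$")),        # 23moesian-17
    ("wordword+number",    re.compile(r"^[a-z]+\d+\.(?:com|net)$")),            # notoficationdeliveryamazon10
    ("word+number-number", re.compile(r"^[a-z]+\d+[a-z]*-\d+\.(?:com|net)$")),  # dak12shub-3
]


def refang(domain: str) -> str:
    """Normalise a domain as printed in reports: 'c-tl[.]xyz' -> 'c-tl.xyz'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def classify(domain: str) -> Optional[str]:
    """'secondary-dga', 'sender:<shape>', or None if no pattern matches."""
    d = refang(domain)
    if SECONDARY_DGA.match(d):
        return "secondary-dga"
    for label, rx in SENDER_SHAPES:
        if rx.match(d):
            return "sender:" + label
    return None


def sender_domain(from_header: str) -> str:
    """Domain part of an RFC 5322 From header value, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def score_message(from_header: str, link_hosts: list) -> dict:
    """Enrichment for one message: which indicators matched, if any.

    Treat the result as a scoring input, not a verdict: the third sender
    shape also matches perfectly legitimate names such as office365.com,
    and some listed sender domains (gets25-amz[.]net) match none of the
    four shapes at all.
    """
    return {
        "sender": classify(sender_domain(from_header)),
        "links": {h: classify(h) for h in link_hosts},
    }
```

The `sender:wordword+number` shape is the noisy one; in a real rule it should add weight only in combination with another signal (an open redirect in the body, a secondary-DGA final destination, a first-seen sender domain). The `secondary-dga` match is far more specific and is the one worth alerting on by itself.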

Sender Domains:

Some of the captured sender domains that match the patterns above:

  • masihtidur-shoes08[.]com
  • masihtidur-shoes07[.]com
  • masihtidur-shoes04[.]com
  • bas9oiw88remnisn-14[.]com
  • masihtidur-shoes02[.]com
  • masihtidur-shoes01[.]com
  • wixclwardwual-updates9[.]com
  • romanseyilefreaserty0824r-4[.]com
  • wixclwardwual-updates8[.]com
  • wixclwardwual-updates7[.]com
  • wixclwardwual-updates6[.]com
  • securemanageprodio-04[.]com
  • wixclwardwual-updates5[.]com
  • wixclwardwual-updates10[.]com
  • wixclwardwual-updates1[.]com
  • suppamz2-piryshj01-9[.]com
  • zxcsaxb-good8[.]com
  • zxcsaxb-good6[.]com
  • zxcsaxb-good5[.]com
  • solution23-servviue-7[.]com
  • zxcsaxb-good4[.]com
  • zxcsaxb-good3[.]com
  • zxcsaxb-good10[.]com
  • solution23-servviue-27[.]com
  • trashxn-euyr9[.]com
  • trashxn-euyr7[.]com
  • trashxn-euyr6[.]com
  • solution23-servviue-9[.]com
  • trashxn-euyr5[.]com
  • trashxn-euyr3[.]com
  • trashxn-euyr20[.]com
  • solution23-servviue-17[.]com
  • trashxn-euyr2[.]com
  • trashxn-euyr19[.]com
  • trashxn-euyr18[.]com
  • solution23-servviue-30[.]com
  • trashxn-euyr17[.]com
  • trashxn-euyr16[.]com
  • trashxn-euyr15[.]com
  • solution23-servviue-10[.]com
  • trashxn-euyr14[.]com
  • trashxn-euyr12[.]com
  • trashxn-euyr11[.]com
  • solution23-servviue-24[.]com
  • trashxn-euyr10[.]com
  • trashxn-euyr1[.]com
  • berangberang-9[.]com
  • service-account-7243[.]com
  • berangberang-7[.]com
  • berangberang-12[.]com
  • berangberang-6[.]com
  • service-account-374567[.]com
  • notoficationdeliveryamazon8[.]com
  • berangberang-8[.]com
  • berangberang-3[.]com
  • gxnhfghnjzh809[.]com
  • berangberang-4[.]com
  • berangberang-10[.]com
  • berangberang-11[.]com
  • accountservicealert003[.]com
  • berangberang-13[.]com
  • berangberang-5[.]com
  • 77support-update23-4[.]com
  • care887-yyrtconsumer23-23[.]com
  • posher876ffffff-30[.]com
  • posher876ffffff-5[.]com
  • posher876ffffff-25[.]com
  • care887-yyrtconsumer23-26[.]com
  • fenranutc0x24ai-11[.]com
  • organix-xtc21[.]com
  • fenranutc0x24ai-13[.]com
  • laser9078-ter10[.]com
  • fenranutc0x24ai-4[.]com
  • fenranutc0x24ai-17[.]com
  • fenranutc0x24ai-18[.]com
  • hayalanphezor-3sit[.]com
  • adminsecurity102[.]com
  • adminsecurity101[.]com
  • 23moesian-17[.]com
  • ressstauww-6279-3[.]com
  • 23moesian-10[.]com
  • 23moesian-11[.]com
  • 23moesian-26[.]com
  • ressstauww-6279-7[.]com
  • 23moesian-19[.]com
  • 23moesian-2[.]com
  • cokils2ptys-3[.]com
  • ketiak-muser14[.]com
  • cokils2ptys-1[.]com
  • 23moesian-20[.]com
  • 23moesian-15[.]com
  • spammer-comingson01[.]com
  • 23moesian-18[.]com
  • 23moesian-16[.]com
  • sux71a37-net19[.]com
  • spammer-comingson05[.]com
  • sux71a37-net1[.]com
  • sux71a37-net25[.]com
  • sux71a37-net14[.]com
  • posidma-posidjar03[.]com
  • sux71a37-net18[.]com
  • sux71a37-net15[.]com
  • sux71a37-net12[.]com
  • tembuslah-bandar01[.]com
  • sux71a37-net13[.]com
  • sux71a37-net20[.]com
  • sux71a37-net11[.]com
  • tembuslah-bandar04[.]com
  • sux71a37-net27[.]com
  • sux71a37-net2[.]com
  • sux71a37-net21[.]com
  • tembuslah-bandar07[.]com
  • bimspelitskalix-xuer9[.]com
  • account-info005[.]com
  • irformainsition0971a8-net16[.]com
  • tembuslah-bandar10[.]com
  • bas9oiw88remnisn-12[.]com
  • bas9oiw88remnisn-27[.]com
  • bas9oiw88remnisn-26[.]com
  • solution23-servviue-23[.]com
  • bas9oiw88remnisn-11[.]com
  • bas9oiw88remnisn-10[.]com
  • bas9oiw88remnisn-5[.]com
  • hayalanphezor-7sit[.]com
  • bas9oiw88remnisn-13[.]com
  • bas9oiw88remnisn-1[.]com
  • bas9oiw88remnisn-7[.]com
  • solution23-servviue-15[.]com
  • bas9oiw88remnisn-3[.]com
  • bas9oiw88remnisn-20[.]com
  • bas9oiw88remnisn-8[.]com
  • suppamz2-piryshj01-6[.]com
  • bas9oiw88remnisn-23[.]com
  • bas9oiw88remnisn-24[.]com
  • bas9oiw88remnisn-4[.]com
  • solution23-servviue-16[.]com
  • bas9oiw88remnisn-25[.]com
  • romanseyilefreaserty0824r-2[.]com
  • romanseyilefreaserty0824r-1[.]com
  • romanseyilefreaserty0824r-5[.]com
  • sux71a37-net26[.]com
  • sux71a37-net10[.]com
  • sux71a37-net17[.]com
  • solution23-servviue-19[.]com
  • maills-activitymove02[.]com
  • maills-activitymove04[.]com
  • solution23-servviue-26[.]com
  • solution23-servviue-18[.]com
  • maills-activitymove01[.]com
  • copris7-yearts-6[.]com
  • copris7-yearts-9[.]com
  • solution23-servviue-13[.]com
  • copris7-yearts-5[.]com
  • copris7-yearts-8[.]com
  • copris7-yearts-37[.]com
  • solution23-servviue-4[.]com
  • securityaccount102[.]com
  • copris7-yearts-4[.]com
  • copris7-yearts-40[.]com
  • solution23-servviue-5[.]com
  • copris7-yearts-7[.]com
  • copris7-yearts-38[.]com
  • copris7-yearts-39[.]com
  • service-account-735424[.]com
  • romanseyilefreaserty0824r-6[.]com
  • rick845ko-3[.]com
  • rick845ko-2[.]com
  • service-account-764246[.]com
  • rick845ko-10[.]com
  • fasttuamz587-4[.]com
  • winb2as-wwersd76-19[.]com
  • xcfhjxfyxnhnjzh10[.]com
  • winb2as-wwersd76-4[.]com
  • winb2as-wwersd76-6[.]com
  • org77supp-minty662-8[.]com
  • care887-yyrtconsumer23-24[.]com
  • winb2as-wwersd76-18[.]com
  • winb2as-wwersd76-1[.]com
  • winb2as-wwersd76-10[.]com
  • care887-yyrtconsumer23-27[.]com
  • org77supp-minty662-9[.]com
  • winb2as-wwersd76-12[.]com
  • winb2as-wwersd76-20[.]com
  • laser9078-ter11[.]com
  • account-info003[.]com
  • account-info012[.]com
  • account-info002[.]com
  • hayalanphezor-6sit[.]com
  • laser9078-ter17[.]com
  • account-info011[.]com
  • account-info007[.]com
  • romanseyilefreaserty0824r-3[.]com
  • notoficationdeliveryamazon1[.]com
  • notoficationdeliveryamazon20[.]com
  • notoficationdeliveryamazon7[.]com
  • ressstauww-6279-10[.]com
  • notoficationdeliveryamazon17[.]com
  • notoficationdeliveryamazon12[.]com
  • contackamazon1[.]com
  • ressstauww-6279-1[.]com
  • notoficationdeliveryamazon6[.]com
  • notoficationdeliveryamazon5[.]com
  • notoficationdeliveryamazon4[.]com
  • ketiak-muser13[.]com
  • notoficationdeliveryamazon18[.]com
  • notoficationdeliveryamazon13[.]com
  • notoficationdeliveryamazon3[.]com
  • spammer-comingson02[.]com
  • notoficationdeliveryamazon14[.]com
  • gaplerr-xt5[.]com
  • posher876ffffff-29[.]com
  • spammer-comingson07[.]com
  • kenatipurecehkali-xt3[.]com
  • kenatipurecehkali-xt13[.]com
  • kenatipurecehkali-xt4[.]com
  • posidma-posidjar05[.]com
  • kenatipurecehkali-xt12[.]com
  • kenatipurecehkali-xt5[.]com
  • wtbwts-junet1[.]com
  • tembuslah-bandar02[.]com
  • kenatipurecehkali-xt6[.]com
  • hayalanphezor-2sit[.]com
  • hayalanphezor-1sit[.]com
  • tembuslah-bandar05[.]com
  • noticesumartyas-sc24[.]com
  • noticesumartyas-sc13[.]com
  • noticesumartyas-sc2[.]com
  • tembuslah-bandar08[.]com
  • noticesumartyas-sc17[.]com
  • noticesumartyas-sc22[.]com
  • noticesumartyas-sc5[.]com
  • organix-xtc18[.]com
  • noticesumartyas-sc4[.]com
  • noticesumartyas-sc21[.]com
  • noticesumartyas-sc25[.]com
  • bimspelitskalix-xuer7[.]com
  • appgetbox3[.]com
  • notoficationdeliveryamazon19[.]com
  • notoficationdeliveryamazon10[.]com
  • solution23-servviue-1[.]com
  • appgetbox9[.]com
  • appgetbox8[.]com
  • appgetbox6[.]com
  • solution23-servviue-25[.]com
  • notoficationdeliveryamazon2[.]com
  • appgetbox7[.]com
  • appgetbox5[.]com
  • solution23-servviue-11[.]com
  • notoficationdeliveryamazon23[.]com
  • appgetbox10[.]com
  • notoficationdeliveryamazon16[.]com
  • cokils2ptys-6[.]com
  • hvgjgj-shoes08[.]com
  • hvgjgj-shoes13[.]com
  • jgkxjhx-shoes09[.]com
  • solution23-servviue-8[.]com
  • hvgjgj-shoes15[.]com
  • hvgjgj-shoes16[.]com
  • hvgjgj-shoes18[.]com
  • suppamz2-piryshj01-1[.]com
  • hvgjgj-shoes20[.]com
  • hvgjgj-shoes12[.]com
  • jgkxjhx-shoes02[.]com
  • solution23-servviue-12[.]com
  • hvgjgj-shoes10[.]com
  • jgkxjhx-shoes03[.]com
  • hvgjgj-shoes11[.]com
  • solution23-servviue-20[.]com
  • hvgjgj-shoes14[.]com
  • jgkxjhx-shoes05[.]com
  • jgkxjhx-shoes04[.]com
  • solution23-servviue-14[.]com
  • hvgjgj-shoes19[.]com
  • jgkxjhx-shoes08[.]com
  • hpk02h21yyts-6[.]com
  • service-account-8457845[.]com
  • romanseyilefreaserty0824r-7[.]com
  • gets25-amz[.]net
  • gets30-amz[.]net
  • service-account-762441[.]com
  • gets27-amz[.]net
  • gets28-amz[.]net
  • gets29-amz[.]net
  • accountservicealert002[.]com
  • gets32-amz[.]net
  • gets3-amz[.]net
  • gets31-amz[.]net
  • bas9oiw88remnisn-15[.]com
  • noticesumartyas-sc19[.]com
  • noticesumartyas-sc23[.]com
  • noticesumartyas-sc18[.]com
  • care887-yyrtconsumer23-25[.]com
  • noticesumartyas-sc15[.]com
  • noticesumartyas-sc20[.]com
  • noticesumartyas-sc16[.]com
  • bimspelitskalix-xuer6[.]com
  • noticesumartyas-sc29[.]com
  • rick845ko-1[.]com
  • bas9oiw88remnisn-9[.]com
  • hayalanphezor-4sit[.]com
  • rick845ko-5[.]com
  • bas9oiw88remnisn-21[.]com
  • bas9oiw88remnisn-2[.]com
  • solution23-servviue-6[.]com
  • bas9oiw88remnisn-19[.]com
  • rick845ko-6[.]com
  • bas9oiw88remnisn-22[.]com
  • sytesss-tas7[.]com
  • bas9oiw88remnisn-17[.]com
  • bas9oiw88remnisn-16[.]com
  • adminmabuk103[.]com
  • hvgjgj-shoes01[.]com
  • account-info008[.]com
  • suppamz2-piryshj01-3[.]com
  • dak12shub-1[.]com
  • ketiak-muser15[.]com
  • securemanageprodio-02[.]com
  • securemanageprodio-05[.]com
  • securemanageprodio-01[.]com
  • spammer-comingson04[.]com
  • dak12shub-3[.]com
  • dak12shub-9[.]com
  • dak12shub-8[.]com
  • posidma-posidjar01[.]com
  • dak12shub-6[.]com
  • dak12shub-10[.]com
  • dak12shub-4[.]com
  • posidma-posidjar06[.]com
  • securemanageprodio-03[.]com
  • org77supp-minty662-7[.]com
  • winb2as-wwersd76-7[.]com
  • tembuslah-bandar03[.]com
  • org77supp-minty662-10[.]com
  • bimspelitskalix-xuer2[.]com
  • gets34-amz[.]net
  • tembuslah-bandar06[.]com
  • gets35-amz[.]net
  • service-account-7254[.]com
  • service-account-76357[.]com
  • tembuslah-bandar09[.]com
  • service-account-7247[.]com
  • account-info004[.]com
  • service-account-5315[.]com

Thanks for reading. This post collects the phishing domains actively used in this campaign in the hope that it helps raise awareness of credential phishing and gives defenders something concrete to block and hunt for.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
