627 lines
No EOL
21 KiB
JSON
627 lines
No EOL
21 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-02-02",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society",
|
|
"publish_timestamp": "1486051007",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1486041224",
|
|
"uuid": "589327e5-227c-4236-a9b8-fafc950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#326300",
|
|
"local": "0",
|
|
"name": "circl:incident-classification=\"phishing\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039206",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "589328a6-8f58-41b7-861e-a72f950d210f",
|
|
"value": "Egyptian NGOs are currently being targeted by Nile Phish, a large-scale phishing campaign.\r\nAlmost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, at ich has been referred to as an \u00e2\u20ac\u0153unprecedented crackdown\u00e2\u20ac\u009d on Egypt\u00e2\u20ac\u2122s civil society.\r\nNile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039223",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "589328b7-3598-41f9-a503-4837950d210f",
|
|
"value": "https://citizenlab.org/2017/02/nilephish-report/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039319",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932917-4064-4830-a6d1-4b19950d210f",
|
|
"value": "account-google.serveftp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039320",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932918-a200-4e93-a634-4275950d210f",
|
|
"value": "aramex-shipping.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039320",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932918-e458-4a3c-9244-4e2e950d210f",
|
|
"value": "device-activation.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039321",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932919-39a8-49e9-9164-4c48950d210f",
|
|
"value": "dropbox-service.serveftp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039322",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291a-1d70-4170-ba53-4576950d210f",
|
|
"value": "dropbox-sign.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039322",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291a-ac08-45da-aa57-402e950d210f",
|
|
"value": "dropboxsupport.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039323",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291b-db6c-490a-8b6e-4def950d210f",
|
|
"value": "fedex-mail.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039324",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291c-1148-4945-980f-4287950d210f",
|
|
"value": "fedex-shipping.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039325",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291d-78e8-44ba-9d5c-4911950d210f",
|
|
"value": "fedex-sign.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039325",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291d-7a60-4659-8fe1-4d85950d210f",
|
|
"value": "googledriver-sign.ddns.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039326",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291e-295c-4d72-861f-4ff8950d210f",
|
|
"value": "googledrive-sign.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039327",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893291f-c728-420e-91fe-42bd950d210f",
|
|
"value": "google-maps.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039328",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932920-35b8-4f43-b2fd-43f2950d210f",
|
|
"value": "googlesecure-serv.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039328",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932920-d574-4b73-9d56-4c92950d210f",
|
|
"value": "googlesignin.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039329",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932921-7ed4-4b05-a967-4b08950d210f",
|
|
"value": "googleverify-signin.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039330",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932922-3680-4989-bf29-426e950d210f",
|
|
"value": "mailgooglesign.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039330",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932922-c80c-4b4d-93c7-4b70950d210f",
|
|
"value": "myaccount.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039331",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932923-1d14-4cac-84a1-4c8b950d210f",
|
|
"value": "secure-team.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039332",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932924-1f3c-4ff0-b00c-4083950d210f",
|
|
"value": "security-myaccount.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039333",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932925-28dc-4dfc-b72c-4a79950d210f",
|
|
"value": "verification-acc.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039333",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932925-8e18-41f9-b8d7-4d02950d210f",
|
|
"value": "dropbox-verfy.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039334",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932926-4ecc-43d7-be08-4605950d210f",
|
|
"value": "fedex-s.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039335",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932927-5404-453e-80d9-4534950d210f",
|
|
"value": "watchyoutube.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039335",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932927-a878-4a7d-8f5b-490b950d210f",
|
|
"value": "verification-team.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039336",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932928-0654-4370-8eb0-49b1950d210f",
|
|
"value": "securityteam-notify.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039337",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "58932929-1a48-4472-8e21-4e1b950d210f",
|
|
"value": "secure-alert.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039338",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292a-bd64-479e-b03b-4864950d210f",
|
|
"value": "quota-notification.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039338",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292a-b974-491b-a059-4268950d210f",
|
|
"value": "notification-team.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039339",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292b-42bc-4b15-8ed4-4daa950d210f",
|
|
"value": "fedex-notification.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039340",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292c-f15c-4d6c-8266-4f96950d210f",
|
|
"value": "docs-mails.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039340",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292c-ca04-483c-b3cf-47f4950d210f",
|
|
"value": "restricted-videos.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039341",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292d-b614-409b-ad73-45e4950d210f",
|
|
"value": "dropboxnotification.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039342",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292e-1bf0-4b0e-b729-4696950d210f",
|
|
"value": "moi-gov.serveftp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039343",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292f-dbe8-4d18-854f-4835950d210f",
|
|
"value": "activate-google.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "domains for this phishing attack",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039343",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5893292f-64a0-42d0-a008-47d9950d210f",
|
|
"value": "googlemaps.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039390",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5893295e-2ddc-436b-8a56-4f2f950d210f",
|
|
"value": "108.61.176.96"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039390",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5893295e-797c-42f1-9fa2-405e950d210f",
|
|
"value": "104.238.191.204"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039391",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5893295f-2d60-4e1d-9094-4b8d950d210f",
|
|
"value": "176.123.26.42"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039501",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329cd-35f0-4f14-83a7-fafb950d210f",
|
|
"value": "secure.policy.check@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039502",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329ce-157c-44b2-adf9-fafb950d210f",
|
|
"value": "aramex.shipment@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039502",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329ce-ed50-4892-a636-fafb950d210f",
|
|
"value": "fedex_tracking@outlook.sa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039503",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329cf-0348-4a7f-ab04-fafb950d210f",
|
|
"value": "mails.acc.noreply@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039504",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d0-9170-4a2f-9af1-fafb950d210f",
|
|
"value": "fedex.noreply@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039505",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d1-9b98-428f-bfab-fafb950d210f",
|
|
"value": "customerserviceonlineteam@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039505",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d1-6b78-4b55-bbdb-fafb950d210f",
|
|
"value": "fedexcustomers.service@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039506",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d2-a5e8-4b0b-9a10-fafb950d210f",
|
|
"value": "elnadeem.org@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039507",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d3-b19c-4856-85df-fafb950d210f",
|
|
"value": "dropbox.noreplay@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039507",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d3-098c-4373-a4d0-fafb950d210f",
|
|
"value": "mails.noreply.verify@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039508",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d4-9778-4ea6-b9f9-fafb950d210f",
|
|
"value": "fedex.mails.shipping@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039509",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d5-6548-4042-a2a8-fafb950d210f",
|
|
"value": "dropbox.notifications.mails@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039510",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d6-92f0-434e-a004-fafb950d210f",
|
|
"value": "dropbox.notfication@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Phishing emails (claiming to be from legitimate services)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1486039511",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "589329d7-ce6c-467e-b1c6-fafb950d210f",
|
|
"value": "drive.noreply.mail@gmail.com"
|
|
}
|
|
]
|
|
}
|
|
} |