Phishing campaigns remain a common way to infect computers. Every day I receive plenty of malicious documents pretending to come from banks, suppliers, major Internet actors, etc. All those emails and their payloads are indexed, and this morning I decided to have a quick look at them, just by the names of the malicious files. Basically, there are two approaches used by attackers:
The second approach is the interesting one. I extracted all the IOCs of type ‘filename’ from my MISP[1]. The raw export contained 4692 filenames (4247 unique). I also exported all payloads from my archive (574.879 unique files). I extracted interesting strings based on:
Warning: This list is provided "as is" and is not intended to be used to qualify files as malicious or not (it will generate too many false positives).

abuse account acompte advice agreement airline alert archive bill bitcoin booking brochure budget caller cancellation card caution certificate changes christmas client company complaint confirmation contact contract controls copy credit cv date debit debt decrypter delivery details dll diplomatic directory document download draft-msg dropbox dscf ebay ecard egift efax email energy engineer employee eps epson eula extract express exported facebook facture fax file finance financial flash flight free gdpr gift-card google-drive googleupdate help history hp holidays-gift-card hotel human-resource img important inf information install Instruction invite invoice insurance javaupdate label lettre letter license log login-required logmanager mail malware message microsoft-hotfix microsoft-upgrade money msg myresume mote officeupdate order overdue package parcel password payslip photo pic pid picture pdf po proposal purchase poster powerpoint privacy private project quotation quote ransom readme receipt remittance report resume restore sale salary safe scan screenshot security secure selfie service settings setup sheet shipping skype specialoffer ssh ssl staff statement statistics strike support swift tax task tracking trade trademark transaction transfer travel unpaid untitled upcoming update urgent us user vcd video visa voice vpn vmware webmail wifi windows youtube

[1] https://www.misp-project.org/

Xavier Mertens (@xme)
ISC Handler, Mar 2nd 2018
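As an added example (not code from the diary), here is the filename-keyword idea in Python: tokenize attachment names, count which words recur (the step the author used to derive the list), and check a single name against a subset of the keywords above as a triage signal only. The keyword subset is taken from the published list; every sample filename is constructed.

```python
import re
from collections import Counter

# A subset of the keyword list published in this diary (the full list is above);
# everything else below is constructed for the example.
KEYWORDS = {
    "invoice", "facture", "payslip", "remittance", "unpaid", "overdue",
    "scan", "fax", "resume", "myresume", "cv", "dscf", "img", "copy",
    "gdpr", "password", "login-required", "microsoft-hotfix", "report",
    "order", "tracking", "parcel", "delivery", "statement", "transfer",
}

# Constructed sample of attachment names, shaped like a MISP 'filename' export.
SAMPLE_FILENAMES = [
    "Invoice_48213.doc",
    "INVOICE_99120.doc",
    "Invoice Copy.pdf.scr",
    "facture-2018-03.pdf.exe",
    "DSCF0001.jpg.js",
    "Scan_from_HP_Printer.zip",
    "unpaid_overdue_statement.xls",
    "Login-Required_Password_Reset.html",
    "quarterly_report.docx",   # benign name that still hits 'report'
    "holiday_photos.zip",
]

# Alphabetic words, keeping inner hyphens so 'login-required' is one token.
TOKEN_RE = re.compile(r"[a-z]+(?:-[a-z]+)*")

def tokenize(filename):
    """Lowercase the name, drop everything from the first dot (all
    extensions) and split into word tokens; digits vanish (DSCF0001 -> dscf)."""
    stem = filename.lower().split(".", 1)[0]
    return TOKEN_RE.findall(stem)

def token_frequencies(filenames):
    """The step the diary describes: count which words recur across the
    filenames so the most common ones can be reviewed as candidate keywords."""
    counts = Counter()
    for name in filenames:
        counts.update(set(tokenize(name)))   # count each word once per file
    return counts

def match_keywords(filename, keywords=KEYWORDS):
    """Return the keywords a filename contains, as a triage signal only:
    the diary warns that the list produces many false positives."""
    return sorted(set(tokenize(filename)) & set(keywords))
```

`match_keywords` is meant to rank attachments for analyst review, not to decide maliciousness; the benign `quarterly_report.docx` in the sample still matches.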
Yes. I have personally received phishing mails using the term GDPR. I understand a lot of businesses now are changing their policies because of GDPR and thus mailing their existing customers. While I did get a lot of legit notification emails from legit providers whose services I'm using, like Twitter, Ivacy VPN, Hotjar and others, I did get fake mails that required me to enter details so they could be phished.
Anonymous, May 8th 2018