Lately there has been a new phishing trend in which a single URL pattern generates thousands of phishing pages targeting many brands and their customers. These pages are created in a few seconds, and because of their sheer number they are very difficult to take down.

1. The Redirection URL

For this attack to work, the full URL, including its path token and query parameter, must be requested. If only the domain is requested, the server returns a fake 404 page. The domains for these URLs are all registered on Alibaba's web services and Google web hosting.

A working URL therefore looks something like:
somedomain.top/ee11UX5BR1RkRHRnZEMIWBg1JnFVfVV4aQEgc1UkGxolUA8gSj83D0g_?cyr1636280111876

The website then tries to load a series of bot scripts named anti1.php, anti2.php, etc., located at
/home/somedomain/public_html/secure.alpha.gr2/index.php

The .top domain retains the credentials phished in the attack at [domain].top/T_a_n_G_u_l_AR/alpha.txt

The bots then forward the request to a remote address on a newly generated domain.

2. The Redirection

From this URL, a newly generated domain is created to build and host the phishing attack at a middle redirect URL. In this example, the page looks like:

http://7xhvqvpy.cn/eG4qV883/somedomain/static/sur.css

or

http://dmzyewzh.cn/8wLei2wf/somedomain/static/sur.css, along with other similar URLs.

This domain sits behind Cloudflare's services to obscure the hosting infrastructure and keep fraud investigation at bay. The registrant information ties each of these domains back to peacchi@163.com, and they were created on March 18, 2021. For example, this domain:

Figure 1: The domain results for the stage two redirection URLs

Without the full URL, the visitor is instead redirected to a different malicious site that asks for permission to send browser notifications. This again hinders investigation of the attack. The URL must be the exact one created in stage 1 or the chain will not work.

3. The Final Stage

Lastly, the attack loads the intended phishing page. In this example the URL is:

http://7xhvqvpy.cn/eG4qV883/somedomain/?_t=1636993722wmx#1636993736735

The numeric values in the query string and fragment change every time the page is refreshed, so no two visits ever share exactly the same URL.

The page presents a fake survey that promises large sums of money on completion, capturing sensitive information along the way. That information is sent back to the stage 1 URL, where the credentials are stored.
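Because every visit produces a different URL, blocking or reporting the exact strings seen in the wild never catches up with the kit. The practical response is to classify each URL by stage and reduce it to the stable part (host, path token, brand), discarding the per-visit timestamps. The following Python script is an added example and not code from the original post or from the phishing kit; its regular expressions are assumptions generalised from the three example URLs above (the 8-character path token, the static/sur.css stage 2 path, the cyr and _t parameters and the 13-digit fragment), and the second stage 3 URL in the sample list is constructed to show deduplication.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Patterns are assumptions generalised from the post's examples, not a published signature.
STAGE1_PATH = re.compile(r"^/(?P<token>[A-Za-z0-9_-]{32,})$")          # long opaque token
STAGE1_QUERY = re.compile(r"^cyr(?P<ms>\d{13})$")                        # 13-digit ms timestamp
STAGE2_PATH = re.compile(r"^/(?P<token>[A-Za-z0-9]{8})/(?P<brand>[^/]+)/static/sur\.css$")
STAGE3_PATH = re.compile(r"^/(?P<token>[A-Za-z0-9]{8})/(?P<brand>[^/]+)/$")
STAGE3_QUERY = re.compile(r"^_t=(?P<secs>\d{10})(?P<suffix>[a-z]+)$")    # 10-digit s timestamp
FRAGMENT_MS = re.compile(r"^(?P<ms>\d{13})$")                             # 13-digit ms timestamp


def _iso(epoch_seconds: float) -> str:
    """Render an epoch value as UTC ISO-8601 so analysts can line up visits with logs."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def classify(url: str) -> Optional[dict]:
    """Return stage, host, brand, decoded timestamps and a stable campaign key,
    or None if the URL matches none of the three stage patterns."""
    if "://" not in url:
        url = "http://" + url  # the stage 1 URL is quoted without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    info = {"host": host, "brand": None, "timestamps": {}}

    m, q = STAGE1_PATH.match(parts.path), STAGE1_QUERY.match(parts.query)
    if host.endswith(".top") and m and q:
        info["stage"] = 1
        info["timestamps"]["cyr"] = _iso(int(q["ms"]) / 1000)
        # The token is what stage 2 expects to see again; the cyr value changes per visit.
        info["campaign_key"] = f"{host}/{m['token']}"
        return info

    m = STAGE2_PATH.match(parts.path)
    if host.endswith(".cn") and m:
        info["stage"] = 2
        info["brand"] = m["brand"]
        info["campaign_key"] = f"{host}/{m['token']}/{m['brand']}"
        return info

    m, q = STAGE3_PATH.match(parts.path), STAGE3_QUERY.match(parts.query)
    if host.endswith(".cn") and m and q:
        info["stage"] = 3
        info["brand"] = m["brand"]
        info["timestamps"]["_t"] = _iso(int(q["secs"]))
        f = FRAGMENT_MS.match(parts.fragment)
        if f:
            info["timestamps"]["fragment"] = _iso(int(f["ms"]) / 1000)
        # Query and fragment vary on every refresh; host + token + brand is what to report.
        info["campaign_key"] = f"{host}/{m['token']}/{m['brand']}"
        return info
    return None


def dedupe_for_takedown(urls):
    """Collapse per-visit variants to one entry per campaign key (first sighting wins)."""
    seen = {}
    for u in urls:
        info = classify(u)
        if info:
            seen.setdefault(info["campaign_key"], info)
    return seen


# The first three are the post's examples; the last is a constructed refresh of the
# stage 3 page with different _t and fragment values.
SAMPLE_URLS = [
    "somedomain.top/ee11UX5BR1RkRHRnZEMIWBg1JnFVfVV4aQEgc1UkGxolUA8gSj83D0g_?cyr1636280111876",
    "http://7xhvqvpy.cn/eG4qV883/somedomain/static/sur.css",
    "http://7xhvqvpy.cn/eG4qV883/somedomain/?_t=1636993722wmx#1636993736735",
    "http://7xhvqvpy.cn/eG4qV883/somedomain/?_t=1636993801abc#1636993815222",
]

if __name__ == "__main__":
    for key, info in dedupe_for_takedown(SAMPLE_URLS).items():
        print(f"stage {info['stage']}: {key} brand={info['brand']} {info['timestamps']}")
```

The decoded timestamps are a useful sanity check when triaging: the cyr value on the stage 1 example decodes to 7 November 2021 and the stage 3 _t value to 15 November 2021, consistent with the page being generated at request time rather than served from a static copy. Four sample URLs collapse to two campaign keys, one per hosting domain, which is the granularity at which a takedown request or blocklist entry actually sticks.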

Armen Najarian

CMO + Chief Identity Officer

Armen is a 15-year Silicon Valley veteran with deep experience leading the marketing function for fast-growing fraud prevention, predictive analytics, and cybersecurity companies. His most recent leadership roles include CMO positions at Agari and ThreatMetrix, the latter of which he established as the definitive category leader for digital identity solutions.