Not Reality: Exploring Meta-themed Phishing with Validin

This article discusses how to identify a wide range of phishing domains tied to a Meta-themed credential phishing campaign. The author explains how Validin's WHOIS registration and host response analysis features were used to uncover over 100 related phishing domains, which have been reported and connected to a fraudulent recruitment scam.

Affected: phishing domains, Meta, Reality Labs, users applying for jobs

Key points:

  • Analysis initiated by reviewing reported phishing domains from a Meta-themed campaign.
  • Emails impersonated Meta’s Reality Labs hiring team and used Cloudflare for fake login pages.
  • Identification of associated phishing domains through WHOIS registration data and existing reports.
  • Use of Validin’s bulk search functionality to explore hosting patterns and domain timelines.
  • Discovery of a cluster of domains registered through the same few registrars, indicating potential links between them.
  • Potentially over 771 domains related to the Meta recruitment scam were uncovered through registration pattern analysis.
  • Validin’s tools aid in tracking malicious domains and facilitating threat hunting initiatives.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Use of common web application protocols for phishing domains.
  • T1530 – Data from Cloud Storage: Use of Cloudflare’s infrastructure to host phishing pages.
  • T1491 – Replication Through Removable Media: Replication of domain names across multiple registrars to maximize reach.

Indicators of Compromise:

  • [Domain] recruitee.com
  • [Domain] threadssharedivision.com
  • [Domain] staffing-department.com
  • [Domain] whatsappteam.com
  • [Domain] metacareers-jobdesk.com

Full Story: https://www.validin.com/blog/not_reality_meta_phishing/