This article discusses the discovery of numerous phishing domains impersonating Calendly to steal user credentials. The investigation was initiated by a tweet and utilized various tools to uncover additional phishing domains linked to a specific IP address. The findings highlight the methods used to track phishing infrastructure and the importance of frequent data updates.
Affected: Calendly, users’ cloud accounts, phishing domain infrastructure
Keypoints:
- Investigation began with a Twitter post by AlphaSOC about a threat actor impersonating Calendly.
- Phishing domains were discovered that closely mimic the official Calendly homepage.
- The main IP implicated in the phishing campaign is 154.82.93[.]96.
- Using Validin’s data revealed an additional 40 domains associated with the phishing IP.
- Out of the additional domains, 27 were confirmed as Calendly lookalikes.
- Further analysis showed 84 hosts using identical page titles to Calendly, with 44 suspected to be phishing domains.
- Another IP address, 78.24.180[.]93, was identified hosting 406 potential phishing domains, including lookalikes of other popular brands.
- Validin’s high-frequency data collection allows for rapid tracking of changes in phishing infrastructures.
- Example phishing domain airplanereference[.]com was shown to have changed content to mimic Calendly.
- The article emphasizes the need for proactive threat intelligence using tools like Validin.
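The keypoints above describe two ways the lookalikes were surfaced: string similarity to the Calendly brand (calandly, calendsly) and infrastructure pivots on shared IP addresses and page titles (which is the only way a name like airplanereference[.]com gets caught). The following script is an added example, not code from the original article or from Validin; it triages a list of defanged indicators, separates IPs from domains, and scores each domain's registrable label against the brand name with Levenshtein distance. The `OFFICIAL` allowlist, the distance threshold of 2 and the sample indicator list are assumptions constructed for this example.

```python
import re

BRAND = "calendly"
# Assumption: the only legitimate domain for this brand in our allowlist.
OFFICIAL = {"calendly.com"}

# Constructed sample: the defanged indicators from this summary plus two controls
# (the genuine calendly.com and an unrelated domain).
SAMPLE_INDICATORS = [
    "154.82.93[.]96",
    "78.24.180[.]93",
    "airplanereference[.]com",
    "calandly[.]one",
    "www.calendsly[.]cc",
    "calendly.com",
    "example.org",
]

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator):
    """Turn the defanged '[.]' notation back into a normal dotted string."""
    return indicator.strip().lower().replace("[.]", ".")


def is_ipv4(value):
    return _IPV4.fullmatch(value) is not None


def registrable_label(host):
    """Naively take the label left of the public TLD, dropping a leading 'www.'."""
    host = host.strip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator, brand=BRAND, max_distance=2):
    """Return a dict with the refanged value, edit distance to the brand and a verdict."""
    value = refang(indicator)
    if is_ipv4(value):
        return {"indicator": value, "distance": None, "verdict": "ip"}
    host = value[4:] if value.startswith("www.") else value
    if host in OFFICIAL:
        return {"indicator": value, "distance": 0, "verdict": "official"}
    label = registrable_label(host)
    distance = levenshtein(label, brand)
    # Close edit distance or the brand string embedded in the label both count.
    lookalike = distance <= max_distance or brand in label
    return {
        "indicator": value,
        "distance": distance,
        "verdict": "lookalike" if lookalike else "unrelated",
    }


def triage(indicators):
    """Return only the domains that string similarity alone flags as lookalikes."""
    return [c["indicator"] for c in map(classify, indicators) if c["verdict"] == "lookalike"]


if __name__ == "__main__":
    for row in map(classify, SAMPLE_INDICATORS):
        print(row)
```

Run against the sample list, `triage` returns only `calandly.one` and `www.calendsly.cc`; `airplanereference.com` scores as unrelated, which is the point: name-based detection misses a domain that was repurposed to mimic Calendly, so it has to be paired with the IP and page-title pivots the article relies on.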
MITRE Techniques:
- Phishing (T1566) – Utilized Calendly lookalike domains to trick users into submitting their credentials.
- Domain Generation Algorithms (T1568) – Multiple lookalike domains were generated and tracked to facilitate phishing attempts.
- Credential Dumping (T1003) – Aimed at collecting user credential information through impersonation.
Indicators of Compromise:
- [IP Address] 154.82.93[.]96
- [IP Address] 78.24.180[.]93
- [Domain] airplanereference[.]com
- [Domain] calandly[.]one
- [Domain] www.calendsly[.]cc
Full Story: https://www.validin.com/blog/finding-calendly-lookalikes/