See: https://www.phishtank.com/phish_detail.php?phish_id=6695710
Detection VT: https://www.virustotal.com/gui/url/e04f29dfc39500a14290ee50411f4e23e869b94b5173e607ab33934cca2faf1d/detection
Re: -http://geriyedonukislem.com/js/main.js
Inside this code we find:
rules: {
    name: { required: true, regex: "{1,50}$", maxlength: 50 },
    tc: { required: true, regex: "{1}[0-9]{9}[0,2,4,6,8]{1}$", minlength: 11, maxlength: 11, validtc: "" }
},
Alerted as an HTTPS downgrade attack by HTTPS Everywhere: chrome-extension://gcbommkclmclpchllfjekcdonpmejbdp/pages/cancel/index.html?originURL=http%3A%2F%2Fgeriyedonukislem.com%2F
See:
https://sitereport.netcraft.com/?url=http%3A%2F%2Fgeriyedonukislem.com%2Fjs%2Fmain.js
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
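The validation rules quoted above tell you which fields the kit's form harvests and what shape it expects them in. The following is an added example (mine, not code from the kit or from the forum post) that audits such a rule set the way a browser would: it compiles each pattern string with new RegExp, reports the engine's error instead of crashing, and lists the length bounds per field. The probeTcPattern helper is an assumption on top of that: it guesses that a leading character class was lost in rendering and prepends one digit so the tc tail can be tested; the sample inputs are constructed.

```javascript
'use strict';

// Validation rules with the field names and pattern strings exactly as quoted
// from the kit's main.js above (sample data for this added example).
const kitRules = {
  name: { required: true, regex: "{1,50}$", maxlength: 50 },
  tc:   { required: true, regex: "{1}[0-9]{9}[0,2,4,6,8]{1}$", minlength: 11, maxlength: 11 },
};

// Compile a pattern string the way a client-side validator would (new RegExp),
// returning the engine's error text instead of throwing so a whole rule set
// can be audited in one pass.
function compilePattern(pattern) {
  try {
    return { ok: true, re: new RegExp(pattern) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Summarise what each form field collects and whether its pattern is even a
// valid JavaScript regular expression. A pattern that starts with a bare
// quantifier such as {1,50} is rejected by the engine ("Nothing to repeat").
function auditRules(ruleSet) {
  const report = {};
  for (const [field, rule] of Object.entries(ruleSet)) {
    const compiled = compilePattern(rule.regex);
    report[field] = {
      required: Boolean(rule.required),
      minlength: rule.minlength ?? 0,
      maxlength: rule.maxlength ?? Infinity,
      compiles: compiled.ok,
      error: compiled.ok ? null : compiled.error,
    };
  }
  return report;
}

// Assumption (not from the kit): if the forum rendering swallowed the leading
// character class, the intended tc pattern is one digit followed by the posted
// tail. Probing it shows what an 11-character input needs: ten digits and a
// final character from [0,2,4,6,8]. The comma is a literal member of that
// class, so a trailing "," passes as readily as an even digit.
function probeTcPattern(samples) {
  const tail = kitRules.tc.regex.replace(/^\{1\}/, "");
  const re = new RegExp("^[0-9]" + tail);
  const results = {};
  for (const s of samples) results[s] = re.test(s);
  return results;
}

console.log(auditRules(kitRules));
console.log(probeTcPattern(["12345678900", "12345678901", "1234567890,"]));
```

Run it with node; the audit shows both posted patterns fail to compile as written, and the probe shows that the odd-last-digit sample is rejected while the comma-terminated one is accepted.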
Netcraft has Site Blocked: Suspected Phishing
This page has been blocked by the Netcraft Extension.
Blocked URL: hxxps://attyahoonettt.weebly.com/
See: https://www.phishtank.com/phish_detail.php?phish_id=6695724&frame=details
Consider results from scanning URL: -https://attyahoonettt.weebly.com/files/templateArtifacts.js?1595593588
Number of sources found: 43
Number of sinks found: 20 (search.results.hack)
Flagged: https://www.virustotal.com/gui/url/547b1a1ada2683054ba9d0a33cad2ad46a46f36e41ccf09ede33424cf9f43a42/detection
See: https://www.shodan.io/host/199.34.228.54
On the main blog we stumble upon:
Retire.js
jquery 1.7.2 Found in -https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Vulnerability info:
Medium  CVE-2012-6708  11290  Selector interpreted as HTML
Medium  CVE-2015-9251  2432  3rd party CORS request may execute
Low     CVE-2019-11358  jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium  Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
JS errors:
ReferenceError: $ is not defined
/files/theme/parallax.js:12
TypeError: Cannot read property 'setupContainer' of undefined
/:165 HTMLDocument.()
:3:98()
HTMLDocument.G.c. (eval at exec_fn (:1:147), :42:472)()
:3:98()
c (:2:146)()
:3:98()
G (eval at exec_fn (:1:147), :42:498)()
HTMLDocument.H (eval at exec_fn (:1:147), :49:154)()
SyntaxError: Invalid regular expression flags
eval ()()
:3:98()
Object.c [as F_c] (:2:146)()
Object.E_u (:3:267)()
la (eval at exec_fn (:1:147), :60:53)()
Object.create (eval at exec_fn (:1:147), :71:325)()
d (eval at exec_fn (:1:147), :13:89)()
JavaScript frameworks: Mustache 2.1.3, React
pol
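Of the Retire.js findings above, CVE-2019-11358 is the one that is easiest to reproduce offline. The block below is an added example (mine, not jQuery's source and not code from the scanned site): a minimal deep merge written to behave like jQuery.extend(true, target, source) before 3.4.0, next to a guarded version that mirrors the 3.4.0 fix of skipping the "__proto__" key. The JSON payload is a constructed sample standing in for an attacker-controlled request body.

```javascript
'use strict';

// A value counts as "plain" when it is an object literal or has no prototype.
// Note that Object.prototype itself passes this test, which is what lets the
// vulnerable merge below recurse into it.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern (modelled on jQuery.extend(true, ...) before 3.4.0, not
// the library's own code): every own key of source is merged, including an
// own "__proto__" property, which JSON.parse happily creates. Reading
// target["__proto__"] returns Object.prototype, so the recursive call writes
// the attacker's keys into the prototype shared by every object.
function extendDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = extendDeepVulnerable(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: the keys that can reach a prototype are never merged. jQuery 3.4.0
// skipped "__proto__"; "constructor" and "prototype" are skipped here too as
// defence in depth for merges into non-plain targets.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = extendDeepSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge implementation against an untrusted JSON body (constructed
// sample) and report whether a brand-new object inherited the injected value.
// Any pollution is removed afterwards so later code is not affected.
function pollutionCheck(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  merge({}, untrusted);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('vulnerable merge leaks:', pollutionCheck(extendDeepVulnerable)); // "yes"
console.log('hardened merge leaks:', pollutionCheck(extendDeepSafe));         // undefined
```

The same key-filtering idea applies to any recursive merge, options parser or query-string decoder that copies attacker-controlled keys into existing objects; checking for "__proto__" only at the top level is not enough, because the dangerous key can sit at any depth.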
[SOLVED] here:
Not known to be a real PHISH?
Not flagged at VT: https://www.virustotal.com/gui/url/783e2deae3d4311edf276044bd95ac8f0cb7fe256fe5b379ccd5cda375f75ca4/detection
But not known at IP: https://www.shodan.io/host/166.62.6.39
See the vulnerabilities on this GoDaddy host.
Consider: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=fXt3fH0jc3BdW250c317I3t7bXMuXl1tYA%3D%3D~enc
Then Avira detects: https://www.virustotal.com/gui/ip-address/166.62.6.39/detection
Infested Word Document detections in IP relations: https://www.virustotal.com/gui/ip-address/166.62.6.39/relations
Avast detects it as: This website is unsafe.
This website has been marked as a phishing site. Phishing is an attempt to steal sensitive information from you like passwords, credit card numbers, etc. OK. We have detection!
polonus