Hot Topics
Security Bloggers Network 
SBN

Profiling a Typosquatted Google’s Gmail Targeted Phishing Campaign Domain Portfolio – An OSINT Analysis

by Dancho Danchev on November 29, 2022

NOTE:

The majority of these typosquatted phishing domains which are also known to have been used in targeted phishing campaigns are known to have been part of the Void Balaur hacking for hire vendor of services.
I’ve decided to share with everyone a recently discovered using OSINT typosquatted phishing domains portfolio which appears to have been widely used in a variety of targeted phishing campaigns.
 
Sample domains known to have been involved in the campaign include:

hxxp://my-mail-account-gmail.com

hxxp://security-myaccount-goglemail.com

hxxp://myaccount-mail-my-gmail.com

hxxp://account-mail-my-gmail.com

hxxp://cloud-accounts-goglemail.com

hxxp://my-account-security-goglemail.com

hxxp://mail-yahoo-myaccounts.com

hxxp://mail-yahoo-myaccount.com

hxxp://account-disk-gmail.com

hxxp://my-mail-accounts-gmail.com

hxxp://accounts-mail-my-gmail.com

hxxp://mail-my-accounts-gmail.com

hxxp://myaccount-mail-goglemail.com

hxxp://accounts-oauth-gmail.com

hxxp://account-oauth-gmail.com

hxxp://account-my-mail-gmail.com

hxxp://mail-myaccounts-gmail.com

hxxp://accounts-mail-goglemail.com

hxxp://mail-myaccount-yahoo.com

hxxp://mail-my-account-gmail.com

hxxp://security-accounts-goglemail.com

hxxp://my-signin-accounts-gmail.com

hxxp://my-signin-account-gmail.com

hxxp://my-oauth-account-gmail.com

hxxp://security-myaccounts-goglemail.com

hxxp://security-my-account-goglemail.com

hxxp://my-security-goglemail.com

hxxp://myaccounts-gmail.com

hxxp://myaccounts-mail-gmail.com

hxxp://accounts-my-mail-gmail.com

hxxp://myaccounts-mail-my-gmail.com

hxxp://my-mail-account-yahoo.com

hxxp://security-my-goglemail.com

hxxp://myaccount-my-mail-gmail.com

hxxp://myaccounts-my-mail-gmail.com

hxxp://cloud-myaccount-goglemail.com

hxxp://my-mail-yahoo-accounts.com

hxxp://mail-yahoo-my-account.com

hxxp://mail-myaccount.com

hxxp://myaccounts-mail-yahoo.com

hxxp://my-mail-gmail.com

hxxp://security-my-accounts-goglemail.com

hxxp://mail-accounts-my-gmail.com

hxxp://yahoo-oauth-accounts.com

hxxp://mysecurity-goglemail.com

Sample responding IPs known to have been participating in the campaign include:

185.246.130.170

194.67.71.102

5.188.206.201

194.58.56.56

194.67.71.197

194.58.56.34

195.3.144.231

194.67.71.61

195.3.146.111

195.3.146.100

194.67.71.142

194.67.71.44

54.241.4.132

195.186.210.241

194.67.71.189

194.67.71.137

194.67.71.3

194.67.71.25

193.105.134.29

194.58.112.169

194.67.71.160

194.67.71.35

194.67.71.17

194.67.71.158

194.67.71.99

194.67.71.123

195.3.146.94

194.58.112.174

95.173.132.1

194.67.71.173

195.3.146.106

185.246.130.165

194.58.112.172

195.3.146.90

99.83.178.7

194.67.71.105

185.246.130.162

194.67.71.162

194.67.71.47

194.67.71.175

75.2.110.227

194.67.71.40

194.58.113.13

194.58.112.170

194.67.71.118

194.67.71.177

195.3.146.99

195.186.208.193

194.58.113.14

194.67.71.73

Stay tuned!

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2022/11/profiling-typosquatted-googles-gmail.html

Dancho Danchev