Welcome to the iAntiSpy Privacy Blog

Sporadic updates from the iAntiSpy team on phishing campaigns and other noteworthy threats to online privacy.

Last updated: 13 November 2024
 



2024.11.13 - iAntiSpy update 2.8

The November 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features changes to the notification system, internal optimizations and is packaged with the latest blocking database. If you haven't already installed it, please do now.
 



2024.10.17 - Ongoing phishing campaign hosted on Surge.sh

The previously identified threat actor has now begun leveraging the Surge.sh 'Static web publishing for Front-End Developers' service. The latest version of the iAntiSpy anti-phish database has been updated to provide protection against these new developments. We continue to monitor this threat and release database updates as information becomes available.
 



2024.10.06 - iAntiSpy update 2.7

The October 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features changes to the status bar, improvements to the user interface and is packaged with the latest blocking database. If you haven't already installed it, please do now.
 



2024.09.11 - iAntiSpy update 2.6

The September 2024 update to iAntiSpy is now available from in-app update, iantispy.com, and the Mac App Store. This update features improvements to the user interface and is packaged with the latest blocking database. If you haven't already installed it, please do so now.
 



2024.08.29 - Ongoing phishing campaign hosted on Arweave

The previously identified threat actor has now begun leveraging the Arweave decentralized storage network. As a precautionary measure, we have implemented a block on the default Arweave HTTP gateway. The latest version of the iAntiSpy anti-phish database has been updated to provide protection against these new developments. We will continue to monitor this threat.
 



2024.08.15 - Ongoing phishing campaign hosted on Netlify

The threat actor we've previously discussed has been conducting a phishing campaign for some time. Today, they've started using Netlify.app subdomains for their operations.

Sample email #1:

your_email_address have Incoming Pending Messages
You have Incoming Pending Messages

The following messages have been blocked by your mail-server due to validation error.
You have six pending messages .

 
Incoming  Messages:
Status :                Subject:
your_email_address      Fwd: Payment  ------ forwarded message ----
your_email_address      Re: Statement Of Acoount 	date
your_email_address      RE: Updated PI
your_email_address      Zoom meeting request tomorrow	date.
your_email_address      Re: New Account Details
your_email_address      Re: Shipment	date.

[ DELIVER ALL MAILS ]


Note: The messages will be delivered within 1-2 hours after you receive a confirmation mail notice.
This message was sent by the MailDaemon server honeypot notification.


Thank you!
  
Copyright© 2024 Webmail, Inc.
            

The DELIVER ALL MAILS button and message links all point to a URL in the format:
https://*.netlify.app/#target_email_address

Clicking the link loads the same fake cPanel branded login page we discussed earlier. Unlike the IPFS forms, this form posts back to itself.

The current iAntiSpy for macOS anti-phish database provides immediate protection against all known variants of this threat.
 



2024.08.14 - Ongoing phishing campaign hosted on Cloudflare workers

A threat actor has been conducting a phishing campaign for some time, initially hosting their collection scripts on various IPFS gateways. Recently, they've shifted to using Cloudflare Workers' pages.dev subdomains for their operations. As their activity has intensified, we have decided to share this information. They appear to be targeting high-value individuals, likely identified from the LinkedIn data breach and other sources.

Sample email #1:

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=198.12.90.248;
 helo=studiomogavero.com; envelope-from=noreply@studiomogavero.com; 
 receiver=redacted-honeypot 
Received: from studiomogavero.com (unknown [198.12.90.248])
by redacted-honeypot (Postfix) with ESMTP id DECAF15BAD00
for ; Wed, 14 Aug 2024 04:44:44 +0200 (CEST)
From: "honeypot IT Desk"
To: user@honeypot
Subject:  user@honeypot Account Update !
Date: ........
............
Content-Type: text/html;charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
.............

Error Notice
Oops, we encountered an error updating the mail server of honeypot , kindly 
manually update your mailbox preference settings to prevent your incoming and
outgoing emails to be restricted. 

[ Update Preferences ]

This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify  support@webmail.com
            


Sample email #2:

From: "honeypot Admin"
To: user@honeypot
Subject: user@honeypot Password will expire today 8/14/2024 ?:??:?? a.m.

Password Expiration Notice
Your password will expires today 8/14/2024 ?:??:?? a.m. 
Please update your password to ensure continued access to your email account.

[ Retain Current Password ]       [ Update Keep Password ]

Account Information:
Email Address:   user@honeypot
Password Status: Expiring today 8/14/2024 ?:??:?? a.m.
 
© 2024. All Rights Reserved.
            

The Update Preferences and other buttons all link to a Cloudflare worker in the format:
https://plausable-sounding-name.pages.dev/#target_email_address (note the misspelling)

Clicking the link generally results in a fake cPanel branded login page.
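Both the Netlify lures above and the pages.dev lures in this post carry the target's address in the URL fragment, which never reaches the hosting server and is read client-side to prefill the fake login form. The following detection sketch is an added example, not code from iAntiSpy or this post: it flags links on the abused static-hosting subdomains whose fragment is an e-mail address and also reads the Received-SPF result seen in sample #1. The message text, hostnames and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Static-hosting suffixes the posts above report this actor using.
ABUSED_HOST_SUFFIXES = (".netlify.app", ".pages.dev", ".surge.sh")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
SPF_RE = re.compile(r"^Received-SPF:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

def hosted_on_abused_service(host):
    # Subdomain of one of the abused services (the apex itself is not a lure host).
    host = host.lower().rstrip(".")
    return any(host.endswith(s) and host != s[1:] for s in ABUSED_HOST_SUFFIXES)

def suspicious_links(text):
    # Links on an abused host whose fragment is an e-mail address: the fragment
    # never reaches the server, so the page reads it client-side to prefill the form.
    hits = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if hosted_on_abused_service(parts.hostname or "") and EMAIL_RE.match(parts.fragment):
            hits.append(url)
    return hits

def spf_result(raw_message):
    # Lower-cased result token from the first Received-SPF header, or None.
    match = SPF_RE.search(raw_message)
    return match.group(1).lower() if match else None

def classify(raw_message):
    # Combine both signals; the fragment trick alone is enough for a phish verdict.
    links = suspicious_links(raw_message)
    spf = spf_result(raw_message)
    reasons = []
    if links:
        reasons.append("link to abused static host with e-mail address in fragment")
    if spf in ("softfail", "fail", "none"):
        reasons.append(f"Received-SPF {spf}")
    verdict = "phish" if links else ("suspicious" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons, "links": links}

# Constructed sample modelled on the lures above; addresses and host are made up.
SAMPLE = """Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=192.0.2.10;
From: "honeypot IT Desk" <noreply@example.net>
Subject: victim@example.com Account Update !

<a href="https://example.com/help">Help</a>
<a href="https://plausible-update-center.pages.dev/#victim@example.com">Update Preferences</a>
"""
```

Running `classify(SAMPLE)` yields a "phish" verdict with both reasons recorded; a message whose links stay off these hosts and whose SPF passes comes back "clean".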

Another variant still in circulation uses JavaScript obfuscation that lets it load from an IPFS gateway and submit correctly to a collection server hosted at Shinjiru Technology Sdn Bhd, a Malaysian "Offshore Web Hosting Provider". The collector domain was registered at 2023-11-19T22:35:37Z, updated at 2024-07-15T03:28:43Z, and has previously pointed to Cloudflare IP addresses. Other domains associated with this actor continue to be hosted behind Cloudflare. Cloudflare appears to be at least partially aware of the issue; we will provide additional information if deemed necessary.

The current iAntiSpy for macOS anti-phish database provides immediate protection against all known variants of this threat.