Summary:
A recent phishing campaign has been detected that exploits the WeTransfer brand and cPanel control panel. Fraudulent emails contain links to fake login pages designed to steal user credentials. The phishing page is hosted on GitHub Pages, enhancing its credibility, and utilizes Telegram bots to collect stolen information.
Keypoints:
Phishing campaign targets WeTransfer and cPanel users.
Fraudulent emails redirect users to fake login pages.
Phishing page mimics cPanel Webmail login form.
Page hosted on GitHub Pages for increased legitimacy.
Stolen credentials sent to a Telegram bot.
Additional information like email provider MX records and geolocation is also collected.
Telegram is increasingly used for data collection in phishing and malware campaigns.
Indicators of compromise (IoCs) have been shared with accredited entities.
GitHub has been notified to remove the phishing pages.
Users are advised to remain vigilant against phishing threats.
MITRE Techniques
Phishing (T1566): Uses fraudulent emails to trick users into providing sensitive information.
Credential Dumping (T1003): Captures user credentials through fake login forms.
Data Exfiltration Over Command and Control Channel (T1041): Sends stolen data to a remote server via Telegram bot.
IoC:
[domain] github[.]com
[others ioc] Telegram bot for credential collection
Full Research: https://cert-agid.gov.it/news/phishing-ospitato-su-github-ruba-credenziali-utilizzando-telegram/