#netcraft

2025-12-06

📢 The NCSC is testing "Proactive Notifications" to alert UK organisations about their exposed vulnerabilities
📝 According to BleepingComputer, the NCSC (National C...
📖 cyberveille: cyberveille.ch/posts/2025-12-0
🌐 source: bleepingcomputer.com/news/secu
#NCSC #Netcraft #Cyberveille

2025-12-05

#Netcraft describes itself as "digital risk protection" and "Advanced Cybercrime Defense". Having been flagged by them 4 times now, and each time with an easily recognizable false positive (they also pinged our provider, which then threatened with actions – and added our domain to their blacklist right away!), I'm quite fed up with their seeming incompetence: first shoot, then ask. All automated, obviously no humans involved on their end.

My experience so far: gitlab.com/-/snippets/4909577

(1/2)

Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

Next week, I'm speaking at #Saintcon about #phishing, #smishing, #quishing (all the -ishings) and propose a broad-based possible solution that could end this problem forever. Nothing big.

If you're going to be there, you can find me in Track 2 at 2:30pm, or most of the rest of the time at the @SAINTCON @malwarevillage Community, where we will be hosting two of our contests (MARC I and BOMBE) and encouraging people to consider the field of malware analysis and threat research as a career.

We also will have minibadges, both at #MalwareVillage and at the #Netcraft booth. If you're a #minibadge fan/collector, you aren't going to want to miss out on the Netcraft minibadge, which is awesome. Just drop by the booth to get a kit to build one. Tell them Spike sent ya.

Until then, stay safe, and please tell everyone you know, don't click links to tax refunds or toll road fees you get on your phone.

/END

netcraft.com/blog/taxpayers-dr

Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

And I just wanted to give a quick shoutout to our engineering team for noticing this bizarre trick that all of the #phishing pages do that we connect to this #LoggerEIO group.

The phishing kit in use has several pages that the victims are expected to click through. As one enters information onto the first page, then clicks a Continue button, the browser initiates a WebSocket connection with the server, and transmits the data inside of that WebSocket connection.

It isn't exactly encryption, but more obfuscation: The compression, while reversible, does have the effect of obfuscating the content of the exfiltrated data. That little bit of effort might prevent a Data Loss Prevention (DLP) tool from recognizing outbound sensitive data before it's too late.

And the reason we call them #LoggerEIO is because all of the sites that Netcraft connects to this campaign do this on the same URI string: The page makes a connection to the path /logger/?EIO=4&transport=websocket in its GET request - only when the victim sends the data.

/6

#smishing #phishing #NetcraftConfirmsIt #Netcraft #threatresearch #WebSocket

Each time the victim submits data, the site initiates a WebSocket connection and then uses the "permessage-deflate" method to compress the data into a format that isn't as readily identifiable.

Headers from the session where the WebSocket connection is initiated by the browser, when the victim enters information into the page. The information is compressed using the "permessage-deflate" method, which may make the contents less identifiable as sensitive information to a DLP product.
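The inspection side of what the post describes, as an added example (not Netcraft's code and not code from the phishing kit): a defender-side check that flags the WebSocket handshake by the quoted URI string and the permessage-deflate offer, then reverses the permessage-deflate transformation (RFC 7692: raw DEFLATE with the trailing 00 00 ff ff block removed by the sender) so a DLP-style pattern match can see the form data that the compression hides. The handshake header set, the hostname, and the form field names are assumptions constructed for the example; the 4111 1111 1111 1111 value is a well-known test card number, and a Luhn check is added so the pattern does not fire on every long digit run.

```python
import re
import zlib

# Constructed sample of a browser's Upgrade request (hostname is a placeholder).
# The path is the URI string quoted in the thread; the header set is assumed.
SAMPLE_HANDSHAKE = (
    "GET /logger/?EIO=4&transport=websocket HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
    "\r\n"
)

# Constructed stand-in for the submitted form (field names and values are made up;
# 4111 1111 1111 1111 is a well-known test card number).
SAMPLE_FORM = (
    b'{"name":"A. Example","phone":"555-0100",'
    b'"card":"4111 1111 1111 1111","exp":"12/27","cvv":"123"}'
)


def parse_handshake(raw):
    """Split a raw HTTP Upgrade request into (method, path, {lowercase header: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flag_handshake(raw):
    """Return the reasons a WebSocket handshake looks like the one described; [] if none."""
    _method, path, headers = parse_handshake(raw)
    reasons = []
    if headers.get("upgrade", "").lower() != "websocket":
        return reasons
    # Match the query parameters loosely; their order is not guaranteed.
    if path.startswith("/logger/") and "EIO=4" in path and "transport=websocket" in path:
        reasons.append("path matches /logger/?EIO=4&transport=websocket")
    if "permessage-deflate" in headers.get("sec-websocket-extensions", "").lower():
        reasons.append("permessage-deflate offered: message payloads will be compressed")
    return reasons


def compress_like_browser(data):
    """Produce a permessage-deflate message body (RFC 7692): raw DEFLATE with a
    sync flush, then the trailing 00 00 ff ff removed. A browser does this itself
    once the extension is negotiated; it is reproduced here only to build test input."""
    c = zlib.compressobj(wbits=-15)
    body = c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
    assert body.endswith(b"\x00\x00\xff\xff")
    return body[:-4]


def inflate_permessage_deflate(payload):
    """Reverse the transformation: restore the 00 00 ff ff block and inflate raw DEFLATE."""
    d = zlib.decompressobj(wbits=-15)
    return d.decompress(payload + b"\x00\x00\xff\xff") + d.flush()


def luhn_ok(digits):
    """Luhn check, used to keep the card-number pattern from firing on any long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


# Coarse DLP-style pattern: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_card_numbers(text):
    """Return normalised (digits only) Luhn-valid card numbers found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_message(payload, compressed=True):
    """Inspect one WebSocket message payload (already de-framed and unmasked).
    `compressed` corresponds to the frame's RSV1 bit; when the extension was not
    negotiated the payload is scanned as-is, so plaintext exfiltration is caught too."""
    if compressed:
        try:
            payload = inflate_permessage_deflate(payload)
        except zlib.error:
            pass  # not valid DEFLATE: fall through and scan the raw bytes
    return find_card_numbers(payload.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    for reason in flag_handshake(SAMPLE_HANDSHAKE):
        print("handshake:", reason)
    wire = compress_like_browser(SAMPLE_FORM)
    print("card numbers visible in compressed bytes:", find_card_numbers(wire.decode("latin-1")))
    print("card numbers after inflating:", inspect_message(wire))
```

The point of the two halves: a pattern match over the compressed bytes finds nothing, which is exactly the DLP gap the post describes, while the same match after `inflate_permessage_deflate` finds the card number. A proxy or sensor that negotiates or observes permessage-deflate has to inflate per message (the frame's RSV1 bit says which messages are compressed) before any content rule can apply.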
Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

Germany was not the only non-US country represented in the #LoggerEIO #smishing attack (so far).

There was one version of a page claiming to be the Spanish highway authority, Dirección General del Tráfico (DGT), that warns you owe a 100 Euro fine (multa) for some kind of driving infraction you committed, that must be paid within 24 hours.

More recently, I spotted a flood of pages that claim to be from the UK government's Winter Fuel Payment program. The real program helps impoverished people not freeze to death in winter by subsidizing the high cost of heating. But this page simply wants your credit card to "test" charge your card for £1 on the promise that you'll get up to £300.

/5

#smishing #phishing #roadtoll #HighwayRobbery #WinterFuelPayment #UK #spain #espana #Netcraft #NetcraftConfirmsIt #NetcraftResearch #Germany

A smishing version of Spain's DGT (Dirección General del Tráfico) tells you that you have fewer than 24 hours to pay a 100 Euro fine for...something bad you did.

The fake UK Winter Fuel Payment site wants to charge your card 1 pound as a test.

The fake UK Winter Fuel Payment site asks for a lot of personal information, including your name, address, email, phone number and credit card data.
Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

Having recently returned from a trip to #Germany, where I spoke at #VirusBulletin, I have become more familiar with the appearance of some German government operated websites.

The Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, is also represented in these #TaxScam #phishing pages.

Bizarrely, #LoggerEIO have decided to clone the template of one of the US-themed versions of the #smishing page which prominently features a banner image of a US form #1040 #tax return, and the corner of a $20 bill, neither of which (I suspect) the #BZSt use for tax filing in that country.

Whoopsie! Or, as my German friends might say, Hoppla!

/4

#smishing #phishing #netcraft #NetcraftConfirmsIt #Oops

A smishing page that purports to be the German Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, offering Rückerstattungsdienste (refund services).

A comparison of the smishing pages created to mimic the appearance of Alabama, Minnesota, Tennessee, and...Germany's Bundeszentralamt für Steuern (or BZSt) federal tax authority shows they all use the same image of a US IRS form 1040 tax return.
Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

In this #scam, the #smishing message informs you that you are owed a reimbursement or refund on overpaid state taxes. The #LoggerEIO group seems to have latched on to the idea of using individual states as the lure, rather than the federal #IRS, which is an interesting choice.

In the pages I looked at, the following states were represented with custom #phishing pages that use the same stylesheet, color scheme, and logos of the state tax agency they're impersonating.

Targeted states include Alabama, California, Connecticut, Delaware, Florida, Maryland, Massachusetts, Michigan, Minnesota, Montana, New Jersey, New York, Ohio, Texas, Tennessee, Washington, and Wisconsin.

/3

#smishing #netcraft #NetcraftConfirmsIt #taxrefund #taxrefundscam

A smishing page that purports to be from the state of New York's Department of Taxation and Finance.

A smishing page that purports to be from the state of Massachusetts.

A smishing page that purports to be from the state of Delaware's Division of Revenue (DOR).
Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

First of all, this seems to be part of a much wider #smishing campaign that people are more familiar with: Fake road toll collection #scams

These have been a nuisance all year, and some of the sites hosting the same #phishing kit appear to be using that same ruse, simultaneously with the new one.

Did you get a message telling you that you owe $6.99 (or $6.69 - nice) in tolls? Probably part of this larger network of scammers.

Note how they have expanded to a variety of different locales: the City of Los Angeles, Seattle, Columbus (Ohio), and even the Canadian province of Ontario are all reflected, as well as the E-ZPass and SunPass multi-state toll payment systems, which together cover most of the US states that operate toll roads.

/2

#phishing #fraud #roadtoll #tollscams #netcraft #NetcraftConfirmsIt #EZPass #SunPass

A smishing (SMS phishing) page that claims you owe $6.99 in road tolls to the Los Angeles Department of Transportation, using LADOT's logo and design.

A smishing (SMS phishing) page that claims you owe $6.69 in road tolls to ServiceOntario, the driver's license agency for the Canadian province, using ServiceOntario's logo and design.

A smishing (SMS phishing) page that claims you owe $6.69 in road tolls to the SunPass road toll collection system used by 22 southeastern US states.
Andrew 🌻 Brandt 🐇 (@threatresearch@infosec.exchange)
2025-10-16

Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about...#smishing for tax refunds.

Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.

They're now up to more than 850 domains registered, with thousands of websites in use (using a variety of subdomains) that dangle the prospect of a refund of state income tax overpayments as a lure.

Here's a quick 🧵 about it.

netcraft.com/blog/taxpayers-dr

#ThreatResearch #NetcraftConfirmsIt #Netcraft

2025-07-03

📢 AI chatbots make phishing easier, according to Netcraft
📝 The article published by The Register highlights a new cybersecurity threat identified by the threat intelligence company Netcraft...
📖 cyberveille: cyberveille.ch/posts/2025-07-0
🌐 source: go.theregister.com/feed/www.th
#Netcraft #chatbot #Cyberveille

teledyn 𓂀 (@teledyn@mstdn.ca)
2025-03-13

@davidho.bsky.social

It would be interesting to see the spread of HTTP 451 Unavailable For Legal Reasons by country over time. I've pinged #netcraft to ask if they can add a tally for this code.

valentijn scholten (@valentijn@infosec.exchange)
2025-01-20

Does anyone here have any contacts at either @netcraft or the Microsoft Edge/Smartscreen team?

Someone in my network had their domain incorrectly marked as a phishing domain by Netcraft. Netcraft acknowledged their mistake, but refuse to help recover/clear the domain at Microsoft and other downstream parties using the Netcraft feeds.

This has been ongoing for 5 days now. #netcraft #smartscreen

netcraft warning

Fake web stores and evolving cyberattacks pose new perils for holiday shoppers, according to recent reports. jpmellojr.blogspot.com/2024/11 #HolidayShopping #OnlineFraud #ECommerce #Netcraft #Fortinet #FortiGuardLabs

:mastodon: decio (@decio@infosec.exchange)
2024-09-21

Well, Netcraft has intercepted and analysed the operating techniques of the cybercriminals specialising in the QR code scam, a method that also hit French-speaking Switzerland in late June / early July in car parks where stickers were fraudulently placed.
⬇️
"Fake QR codes in car parks: the scam affects the whole canton"
👇
20min.ch/fr/story/vaud-faux-co

It is quite likely that this is the same group (Romanian, judging by the language of the code analysed by Netcraft) that operated in the United Kingdom (and in France) at the same time, and the same campaign, given the timing and Netcraft's findings.

They probably recruited local "labour" to stick the stickers in the UK, Switzerland and France..., targeting car parks simply on the basis of the geographic distribution of car parks using the PayByPhone solution in Europe.

👀

"The phishing websites contain internationalization files for English, French, German, Italian, and Romansh (spoken in Switzerland), indicating that this attack is being deployed on a trans-European scale. This backs up news reports from both Switzerland and France where have been found linking to the same phishing websites "

"The phishing sites contain internationalisation files for English, French, German, Italian and Romansh (editor's note: 😳) (a language spoken in Switzerland), which indicates that this attack is being deployed on a trans-European scale. This confirms news reports from Switzerland and France that have been found linking to the same phishing sites."

Netcraft's full analysis
⬇️
"Problems in the Parking Lot: Threat Actors Use IRL Quishing to Target Travelers"
👇
netcraft.com/blog/irl-quishing

According to the timeline reported by Netcraft:

  • 19 June: the scam begins; the first phishing sites appear but are quickly taken offline after a week.
  • 28 June: the scam reappears with a new domain name.
  • 2 July: two new domains are registered, redirecting to the initial sites.
  • 27 July: continued alternation of sites going online and then offline.
  • Early August: new domains are registered regularly, some staying online only briefly.
  • Mid-August: all known phishing sites are taken down; the threat actor registers new domains with variations (such as parkbyphone instead of paybp), and these sites stay online only a few days.
  • Late August and beyond: the same pattern persists, using new TLDs to evade detection (such as .live and .online), with each site remaining active only a few days.

During this period (19 June to 23 August), Netcraft researchers found that 10,000 users accessed these malicious sites, many of whom may be victims who scanned the fake QR codes. On one of the sites, 2,199 form submissions were recorded, potentially involving payment card details.

Technical details observed for the fraudulent domains:

  • Registered via NameSilo
  • Using .info, .click, .live, .online, and .site TLDs
  • Protected with Cloudflare (editor's note: of course, always present in these phishing operations 🤬)

#CyberVeille #quishing #Suisse #netcraft #arnaque

"Stickers are placed over the official signs."

The image shows a parking sign with an official label for the "PayByPhone" service, which lets parking be paid for by mobile phone. In the centre of the image, a sticker containing a QR code is visible, and this QR code appears to be placed over the official label. A red circle has been added around the QR code, highlighting the exact location of the fraudulent sticker.
teledyn 𓂀 (@teledyn@mstdn.ca)
2024-08-30

To no one's surprise, the plot is another hockey stick

Scam Sites at Scale: LLMs Fueling a GenAI Criminal Revolution | #Netcraft
netcraft.com/blog/llms-fueling

teledyn 𓂀 (@teledyn@mstdn.ca)
2023-11-21

Fake Online Stores See A 135% Spike As Black Friday And Holiday Shopping Approaches | #Netcraft
netcraft.com/blog/fake-online-

teledyn 𓂀 (@teledyn@mstdn.ca)
2023-11-13

it comes as no surprise that cybercriminals are keen to exploit the media hype (and consumer naivety), and the domain registrars keen to capitalize on both

The rise of .ai: cyber criminals (and Anguilla) look to profit
netcraft.com/blog/the-rise-of-

#Netcraft #ai #cybercriminals

2023-09-16

@Voka
@kuketzblog @rufposten
Yes, I know it and use it occasionally too.

Yesterday I also found the extension. It can also produce an (almost too) detailed report.

Something along those lines for maximum transparency for everyone... 😉

addons.mozilla.org/de/firefox/

Frank Filippone (@frankfil@aus.social)
2023-07-20

Un-fucking-believable …

#Netcraft to one of my clients: You are hosting a #phishing site at [link] targeting [online service]! Take it down now! NOW!!!

Me on behalf of my client: No you idiots we are #SelfHosting a copy of their online service. See [link to product page] where you can buy this option.

Netcraft several hours later: Umm yeah sorry that was a mistake we are sending retraction notices to all the parties we notified.

My client: 🤬🤬🤬

2023-03-24

@zweije @Njames Ah, yes. #Netcraft confirms it. Online surveys can be biased /s 😏
