[Phishing] Current state of phishing threat using Paris 2024 Olympic games branding (June 24)
2024-6-20 14:16:33 Author: stalkphish.com(查看原文) 阅读量:19 收藏

With the Paris 2024 Olympic and Paralympic Games approaching, a host of scams have been developed and deployed, including phishing pages harvesting personal and banking data.

With the Paris 2024 Olympic and Paralympic Games approaching, a multitude of scams have been developed and deployed, including phishing pages harvesting personal and banking data.

Stalkphish.io references a multitude of sites created – more or less recently – with a view to impersonating legitimate sites associated with the organizing committee of the Olympics. But it’s hard to tell what’s legitimate and what’s not. Dozens of sites have emerged in recent months, here to make it easier to reserve parking spaces, there to make it easier to access official ticket offices of legitimate companies distributing tickets to their employees.

And in the middle is the jungle where we found:
👉 phishing sites dedicated to collecting personal information
👉 phishing sites dedicated to retrieving banking data
👉 phishing sites targeting specific populations (such as law enforcement officers)
👉 fake phishing sites dedicated to training and awareness
and so on…

Fake page, Fake ticket

As expected, the most widespread scam is that of selling victims false tickets to competitions, or – as here – to the opening ceremony of the Paralympic Games.

This page offers a totally free ticket, except for a €2 delivery charge to the victim’s home address.

Of course, this page has nothing to do with the official ticketing service (the official organization uses .paris2024.org most of the time), and the only purpose of this page is to collect data from the victim:
✅ email address
✅ firstname
✅ lastname
✅ phone number
✅ complete postal address

Once the victim has validated this information, the data is sent in an HTTP POST request to the scammer, using the same scamsite, and the victim is redirected to a well-known phishing network using the domain: storelink[.]vip.

No doubt this information will be used by the scammer to carry out new, more targeted phishing or vishing campaigns.

Phishing page targeting Law Enforcement officers personal data

StalkPhish.io probes were able to detect a phishing page specifically targeting law enforcement officers.

The page uses the official graphic identity of the Paris 2024 Olympic Games. The page offers to verify eligibility for a free ticket to law enforcement officers with the words: “Places individuelles offertes aux forces de l’ordre“, which in English means: “Individual tickets offered to law enforcement officers

This page collect data as:
✅ lastname
✅ firstname
✅ phone number
✅ email address

Once the information has been provided, and after validation, an error message appears, claiming a session error, or that the victim is not eligible for this free ticket. Finally, the error message suggests that the victim check his or her e-mails to request new tickets.

However, we have not been able to determine the campaign actor exact motives: recover email addresses for targeted phishing? Raising awareness? Because it could also be an awareness-raising campaign, as French Gendarmerie Nationale officers recently experienced.

Training and awareness phishing pages

Speaking of awareness training, we’ve noted several domain names that have been used for awareness campaigns (yes you can use StalkPhish.io to detect awareness phishing websites too).

The imminent opening date of the Olympic Games, and the scarcity and price of access tickets, make the Games a formidable “trap” for testing the operational teams of any company with employees in France, and particularly in Paris.

We can observe that sub-domains of domains belonging to awareness companies clearly end up with a reference to the Paris 2024 Olympic Games (the domains have been blurred so as not to reveal certain domains dedicated to these companies’ awareness campaigns, as these domains have been used for several years in some cases).

Ready to deploy domains

Several domains have been contracted and have yet to present any content. Some of these domains feature TLDs that have little to do with either France or the International Organizing Committee of the Olympic Games, but look set to be used in campaigns impersonating the Olympic Games, as:

Or:

  • stop-jo-paris-2024[.]net and .org
  • ioc-paris2024[.]com
  • paris2024-security[.]com and .eu and .fr and .info and .org
  • paris2024[.]cat
  • paris2024[.]ee
  • ejm-paris2024[.]org
  • souvenirs-paris2024[.]site
  • joparis2024[.]be
  • olympics2024[.]be
  • france-2024[.]be
  • parisolympics24[.]com
  • 2024joparis[.]de
  • 2024joparis[.]com
  • jo2024[.]app
  • jo2024paris[.]net
  • summerolympics2024paris[.]com
  • xn--paris2024-11a[.]org
  • xn--paris2024-62a[.]org
  • … (there are so many)

It is highly likely that these domains will, at one time or another, present content, although it is difficult to determine the nature of this content: legit? phishing? malware? awareness? Keep a close eye on them.

Just like this WordPress space, whose front page presents… nothing in fact, at least nothing to do with the Olympic Games, but it does present:

✅ a domain name associated with the Olympics

✅ an error page featuring the graphic charter of the official Olympic Games sites

Parked domains

We have also noticed a multitude of domains that were contracted several months ago to run phishing campaigns, or at least to impersonate the organization in malicious campaigns – and which have since been dismantled.

This is particularly relevant for domains that can be built with the words “paris”, “2024”, “olympics”, “jo” ( for Jeux Olympiques) as, and to get an idea:

  • fr-paris2024[.]org (with navigo.fr-paris2024[.]org)
  • paris2024[.]finance
  • olympics-2024[.]games
  • paris2024[.]asia
  • paris2024[.]ai
  • olympics24[.]fun
  • and so on…

Official platforms

Phishing detection

We provides tools and services to fight against phishing and brand impersonation campaigns which try to collect personal or banking data stolen from customers.

This analysis was based on data detected by our StalkPhish.io platform, dedicated to detecting and enriching URLs linked to phishing campaigns.

You can use the StalkPhish.io REST API to search for Olympic Games phishing threat with one command line as:

curl -H "authorization: Token xxxxxxxxxxxxxx" "https://api.stalkphish.io/api/v1/search/url/olympic"

文章来源: https://stalkphish.com/2024/06/20/phishing-current-state-of-phishing-threat-using-paris-2024-olympic-games-branding-june-24/
如有侵权请联系:admin#unsafe.sh