Login pages loading from thum.io
22 Aug, 2023
A tactic used by phishing sites targeting corporate email accounts is to load a screenshot of the email domain to use as a background.
thum.io is one service used by phishers for this purpose. Because this service requires an API key, you can use the API key to cluster phishing sites by threat actor: https://image.thum.io/get/auth/<api key>
title: Login pages loading from thum.io
description: |
  A tactic used by phishing sites targeting corporate email accounts,
  is to load a screenshot of the email domain to use as a background.
  [thum.io](https://thum.io) is one service used by phishers for this purpose.
  Because this service requires an API key, you can use the API key to cluster phishing sites
  by threat actor: https://image.thum.io/get/auth/<api key>
level: potentially_malicious
detection:
  selection:
    title|contains:
      - Login
      - Authentication
    requests|startswith: https://image.thum.io/
  condition: selection
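The clustering step the description mentions, as an added example (not part of the original rule or of the rule engine): it applies the rule's selection to scan records and groups matching pages by the thum.io API key in their requests. The record layout, the function names and the sample data are assumptions; matching is assumed to follow Sigma conventions (case-insensitive, OR across list values, AND across fields), and the key is assumed to be the path segment directly after `/get/auth/`.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TITLE_KEYWORDS = ("login", "authentication")   # title|contains values from the rule
THUM_PREFIX = "https://image.thum.io/"         # requests|startswith value from the rule
AUTH_MARKER = "/get/auth/"                     # assumption: key is the next path segment

def matches_rule(scan):
    """True when the title has a keyword AND any request starts with the thum.io prefix."""
    title = scan["title"].lower()
    return (any(k in title for k in TITLE_KEYWORDS)
            and any(r.lower().startswith(THUM_PREFIX) for r in scan["requests"]))

def thum_api_keys(scan):
    """Collect the thum.io API keys present in a scan's outbound requests."""
    keys = set()
    for req in scan["requests"]:
        path = urlsplit(req).path
        if req.lower().startswith(THUM_PREFIX) and path.startswith(AUTH_MARKER):
            key = path[len(AUTH_MARKER):].split("/", 1)[0]
            if key:
                keys.add(key)
    return keys

def cluster_by_key(scans):
    """Map each API key to the matching pages that used it; None holds keyless matches."""
    clusters = defaultdict(list)
    for scan in scans:
        if matches_rule(scan):
            for key in thum_api_keys(scan) or {None}:
                clusters[key].append(scan["url"])
    return {k: sorted(v) for k, v in clusters.items()}

# Constructed scan records: hosts, titles and keys are invented for illustration.
SCANS = [
    {"url": "https://page-a.example/login.html", "title": "Webmail Login",
     "requests": ["https://image.thum.io/get/auth/1111-constructed/width/1200/https://corp-a.example/"]},
    {"url": "https://page-b.example/", "title": "Email Authentication",
     "requests": ["https://image.thum.io/get/auth/1111-constructed/https://corp-b.example/"]},
    {"url": "https://page-c.example/", "title": "Login",
     "requests": ["https://image.thum.io/get/auth/2222-constructed/https://corp-c.example/"]},
    {"url": "https://page-d.example/", "title": "Login",
     "requests": ["https://image.thum.io/get/width/1200/https://corp-d.example/"]},
    {"url": "https://blog.example/", "title": "Our new website",
     "requests": ["https://image.thum.io/get/auth/1111-constructed/https://blog.example/"]},
]

if __name__ == "__main__":
    for key, pages in cluster_by_key(SCANS).items():
        print(key, pages)
```

Pages that share a key are candidates for the same operator; the `None` bucket holds pages that match the rule but carry no key to pivot on.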