Login pages loading from thum.io
22 Aug, 2023
41 weeks ago
A tactic used by phishing sites targeting corporate email accounts is to load a screenshot of the email domain to use as a background.
thum.io is one service used by phishers for this purpose. Because this service requires an API key, you can use the API key to cluster phishing sites by threat actor: https://image.thum.io/get/auth/<api key>
title: Login pages loading from thum.io
description: |
  A tactic used by phishing sites targeting corporate email accounts,
  is to load a screenshot of the email domain to use as a background.
  [thum.io](https://thum.io) is one service used by phishers for this purpose.
  Because this service requires an API key, you can use the API key to cluster phishing sites
  by threat actor: https://image.thum.io/get/auth/<api key>
level: potentially_malicious
detection:
  selection:
    title|contains:
      - Login
      - Authentication
    requests|startswith: https://image.thum.io/
  condition: selection
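The rule's selection and the clustering by API key that its description mentions, as an added example (not part of the original rule or of the platform that runs it). The scan record layout (`url`, `title`, `requests`), the case-insensitive title match, and the reading of the key as the single path segment after `/get/auth/` are assumptions; the sample scans are constructed.

```python
import re
from collections import defaultdict

# Assumption: the key is the one path segment after /get/auth/ (URL shape from the rule).
THUM_AUTH = re.compile(r"^https://image\.thum\.io/get/auth/([^/?#]+)")
TITLE_TERMS = ("login", "authentication")

def rule_matches(scan):
    """Rule selection: title contains a term AND a request starts with the thum.io prefix."""
    title = scan.get("title", "").lower()
    return (any(t in title for t in TITLE_TERMS)
            and any(r.startswith("https://image.thum.io/") for r in scan.get("requests", [])))

def thum_keys(scan):
    """Return the set of thum.io API keys seen in a scan's requests."""
    return {m.group(1) for r in scan.get("requests", []) if (m := THUM_AUTH.match(r))}

def cluster_by_key(scans):
    """Group matching pages by API key; matches with no recoverable key go under None."""
    clusters = defaultdict(list)
    for scan in scans:
        if not rule_matches(scan):
            continue
        for key in thum_keys(scan) or {None}:
            clusters[key].append(scan["url"])
    return dict(clusters)

# Constructed sample scans: reserved .example hosts, made-up keys.
SAMPLE_SCANS = [
    {"url": "https://a.example/index.html", "title": "Webmail Login",
     "requests": ["https://a.example/app.js",
                  "https://image.thum.io/get/auth/00000-keyA/width/1200/https://corp.example"]},
    {"url": "https://b.example/x.html", "title": "Authentication required",
     "requests": ["https://image.thum.io/get/auth/00000-keyA/https://other.example"]},
    {"url": "https://c.example/", "title": "Secure login",
     "requests": ["https://image.thum.io/get/auth/11111-keyB/https://corp.example"]},
    {"url": "https://d.example/", "title": "Login",  # matches the rule, no auth segment
     "requests": ["https://image.thum.io/get/width/600/https://corp.example"]},
    {"url": "https://e.example/", "title": "Product tour",  # title does not match
     "requests": ["https://image.thum.io/get/auth/11111-keyB/https://corp.example"]},
]

if __name__ == "__main__":
    for key, pages in cluster_by_key(SAMPLE_SCANS).items():
        print(key, pages)
```

Pages grouped under the same key share a thum.io account, which is the clustering signal the description refers to; the `None` group holds rule matches whose request URL carried no key in the assumed position.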