Login pages loading from thum.io
22 Aug, 2023
40 weeks ago
A tactic used by phishing sites targeting corporate email accounts is to load a screenshot of the email domain to use as a background.
thum.io is one service used by phishers for this purpose. Because this service requires an API key, you can use the API key to cluster phishing sites by threat actor: https://image.thum.io/get/auth/<api key>
title: Login pages loading from thum.io
description: |
  A tactic used by phishing sites targeting corporate email accounts,
  is to load a screenshot of the email domain to use as a background.
  [thum.io](https://thum.io) is one service used by phishers for this purpose.
  Because this service requires an API key, you can use the API key to cluster phishing sites
  by threat actor: https://image.thum.io/get/auth/<api key>
level: potentially_malicious
detection:
  selection:
    title|contains:
      - Login
      - Authentication
    requests|startswith: https://image.thum.io/
  condition: selection
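
The clustering idea from the description, as an added example (not part of the original rule or of any project's code): it applies the rule's selection to scan records and groups matching pages by the path segment that follows /get/auth/. The record schema (url, title, requests), the sample data, the case-insensitive title match, and the assumption that the key is exactly one path segment are all assumptions of this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

THUM_PREFIX = "https://image.thum.io/"   # requests|startswith value from the rule
AUTH_PREFIX = "/get/auth/"               # path prefix given in the description
TITLE_WORDS = ("login", "authentication")

def matches_rule(scan):
    """Title contains any keyword AND any request starts with the thum.io prefix.
    Case-insensitive title matching is an assumption of this example."""
    title = scan.get("title", "").lower()
    return (any(w in title for w in TITLE_WORDS)
            and any(r.startswith(THUM_PREFIX) for r in scan.get("requests", [])))

def thum_api_keys(scan):
    """Path segment following /get/auth/ in each thum.io request (assumed key position)."""
    keys = set()
    for r in scan.get("requests", []):
        path = urlsplit(r).path
        if r.startswith(THUM_PREFIX) and path.startswith(AUTH_PREFIX):
            key = path[len(AUTH_PREFIX):].split("/", 1)[0]
            if key:
                keys.add(key)
    return keys

def cluster_by_key(scans):
    """Map API key -> set of matching page URLs; None collects matches without a key."""
    clusters = defaultdict(set)
    for scan in scans:
        if matches_rule(scan):
            for key in thum_api_keys(scan) or {None}:
                clusters[key].add(scan["url"])
    return dict(clusters)

# Constructed sample scan records (hypothetical schema: url, title, requests).
SAMPLE_SCANS = [
    {"url": "https://one.example/owa", "title": "Webmail Login", "requests": [
        "https://image.thum.io/get/auth/EXAMPLE-KEY-A/width/1200/https://corp.example"]},
    {"url": "https://two.example/", "title": "Authentication required", "requests": [
        "https://cdn.example/app.js",
        "https://image.thum.io/get/auth/EXAMPLE-KEY-A/https://other.example"]},
    {"url": "https://three.example/", "title": "Login", "requests": [
        "https://image.thum.io/get/auth/EXAMPLE-KEY-B/https://corp.example"]},
    {"url": "https://blog.example/", "title": "Site previews", "requests": [  # title miss
        "https://image.thum.io/get/auth/EXAMPLE-KEY-C/https://blog.example"]},
    {"url": "https://portal.example/", "title": "Login", "requests": [       # no thum.io
        "https://portal.example/bg.png"]},
]

if __name__ == "__main__":
    for key, pages in cluster_by_key(SAMPLE_SCANS).items():
        print(key, sorted(pages))
```

Pages that share a key land in one cluster; a match that carries no /get/auth/ segment is kept under None so it is not silently dropped.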