Login pages loading from thum.io
22 Aug, 2023
10 weeks ago
A tactic used by phishing sites targeting corporate email accounts is to load a screenshot of the email domain to use as a background.
thum.io is one service used by phishers for this purpose. Because this service requires an API key, you can use the API key to cluster phishing sites by threat actor: https://image.thum.io/get/auth/<api key>
title: Login pages loading from thum.io
description: |
  A tactic used by phishing sites targeting corporate email accounts,
  is to load a screenshot of the email domain to use as a background.
  [thum.io](https://thum.io) is one service used by phishers for this purpose.
  Because this service requires an API key, you can use the API key to cluster phishing sites
  by threat actor: https://image.thum.io/get/auth/<api key>
level: potentially_malicious
detection:
  selection:
    title|contains:
      - Login
      - Authentication
    requests|startswith: https://image.thum.io/
  condition: selection
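
The clustering idea from the description, as an added example that is not part of the original rule or its project: it applies the rule's selection to scan records and groups matching hosts by the path segment that follows /get/auth/. The record layout, hosts, keys, the function names and the case-insensitive title match are assumptions made for illustration.

```python
from collections import defaultdict

THUM_PREFIX = "https://image.thum.io/"     # requests|startswith value from the rule
TITLE_WORDS = ("Login", "Authentication")  # title|contains values from the rule
NO_KEY = "<no key>"

def matches_rule(title, requests):
    """Selection: a title keyword AND a thum.io request (case-insensitive: assumed)."""
    title_hit = any(w.lower() in title.lower() for w in TITLE_WORDS)
    return title_hit and any(r.startswith(THUM_PREFIX) for r in requests)

def thum_api_key(request_url):
    """Return the path segment after /get/auth/, or None if there is none."""
    if not request_url.startswith(THUM_PREFIX):
        return None
    parts = request_url[len(THUM_PREFIX):].split("/")
    if parts[:2] == ["get", "auth"] and len(parts) > 2 and parts[2]:
        return parts[2]
    return None

def cluster_by_key(scans):
    """Group hosts that match the rule by the thum.io API key they embed."""
    clusters = defaultdict(set)
    for scan in scans:
        if not matches_rule(scan["title"], scan["requests"]):
            continue
        keys = {k for k in map(thum_api_key, scan["requests"]) if k}
        for key in keys or {NO_KEY}:
            clusters[key].add(scan["host"])
    return {key: sorted(hosts) for key, hosts in clusters.items()}

# Constructed scan records: hosts, titles and keys are made up.
SCANS = [
    {"host": "a.example", "title": "Webmail Login",
     "requests": ["https://image.thum.io/get/auth/00000-keyA/https://corp-one.example"]},
    {"host": "b.example", "title": "Authentication required",
     "requests": ["https://image.thum.io/get/auth/00000-keyA/width/1200/https://corp-two.example"]},
    {"host": "c.example", "title": "login",
     "requests": ["https://image.thum.io/get/auth/11111-keyB/https://corp-one.example"]},
    {"host": "d.example", "title": "Sign in - Login",  # thum.io call without a key
     "requests": ["https://image.thum.io/get/width/600/https://corp-three.example"]},
    {"host": "e.example", "title": "Portfolio",        # thum.io but no login title
     "requests": ["https://image.thum.io/get/auth/00000-keyA/https://corp-one.example"]},
    {"host": "f.example", "title": "Login",            # login title but no thum.io
     "requests": ["https://cdn.example/logo.png"]},
]

if __name__ == "__main__":
    print(cluster_by_key(SCANS))
```

Hosts that share a key land in one cluster, while matches that carry no key are kept apart under a separate label so they are not mistaken for a single actor.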