Login pages loading from thum.io
22 Aug, 2023
40 weeks ago
A tactic used by phishing sites targeting corporate email accounts is to load a screenshot of the email domain to use as a background.
thum.io is one service used by phishers for this purpose. Because this service requires an API key, you can use the API key to cluster phishing sites by threat actor: https://image.thum.io/get/auth/<api key>
title: Login pages loading from thum.io
description: |
  A tactic used by phishing sites targeting corporate email accounts,
  is to load a screenshot of the email domain to use as a background.
  [thum.io](https://thum.io) is one service used by phishers for this purpose.
  Because this service requires an API key, you can use the API key to cluster phishing sites
  by threat actor: https://image.thum.io/get/auth/<api key>
level: potentially_malicious
detection:
  selection:
    title|contains:
      - Login
      - Authentication
    requests|startswith: https://image.thum.io/
  condition: selection
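
The clustering step from the description, as an added example that is not part of the original rule or of any project's code: it applies the rule's two conditions to scan records and groups matching hosts by the path segment after `auth`. The record layout (`host`, `title`, `requests`), the sample hosts and keys, the case-insensitive title match, and the handling of other thum.io options before `auth` are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

TITLE_WORDS = ("login", "authentication")   # rule: title|contains
THUM_PREFIX = "https://image.thum.io/"      # rule: requests|startswith

def thum_api_key(request_url):
    """Return the path segment following 'auth' in a thum.io request, else None."""
    if not request_url.startswith(THUM_PREFIX):
        return None
    segments = urlsplit(request_url).path.split("/")
    for i, seg in enumerate(segments):
        # Stop at the embedded target URL so an "/auth/" in its own path
        # is never mistaken for the key.
        if seg.lower() in ("http:", "https:"):
            break
        if seg == "auth" and i + 1 < len(segments):
            return segments[i + 1] or None
    return None

def matches_rule(scan):
    # Assumption: Sigma-style case-insensitive substring match on the title.
    title = scan["title"].lower()
    return (any(w in title for w in TITLE_WORDS)
            and any(r.startswith(THUM_PREFIX) for r in scan["requests"]))

def cluster_by_key(scans):
    """Map each API key to the sorted hosts of matching pages that used it."""
    clusters = defaultdict(set)
    for scan in scans:
        if not matches_rule(scan):
            continue
        keys = {k for k in map(thum_api_key, scan["requests"]) if k}
        for key in keys or {"<no key>"}:
            clusters[key].add(scan["host"])
    return {key: sorted(hosts) for key, hosts in clusters.items()}

# Constructed scan records; hosts and API keys are placeholders.
SCANS = [
    {"host": "a.example", "title": "Webmail Login", "requests": [
        "https://image.thum.io/get/auth/1111-demoA/width/1200/https://corp.example/"]},
    {"host": "b.example", "title": "Email Authentication", "requests": [
        "https://image.thum.io/get/width/1200/auth/1111-demoA/https://other.example/auth/"]},
    {"host": "c.example", "title": "Login", "requests": [
        "https://image.thum.io/get/auth/2222-demoB/https://corp.example/"]},
    {"host": "d.example", "title": "Photo gallery", "requests": [
        "https://image.thum.io/get/auth/2222-demoB/https://corp.example/"]},
]
```

Hosts that share a key land in the same cluster; `d.example` is excluded because its title fails the rule even though it loads from thum.io.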