Phishers go “interplanetary” to get company login credentials
Pieter Arntz · 2025-03-10 · via Threat Walkthroughs – ThreatDown by Malwarebytes

An ongoing campaign to harvest company login credentials is using IPFS to host its phishing pages.

The InterPlanetary File System is a decentralised, peer-to-peer storage system. Unlike regular storage, it doesn’t rely on a single storage location—files are stored “everywhere” rather than “somewhere”.

Conveniently for cybercriminals, having no one specific location for their phishing sites makes them more difficult to take down.

Since most users won’t have the software they need to access IPFS, criminals who want to host their phishing sites on it rely on gateways that provide IPFS data with HTTP addresses.

In one phishing campaign, things start off pretty normally, with a fake DocuSign email urging the target to download an invoice. (Another campaign starts with a message claiming to come from the mail administrator and links to the same site.)

A phishing email disguised as a DocuSign message

Clicking the download link opens a phishing site hosted on IPFS, where the target is asked to confirm their email address.

A phishing site hosted on IPFS

If the target enters their email address and clicks “Access Document”, the site extracts the domain name from the email address and uses it to load an appropriate company logo from logo.clearbit.com, to provide a branded login page.

The phishing site attempts to load the correct company logo

In our case, we used a malwarebytes.com address and got a Malwarebytes branded login page.

The branded phishing site login page

If the target enters a password, it’s sent to the attacker via the Telegram secure messaging app. This is a common tactic in modern phishing campaigns—Telegram provides anonymity for the attacker, and the platform’s bot API makes it easy to automate the collection process.

The site sends the target’s credentials to a Telegram channel
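
For defenders, the chain described above (IPFS gateway page, then a logo.clearbit.com lookup, then a Telegram bot API call) can be hunted in web proxy logs. The following is an added example, not code from the original article or from Malwarebytes; it assumes the logo and Telegram requests are made by the target's browser, and the record format, hostnames under `.example` and client addresses are constructed. The logo and Telegram hosts are legitimate services on their own, so only the ordered sequence from one client is flagged.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is base58 ("Qm" + 44 chars); CIDv1 in base32 starts with "b".
CID_V0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"
CID_V1 = r"b[a-z2-7]{58,}"
PATH_STYLE = re.compile(rf"^/ipfs/(?:{CID_V0}|{CID_V1})(?:/|$)")  # gw.tld/ipfs/<cid>/
SUBDOMAIN_STYLE = re.compile(rf"^{CID_V1}\.ipfs\.")               # <cid>.ipfs.gw.tld
STAGES = ["ipfs_gateway", "logo_lookup", "telegram_bot"]


def classify(url):
    """Map a URL to one stage of the chain described above, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if PATH_STYLE.match(parts.path) or SUBDOMAIN_STYLE.match(host):
        return "ipfs_gateway"
    if host == "logo.clearbit.com":
        return "logo_lookup"
    if host == "api.telegram.org" and parts.path.startswith("/bot"):
        return "telegram_bot"
    return None


def flag_clients(records, window=600):
    """records: (epoch_seconds, client, url) tuples sorted by time.
    Returns clients that hit all three stages in order within `window` s."""
    state, flagged = {}, []      # client -> (stages seen, time of gateway hit)
    for ts, client, url in records:
        kind = classify(url)
        seen, start = state.get(client, (0, None))
        if kind == "ipfs_gateway" and (seen == 0 or ts - start > window):
            seen, start = 1, ts  # start (or restart) a chain
        elif seen and kind == STAGES[seen] and ts - start <= window:
            seen += 1
        if seen == len(STAGES):
            flagged.append(client)
            seen, start = 0, None
        state[client] = (seen, start)
    return flagged


# Constructed sample records, not taken from the campaign.
SAMPLE = [
    (1000, "10.0.0.5", "https://gateway.example/ipfs/Qm" + "a" * 44 + "/index.html"),
    (1030, "10.0.0.5", "https://logo.clearbit.com/example.com"),
    (1090, "10.0.0.5", "https://api.telegram.org/bot000:CONSTRUCTED/sendMessage"),
    (1100, "10.0.0.9", "https://logo.clearbit.com/example.org"),
    (1200, "10.0.0.7", "https://b" + "a" * 58 + ".ipfs.gateway.example/"),
    (1210, "10.0.0.7", "https://intranet.example/ipfs/readme"),
]
```

Running `flag_clients(SAMPLE)` reports only the client that completed all three stages; a lone logo lookup or a lone gateway visit is not flagged.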

IPFS is working hard to get the phishing pages removed, but, no surprise for a platform that’s designed to be robust and decentralised, it seems they can’t keep up. New IPFS phishing sites are popping up on a daily basis.