yeah.
The attack used a lookalike domain, I checked when was it created and when was the certificate issued.
I also had one of the attacker's VM's IP address, where the phishing site was hosted.
That allowed me to check the logs and see if it pops up earlier. And lo and behold, there it was, quite a lot at some point. Probably when they were building the phishing site and pulling our resources for it.
It was very satisfying to see all this prep work go down the drain. 😉
Michał "rysiek" Woźniak · 🇺🇦 /
npub1af…q5gp4
2024-10-12 10:34:13
in reply to nevent1q…xvyz
Author Public Key
npub1afml2kzwamqxppl50207sf5jwgl3l6ugn6hnuwugtxt7ctnhdtkqjq5gp4Published at
2024-10-12 10:34:13Event JSON
{
"id": "4db0bbb632facfb139c04edddfd05602832a3450be6638f68182c82e63057392",
"pubkey": "ea77f5584eeec06087f47a9fe82692723f1feb889eaf3e3b885997ec2e776aec",
"created_at": 1728729253,
"kind": 1,
"tags": [
[
"p",
"ea77f5584eeec06087f47a9fe82692723f1feb889eaf3e3b885997ec2e776aec"
],
[
"p",
"1738a95bcc2b8589e81be3a8a4671331979f3cc51a51c32d0df9d61914819a9b"
],
[
"e",
"8b37b038d867baba69f6404d0917cd7914c8c64d22b22b10787a8694b46f0ae9",
"",
"root",
"ea77f5584eeec06087f47a9fe82692723f1feb889eaf3e3b885997ec2e776aec"
],
[
"p",
"e9ed4bfba848119da13074e34029e5d91f69f729791320d4d79207922d0a4bca"
],
[
"e",
"8cb81eff477e457a4453f0fe812a1cb090d44cc41bb4d65771d705ede7cb935b",
"",
"reply",
"1738a95bcc2b8589e81be3a8a4671331979f3cc51a51c32d0df9d61914819a9b"
],
[
"proxy",
"https://mstdn.social/@rysiek/113294000354864545",
"web"
],
[
"proxy",
"https://mstdn.social/users/rysiek/statuses/113294000354864545",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://mstdn.social/users/rysiek/statuses/113294000354864545",
"pink.momostr"
],
[
"-"
]
],
"content": "yeah.\n\nThe attack used a lookalike domain, I checked when was it created and when was the certificate issued.\n\nI also had one of the attacker's VM's IP address, where the phishing site was hosted.\n\nThat allowed me to check the logs and see if it pops up earlier. And lo and behold, there it was, quite a lot at some point. Probably when they were building the phishing site and pulling our resources for it.\n\nIt was very satisfying to see all this prep work go down the drain. 😉",
"sig": "0536ba1e19843e437945aeb178ba272a9eb82ae78ffce554cf7ab3b24f85346af19a5d6097c7602cdd2434b88734fa552c6e8f11534118536c3138e1b40d3af8"
}