Jérôme Segura
Threat Intelligence
Jérôme Segura 15h
Fobos campaign it seems. Will check and update the regex for it :)
Jérôme Segura Jun 15
Replying to @9bplus
Nice and simple setup, thanks for sharing!
Jérôme Segura Jun 14
pushing Kronos/Osiris on [FR] victims. Fallout IP: 157.230.102[.]83 Payload: 4cd84dff9d1b4180f80bcd7f7fd27265f44ca17c23e1d6d07a2b53dffea8217e
Jérôme Segura Jun 12
Replying to @Tra1Nman
Yes, we see a lot of those ones with the CloudFront-hosted browlocks.
Jérôme Segura Jun 12
Keeping on with the color theme, this one reminds me of a certain country's flag... IOC: moneybackguar[.]website/Call-Mac-Support
Jérôme Segura Jun 12
Replying to @Tra1Nman
You're right, seeing a ton of these with that URI pattern.
Jérôme Segura Jun 12
Even scammers get their colors mixed up sometimes... vpsserver[.]website/Call-Support1/blue.php
Jérôme Segura Jun 12
Thanks, I passed it to the right people.
Jérôme Segura Jun 11
browlock template in opendir. Domain: new-zombie-virus-alert[.]tk
Jérôme Segura retweeted
EKFiddle Jun 10
Version 0.9.2.1 - 'Traffic Summary' has been expanded into 'Abuse Report'. (Event time in GMT, defanged hostname and URI)
Jérôme Segura Jun 8
Another case of a Magecart skimmer compromise via Amazon S3 storage. This time, it is the Washington Wizards page on the official website.
Jérôme Segura Jun 7
Replying to @jeromesegura
Skimmer code checking many form fields (Group 3: )
Jérôme Segura Jun 7
Seeing a fair number of web skimming incidents lately with the newer gate jquers[.]com. Looks related to previous jqueres[.]com injections also masquerading as the Google Tag Manager.
Jérôme Segura Jun 7
Good catch. I looked at our telemetry and can confirm that intended victims are from Taiwan and South Korea. cc
Jérôme Segura Jun 5
No, the 'Read more...' doesn't help with ripping off content from somewhere else, especially when the entire content has been copy/pasted. Original: Stolen:
Jérôme Segura retweeted
Fumik0_ Jun 5
Vidar behind a fake CryptoCurrency trading software with a fancy website (4962c0afb925d23013f6c80433f0a453), also pushing two Qulab variants (Clipper only & Miner variant). An example among others of the aggressive focus on Cryptocurrencies these days.
Jérôme Segura Jun 4
Magecart skimmers found on Amazon CloudFront CDN
Jérôme Segura Jun 4
How to avoid being the next Baltimore. Nice writeup!
Jérôme Segura retweeted
Fumik0_ Jun 3
Replying to @jeromesegura
Vidar behind a specific profile is also pushing this Golang Bruteforcer nowadays, currently targeting WordPress & websites with .htpassword