Dear Customer your HDFC NETBANKING Account will be Blocked today kindly Update Your Pancard now visit below the link. https://t[.]ly/HEVC
>>> https://t.ly/HEVC
> --------------------------------------------
> 301 Moved Permanently
> --------------------------------------------
Status: 301 Moved Permanently
Code: 301
Date: Sat, 04 Mar 2023 13:54:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: https://hmj2utnme.web.app
set-cookie: tly_session=eyJpdiI6InZHdS9QMWNoUFlDUjZNblR0UWhUcnc9PSIsInZhbHVlIjoiTGprZ2MzWTdUQ1ZzOGxtTy9SUTNUVk1PRnZCMjFnNlIxckZUc3MxcGdidUNzZXY3RG5zRk4zR3VFSHFOZUJtNnZ6STRDVnJMYVk0RmZnQnU2M2p0YktzTmRRWUd0RnM5YTZQR3VDYnJFOEFlR1JmSlZSTlNqZVFGQXN5ZVlMT00iLCJtYWMiOiJhZjUzNmIwNjY1MDM0ZjlhZGIwODhkOTkwMWE1Y2IxZWIwZGIzZWQ3YjZlZGE3N2M2M2E1ZjdiOGQwMmNkYjZkIiwidGFnIjoiIn0%3D; expires=Sat, 18-Mar-2023 13:54:06 GMT; Max-Age=1209600; path=/; secure; httponly; samesite=lax
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-whom: tly-2
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AropzU5bH5rzMoofA2w1l%2FMqh9TqYS5Jgbrhc5d4qxi2k73t%2FrY6DXBi2lZqc3i0%2Bp4Y0qTKFxPsoGGTBl3i5t1FAqTTxH3%2F6j1L1r93N9HM8d3EGes%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 7a2a9bf41f78383b-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
>>> https://hmj2utnme.web.app
> --------------------------------------------
> 200 OK
> --------------------------------------------
Status: 200 OK
Code: 200
Connection: close
Content-Length: 2281
Cache-Control: max-age=3600
Content-Type: text/html; charset=utf-8
Etag: "745b0de578e5968088d1c2de7154b4bbc78c819268297eb03d2c689d7d60e79e"
Last-Modified: Fri, 03 Mar 2023 08:38:09 GMT
Strict-Transport-Security: max-age=31556926; includeSubDomains; preload
Accept-Ranges: bytes
Date: Sat, 04 Mar 2023 13:54:06 GMT
X-Served-By: cache-hhn-etou8220064-HHN
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1677938046.290518,VS0,VE1
Vary: x-fh-requested-host, accept-encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
https://urlscan.io/result/1ae039a2-3441-4069-8b1e-374746a198a8/#summary
https://www.virustotal.com/gui/domain/hmj2utnme.web.app/detection
Admin City: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Creation Date: 2019-01-08T22:05:04Z
DNSSEC: unsigned
Domain Name: web.app
...
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Registrar IANA ID: 292
Registrar URL: http://www.markmonitor.com
Registrar WHOIS Server: whois.nic.google
Registrar: MarkMonitor Inc.
Registry Admin ID: REDACTED FOR PRIVACY
Registry Domain ID: 300A2C851-APP
Registry Expiry Date: 2024-01-08T22:05:04Z
...
Updated Date: 2022-12-12T09:28:46Z
<!DOCTYPE html><html><head><meta charSet="utf-8"/>
<meta name="viewport" content="width=device-width"/>
<title>Wellcome</title><meta name="next-head-count" content="3"/>
<link rel="preload" href="/_next/static/css/a6cd15749f8dde69.css" as="style"/>
<link rel="stylesheet" href="/_next/static/css/a6cd15749f8dde69.css" data-n-g=""/>
<noscript data-n-css=""></noscript>
<script defer="" nomodule="" src="/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js"></script>
<script src="/_next/static/chunks/webpack-59c5c889f52620d6.js" defer=""></script>
<script src="/_next/static/chunks/framework-7751730b10fa0f74.js" defer=""></script>
<script src="/_next/static/chunks/main-591bb7ec51acdc0d.js" defer=""></script>
<script src="/_next/static/chunks/pages/_app-1a336683ff51f334.js" defer=""></script>
<script src="/_next/static/chunks/345-9778382fb4c87e41.js" defer=""></script>
<script src="/_next/static/chunks/pages/index-461061f438c1bc00.js" defer=""></script>
<script src="/_next/static/rYCyJCt1arYy2bGtPH3t1/_buildManifest.js" defer=""></script>
<script src="/_next/static/rYCyJCt1arYy2bGtPH3t1/_ssgManifest.js" defer=""></script>
</head><body><div id="__next"><div class="text-center loading-fast">
<span style="box-sizing:border-box;display:inline-block;overflow:hidden;width:100px;height:100px;background:none;opacity:1;border:0;margin:0;padding:0;position:relative">
<img alt="loading" src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
decoding="async" data-nimg="fixed" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;max-width:100%;min-height:100%;max-height:100%"/>
<noscript><img alt="loading" src="/spinner.gif" decoding="async" data-nimg="fixed" style="position:absolute;top:0;left:0;bottom:0;right:0;box-sizing:border-box;padding:0;border:none;margin:auto;display:block;width:0;height:0;min-width:100%;
max-width:100%;min-height:100%;max-height:100%"
loading="lazy"/></noscript>
</span><h1>Please wait</h1></div></div>
<script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{}},"page":"/","query":{},"buildId":"rYCyJCt1arYy2bGtPH3t1","nextExport":true,"autoExport":true,"isFallback":false,"scriptLoader":[]}</script></body></html>
Web.app is the hosting domain for apps built on Firebase, Google's mobile app platform.
These campaigns use SSL certificates issued by Appspot.com and Web.app, and they have well-designed login pages that attempt to spoof popular brands widely used in business, such as Dropbox Business, Microsoft Outlook and SharePoint, and DocuSign. They are designed to capture login credentials, which are sent to a remote server.
To evade detection, the attackers keep most of the kit's code in an external JavaScript file rather than in the landing page itself, which is why the page above is little more than a "Please wait" spinner that loads scripts.
“The attackers are using the latest tactics to evade detection from scan engines, with most of the code written in an external JavaScript file. This filename is 32 characters long and different for every site,” researchers noted.
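The triage steps shown on this page (follow the shortener to its destination, note the Firebase hosting domain, then look at which external scripts the landing page pulls in) can be automated without ever executing the page's JavaScript. The following is an added example, not code from the original write-up; the fetch function is replaced by a constructed table of responses modelled on the captured trace above, the `ABUSED_HOSTING_SUFFIXES` list is an assumption taken from the Appspot.com / Web.app remark on this page, and the 32-character filename check follows the researchers' observation quoted above.

```python
"""Offline triage of a phishing URL: follow redirects without executing
anything, then inspect the landing page for externally loaded scripts."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosting suffixes this write-up associates with phishing kits (assumption
# taken from the page: Firebase's web.app and Google's appspot.com).
ABUSED_HOSTING_SUFFIXES = (".web.app", ".appspot.com")

# Researchers noted the external kit file has a 32-character name that differs
# per site; flag any bare 32-character alphanumeric .js filename.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{32}\.js$")

# Constructed responses standing in for live HTTP (this example never goes
# online). Values are (status, headers, body); the script name is made up.
CONSTRUCTED_RESPONSES = {
    "https://t.ly/HEVC": (301, {"Location": "https://hmj2utnme.web.app"}, ""),
    "https://hmj2utnme.web.app": (
        200,
        {"Content-Type": "text/html; charset=utf-8"},
        '<!DOCTYPE html><html><head><title>Wellcome</title>'
        '<script defer="" src="/_next/static/chunks/main-591bb7ec51acdc0d.js"></script>'
        '<script src="/abcdefghijklmnopqrstuvwxyz012345.js"></script>'
        '</head><body><h1>Please wait</h1></body></html>',
    ),
}


def fetch_constructed(url):
    """Stand-in for an HTTP client; a real one would use a sandboxed fetch."""
    return CONSTRUCTED_RESPONSES[url]


def follow_redirects(url, fetch, max_hops=10):
    """Return ([(url, status), ...], final_body), stopping at the first
    non-redirect response. Resolves relative Location headers and refuses
    to loop forever, which kits sometimes rely on to stall scanners."""
    chain, seen = [], set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append((url, status))
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return chain, body
    raise ValueError("too many redirects")


class ScriptSrcParser(HTMLParser):
    """Collect src attributes of <script> tags; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_scripts(html, base_url):
    """Absolute URLs of every script the page would load."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [urljoin(base_url, src) for src in parser.srcs]


def triage(url, fetch):
    """Summarise the redirect chain and the landing page's script loads."""
    chain, body = follow_redirects(url, fetch)
    final_url = chain[-1][0]
    host = urlparse(final_url).hostname or ""
    scripts = external_scripts(body, final_url)
    random_named = [s for s in scripts if RANDOM_NAME.match(s.rsplit("/", 1)[-1])]
    return {
        "chain": chain,
        "final_host": host,
        "on_abused_hosting": host.endswith(ABUSED_HOSTING_SUFFIXES),
        "scripts": scripts,
        "random_named_scripts": random_named,
    }


if __name__ == "__main__":
    for key, value in triage("https://t.ly/HEVC", fetch_constructed).items():
        print(f"{key}: {value}")
```

The redirect follower records every hop rather than just the destination, because the shortener hop and its Set-Cookie/Report-To headers are part of the evidence, and the script extractor resolves each `src` against the final URL so a relative path like the one above is attributed to the phishing host, not to the shortener.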
https://web.archive.org/web/20230304140736/https://hmj2utnme.web.app/f1
About the Author
Lena Yu is a Cybersecurity Analyst from Japan. She conducts Cybersecurity research, investigations and writes articles as a hobby. Her passion includes hacking, engineering, investigations, nature and drawing.