During monitoring by the Electronic Security Service (ESC), technical findings were obtained regarding a phishing attack conducted via Telegram, ESC told APA-Economics.
According to the information, the analysis produced a schematic map of the infrastructure used in the attack, identified IP addresses and redirect chains, and provided detailed information on the account takeover process.
Initial Suspicious Domain
The investigation started with the domain “12320sw[.]com”, mentioned in one of the intercepted messages. The domain resolves to IP address 156[.]251[.]247[.]206 (AS40065, CNSERVERS LLC), which does not directly serve content but instead redirects users to “p726exa[.]eu[.]cc”, resolving to IP 156[.]251[.]247[.]204 in the same network.
Redirect Chains and Account Takeover Process
Investigation of the IP addresses revealed additional analogous “.com” domains. Visiting these domains leads to further redirections to “p726***.eu.cc” domains.
Analysis of multiple “.com” and “.eu.cc” domains showed a clear structure in the phishing attack:
Domains like “12319ar[.]com”, “12320se[.]com”, “966575[.]com”, “796676[.]com”, “play-zotysports[.]com” and others resolve to 156[.]251[.]247[.]206;
Each redirects to randomly generated “p726*.eu.cc”** subdomains;
The “p726*.eu.cc”** domains host the phishing content and all resolve to 156[.]251[.]247[.]204;
Examination of the page code revealed comments written in Chinese.