Exposing a “Correios” phishing scam with FOFA
The FOFA platform is highly flexible and can be customized for different needs, which makes it very convenient and practical. The search results may also contain other relevant features that can be used to further expand or narrow down the search scope. For example, the website title could be “ChatGPT Web”, or the website favicon (icon_hash) could be used as a search parameter; these keywords can also be searched on FOFA.
In our use case, we will search for phishing sites associated with a campaign that uses the name of Correios. It all starts with a high volume of people reporting spam related to an email from “Correios” about an allegedly blocked order, followed by a “PIX” payment request to release the alleged order. See below:
Aviso importante: Seu pedido foi bloqueado pela fiscalizacao alfandegaria! Protocolo:7201424843 Correios<aviso@%correiostaxa[.]com>
With the aim of expanding the search for other URLs associated with this phishing campaign, we use the asset search feature (favicon) in FOFA to try to map new active domains. First we need to identify and extract an asset from the malicious website to pivot on; in this case we will use the favicon:
hxxps://rastreamento-correios-alfandega[.]kyiv[.]ua/correios[.]com[.]br/rastreamento/
Now, with the favicon identified, we need to download the asset to use in the next steps:
At this point, we need to access the FOFA website and follow the step below, selecting the “three dots” menu and then using the “icon search” function:
Let’s see what FOFA returned for the icon hash search; we will insert new elements into our query based on the result below:
It is worth highlighting how the FOFA logical operators work, both for learning purposes and for refining the search by inserting new elements:
(icon_hash="119993459" || title=="Rastreamento" || title=="enviopedido - acompanheseupedido.online")
(icon_hash="119993459" || title=="enviopedido - acompanheseupedido.online" || icon_hash="1086298006" || icon_hash="-457998599")
Now, with the new “title” elements and new icons identified, we refined the query and arrived at a new search. The result is surprising: new related threats, lol:
We identified that one of the domains in the malicious campaign was registered under .br, which allows us to identify and associate the alleged operators, or the documents used improperly for fraud purposes, through the registry’s WHOIS:
https://registro.br/tecnologia/ferramentas/whois?search=liberacaoproduto.com.br
PIX QR code payload extracted:
{
"type": "dynamic",
"merchantCategoryCode": "0000",
"transactionCurrency": 986,
"countryCode": "BR",
"merchantName": "CASH TIME PAY",
"merchantCity": "SAO PAULO",
"transactionAmount": null,
"oneTime": false,
"url": "qr.iugu.com/public/payload/v2/9FC7B1B9795746A18AE286B20C26147F"
}
URL: hxxps://pay[.]liberacaoproduto[.]com/pix/30AWkW9Z?
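The decoded JSON above is what you get by parsing the text inside a PIX QR code, which is an EMV merchant-presented (BR Code) payload: a flat string of tag-length-value records, with tag 26 holding the PIX account info (subtag 00 the GUI "br.gov.bcb.pix", subtag 01 a static PIX key, subtag 25 the URL of a dynamic charge) and tag 63 a CRC-16/CCITT-FALSE over everything before it. The following parser is an added example, not code from the original post; SAMPLE_PAYLOAD is constructed with a placeholder merchant and URL (example.invalid), so it does not reproduce the page's "CASH TIME PAY" QR code, and the builder exists only to produce a payload with a valid CRC for the demo.

```python
import json


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), the checksum BR Code tag 63 carries."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def parse_tlv(payload: str):
    """Split an EMV payload into (tag, value) pairs: 2-char tag, 2-digit length, value."""
    fields, i = [], 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for tag {tag}")
        fields.append((tag, value))
        i += 4 + length
    return fields


def decode_pix(payload: str) -> dict:
    """Decode a BR Code payload into the fields a scanner would show, plus a CRC check."""
    pairs = parse_tlv(payload)
    fields = dict(pairs)
    # Tag 63 must be the last field; the CRC covers the payload up to and including "6304".
    crc_ok = pairs[-1][0] == "63" and len(pairs[-1][1]) == 4 and \
        f"{crc16_ccitt(payload[:-4].encode('ascii')):04X}" == pairs[-1][1].upper()
    account = dict(parse_tlv(fields["26"])) if "26" in fields else {}
    amount = fields.get("54")
    return {
        "type": "dynamic" if fields.get("01") == "12" else "static",
        "merchantCategoryCode": fields.get("52"),
        "transactionCurrency": int(fields["53"]) if "53" in fields else None,
        "transactionAmount": float(amount) if amount is not None else None,
        "countryCode": fields.get("58"),
        "merchantName": fields.get("59"),
        "merchantCity": fields.get("60"),
        "gui": account.get("00"),      # expected "br.gov.bcb.pix"
        "pixKey": account.get("01"),   # present on static codes
        "url": account.get("25"),      # present on dynamic codes (like the page's qr.iugu.com one)
        "crc_ok": crc_ok,
    }


def tlv(tag: str, value: str) -> str:
    return f"{tag}{len(value):02d}{value}"


def build_brcode(url: str, name: str, city: str, amount=None) -> str:
    """Assemble a dynamic BR Code payload with a correct CRC (demo helper, constructed data)."""
    body = (
        tlv("00", "01") + tlv("01", "12")
        + tlv("26", tlv("00", "br.gov.bcb.pix") + tlv("25", url))
        + tlv("52", "0000") + tlv("53", "986")
        + (tlv("54", f"{amount:.2f}") if amount is not None else "")
        + tlv("58", "BR") + tlv("59", name) + tlv("60", city)
        + tlv("62", tlv("05", "***")) + "6304"
    )
    return body + f"{crc16_ccitt(body.encode('ascii')):04X}"


# Constructed sample: placeholder merchant and URL, not the payload from the page
SAMPLE_PAYLOAD = build_brcode("example.invalid/qr/v2/ABC123", "EXAMPLE MERCHANT", "BRASILIA")

if __name__ == "__main__":
    print(json.dumps(decode_pix(SAMPLE_PAYLOAD), indent=2))
```

When triaging a real scam QR code, the "url" (dynamic) or "pixKey" (static) value is the pivot that ties the page to a payment processor or account holder, as the iugu URL did above; a failing crc_ok usually means the string was mangled in transcription (hxxp-style defanging, copy/paste) rather than being a different code.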
Finally, below is the list of all the domains extracted from the query, which shows how effective FOFA can be in the threat hunting process for identifying new threats and the operators behind criminal actions:
https://gist.githubusercontent.com/teixeira0xfffff/1a3ca7ba0efb9d0813343b8b08bb0e7a/raw/30401404bdf8da6a05bfb476045b385431d4727f/output.csv
Happy hunting =)