Starting around 2:00 AM UTC on March 4th, we've been observing a vast botnet operation attempting to use SMTP-AUTH credentials from nearly 500K distinct IPs, to perform what looks like a large-scale phishing campaign targeting Brazilian users.
Here's what we know:
1️⃣ Subject lines used include:
- Evite a Suspensão da Sua Caixa de Entrada
- Saiba Como-XXXXXX
- Sua Capacidade de E-mail Está no Máximo
- Solução Disponível-XXXXXX
- Atualize Sua Conta para Continuar Recebendo Novas Mensagens
2️⃣ Phishing payload is located at: hXXps://acessoclientevalidar.dnsalias[.]com/
3️⃣ Of particular interest is the fact that the IPs involved in this campaign are overwhelmingly located in Brazil too.
4️⃣ Based on what we and others know about the systems performing this phishing campaign, there appears to be a strict correlation with IPs associated with residential proxy networks.
5️⃣ Out of 373K Brazilian IPs involved, over 90% are associated with residential proxy networks.
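The fingerprint of this kind of operation on a mail server is one account authenticating from many unrelated client IPs within minutes. The following is an added detection example, not code from the original post: it parses Postfix-style submission log lines (the sample lines, account names and addresses are constructed) and flags accounts whose SMTP-AUTH logins exceed an assumed threshold of distinct client IPs inside a sliding window.

```python
"""Flag accounts whose SMTP-AUTH logins come from many distinct client IPs
in a short window, the pattern a proxy-backed botnet leaves behind."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on Postfix submission logging (not data
# from the original post). alice: 4 IPs within 3 minutes; bob: 1 IP;
# carol: 2 IPs hours apart (normal roaming, should not be flagged).
SAMPLE_LOG = """\
Mar  4 02:01:10 mx postfix/submission/smtpd[811]: 1A2B3C: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  4 02:01:55 mx postfix/submission/smtpd[812]: 1A2B3D: client=unknown[198.51.100.88], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  4 02:02:30 mx postfix/submission/smtpd[813]: 1A2B3E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  4 02:03:41 mx postfix/submission/smtpd[814]: 1A2B3F: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  4 02:05:00 mx postfix/submission/smtpd[815]: 1A2B40: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  4 03:10:00 mx postfix/submission/smtpd[816]: 1A2B41: client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=carol@example.com
Mar  4 06:40:00 mx postfix/submission/smtpd[817]: 1A2B42: client=unknown[192.0.2.21], sasl_method=PLAIN, sasl_username=carol@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?client=\S+?\[(?P<ip>[^\]]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)

def parse_auth_events(log, year=2025):
    """Return (timestamp, user, client_ip) for each authenticated submission.
    Syslog lines carry no year, so it is supplied by the caller."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authenticated submission line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def flag_distributed_auth(events, max_ips=3, window_minutes=10):
    """Return {user: peak distinct IPs} for users whose logins came from
    more than max_ips distinct client IPs inside any window_minutes span.
    Thresholds are assumptions; tune them to the server's normal traffic."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        peak = 0
        for i, (start, _) in enumerate(evs):  # window anchored at each login
            limit = start.timestamp() + window_minutes * 60
            ips = {ip for t, ip in evs[i:] if t.timestamp() <= limit}
            peak = max(peak, len(ips))
        if peak > max_ips:
            flagged[user] = peak
    return flagged
```

A flagged account is a candidate for credential reset and outbound rate limiting; the hit count per account is the first thing to compare against the campaign's known volume.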
#Phishing #Botnet #ResidentialProxies #ThreatIntel #CyberSecurity