Corporate Credential Theft (GEB Case Study)

⚠️ Advanced Phishing Alert

This is a sophisticated cyberattack targeting employees of a specific organization (Grupo Energía Bogotá). It uses “trust-building” techniques to steal corporate login credentials and bypass security measures.

1. The Strategy: The “Bait and Switch”

The attacker shares a shortened URL that appears to lead to a legitimate, harmless resource — in this case, a corporate benefits platform (Gointegro) showing discounts for books in Bogotá. Because the destination looks familiar and non-threatening, employees are more likely to click.

2. The Trap: Forced Re-authentication

Once the user clicks the link, they are automatically redirected to a Microsoft login page.

The user is redirected to a GENUINE Microsoft login page, but the session is hijacked.

How it works (Technical Explanation):

  • The Proxied Redirect: The link isn’t just a simple redirect. It acts as a proxy. The attacker uses a trusted corporate link to initiate a legitimate login process, but controls the redirection path. Once you successfully log in to the real Microsoft portal, the system sends your authentication token back to the attacker’s infrastructure, allowing them to hijack your corporate session without ever knowing your password.
  • Bypassing MFA: Because the site is real, Microsoft sends a Multi-Factor Authentication (MFA) code to the user. The user enters it, thinking everything is fine. The attacker then steals the Session Cookie (the digital “key” that says you are logged in).
  • Full Access: With that stolen cookie, the hacker can enter the victim’s account without needing the password or the MFA code again. They are “in” as the user, bypassing all modern security layers.

Even if the login page looks 100% official (because it is), the path you took to get there was compromised. Attackers use shortened links and ‘trusted’ third-party sites to wrap the official login process in a malicious layer that steals your access token the moment you sign in.

The Psychological Trick: Users often assume their “session has expired” and instinctively enter their username and password to continue to the “discounts” they were promised.

3. Technical Red Flags:

  • Unauthorized Redirects: A link for “book discounts” should never suddenly ask for your Microsoft password. This is a primary sign of a Credential Phishing attack.
  • Suspicious Source: These links are often distributed via unofficial channels (personal WhatsApp, social media, or external emails) rather than official company communications.
  • Abuse of URL Shorteners: Attackers use URL shorteners to hide the final destination and to bypass corporate email filters that would otherwise block direct links to phishing sites.

4. The Goal: Corporate Espionage & Ransomware

By capturing these credentials, hackers can:

  • Gain access to the company’s internal network and sensitive data.
  • Perform AiTM (Adversary-in-the-Middle) attacks to intercept Multi-Factor Authentication (MFA) tokens.
  • Spread ransomware or conduct financial fraud within the organization.

5. How to Protect Yourself and Your Company:

  • Never trust “Login” prompts from external links: If a link unexpectedly asks for your password, close the tab immediately.
  • Verify via the Official Portal: Always log in through your company’s official bookmarks or by typing the address directly into your browser.
  • Report Suspicious Links: If you see a shortened URL claiming to be a corporate resource, report it to your IT Security department before clicking.

🛡 Note for Security Professionals:

This attack is particularly dangerous because it originates from the same geographic location (Bogotá) as the victim company, making it appear “local” and less suspicious. For a moderation system, the key is to implement Deep Redirect Inspection — following the link to its final destination and flagging any unauthorized jumps from a “safe” site to a login portal.
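One way to implement the Deep Redirect Inspection described above, as an added example that is not Antiphishing.biz’s engine: given the hops of a resolved redirect chain, it flags a chain that starts at a URL shortener, a jump from a “safe” content site to a login page, a login page served from a host that is not a trusted identity provider (the adversary-in-the-middle proxy case), and an authorization request whose redirect_uri sends the user outside the organisation. The host lists (www.gointegro.com, login.microsoftonline.com, intranet.example, the shortener set) and the sample chain, including the placeholder host attacker-relay.example, are assumptions.

```python
"""Deep Redirect Inspection over a resolved redirect chain.
Added example, not Antiphishing.biz's engine. Host lists are assumptions."""
from urllib.parse import parse_qs, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

SAFE_CONTENT_HOSTS = {"www.gointegro.com"}                  # benefits platform (assumed host)
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
ALLOWED_REDIRECT_HOSTS = {"intranet.example", "myapps.microsoft.com"}  # assumed corporate apps
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
LOGIN_PATH_HINTS = ("/login", "/signin", "/oauth2", "/saml", "/sso")
RETURN_PARAMS = {"redirect_uri", "returnurl", "redirect", "next", "url"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def looks_like_login(url):
    """True if the URL path hints at an authentication page."""
    path = urlsplit(url).path.lower()
    return any(hint in path for hint in LOGIN_PATH_HINTS)


def foreign_return_targets(url):
    """Hosts named in redirect_uri / ReturnUrl style parameters that are not on
    the allow list: that is where the login flow will send the user afterwards."""
    query = parse_qs(urlsplit(url).query)
    targets = []
    for key, values in query.items():
        if key.lower() in RETURN_PARAMS:
            for value in values:
                target = host_of(value)
                if target and target not in ALLOWED_REDIRECT_HOSTS:
                    targets.append(target)
    return targets


def inspect_chain(chain):
    """chain[0] is the link the user clicked, chain[-1] the final destination.
    Returns human-readable findings (empty list = nothing suspicious)."""
    findings = []
    if host_of(chain[0]) in SHORTENER_HOSTS:
        findings.append(f"chain starts at URL shortener {host_of(chain[0])}")
    # A content site (discounts, news, benefits) must never hand the user to a login page.
    for prev_url, next_url in zip(chain, chain[1:]):
        prev, nxt = host_of(prev_url), host_of(next_url)
        if prev in SAFE_CONTENT_HOSTS and looks_like_login(next_url):
            findings.append(f"unauthorized jump from safe site {prev} to login page on {nxt}")
    final = chain[-1]
    if looks_like_login(final):
        if host_of(final) not in ALLOWED_LOGIN_HOSTS:
            # A real-looking sign-in page on a non-IdP host is the classic AiTM proxy.
            findings.append(f"login page served from untrusted host {host_of(final)}")
        for target in foreign_return_targets(final):
            findings.append(f"login redirect_uri points to untrusted host {target}")
    return findings


class _RecordingRedirects(HTTPRedirectHandler):
    """Records every Location hop that urllib follows."""
    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_chain(url, timeout=10):
    """Resolve a live redirect chain (needs network access; not used by the sample below)."""
    recorder = _RecordingRedirects()
    opener = build_opener(recorder)
    opener.open(Request(url, headers={"User-Agent": "redirect-inspector/1.0"}), timeout=timeout)
    return [url] + recorder.hops


# Constructed chain modelled on the case above; attacker-relay.example is a placeholder.
SAMPLE_CHAIN = [
    "https://bit.ly/geb-books",
    "https://www.gointegro.com/benefits/books?city=bogota",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&redirect_uri=https%3A%2F%2Fattacker-relay.example%2Fcb",
]

if __name__ == "__main__":
    for finding in inspect_chain(SAMPLE_CHAIN):
        print("FLAG:", finding)
```

In a moderation pipeline the chain comes from fetch_chain run inside an isolated sandbox; the three findings on the constructed chain (shortener origin, content-to-login jump, foreign redirect_uri) are each enough on their own to hold the link for review.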

Fake Account Suspension. Jimoty, ジモティー

This is a highly sophisticated phishing attack targeting users of online marketplaces (like the Japanese service Jimoty). Here is how the scam works and how to spot it.

1. The Trap: Fake Urgency

The page displays a message stating that your account has been suspended. It creates artificial pressure by claiming you must “verify your credit card details within 24 hours” to restore access.

2. The Red Flags (How to identify it):

  • Malicious Domain: The URL in the screenshot is jmty.jp-order.cc. The official Jimoty domain is jmty.jp. Scammers use “look-alike” domains by adding extra words like -order.cc to trick your eyes.
  • Unauthorized Payment Request: Legitimate services will never ask for your full credit card details (number, CVV, expiry) just to “verify your identity” or “reactivate an account.”
  • Fake Support Chat: On the right, there is a popup window mimicking a “Support Chat.” It uses professional-sounding language to reassure you that the process is “secure” and “encrypted (SSL),” which is a common tactic to lower your guard.

3. The Goal: Financial Theft

Once a victim clicks the “Check” (チェック) button and enters their card information, the scammers capture the data in real-time to perform unauthorized transactions or sell the card details on the dark web.

4. How to Stay Safe:

  • Check the URL: Always look at the domain name carefully. If it’s not exactly jmty.jp, it’s a scam.
  • Don’t Click Links: If you receive a suspension notice, do not click the link in the message. Instead, go directly to the official website by typing the address in your browser or using the official app.
  • Report & Block: If you encounter such a page in a URL shortener or message, report it immediately to the service provider.

Fake “Complaint Center” / “INTERPOL” Scam

Threat Analysis: Fake “Complaint Center” / “INTERPOL” Scam (Recovery & Impersonation Fraud)

This set of screenshots reveals a fraudulent website impersonating a high-level international complaint center, loosely referencing INTERPOL, the FBI, and the U.S. Department of Justice. The site is designed to appear as a legitimate security or law enforcement agency offering services such as “Fund Recovery”, “Investigation”, and “Case Review”.

How it works:
The victim is likely directed to this site after being scammed previously (e.g., via a phishing email or an ad promising help with recovering lost funds). The site features fake testimonials, stock photos, generic security service descriptions, and a “Complaint Form”. The victim is asked to enter a “Case Number” or file a complaint. In subsequent steps (not fully shown in these screenshots), the victim would be asked to provide personal identification, banking details, or upfront fees for “investigation” or “asset recovery”.

The goal:

  • Steal personal information (name, address, ID documents) for identity theft.
  • Collect banking or credit card details under the guise of “verification” or “processing fees”.
  • Perpetrate an advance fee fraud (recovery scam) – the victim pays a fee to “unlock” their non-existent refund or investigation, but never receives any service.
  • Impersonate law enforcement to intimidate victims into compliance.

Red flags to watch for:

  • Suspicious domain & IP address: The URL shows an IP address 192.142.55.73 with a path containing ~cimb2/… – not an official government or law enforcement domain (which would be .gov, .int, or similar). The use of a raw IP and a hosting subdirectory is highly unprofessional for any legitimate agency.
  • Poor design & generic content: The site mixes unrelated topics (“Bodyguard”, “Computer Security”, “Biometric”) with stock images and placeholder text. The “Latest Post” section contains generic blog titles unrelated to law enforcement.
  • Impersonation of multiple agencies: The site claims to be run by a “Secretary General” and references INTERPOL, the FBI, and the U.S. Department of Justice. No single entity combines all of these; this is a common tactic to fabricate authority.
  • Fake testimonials: Generic quote from “Zenifar Lopez, Business Owner, Spain” – likely fabricated.
  • Request for case number without prior interaction: Legitimate law enforcement does not ask you to enter a case number on a public website to start a complaint. Official reporting is done through verified government portals or in person.
  • Offers of “Fund Recovery”: This is a classic recovery scam promise. No legitimate law enforcement or security agency guarantees fund recovery for a fee.

What to do if you encounter this:

  • Do not enter any case number, personal information, or financial details.
  • Do not pay any fee for “investigation” or “fund recovery”.
  • If you have already submitted information, contact your bank immediately and monitor your credit reports for identity theft.
  • Report the fraudulent website to the real INTERPOL (via their official site), the FBI’s IC3, and the hosting provider.

Protective measures:

  • Always verify the official website of any law enforcement or security agency by typing the known official URL directly (e.g., interpol.int, fbi.gov, justice.gov).
  • Never pay upfront fees to recover money from a previous scam – this is almost always a secondary scam.
  • Be suspicious of unsolicited offers to resolve complaints or investigate fraud, especially if received via email or social media.
  • Use a password manager and keep your personal information secure.

Woolworths Vendor Summit fake page

⚠️ High-Risk Alert: Corporate “Vendor Summit” Phishing Scam

This image displays a classic example of B2B (Business-to-Business) Phishing. Scammers are impersonating the Australian retail giant Woolworths to harvest corporate intelligence and employee data.

How the Scam Works:

  1. Exploiting Professional Authority: By using the Woolworths Vendor Summit 2026 branding, attackers target business partners and suppliers. They exploit the victim’s desire to maintain a good relationship with a major client.
  2. The “Registration” Hook: The page asks for “Company Name,” “Agent Name,” and “Designation.” This is Corporate Reconnaissance. Scammers use this data to perform more convincing Business Email Compromise (BEC) attacks later.
  3. The Image Upload Trap: The request to “Upload Image” is particularly dangerous. It can be used to harvest biometric data (photos) or, more maliciously, to trick users into uploading sensitive corporate ID documents.
  4. Critical Technical Red Flags:
    • Insecure Connection: The browser explicitly marks the site as “Not secure.” Legitimate corporate portals always use encrypted HTTPS.
    • Numerical URL: The website uses a raw IP address (43.225.148.223) instead of an official domain like woolworths.com.au. No major corporation hosts registration forms on an exposed IP address.
    • Non-Standard Port: The use of port :8082 is a common sign of a temporary, malicious server setup.

How to Protect Your Organization:

  • Verify the Source: Official Woolworths communications will only come from verified @woolworths.com.au email addresses and point to official domains.
  • Inspect the URL: Never enter data into a site that uses a raw IP address (numbers only) or displays a “Not secure” warning.
  • Report & Block: If you encounter this specific IP or similar “Registration Forms,” report them to your IT Security department immediately.

🚨 Quick Check: Is This Site a Scam?

Before entering any corporate or personal data, look for these 4 Red Flags identified in the recent Woolworths impersonation scam:

  • 🚩 The “Not Secure” Warning: If your browser displays a “Not secure” message in the address bar, stop immediately. Legitimate companies always use HTTPS to encrypt your data.
  • 🚩 Numbers instead of a Name: Official portals use clear domains (e.g., woolworths.com.au). If the address is just a string of numbers (like 43.225.148.223), it is almost certainly a malicious server.
  • 🚩 Unusual Data Requests: Be wary of forms asking for “Agent Names,” “Designations,” or especially those requiring you to upload images/files on an unverified site.
  • 🚩 Poor Visual Quality: Look for “copy-paste” logos, inconsistent fonts, or strange phrasing like “Add Image Like.” Real corporate sites go through strict quality control.

Rule of Thumb: If a registration link doesn’t end in the official company domain, do not click, do not type, and do not upload.

Meine AOK (a major German health insurance provider) fake page detected

This screenshot is a perfect example of a sophisticated phishing landing page. The method is described below to inform and warn users:

⚠️ Phishing Alert: The “Professional Insight” Subscription Trap

This image reveals a deceptive phishing tactic used to harvest personal information under the guise of a professional newsletter subscription.

How the Scam Works:

  1. Impersonation & Trust: The page uses the branding “Meine Aok” (mimicking a major German health insurance provider) to create a false sense of security. It uses a clean, professional layout and promises “Exclusive Content” and “Expert Analysis” to lure targets.
  2. The Hook: It appeals to professionals by offering “Industry Insights” and “Weekly Updates,” claiming that thousands of others have already joined.
  3. Data Harvesting: The form asks for your Full Name and Email Address. While it looks like a standard sign-up, this information is used to build profiles for identity theft or to launch more targeted “spear-phishing” attacks.
  4. Malicious Domain: The URL in the address bar is meine-aok.digital. The official domain for AOK is aok.de. Scammers often use .digital, .info, or hyphenated names to trick users who aren’t looking closely.

Red Flags to Watch For:

  • Mismatched URL: Always check the domain. If the brand is “AOK” but the URL ends in something other than their official .de domain, it is a scam.
  • Generic Language: The text “Stay Ahead with Professional Insights” is very generic and doesn’t align with the actual services a health insurance company provides.
  • Privacy Policy Links: Often, on these fake sites, the “Privacy Policy” links are either broken or lead back to the same page.

How to Stay Safe:

  • Never enter your details on a site reached via a suspicious link in an email or SMS.
  • Manually type the official website address into your browser if you need to access a service.
  • Look for the lock icon, but remember: even scam sites can have SSL certificates. The domain name is your best clue.

Fake Storage Alert – Credential / Payment Harvesting Scam

This screenshot shows a fake “storage alert” phishing page designed to scare victims into believing their device or cloud storage is nearly full. The message threatens data loss, blocked files, and backup suspension unless the user clicks an “UPGRADE NOW” button – which leads to a phishing site.

Threat Analysis: Fake Storage Alert – Credential / Payment Harvesting Scam

How it works:
The victim receives an email, pop‑up, or SMS claiming that their storage is critically low. The message uses urgent language (“URGENT REMINDER”, “Action required”, “Failure to act may result in backup suspension”) to create fear. A button labelled “UPGRADE NOW” is prominently displayed.

Clicking the button leads to a fraudulent website that:

  • Asks for cloud account login credentials (e.g., Google, Microsoft, iCloud, Dropbox)
  • Requests payment information (credit card details) for a fake storage upgrade
  • Installs malware disguised as a “cleanup tool” or “upgrade utility”

The goal:
The attacker aims to:

  • Steal login credentials for cloud or email accounts
  • Capture credit card details for fraudulent transactions
  • Trick the victim into downloading malware

Red flags to watch for:

  • Unsolicited storage alert: Legitimate storage notifications come from within the app or operating system – not via random emails or pop‑ups with a clickable “UPGRADE NOW” button.
  • Threats of immediate data loss: “New files and emails will be blocked”, “Backups will fail silently”, “Important data may be lost permanently” – these are classic fear tactics.
  • Vague system references: The message does not specify which service or device is affected (e.g., no mention of Google Drive, iCloud, Windows, etc.).
  • Generic branding: No company logo or official header is shown.
  • Urgency and pressure: Phrases like “URGENT REMINDER” and “Failure to act” are designed to bypass critical thinking.

What to do if you encounter this:

  • Do not click the “UPGRADE NOW” button or any links.
  • Check your actual storage status through your device’s settings or the official app of your cloud provider.
  • If you have already clicked and entered credentials, change your password immediately and enable two‑factor authentication.
  • If you entered payment details, contact your bank immediately to block your card.
  • Report the phishing page to the legitimate service being impersonated (if identifiable).

Protective measures:

  • Never click links in unsolicited storage alerts. Always check storage directly through official system settings.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all cloud and email accounts.
  • Be suspicious of any message that creates urgency and threatens data loss.

Poshmark Phishing – Fake Account Restriction & Card Harvesting

This set of screenshots shows a phishing campaign impersonating Poshmark, a popular online marketplace for second‑hand goods. The scam uses a fake “account restricted” notification and a fake support chat to pressure victims into providing full credit/debit card details, personal information, and contact details.

Threat Analysis:

How the scam works (multi‑step flow):

  1. Fake Account Restriction Page – The victim receives a link (via email, SMS, or social media) claiming their Poshmark account is restricted. The page shows a countdown or threat that the account will be deactivated within 24 hours. A “Verify” button is prominently displayed. A fake live chat window appears, with a “support agent” (e.g., “Amelia”) explaining that the victim must provide card details for verification.
  2. Card Details Harvesting Page – The victim is asked to enter card details and billing information. Fake assurances about encryption and GDPR compliance are added.
  3. Fake Order Summary & Submit Page – A final page shows an order summary (often with a small amount or zero) and a “Submit” button. The victim is told that completing this will “validate” their card and restore the account.

The goal:
The attacker collects:

  • Full credit/debit card details (number, expiry, CVV)
  • Personal information (full name, address, email, phone number)

With this data, the attacker can:

  • Make fraudulent online purchases
  • Clone the card or sell the information on criminal markets
  • Use the personal details for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like check0925.sbs, not poshmark.com. Legitimate Poshmark pages are only on official domains.
  • Request for CVV and full card details for “account verification”: Poshmark never asks for your card security code to verify or unblock an account.
  • Fake live chat support: The chat window is not a real support function – it is a scripted message designed to pressure victims. Legitimate customer support does not ask for card details via chat.
  • Threat of account restriction / 24‑hour deadline: Classic urgency and fear tactics.
  • Fake order summary and “Submit” button: There is no actual purchase; this is designed to mimic a checkout process and make the victim believe they are completing a legitimate transaction.
  • Copied branding: The pages use Poshmark’s logos, categories, and footer links, but these are stolen from the real site.
  • Warnings about scams on the page itself: Ironically, the page includes a generic warning about scams – this is copied text and does not make the page legitimate.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • Do not interact with the fake chat or click any buttons.
  • If you are a Poshmark user, always log in directly by typing poshmark.com into your browser. Check your account status from the official dashboard.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Poshmark’s security team and to the hosting provider.

Protective measures:

  • Never click links in unsolicited messages claiming your account is restricted.
  • Always type the official website URL directly into your browser.
  • Never provide your card CVV or expiration date for “account verification” – legitimate businesses do not need this information to confirm your identity.
  • Enable two‑factor authentication on your Poshmark account and email.
  • Be suspicious of any page with a live chat that immediately asks for card details – this is almost always a scam.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (.sbs, .top, .xyz).

dao (Danish Parcel Service) Phishing – Fake Delivery Failure & Address Update Scam

This phishing campaign impersonates dao, a Danish parcel delivery service. The scam uses a fake “delivery failed” notification to trick victims into providing personal information, which can later be used for identity theft or to redirect victims to a payment page where credit card details are stolen.

How it works:

  1. Fake Tracking Page – The victim receives an SMS or email with a link to a fake tracking page. The page displays a fake tracking number and a false status (e.g., “Delivery attempt failed”).
  2. Delivery Failure Notice – The victim is informed that the package could not be delivered because the address was unclear. A button or link (e.g., “Update Address”) is presented.
  3. Address Update Form – The victim is taken to a page that asks for personal details: first name, last name, street address, city, postal code, email, and phone number (with Danish country code +45 pre‑filled).
  4. Potential Next Step (not fully shown) – After submitting the address, the victim may be redirected to a payment page requesting card details (e.g., a small “redelivery fee”). This is a common pattern.

The goal:
The attacker collects:

  • Full name, address, postal code, city
  • Email address and phone number

With this information, the attacker can:

  • Sell the data to other criminals
  • Use it for identity theft
  • Target the victim with follow‑up scams (e.g., fake bank calls)
  • If a payment page follows, also steal credit card details

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not dao.dk or the official dao website. The visible fragments (e.g., 135.2.tv, 135.1.tv) suggest a subdomain or odd URL structure.
  • Unsolicited delivery failure notification: dao does not send links to update addresses via SMS or email. Legitimate delivery issues are handled through the official tracking system or by contacting customer service directly.
  • Fake tracking number: The tracking number (CP318587863DK) is fabricated and cannot be verified on the real dao website.
  • Request for personal information before delivery: A legitimate courier already has your address. They will not ask you to re‑enter it via a link in a message.
  • Generic design / copied content: The pages use dao’s branding, navigation menus, and help section links, but these are copied from the real site. The domain is the giveaway.

What to do if you encounter this:

  • Do not enter any personal information (name, address, email, phone).
  • If you have already entered such information, be aware that it may be used for identity theft or follow‑up scams.
  • If you were redirected to a card payment page and entered card details, contact your bank immediately to block your card.
  • Always track packages by typing the official courier URL directly (e.g., dao.dk) and entering your real tracking number.
  • Report the phishing page to dao’s customer service.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your address, email, or phone number in response to a delivery notification link.
  • Check the URL carefully: Official dao domains end with dao.dk. Look for misspellings, extra words, or unusual top‑level domains (e.g., .tv, .th).
  • Enable two‑factor authentication on your email and banking accounts.
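The URL checks called out in the Jimoty, Woolworths, AOK, Poshmark and dao sections (look-alike domains, raw IP addresses, non-standard ports, plain HTTP, unusual top-level domains) collected into one function, as an added example that is not part of the original page or of any of those services’ tooling. The brand-to-official-domain table is taken from those sections; the unusual-TLD list, the short two-level public-suffix list and the sample URLs are assumptions (a production tool would load the Public Suffix List instead).

```python
"""URL red-flag checks for brand-impersonation pages.
Added example; not the page's own tooling. Lists marked 'assumed' are mine."""
import ipaddress
from urllib.parse import urlsplit

# Brand label -> official registrable domain(s), from the sections above.
OFFICIAL_DOMAINS = {
    "jmty": {"jmty.jp"},
    "woolworths": {"woolworths.com.au"},
    "aok": {"aok.de"},
    "poshmark": {"poshmark.com"},
    "dao": {"dao.dk"},
}
# TLDs treated as unusual for a consumer brand (assumed; the page names .sbs, .top, .xyz, .tv, .th).
UNUSUAL_TLDS = {"sbs", "top", "xyz", "tv", "th", "cc", "digital", "info"}
# Public suffixes made of two labels, so woolworths.com.au counts as one registrable
# domain (assumed short list; a production tool would load the Public Suffix List).
TWO_LEVEL_SUFFIXES = {"com.au", "co.uk", "co.jp", "com.br", "co.nz"}
STANDARD_PORTS = {None, 80, 443}


def registrable_domain(host):
    """Last two labels, or three when the host sits under a two-label public suffix."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_in_host(host):
    """Brand whose name appears as a label anywhere in the host, e.g. 'jmty' in
    jmty.jp-order.cc or 'aok' in meine-aok.digital (hyphens split labels too)."""
    tokens = host.lower().replace("-", ".").split(".")
    for brand in OFFICIAL_DOMAINS:
        if brand in tokens:
            return brand
    return None


def url_red_flags(url):
    """Return the red flags for one URL as short strings, in a fixed order."""
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "//" + url)
    host = (parts.hostname or "").lower()
    flags = []
    if has_scheme and parts.scheme != "https":
        flags.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        flags.append(f"raw IP address {host} instead of a domain name")
    except ValueError:
        is_ip = False
    try:
        port = parts.port
    except ValueError:          # malformed port string
        port = None
    if port not in STANDARD_PORTS:
        flags.append(f"non-standard port {port}")
    if host and not is_ip:
        reg = registrable_domain(host)
        brand = brand_in_host(host)
        if brand and reg not in OFFICIAL_DOMAINS[brand]:
            official = ", ".join(sorted(OFFICIAL_DOMAINS[brand]))
            flags.append(f"look-alike domain {reg} imitates {official}")
        tld = host.rsplit(".", 1)[-1]
        if tld in UNUSUAL_TLDS:
            flags.append(f"unusual top-level domain .{tld}")
    return flags


# Constructed samples built from the hosts quoted in the sections above.
SAMPLES = [
    "https://jmty.jp-order.cc/verify",
    "http://43.225.148.223:8082/register",
    "https://meine-aok.digital/",
    "https://check0925.sbs/restricted",
    "https://www.woolworths.com.au/vendor-summit",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", url_red_flags(sample) or ["no flags"])
```

The look-alike rule is deliberately label-based: jmty.jp-order.cc contains the real brand label but its registrable domain is jp-order.cc, which is exactly the mismatch the Jimoty section tells readers to spot. A bare hostname without a scheme is accepted and simply not judged on HTTPS.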

🇩🇿 🇫🇷 Cross-Border B2B Fraud: The “Atoms.dev” Phishing Wave

HIGH RISK / SCAM

A sophisticated phishing campaign originated in Algeria, targeting the French business sector. Scammers used Google Share links to bypass email security filters, redirecting victims to a temporary Atoms.dev deployment. The site posed as a Spanish trade entity, “Pro Lite Stock,” that does not exist, offering fraudulent import/export services for premium Algerian products.

Technical Breakdown

  • Vector: Google Share Redirects (share.google)
  • Hosting: Atoms.dev (Serverless Phishing)
  • Identity Theft: Fake Spanish entity “Pro Lite Stock” (Non-existent in Spanish Mercantil Registry).
  • Goal: B2B Credential Harvesting and Invoice Fraud.

Key Facts Table

  • Attacker Origin: Algeria (DZ)
  • Traffic Target: France (FR)
  • Infrastructure: Obfuscated deployment on atoms.dev
  • Status: Neutralized (Domain and IP Cluster Blacklisted)

🛡️ Expert Advice for French Businesses (Conseil aux Entreprises)

Scammers often impersonate European entities to gain trust. Before interacting with any “Trade Offer” or “Logistics Portal,” take these three steps:

  1. Verify NIF/CIF (Spain) or SIRET/SIREN (France): Any legitimate European company must display its official registration number. The “Pro Lite Stock” entity failed to provide a valid CIF (Código de Identificación Fiscal). You can verify Spanish companies for free via the Registro Mercantil Central.
  2. Inspect the Hosting Infrastructure: No established international trade firm hosts its official portal on developer subdomains like *.atoms.dev or *.vercel.app. These are red flags for temporary, throwaway infrastructure.
  3. Cross-Check the Domain History: Use tools like WHOIS to check the domain age. If a company claims to be a “Trusted Global Partner” but their website was created 14 days ago, it is 100% a scam.
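The three steps above as automated checks, an added example that is not the page’s or Antiphishing.biz’s code: syntax validation of French SIREN/SIRET (Luhn) and Spanish CIF (control character) registration numbers, a throwaway-hosting test on the developer subdomains the text names plus a few assumed ones, and domain age read from an RDAP record. All sample identifiers, hostnames and the RDAP record are constructed; the fetch_rdap helper uses the public rdap.org redirector and needs network access.

```python
"""Automated versions of the three due-diligence steps above.
Added example; not Antiphishing.biz's code. Sample values are constructed."""
import json
from datetime import date, datetime
from urllib.request import urlopen


def luhn_ok(digits):
    """Luhn checksum used by SIREN (9 digits) and SIRET (14 digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_siren(value):
    v = value.replace(" ", "")
    return len(v) == 9 and v.isdigit() and luhn_ok(v)


def valid_siret(value):
    v = value.replace(" ", "")
    return len(v) == 14 and v.isdigit() and luhn_ok(v)


def valid_cif(value):
    """Spanish CIF: organisation letter + 7 digits + control character.
    A = sum of even-position digits; B = digit-sum of each doubled odd-position
    digit; D = (10 - (A + B) % 10) % 10. Types K P Q S N W take a letter control,
    A B E H a digit, the remaining types either."""
    v = value.upper().replace("-", "")
    if len(v) != 9 or v[0] not in "ABCDEFGHJKLMNPQRSUVW" or not v[1:8].isdigit():
        return False
    digits = [int(c) for c in v[1:8]]
    a = digits[1] + digits[3] + digits[5]
    b = sum((2 * d) // 10 + (2 * d) % 10 for d in digits[0::2])
    d = (10 - (a + b) % 10) % 10
    letter, digit = "JABCDEFGHI"[d], str(d)
    if v[0] in "KPQSNW":
        return v[8] == letter
    if v[0] in "ABEH":
        return v[8] == digit
    return v[8] in (letter, digit)


# *.atoms.dev and *.vercel.app come from the text; the rest are assumed additions.
THROWAWAY_SUFFIXES = (".atoms.dev", ".vercel.app", ".netlify.app", ".pages.dev", ".web.app")


def throwaway_hosting(host):
    h = host.lower().rstrip(".")
    return any(h.endswith(s) for s in THROWAWAY_SUFFIXES)


def registration_date(rdap_record):
    """Registration date from an RDAP domain object's 'events' list."""
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00")).date()
    return None


def domain_age_days(rdap_record, today):
    reg = registration_date(rdap_record)
    return None if reg is None else (today - reg).days


def fetch_rdap(domain, timeout=10):
    """Fetch the RDAP record via the public rdap.org redirector (needs network access)."""
    with urlopen(f"https://rdap.org/domain/{domain}", timeout=timeout) as resp:
        return json.load(resp)


def assess_partner(registration_no, host, rdap_record, today, min_age_days=180):
    """Combine the three checks into a list of reasons to distrust the trade offer."""
    reasons = []
    if not (valid_cif(registration_no) or valid_siren(registration_no) or valid_siret(registration_no)):
        reasons.append(f"registration number '{registration_no}' is not a well-formed CIF/SIREN/SIRET")
    if throwaway_hosting(host):
        reasons.append(f"portal hosted on throwaway infrastructure ({host})")
    age = domain_age_days(rdap_record, today)
    if age is None or age < min_age_days:
        reasons.append(f"domain age {age} days is below the {min_age_days}-day threshold")
    return reasons


# Constructed RDAP-style record: registered 14 days before the assessment date.
ASSESSMENT_DATE = date(2025, 3, 15)
SAMPLE_RDAP = {"ldhName": "prolitestock.example", "events": [
    {"eventAction": "registration", "eventDate": "2025-03-01T10:22:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-03-02T00:00:00Z"}]}

if __name__ == "__main__":
    for reason in assess_partner("NOT-PROVIDED", "prolitestock.atoms.dev", SAMPLE_RDAP, ASSESSMENT_DATE):
        print("FLAG:", reason)
```

A well-formed CIF or SIRET only proves the number could exist; the registry lookup the text recommends (Registro Mercantil Central, or the French SIRENE register) is still the step that confirms the company is real. The 180-day age threshold is an assumed policy value.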


Case Study: Intercontinental Crypto-Scam Uncovered

Our system just neutralized a sophisticated Pump & Dump scheme targeting the Singaporean market using North African infrastructure.

The Technical Anatomy of the Attack:

  • Target Audience: Users in Singapore 🇸🇬.
  • Traffic Vector: Paid advertisements on TikTok.
  • Infrastructure: Managed from Morocco 🇲🇦 (IP cluster 154.144.253.x).

Deep Dive into TikTok Ads Metadata:
Our engine intercepted the link containing specific tracking parameters used by professional fraud-arbitrageurs:

  • utm_source=tiktok & utm_medium=paid: Confirmed high-budget bypass of organic content filters.
  • utm_id=CAMPAIGN_ID: A dynamic macro used in TikTok Ads Manager, indicating a template-based, scalable attack.
  • utm_campaign=CAMPAIGN_NAME: Evidence of an automated “industrial” approach to scam distribution.

The Fraud Mechanism:
Scammers use paid TikTok ads to target affluent regions (Singapore) with “get-rich-quick” narratives. The traffic is funneled to a private Telegram channel “Better Call Ton”, where organizers manipulate TON-based memecoins. Our Covariance Matrix flagged the 10/10 risk score due to the extreme geographical mismatch and the use of automated advertising macros to promote market manipulation.
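A small triage of the ad-tracking metadata described above, added here as an example that is not Antiphishing.biz’s engine or its “Covariance Matrix”: it parses the utm_ parameters, flags paid traffic, detects unexpanded ad-platform macros such as CAMPAIGN_ID, and scores the geographic mismatch between audience and hosting country. The scoring weights, the landing URL and the country inputs are assumptions; the hosting country would come from a GeoIP lookup of the IP cluster, which is outside this snippet.

```python
"""Triage of ad-tracking metadata on a submitted link.
Added example; not Antiphishing.biz's engine. Weights and samples are assumptions."""
import re
from urllib.parse import parse_qsl, urlsplit

PAID_MEDIUMS = {"paid", "cpc", "ppc", "paid_social", "paidsocial"}
# Unexpanded ad-platform macros: CAMPAIGN_ID, {{campaign_id}}, {campaign_id}, __CAMPAIGN_NAME__.
# A real campaign name would have been substituted before the ad went live.
MACRO_RE = re.compile(r"^(?:\{\{?[A-Za-z_]+\}?\}|__[A-Z_]+__|[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)$")


def tracking_params(url):
    """utm_* parameters of a URL, keys lower-cased."""
    return {k.lower(): v for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if k.lower().startswith("utm_")}


def unexpanded_macros(params):
    """Names of the utm_ parameters whose value is still a placeholder macro."""
    return sorted(k for k, v in params.items() if MACRO_RE.match(v))


def triage(url, audience_country, hosting_country):
    """Score a link 0-10 and explain why (weights are assumptions)."""
    params = tracking_params(url)
    score, reasons = 0, []
    medium = params.get("utm_medium", "").lower()
    if medium in PAID_MEDIUMS:
        score += 3
        reasons.append(f"paid traffic via {params.get('utm_source', 'unknown')}/{medium}")
    macros = unexpanded_macros(params)
    if macros:
        score += 3
        reasons.append("unexpanded ad macros in " + ", ".join(macros))
    if audience_country.upper() != hosting_country.upper():
        score += 4
        reasons.append(f"audience in {audience_country} but infrastructure in {hosting_country}")
    return min(score, 10), reasons


# Constructed sample: a placeholder landing host carrying the parameters quoted above.
SAMPLE_URL = ("https://landing.example/invite"
              "?utm_source=tiktok&utm_medium=paid&utm_id=CAMPAIGN_ID&utm_campaign=CAMPAIGN_NAME")

if __name__ == "__main__":
    # SG audience, MA-hosted infrastructure, as in the case above.
    score, reasons = triage(SAMPLE_URL, "SG", "MA")
    print(score, reasons)
```

The macro regex is a heuristic: it catches the upper-snake-case and brace forms ad platforms use for substitution, and leaves ordinary campaign names such as summer2025 alone.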
The Verdict:
The link is Permanently Blocked. The author’s IP is Blacklisted.
By analyzing metadata patterns, Antiphishing.biz stops fraudulent campaigns before they reach their peak.

#CyberSecurity #TikTokAds #MarTech #CryptoScam #TON #Antiphishing