The website contains confidential, PII, financial information and others. In case of any data stolen or breached; it could cause several damages.

I found out many suspicious domains mimicking the website. The suspicious domains are located in different location through the world.

Let’s share with you the investigation.

Some suspicious domains:

amende-gouv-login[.]fr

amende-pv-service[.]com

antai-gouv-amendes[.]net

antais-gouv[.]com

xn--rglementamendes-bnb[.]fr Puny   réglementamendes[.]fr

servicesamendes[.]info

ksocampaign[.]com

the domains mentioned above are some of the domains mimicking the online fines payment.

Among those domains, the domain ksocampaign[.]com paid my attention.

While investigating, I found the following email address “yakuzahn2.gmail.com” in the DNS OSA records which could be the administrator email address.

ksocampaign.com – Current DNS records and Full DNS Report (securitytrails.com)

I took the email address and checked through Google search and the information below was found.

Like you see, the email address is associated to a website used to unlock the websites that were hacked by the Iranian Locker group.

dhs.edu.bt – urlscan.io 

At this point, we came to the following conclusion:

The domain ksocampaign[.]com might belong to the Iranian threat actor or the person behind the email address “yakuzahn2.gmail.com”.

The intention of the threat actor behind the phishing campaign or the threat actor mimicking the online payment website is to get the users credentials and credit cards information from the users.

Bangaly Koita

Bangaly Koita is a SOC Analyst and  Cyber Security researcher . As a passionate in cyber security,  he spends most of the time  writing articles and making videos online to share his knowledge and experience to the vast community of IT but in general Cyber Security. Feel free to contact me in case.

osintafrica.net

The post Scammers are targeting the French fines authorities website first appeared on osintafrica.