Cathay Pacific

@ducklah February 2020

This phishing email contains a malicious link potentially linked to a credential phishing campaign disguised as a customer survey.

Notice the email sender domain is cOthaypacific[.]com. This domain, however, does not have an MX record associated with it.

If we profile the phishing link, we can see it will redirect to another domain, "crownheights[.]tri[.]be", which hosts the Customer Survey phishing page.

Notice the URL? I also find it interesting that the threat actor is trying to get victim(s) to disclose their HSBC or Citibank credit card information.

Now let's look at the email header here. Notice the Mail From domain is actually gifts[.]chataypacific[.]com? This domain was created in 2018 and was recently updated on Feb 11, 2020.
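A defender-side check for the two header observations above (the visible sender domain differs from the Mail From domain, and both imitate the real brand), added here as an example and not part of the original post. The header sample, its local parts, `BRAND`, the distance threshold and the naive two-label domain split are assumptions; the sample uses `Return-Path` to carry the Mail From value.

```python
from email import message_from_string
from email.utils import parseaddr

BRAND = "cathaypacific.com"  # assumption: the legitimate domain being imitated

# Constructed header sample; domains are the defanged ones quoted in the post,
# local parts and subject are made up for the example.
SAMPLE = (
    "Return-Path: <bounce@gifts[.]chataypacific[.]com>\n"
    "From: Cathay Pacific <survey@cOthaypacific[.]com>\n"
    "Subject: Customer Survey\n\n"
    "body\n"
)

def refang(value):
    """Undo '[.]' defanging and normalise case before parsing."""
    return value.replace("[.]", ".").lower()

def registrable(domain):
    # Assumption: last two labels; use a public suffix list for real mail.
    return ".".join(domain.split(".")[-2:])

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    addr = parseaddr(refang(header_value))[1]
    return registrable(addr.rsplit("@", 1)[-1])

def analyze(raw, brand=BRAND, max_dist=2):
    """Return the sender domains and a list of findings for one message."""
    msg = message_from_string(raw)
    doms = {"from": domain_of(msg["From"]),
            "mail_from": domain_of(msg["Return-Path"])}
    findings = []
    if doms["from"] != doms["mail_from"]:
        findings.append("from/mail_from mismatch")
    for field, dom in doms.items():
        dist = levenshtein(dom, brand)
        if 0 < dist <= max_dist:  # close to the brand but not the brand itself
            findings.append(f"{field} lookalike of {brand}: {dom} (distance {dist})")
    return doms, findings
```
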

This typosquatting domain chataypacific[.]com resolved to:

