This URL was detected by ConcealBrowse on January 22nd, 2024. Six security vendors began reporting on this site later the same day. As of this report,the site is detected by 15 vendors. ConcealBrowse isolated the page with a 28% risk due to suspicion of phishing.

This page pretends to be Yahoo’s login page and is used to steal email credentials. Email credentials carry significant risk, because they can be used to steal accounts connected to the email address. Without 2 factor authentication, all an attacker needs is access to the email associated with the account to change the password and take it over. An attacker might also launch attacks against all contacts in the address book of the account because users are more likely to click on links from someone they know.

Conceal recommendation: Educating users how to spot potential phishing sites is an important aspect of a layered security approach. However, it is important to address those who may not identify phishing sites with a solution, like ConcealBrowse, that prevents users from entering credentials into sites that they fail to recognize as phishing by preventing username and password input in suspicious sites.

This URL was detected by ConcealBrowse on January 10th, 2024. It was first identified by 2 security vendors on the same day, with 3 reporting to date. ConcealBrowse intervened assigning the page a 14% risk due to suspicion.

Upon first look, the webpage itself is using a malicious Top-Level Domain (TLD) that is notoriously used globally for malware distribution and phishing campaigns. The domain itself is also leveraging deception, as there is a legitimate Robin AI used by many. Due to this, vendors have annotated this site as phishing. Further, the page is seen downloading an HTML file that has also been annotated as suspicious by two reputable anti-virus vendors. More grandeur, the hosting IP address was flagged and is delivering other copycat websites to users. With that, users should always confirm login page addresses before divulging credentials and other personal information.

ConcealBrowse detected this URL on December 29th, 2023. It was first identified by three security vendors on October 3rd, 2023, and to date, by five vendors in total. ConcealBrowse intervened due to the abundance of signals around the page’s structure. With that, the site was assigned a 14% risk score.

The innocuous news site appears safe at first glance, giving insight to those seeking information on the Affordable Care Act and employee rights. Sites like this often use various marketing tags to track analytics to gain insight into their site visitors. These tags often rely on popular management systems such as Google Tag Manager, and one can see the HTTP requests from the page to the tag manager system. However, one such HTTP request from the site reaches out to a mimicked tag manager, which then loads the script to the page. The script, if loaded, notifies the user to update their browser, which runs a PowerShell script that introduces the NetSupport Remote Access Trojan to the endpoint. This gives adversaries remote access to the endpoint for follow-up actions. This active site should be avoided until the site admins remedy their issue.

This URL was detected by ConcealBrowse on December 14th, 2023. The URL in question was first identified December 13th, 2023 as delivering malware and a phishing webpage by 4 security vendors. 6 additional security vendors have since deemed the page as dangerous, totaling 10 vendors to date.

Spoofed websites, like the one delivered by the URL in question, are popular during this time of the year as the adversaries know there will be increased visitors. This site replicates the USPS homepage and even subpages. After a few minutes on the page, it is obviously spoofed with broken links. Conceal’s Sherpa AI engine detected multiple anomalies, identifying this site as malicious. The spoofed site was isolated with ConcealBrowse due to its intention of collecting credit card information from the unassuming, allowing users to add items such as stamps to their cart and proceed to a checkout screen.