Scammers are targeting the French fines authorities website

The website https://www.amendes.gouv.fr is the only governmental website for online payment of fines issued by the French authorities.

The website handles confidential data: personal information (PII), financial details and more. If any of this data were stolen or breached, it could cause serious damage.

I found many suspicious domains mimicking the website, hosted in different locations around the world.

Let me share the investigation with you.

Some suspicious domains:

amende-gouv-login[.]fr

amende-pv-service[.]com

antai-gouv-amendes[.]net

antais-gouv[.]com

xn--rglementamendes-bnb[.]fr (punycode form of réglementamendes[.]fr)

servicesamendes[.]info

ksocampaign[.]com

The domains listed above are some of those mimicking the online fines-payment site.

Among them, the domain ksocampaign[.]com caught my attention.

While investigating, I found the email address “yakuzahn2.gmail.com” in the domain's DNS SOA record (where the responsible mailbox is written with a dot in place of the “@”), which could be the administrator's email address.

ksocampaign.com – Current DNS records and Full DNS Report (securitytrails.com)
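As an added example (not part of the original post), here is a small Python triage script for the two checks used above: it decodes punycode lookalikes such as the xn-- domain in the list, flags domains that carry the brand keywords without being the official site, and converts an SOA RNAME into e-mail form. The keyword watch list and the sample values are assumptions for the example.

```python
import unicodedata

# Official fines-payment domain the lookalikes imitate (from the post).
LEGIT_DOMAIN = "amendes.gouv.fr"
# Brand terms to watch for in newly seen domains (assumed watch list for this example).
BRAND_KEYWORDS = ("amende", "antai", "gouv")

def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()

def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels to the Unicode form a visitor would see."""
    host = refang(domain)
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed label: keep as-is rather than fail

def fold_accents(text: str) -> str:
    """Strip diacritics so 'réglement' is compared as 'reglement'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(domain: str) -> dict:
    """Flag a domain that uses the brand keywords without being the official site."""
    host = refang(domain)
    unicode_form = to_unicode(host)
    hits = [kw for kw in BRAND_KEYWORDS if kw in fold_accents(unicode_form)]
    is_legit = host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)
    return {
        "domain": host,
        "unicode": unicode_form,
        "punycode": any(label.startswith("xn--") for label in host.split(".")),
        "keywords": hits,
        "suspicious": bool(hits) and not is_legit,
    }

def rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME (mailbox with '@' written as '.') to e-mail form;
    a literal dot in the local part is escaped as '\\.' in the RNAME."""
    rname = rname.rstrip(".")
    for i, ch in enumerate(rname):
        if ch == "." and (i == 0 or rname[i - 1] != "\\"):
            return rname[:i].replace("\\.", ".") + "@" + rname[i + 1:]
    return rname

def suspicious_domains(domains) -> list:
    """Hostnames from a candidate feed that a brand-monitoring job should escalate."""
    return [r["domain"] for r in map(classify, domains) if r["suspicious"]]
```

Note that a name like ksocampaign[.]com carries none of the brand keywords and is not flagged by this check alone, which is why registrant data such as the SOA mailbox is needed as a second signal.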


I searched for the email address on Google and found the information below.

As you can see, the email address is associated with a website used to unlock websites that were hacked by the Iranian Locker group.

dhs.edu.bt – urlscan.io 

At this point, we came to the following conclusion:

The domain ksocampaign[.]com might belong to the Iranian threat actor, or to the person behind the email address “yakuzahn2.gmail.com”.

The intention of the threat actor behind this phishing campaign, the one mimicking the online payment website, is to harvest users' credentials and credit card information.