Analysis Report
Lets Encrypt Free SSL Cert Paypal Phishing
Description
- This alert captures an inbound free SSL certificate from Let's Encrypt that carries PayPal-associated keywords. Certificates of this kind are known to be associated with phishing that attempts to steal PayPal login information. These phishing attempts usually start with an email stating that the user must log in to PayPal; the email displays a 'PayPal' link that instead diverts the user to a malicious page that appears legitimate, in an attempt to steal credentials.
Vector
- HTTPS, Port 443
Known False Positive Indicators
- pypd.paypal-mktg.com is a known false positive for this alert: it is an alias (CNAME) to pardot[.]com, a large marketing automation firm owned by Salesforce.
- Correlating DNS request to the alert indicating an FP (CNAME chain from the DNS log record, which is truncated at both ends):
  - (preceding record, owner name truncated) CNAME pi.pardot.com
  - pi.pardot.com CNAME pi-ue1.pardot.com (TTL 265)
  - pi-ue1.pardot.com CNAME pi.t.pardot.com (TTL 865)
  - pi.t.pardot.com CNAME pi-ue1-lba2.pardot.com (TTL 30)
  - pi-ue1-lba2.pardot.com A (TTL 900; address truncated)
Affected Host
- Any/All
Classification
- Malware/Phishing
Sentinel Signature
- TROJAN Lets Encrypt Free SSL Cert Observed in Possible Paypal Phishing
DNS Calls
- N/A; see Known False Positive Indicators for the DNS request indicating an FP.
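As an added example (not part of this report or its detection platform), the triage logic from the Description and Known False Positive Indicators sections in Python over constructed Suricata-style eve.json records: it applies the signature's two conditions (Let's Encrypt issuer, PayPal keyword in subject or SNI), then follows the CNAME chain in the correlated DNS answer and suppresses the hit when the chain ends at an allowlisted apex such as pardot.com. The field names, the 192.0.2.x addresses, the first-hop TTL and the host paypal-login.example are assumptions or placeholders.

```python
import json
# Constructed sample eve.json-style records (not from the report). DNS_FP repeats the CNAME chain
# quoted in the FP section; first-hop TTL, A-record addresses and paypal-login.example are placeholders.
TLS_FP = json.dumps({"event_type": "tls", "tls": {
    "sni": "pypd.paypal-mktg.com", "subject": "CN=pypd.paypal-mktg.com",
    "issuerdn": "C=US, O=Let's Encrypt, CN=R3"}})
DNS_FP = json.dumps({"event_type": "dns", "dns": {"type": "answer",
    "rrname": "pypd.paypal-mktg.com", "answers": [
    {"rrname": "pypd.paypal-mktg.com", "rrtype": "CNAME", "ttl": 300, "rdata": "pi.pardot.com"},
    {"rrname": "pi.pardot.com", "rrtype": "CNAME", "ttl": 265, "rdata": "pi-ue1.pardot.com"},
    {"rrname": "pi-ue1.pardot.com", "rrtype": "CNAME", "ttl": 865, "rdata": "pi.t.pardot.com"},
    {"rrname": "pi.t.pardot.com", "rrtype": "CNAME", "ttl": 30, "rdata": "pi-ue1-lba2.pardot.com"},
    {"rrname": "pi-ue1-lba2.pardot.com", "rrtype": "A", "ttl": 900, "rdata": "192.0.2.10"}]}})
TLS_HIT = json.dumps({"event_type": "tls", "tls": {
    "sni": "paypal-login.example", "subject": "CN=paypal-login.example",
    "issuerdn": "C=US, O=Let's Encrypt, CN=R3"}})
DNS_HIT = json.dumps({"event_type": "dns", "dns": {"type": "answer",
    "rrname": "paypal-login.example", "answers": [
    {"rrname": "paypal-login.example", "rrtype": "A", "ttl": 60, "rdata": "192.0.2.20"}]}})

LE_ISSUER = "let's encrypt"
KEYWORDS = ("paypal",)
BENIGN_APEX = {"pardot.com"}   # allowlisted CNAME destinations (assumption, from the FP section)

def matches_signature(tls):
    """Signature conditions: Let's Encrypt issuer plus a PayPal keyword in subject or SNI."""
    names = " ".join(tls.get(k, "") for k in ("subject", "sni")).lower()
    return LE_ISSUER in tls.get("issuerdn", "").lower() and any(k in names for k in KEYWORDS)

def cname_chain(dns, start):
    """Follow CNAME answers from `start`; returns the ordered names reached (loop-safe)."""
    hops = {a["rrname"].lower(): a["rdata"].lower()
            for a in dns.get("answers", []) if a.get("rrtype") == "CNAME"}
    chain, cur = [], start.lower().rstrip(".")
    while cur in hops and cur not in chain:
        chain.append(cur)
        cur = hops[cur]
    return chain + [cur]

def apex(name):
    """Last two labels of a name; sufficient for the allowlist check used here."""
    return ".".join(name.split(".")[-2:])

def triage(tls_line, dns_line):
    """'no-match', 'false-positive' (CNAME chain ends at an allowlisted apex) or 'alert'."""
    tls, dns = json.loads(tls_line)["tls"], json.loads(dns_line)["dns"]
    if not matches_signature(tls):
        return "no-match"
    return "false-positive" if apex(cname_chain(dns, tls["sni"])[-1]) in BENIGN_APEX else "alert"
```

Only DNS answers observed for the same client and name should be correlated; a chain that ends anywhere other than an allowlisted apex is left as a live alert for the analyst.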