UK Parking Penalty Charge Notice SMS Phishing

Summary

New SMS phishing campaign targeting the UK posing as parking penalty charges
It has borrowed assets from UK.GOV sites to look legit
It uses qrco[.]de shortening links
It redirects to stockx[.]com if you are not the intended target
The sites are protected by Cloudflare and registered through NameSilo
It gets the target to enter their number plate then presents the "fine" and then asks for payment data (for fraud)

OSINT

Quite a few UK councils have warned about it:

SMS Phish

Landing Page

Phishing Infrastructure

Regex: /parking(?:gov|ukgov)[a-z]{1,2}\.(?:top)/

Known IOCs

parkinggovgbg[.]top
parkinggovgbd[.]top
parkingukgovt[.]top
parkinggovgbf[.]top
parkinggovgba[.]top
parkingukgovy[.]top
parkingukgovf[.]top
parkingukgovv[.]top
parkingukgovo[.]top
parkingukgovl[.]top
parkingukgovq[.]top
parkingukgovr[.]top
parkingukgovm[.]top
parkingukgovx[.]top
parkingukgovg[.]top
parkingukgova[.]top
parkingukgovc[.]top
parkingukgovw[.]top
parkingukgovu[.]top
parkingukgovk[.]top
parkingukgovi[.]top
parkingukgove[.]top
parkingukgovb[.]top
parkingukgovh[.]top
parkingukgovp[.]top
parkingukgovn[.]top
parkingukgovj[.]top
parkingukgovs[.]top
parkingukgovd[.]top

Hunting:

VTE Query: entity:domain registrar:NameSilo,LLC whois:carlos.ns.cloudflare.com ssl_issuer:"Google Trust Services"
Look for the ones with parking in the name

Pivoting

Thanks to @banthisguy9349 for finding the Phishing Kit's Admin Panel
Thanks to @g0njxa for finding the Phishing Kit Admin's Telegram Account
The creators of this phishing kit appear to be Chinese-speaking cybercriminals
They pivoted to /admin#/auth/login to find the panel

BushidoUK/UK_PPCN_SMS_Phishing.md

Summary

OSINT

SMS Phish

Landing Page

Phishing Infrastructure

Hunting:

Pivoting

JCyberSec commented Sep 25, 2024

Uh oh!