Looks like we have a live one here. Weird Rust maintainer phishing campaign using crates[.]ws:

https://discourse.ifin.network/t/bizarre-crates-io-phishing-campaign/232

Bizarre crates.io phishing campaign

Observable: crates[.]ws

Observable Type: Domain

Details: Rust maintainer phishing email sending users to a bogus Crates website. Interestingly it looks like the .ws domain redirects to .io unless you provide it direct parameters. Unclear the intention though.

Full URI in the email: https://crates[.]ws/settings/profile?action=verify&e=SOMENUMBER

https://bsky.app/profile/nabijaczleweli.xyz/post/3miyodcruiuy2

IFIN

So, how this works is:

  • Our community finds something interesting
  • We make a thread
  • We investigate together
  • The data remains searchable for future reference
  • We all win

Come join us!

@ifin
URLScan has an interesting subdomain `github-oauth.crates.ws` logged with a GitHub-style login page: https://urlscan.io/result/019d6e08-183f-76a1-a960-ec337c405cd3/

@ifin
From what I can tell this DOM looks identical to the GitHub sign-in page. The hidden timestamp fields in the form fields even match the time the URL was submitted to URLScan, indicating this is not just a static copy. I have the feeling this is some sort of adversary-in-the-middle (AiTM) framework.
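
The timestamp comparison described in the last post, as an added triage example that is not part of the original thread: it pulls hidden timestamp fields out of a captured login-page DOM and checks whether they sit close to the capture time (generated on request) or far from it (a saved static copy). The field names `timestamp` and `timestamp_secret`, the 300-second tolerance and the sample DOM are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from html.parser import HTMLParser

class HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a captured DOM."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def parse_epoch(value):
    """UTC datetime for a 10-digit (seconds) or 13-digit (ms) epoch string, else None."""
    if not value.isdigit() or len(value) not in (10, 13):
        return None
    secs = int(value) / (1000 if len(value) == 13 else 1)
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def classify_capture(html, captured_at, tolerance_s=300):
    """Return (verdict, {field: seconds between field value and capture time})."""
    parser = HiddenInputs()
    parser.feed(html)
    deltas = {}
    for name, value in parser.fields.items():
        if "timestamp" not in name.lower():
            continue
        ts = parse_epoch(value)
        if ts is not None:  # skips non-epoch values such as an HMAC over the timestamp
            deltas[name] = abs((captured_at - ts).total_seconds())
    if not deltas:
        return "no-timestamp", deltas
    return ("live" if min(deltas.values()) <= tolerance_s else "stale"), deltas

# Constructed sample: a scan time and a form rendered two seconds before it.
SAMPLE_CAPTURED_AT = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_TS_MS = int(SAMPLE_CAPTURED_AT.timestamp() * 1000) - 2000
SAMPLE_DOM = f"""<form action="/session" method="post">
  <input type="text" name="login"><input type="password" name="password">
  <input type="hidden" name="timestamp" value="{SAMPLE_TS_MS}">
  <input type="hidden" name="timestamp_secret" value="9f2c0a7e5b1d4c38">
</form>"""

if __name__ == "__main__":
    print(classify_capture(SAMPLE_DOM, SAMPLE_CAPTURED_AT))
```

A "live" verdict only shows the page was generated at request time; it does not by itself distinguish a reverse proxy from a kit that fills in the fields dynamically.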