Jeremiah O’Connor (security researcher at Cisco) forwarded me a domain that has been phishing for Binance logins: logins-binance.com12754825.ml.

This domain uses a different phishing kit from previous ones we’ve seen. It changes the user sign-in journey to collect personal information for eventual use in social engineering, and the server does not communicate with the Binance domain.

The usual login screen.

The user is then directed to a screen to collect personal information.

They are then asked for the 2FA code.

The user is then shown a loading GIF to give the “illusion” of something working. After some time, they are redirected back to the previous 2FA view.

I decided to check the root domain, com12754825, and to my surprise, it was open.

DirectoryIndex for com12754825.ml.

Most of these are email scripts, with default text and tools to send out mass PayPal phishing emails.

A sample of what’s exposed (filename: xmailer.php).

The inputs of....
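The hostname above puts the brand in a subdomain label while the root domain, com12754825.ml, only imitates a ".com" ending, and that structure can be flagged mechanically. The Python sketch below is an added example, not part of the original post; the allowlist, the TLD-lookalike list and the function names are assumptions, and the other hostnames are constructed samples.

```python
import re

# Assumptions for this sketch: the brand allowlist and the TLD-lookalike list
# are illustrative, and the registrable domain is taken as the last two labels
# (correct for single-label suffixes such as .ml or .com; use a Public Suffix
# List library for suffixes like .co.uk).
BRAND_DOMAINS = {"binance": {"binance.com"}}
TLD_LOOKALIKES = ("com", "net", "org")


def split_host(host):
    """Return (subdomain_labels, registrable_domain) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], host.lower()
    return labels[:-2], ".".join(labels[-2:])


def analyse_host(host):
    """Return a list of reasons the hostname looks like brand impersonation."""
    sub_labels, registrable = split_host(host)
    reg_label = registrable.split(".")[0]
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if registrable in legit:
            continue  # genuinely under the brand's own domain
        # Brand token inside a subdomain label, e.g. "logins-binance".
        if any(brand in re.split(r"[-_]", label) for label in sub_labels):
            findings.append(f"brand '{brand}' in subdomain of {registrable}")
        # Brand token inside the registrable label itself.
        if brand in reg_label:
            findings.append(f"brand '{brand}' in unrelated domain {registrable}")
    # Registrable label that starts with a TLD string, so the hostname reads
    # as "<brand>.com" at a glance: "com12754825" in the sample above.
    for tld in TLD_LOOKALIKES:
        if re.fullmatch(rf"{tld}[\d-]+\w*", reg_label):
            findings.append(f"registrable label '{reg_label}' mimics '.{tld}'")
    return findings


if __name__ == "__main__":
    # First hostname is from the post; the rest are constructed samples.
    for h in ("logins-binance.com12754825.ml", "www.binance.com",
              "binance-login.example", "community.example.org"):
        print(h, "->", analyse_host(h) or "no findings")
```

Run over proxy, DNS or mail-gateway logs, a check like this surfaces hosts where the brand sits to the left of an unrelated registrable domain.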