add nico.sa to add-wildcard-domain

[g0d33p3rsec]

The site is serving the phishing kit that was previously hosted at ajstelecom[.]com[.]mx

Domain/URL/IP(s) where you have found the Phishing:

https://nico.sa/M24yYzA5MUMyODl2NGQ=
https://nico.sa/M3IyazdUOEsyRDdrNjg=

Impersonated domain

https://www.zimbra.com/
https://www.betway.co.za

Describe the issue

This (likely recently compromised) site is hosting the phishing kit that was previously active at ajstelecom[.]com[.]mx. See #362 #353 and #343 for a recent history of this activity group. The previous host had more than 250 malicious endpoints identified in a two week period. I don't have a facebook account but you will likely be able to find lures and additional URIs there until I can update this submission with additional samples after the search engines have had a chance to recrawl the various social media platforms.

Related external source

https://urlscan.io/result/1bf9c496-7277-4203-a76a-bc27620d54b5/
https://urlscan.io/result/66ff3c11-e284-413a-bf59-5e84af87bcfa/

Screenshot

Click to expand

[spirillen]

Thanks for your report @g0d33p3rsec

[g0d33p3rsec]

The host has apparently responded to the abuse report.

[spirillen]

we let it fry for a couple of days... to see if they find everything. And the 503 response be based on a lot of things, like IP and Location or even a cookie in your browser = the browser choice it self.

[g0d33p3rsec]

we let it fry for a couple of days... to see if they find everything. And the 503 response be based on a lot of things, like IP and Location or even a cookie in your browser = the browser choice it self.

Sounds good, the group has moved to a new host which is mentioned in #367