Black Hats Exploit US Social Security System in Phishing Campaigns


Cybercriminals are leveraging recent news about the U.S. Social Security Administration (SSA) to launch phishing campaigns, using deceptive domains such as `viewer-ssa-gov[.]es` (which imitates the legitimate ssa.gov) and `user2ilogon[.]es`. The lures deliver malware, including a trojan distributed as `SsaViewer1.7.exe`, which installs ConnectWise ScreenConnect, a legitimate remote-support tool, to give the attacker remote access to the victim's machine.

### **Malicious Domains to Block**

The indicators are defanged with `[.]`; remove the brackets before adding them to a blocklist or query.

– `user2ilogon[.]es`
– `viewer-ssa-gov[.]es`
– `wellsffrago[.]com`
– `nf-prime[.]com`
– `deilvery-us[.]com`
– `wllesfrarqo-home[.]com`
– `nahud[.]com`

### **You Should Know: Detecting & Mitigating Phishing Attacks**

#### **1. Check Suspicious URLs**

Use WHOIS and VirusTotal to verify domains. Refang the indicator first (`viewer-ssa-gov[.]es` becomes `viewer-ssa-gov.es`), and submit URLs to the VirusTotal v3 API as form data; the response carries an analysis id that you poll at `/api/v3/analyses/{id}`:

```bash
whois viewer-ssa-gov.es

# Submit the URL for scanning (returns {"data": {"id": "..."}} to poll)
curl -X POST --url 'https://www.virustotal.com/api/v3/urls' \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'url=https://viewer-ssa-gov.es'
```
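
Manual lookups work one domain at a time. The script below is an added example, not code from the original post or from the campaign report: it refangs the defanged indicators listed above so they can be fed to whois or VirusTotal, and scores each one against an assumed watch-list of protected brands (ssa.gov and wellsfargo.com here; the list, the `MAX_EDITS` threshold and the simplified public-suffix handling are all assumptions) to flag lookalikes such as `viewer-ssa-gov.es` (brand token embedded in the label) and `wellsffrago.com` (two typos from `wellsfargo`). Heavier mangling such as `wllesfrarqo-home.com` is not caught by a two-edit threshold, which is why the unmatched domains are still reported for manual review.

```python
"""Refang defanged indicators and flag brand lookalikes.

Added example, not code from the original post. INDICATORS are the domains
listed in the article; BRANDS and MAX_EDITS are assumptions chosen for
illustration.
"""
import re

INDICATORS = [
    "user2ilogon[.]es", "viewer-ssa-gov[.]es", "wellsffrago[.]com", "nf-prime[.]com",
    "deilvery-us[.]com", "wllesfrarqo-home[.]com", "nahud[.]com",
]

# brand domain -> the label a squatter would imitate (assumed watch-list)
BRANDS = {"ssa.gov": "ssa", "wellsfargo.com": "wellsfargo"}
MAX_EDITS = 2  # assumed: up to two typos still counts as a lookalike


def refang(ioc: str) -> str:
    """'hxxps://viewer-ssa-gov[.]es/x' -> 'https://viewer-ssa-gov.es/x'.
    Refang only inside tooling; keep indicators defanged in reports and chat."""
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc)
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def defang(domain: str) -> str:
    """Inverse of refang for a bare hostname, so output is safe to paste."""
    return domain.replace(".", "[.]")


def host_of(ioc: str) -> str:
    """Strip scheme, path and port from a refanged indicator."""
    bare = re.sub(r"^[a-z]+://", "", ioc, flags=re.IGNORECASE)
    return bare.split("/")[0].split(":")[0].lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """'viewer-ssa-gov.es' -> 'viewer-ssa-gov'. Simplified: treats the last
    label as the public suffix, which is wrong for suffixes like co.uk."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike(host: str):
    """Return (brand, reason) if the host imitates a watched brand, else None."""
    label = registrable_label(host)
    tokens = re.split(r"[-_]", label)
    best = None
    for brand, keyword in BRANDS.items():
        # 1. brand keyword embedded as its own token: 'viewer-ssa-gov' -> 'ssa'
        if keyword in tokens:
            return brand, f"contains brand token '{keyword}'"
        # 2. a few typos away from the brand label: 'wellsffrago' vs 'wellsfargo'
        d = levenshtein(label, keyword)
        if d <= MAX_EDITS and (best is None or d < best[2]):
            best = (brand, f"edit distance {d} from '{keyword}'", d)
    return (best[0], best[1]) if best else None


def triage(indicators):
    """Map each (still defanged) indicator to its lookalike verdict."""
    report = {}
    for ioc in indicators:
        host = host_of(refang(ioc))
        report[defang(host)] = lookalike(host)
    return report


if __name__ == "__main__":
    for ioc, verdict in triage(INDICATORS).items():
        print(f"{ioc:28} {verdict or 'no brand match (review manually)'}")
```

Feed `host_of(refang(ioc))` to the whois and VirusTotal commands above; keep the `defang` output for tickets and chat so nobody clicks a live link.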

#### **2. Analyze Malware Samples**

Extract hashes and scan with **YARA**. Do this on an isolated analysis host, never on a production system, and use the hash to pivot in VirusTotal or your threat-intel platform before detonating anything:

```bash
sha256sum SsaViewer1.7.exe                  # hash to look up and log
yara -s malware_rules.yar SsaViewer1.7.exe   # -s prints the strings that matched
```

#### **3. Block Malicious Hosts at the Firewall**

The report lists domains, not IPs, so resolve each domain first and prefer blocking the domain itself at your DNS resolver or web proxy, since attackers rotate hosting. If you also block by IP, block the outbound direction: a phished workstation connects out to the phishing site or the ScreenConnect relay, so an inbound-only rule does nothing for it. `203.0.113.45` below is a documentation-range placeholder; substitute the resolved address.

On **Linux (iptables)**:

```bash
sudo iptables -A OUTPUT -d 203.0.113.45 -j DROP   # workstation -> attacker
sudo iptables -A INPUT  -s 203.0.113.45 -j DROP   # anything coming back in
```

On **Windows (PowerShell)**:

```powershell
New-NetFirewallRule -DisplayName "Block Phishing IP (out)" -Direction Outbound -RemoteAddress 203.0.113.45 -Action Block
New-NetFirewallRule -DisplayName "Block Phishing IP (in)" -Direction Inbound -RemoteAddress 203.0.113.45 -Action Block
```

#### **4. Detect ScreenConnect Abuse**

ScreenConnect is legitimate remote-support software, so its presence is suspicious only where nobody in your organisation deployed it. Look for the process and for established connections to the default ports (8040 is the server's web interface, 8041 the relay port that clients connect out to; both can be changed by the operator):

```bash
ps aux | grep -i screenconnect
netstat -tunp | grep -E ':804[01]'   # established connections, not just listeners (-l)
```

On the Windows victims this campaign targets, the client runs as the service `ScreenConnect.ClientService.exe`, and its command line names the relay host in the `h=` parameter; a relay host your support team does not recognise is the indicator to hunt for.

#### **5. Email Header Analysis**

Extract the routing and authentication headers from the phishing email. Each mail server prepends its own `Received:` line, so read them bottom-up (the lowest one is the hop closest to the sender), and compare the visible `From:` domain with `Return-Path:` and the `Authentication-Results:` verdicts. Long headers are folded onto continuation lines that start with whitespace; `-A1` picks up the first of those:

```bash
grep -E -A1 '^(Received|From|Reply-To|Return-Path|To|Subject|Authentication-Results):' phishing_email.eml
```
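
Grep gets the headers onto the screen, but folded `Received:` lines and the SPF/DKIM/DMARC verdicts in `Authentication-Results:` are easier to reason about once parsed. The script below is an added example using Python's standard library, not code from the original post. The message it parses is constructed for illustration (example.org hosts, documentation-range IPs, one of the article's domains as the envelope sender) and is not a captured sample from the campaign.

```python
"""Triage the headers of a suspected phishing e-mail.

Added example, not code from the original post. SAMPLE_EML is a constructed
message, not a captured sample: example.org hosts and documentation IP ranges,
with one of the article's domains as the envelope sender.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

SAMPLE_EML = b"""\
Return-Path: <bounce@user2ilogon.es>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.org with ESMTPS id abc123; Tue, 10 Jun 2025 09:00:00 +0000
Received: from user2ilogon.es (unknown [198.51.100.23])
\tby mx.example.org with ESMTP id xyz789; Tue, 10 Jun 2025 08:59:58 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=user2ilogon.es;
\tdkim=none;
\tdmarc=fail header.from=ssa.gov
From: "Social Security Administration" <no-reply@ssa.gov>
To: victim@example.org
Subject: Action required: view your Social Security statement
Content-Type: text/plain

Open the attached viewer to review your statement.
"""


def parse_message(raw: bytes):
    """policy.default unfolds folded headers, so a multi-line Received value
    comes back as one string."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr: str) -> str:
    """'"SSA" <no-reply@ssa.gov>' -> 'ssa.gov'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def received_chain(msg):
    """Each MTA prepends its own Received header, so the raw order is newest
    first; reverse it to read the path from the origin to our MX."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", str(value))
        hops.append({"from": m.group(1) if m else None,
                     "info": m.group(2) if m else None})
    return hops


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts stamped by the receiving MX."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value)):
            verdicts[mech] = result.lower()
    return verdicts


def triage(raw: bytes):
    msg = parse_message(raw)
    header_from = domain_of(str(msg.get("From", "")))
    mail_from = domain_of(str(msg.get("Return-Path", "")))
    verdicts = auth_results(msg)
    findings = []
    # The domain the user sees (From) and the envelope sender that SPF checks
    # (Return-Path) normally agree for legitimate bulk mail; a split is a tell.
    if header_from and mail_from and header_from != mail_from:
        findings.append(f"From domain {header_from} differs from Return-Path domain {mail_from}")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")
    return {"header_from": header_from, "mail_from": mail_from,
            "auth": verdicts, "hops": received_chain(msg), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for hop in result["hops"]:
        print("hop:", hop["from"], hop["info"] or "")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against a real `.eml` with `triage(open("phishing_email.eml", "rb").read())`; the first hop in `hops` is the sender-side host to pivot on, and an empty `auth` dict means your gateway is not stamping `Authentication-Results` at all, which is itself worth fixing.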

#### **6. Automate Phishing Detection with Python**

Query PhishTank's JSON endpoint rather than scraping the `checkurl.php` web form: that page's HTML contains the word "phish" for every URL, so a substring test on it flags everything. Pass a refanged URL; an optional `app_key` form field raises the rate limit.

```python
import requests


def check_url(url):
    # PhishTank's API endpoint (form POST, JSON reply); checkurl.php is only the web form
    res = requests.post("https://checkurl.phishtank.com/checkurl/",
                        data={"url": url, "format": "json"},
                        headers={"User-Agent": "phishtank/your-username"}, timeout=10)
    res.raise_for_status()
    results = res.json()["results"]
    # "valid" is only present when the URL is in the database; True means a confirmed phish
    return results["in_database"] and results.get("valid", False)


print(check_url("http://viewer-ssa-gov.es"))  # refang [.] -> . before querying
```

### **What Undercode Say**

Phishing remains a top attack vector, exploiting human trust and lookalike domains rather than any flaw in the impersonated site. Defenders must:
– Watch for lookalike registrations of their brands (certificate-transparency logs, newly registered domain feeds) and confirm their resolvers return the authoritative answer (`dig +trace ssa.gov`).
– Enforce email authentication (SPF, DKIM, DMARC with an enforcing policy) and filter on the results.
– Educate users on spotting fake domains.
– Use threat intelligence (MISP, AlienVault OTX).

### **Expected Output:**

– Phishing domains blocked at DNS/proxy and, where resolved, at the firewall.
– Malware hashes logged and shared with threat intelligence.
– Unsanctioned ScreenConnect clients terminated and removed.
– Firewall rules updated in the outbound direction.

References:

Reported By: Daniel Anyemedu – Hackers Feeds