A small tool to view real-world ActivityPub objects as JSON! Enter a URL
or username from Mastodon or a similar service below, and we'll send a
request with the right Accept header to the server to view the underlying
object.
{
"@context": [
"https://www.w3.org/ns/activitystreams",
{
"ostatus": "http://ostatus.org#",
"atomUri": "ostatus:atomUri",
"inReplyToAtomUri": "ostatus:inReplyToAtomUri",
"conversation": "ostatus:conversation",
"sensitive": "as:sensitive",
"toot": "http://joinmastodon.org/ns#",
"votersCount": "toot:votersCount",
"Hashtag": "as:Hashtag"
}
],
"id": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796",
"type": "Note",
"summary": null,
"inReplyTo": null,
"published": "2023-06-01T09:17:14Z",
"url": "https://ioc.exchange/@cstromblad/110468204766928796",
"attributedTo": "https://ioc.exchange/users/cstromblad",
"to": [
"https://www.w3.org/ns/activitystreams#Public"
],
"cc": [
"https://ioc.exchange/users/cstromblad/followers"
],
"sensitive": false,
"atomUri": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796",
"inReplyToAtomUri": null,
"conversation": "tag:ioc.exchange,2023-06-01:objectId=37569006:objectType=Conversation",
"content": "<p>Noticed an interesting TTP in relation to phishing domains.</p><p>1. Actor registers a new domain (later to be used for phishing).<br />2. Actor points DNS A-records to a legitimate IP-address, often the one you actually later want to imitate.<br />3. A few months later, or weeks, you change the DNS A-records again towards your own VPS with copied content of the site you're imitating.<br />4. Start phishing.</p><p>Perhaps an obvious tactic, but it was new to me. And I assume that pointing a new domain towards a legitimate IP/domain will give some slightly increased reputation?</p><p>I can certainly see a number of issues with VHOSTing etc, but it's common enough to at least discuss.</p><p>Anyone seen this, or have thoughts about it?</p><p><a href=\"https://ioc.exchange/tags/ThreatIntelligence\" class=\"mention hashtag\" rel=\"tag\">#<span>ThreatIntelligence</span></a> <a href=\"https://ioc.exchange/tags/Tactic\" class=\"mention hashtag\" rel=\"tag\">#<span>Tactic</span></a> <a href=\"https://ioc.exchange/tags/Phishing\" class=\"mention hashtag\" rel=\"tag\">#<span>Phishing</span></a></p>",
"contentMap": {
"en": "<p>Noticed an interesting TTP in relation to phishing domains.</p><p>1. Actor registers a new domain (later to be used for phishing).<br />2. Actor points DNS A-records to a legitimate IP-address, often the one you actually later want to imitate.<br />3. A few months later, or weeks, you change the DNS A-records again towards your own VPS with copied content of the site you're imitating.<br />4. Start phishing.</p><p>Perhaps an obvious tactic, but it was new to me. And I assume that pointing a new domain towards a legitimate IP/domain will give some slightly increased reputation?</p><p>I can certainly see a number of issues with VHOSTing etc, but it's common enough to at least discuss.</p><p>Anyone seen this, or have thoughts about it?</p><p><a href=\"https://ioc.exchange/tags/ThreatIntelligence\" class=\"mention hashtag\" rel=\"tag\">#<span>ThreatIntelligence</span></a> <a href=\"https://ioc.exchange/tags/Tactic\" class=\"mention hashtag\" rel=\"tag\">#<span>Tactic</span></a> <a href=\"https://ioc.exchange/tags/Phishing\" class=\"mention hashtag\" rel=\"tag\">#<span>Phishing</span></a></p>"
},
"updated": "2023-06-01T09:19:22Z",
"attachment": [],
"tag": [
{
"type": "Hashtag",
"href": "https://ioc.exchange/tags/threatintelligence",
"name": "#threatintelligence"
},
{
"type": "Hashtag",
"href": "https://ioc.exchange/tags/tactic",
"name": "#tactic"
},
{
"type": "Hashtag",
"href": "https://ioc.exchange/tags/phishing",
"name": "#phishing"
}
],
"replies": {
"id": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796/replies",
"type": "Collection",
"first": {
"type": "CollectionPage",
"next": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796/replies?only_other_accounts=true&page=true",
"partOf": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796/replies",
"items": []
}
},
"likes": {
"id": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796/likes",
"type": "Collection",
"totalItems": 2
},
"shares": {
"id": "https://ioc.exchange/users/cstromblad/statuses/110468204766928796/shares",
"type": "Collection",
"totalItems": 0
}
}