Flying Phish

This report analyzes a recurring credential-harvesting phishing campaign impersonating Twitter, documenting discovery of a starting domain (twitterreporterhelp.com), pivoting to ~153 related domains, shared GIF/logo resources, VirusTotal-sourced PHP samples and a zip lure, active testing with honey accounts, and network/process artefacts; it provides IoCs, sample hashes, mitigations and an import hash for DomainTools Iris Investigate for further detection and blocking.