Behind the Screens: Exploring a Fresh Phishing Campaign in Indonesia Stealing Facebook Credentials
2023-10-16 00:22:09 Author: infosecwriteups.com

Over the weekend, while leisurely browsing the internet, I came across a unique and suspicious link designed specifically for an Indonesian audience. This scam had a fresh approach that piqued my curiosity, prompting me to investigate further.

As I delved into the fraudulent website, I uncovered additional templates resembling WhatsApp Group Invitations, which ultimately served as a disguise for stealing people’s Facebook login credentials. What made this even more alarming was the content shared within these WhatsApp groups, as they were primarily centered around the distribution of viral and explicit adult videos.

In this blog, I’ll discuss my methods for thoroughly investigating a scam campaign, starting from the very basics. Along the course of this campaign, I also came across the phishing kit that had been utilized.

The Phishing Page

I uncovered this phishing page while surfing through a Telegram channel. It was impersonating the WhatsApp group invitation page and was focused on sharing viral and explicit adult content [Fig. 1].
Phishing URL: hxxps://chatwpscpij.terbaru-2023[.]com/Faxt16jOoXfq6

Fig 1: Impersonating a WhatsApp group invite focused on sharing viral and explicit adult content

Since all the content was written in Indonesian, it was clearly targeted at Indonesian users. Upon clicking the “Bergabung Ke Chat” (“Join the Chat”) button, it redirected to a Facebook login page by loading the go.php file, prompting users to enter their login credentials.

Fig 2: Cloned Facebook Login Page: go.php

When I entered random credentials and clicked the Login button, it triggered the execution of the check.php file on the backend, resulting in a blank page while internally capturing the data and saving it to a data.json file [I learned the filename later, when I discovered the phishing kit for the same template].

Fig 3: stealing credentials via check.php execution
Fig 4: check.php file which steals credentials from the phishing-kit

Discovering the Phishing-Kit

After exhaustively exploring various methodologies and inspecting the endpoint that led to a blank page, it initially appeared to be a dead end. I therefore tried alternative methods to gather more information about the phishing domain. One of these was to look up the certificates associated with the phishing domain, so I ran a search on crt.sh. To my surprise, this search revealed additional subdomains linked to the phishing domain through their SSL certificates, and one of those subdomains inadvertently exposed the phishing kit.

Fig 5: Certificate Transparency log for the phishing domain
Fig 5.1: Exposed phishing-kit from one of the subdomains
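The crt.sh pivot described above, as an added example that is not part of the original post: it builds the crt.sh JSON query for a root domain and extracts the concrete hostnames its certificates name, so a hunter can list sibling hosts before visiting any of them. The sample response is constructed (only the name_value field crt.sh returns is included) and reuses the hostnames seen in this campaign.

```python
"""Pivot from a phishing domain to its sibling hosts via crt.sh (Certificate Transparency)."""
import json
import urllib.parse
import urllib.request

CRTSH_JSON = "https://crt.sh/?q={}&output=json"  # crt.sh's JSON search endpoint

def crtsh_url(root_domain: str) -> str:
    """Query for every certificate naming a host under root_domain ('%' is crt.sh's wildcard)."""
    return CRTSH_JSON.format(urllib.parse.quote("%." + root_domain, safe=""))

def subdomains_from_crtsh(records: list, root_domain: str) -> list:
    """Unique, concrete hostnames under root_domain from crt.sh JSON records.

    crt.sh packs every SAN of a certificate into one newline-separated 'name_value'
    string, so one record can yield several hosts; wildcards are dropped and the
    suffix check rejects look-alikes such as root.other.example.
    """
    root = root_domain.lower()
    found = set()
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*"):
                continue
            if name == root or name.endswith("." + root):
                found.add(name)
    return sorted(found)

def fetch_crtsh(root_domain: str, timeout: int = 60) -> list:
    """Live lookup (needs network); returns crt.sh's parsed JSON list."""
    with urllib.request.urlopen(crtsh_url(root_domain), timeout=timeout) as resp:
        return json.loads(resp.read().decode())

# Constructed sample in crt.sh's JSON layout; the hostnames are the ones seen in this campaign.
SAMPLE_CRTSH = [
    {"name_value": "chatwpscpij.terbaru-2023.com\nwww.chatwpscpij.terbaru-2023.com"},
    {"name_value": "grup-warxik.terbaru-2023.com\ngrup-wakcor.terbaru-2023.com"},
    {"name_value": "*.terbaru-2023.com\nterbaru-2023.com"},
    {"name_value": "Mediafirejeryghx.terbaru-2023.com."},  # case and trailing dot get normalised
    {"name_value": "other.example\nterbaru-2023.com.other.example"},  # must be rejected
]

if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH, "terbaru-2023.com"):
        print(host)
```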

Workflow of the Phishing Kit

Upon downloading and thoroughly analyzing this phishing kit, the entire workflow of the phishing template became clear and comprehensible.

Fig 6: complete workflow of the phishing-kit

In the final stage of examining the workflow, I made a crucial discovery when inspecting the last executed file, wana.php. It became evident that all the collected credentials were sent to a different endpoint, as depicted in Fig 7. When I investigated the remote host server, I found a message in Indonesian that read: “Mau Nyolong? wkwkkwkw” (in English, “Want to Steal? hahahaha”), conveying a sense of trolling or mockery from the threat actor behind this campaign (see Fig 8).

Fig 7: Victim’s Credentials were exfiltrated to a different server
Fig 8: The TA being a troll :P

What makes this situation particularly intriguing is that the source code shows that the scammer or group of scammers behind this campaign lacks technical sophistication: they have hardcoded a few Gmail addresses, making it possible for anyone who reviews the source code to access victim data [Fig 9]. Inspecting the active phishing sites, there does not appear to have been a significant number of victims so far, which suggests that the campaign began only recently and its impact has been limited thus far [Fig 10].

Fig 9: the source code of the phishing kit where scammers store the data, making it accessible to anyone who comes across it.
Fig 10: Accessible victim emails of the phishing site

Similar Phishing Site Hosted on the same Domain

During the writing of this blog, I came across several more phishing websites hosted on the same domain, all of which were actively engaged in similar phishing activities. These websites appeared to follow a similar workflow but utilized different phishing-kit templates, indicating a coordinated effort by the scammers to target victims using multiple variations of their scam.

Fig 11: Similar campaign, different phishing-kit

Phishing Domains:

hxxps://grup-warxik.terbaru-2023[.]com/vhsfhqpdhdxih1
hxxps://grup-wakcor.terbaru-2023[.]com/vhsfhqpdhdxih1

Additionally, I encountered another type of phishing website that employs a different tactic to lure victims by impersonating the Mediafire brand. This website tricks users into divulging their Facebook credentials under the false pretense of granting access to download viral adult content videos. It is evident that these scammers are employing various deceptive strategies to steal sensitive information from unsuspecting individuals.

Phishing Domain:

hxxps://mediafirejeryghx.terbaru-2023[.]com/Faxt16jOoXfq6
Fig 12: Impersonating Mediafire
Fig 13: Cloned Facebook login page to steal credentials

While discussing this campaign with Bradley Kemp, the founder of phish.report, he shared some insights on how to track more similar websites using IOK, a tool by phish.report that is based on URLScan.io API queries.

By querying URLScan.io with a filename taken from the phishing kit, we can hunt for additional similar phishing URLs on the platform.

Query URL: https://urlscan.io/search/#filename:%2220230920-195253.png%22

filename:"20230920-195253.png"
Screenshot from URLScan.io of similar phishing sites using the same image file from a phishing-kit

Indeed, it is observed that scammers are employing various techniques to lure victims, but their ultimate goal remains straightforward: stealing social media credentials. This campaign has illustrated that scammers can impersonate not just Facebook but potentially any other social media platform, using different templates. It emphasizes the need for heightened vigilance when clicking on shared links in WhatsApp groups or Telegram channels. Furthermore, we must be conscious of when and where we provide our login credentials to protect ourselves from falling victim to these scams.

In closing, I encourage you to share this blog with others to spread awareness about these phishing campaigns and the importance of online security. For threat hunters and cyber threat researchers, this might serve as a valuable starting point in uncovering and addressing other phishing campaigns lurking in the digital landscape. Your contributions to our collective online safety are greatly appreciated.

Your feedback is invaluable, so please connect with me on Twitter or LinkedIn to share your thoughts and insights. Together, we can help protect ourselves and our online communities from cyber threats.

Appendix

Registrar and Registrant WHOIS info of the remote endpoint domain
Certificate transparency logs for the remote endpoint domain

Article source: https://infosecwriteups.com/behind-the-screens-exploring-a-fresh-phishing-campaign-in-indonesia-stealing-facebook-credentials-9240016c5989?source=rss----7b722bfd1b8d---4