![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259b414ce3ec086f3fdee6_s1.webp)
I received this message from a Thai number (probably spoofed) stating that there is an issue with my package’s delivery. Ignoring the terribly obvious bad English, I dived straight into the site.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259b627e90ba8ad5f3700b_s2.webp)
A bit different from the other Chinese phishing scheme that I recently covered, this operation focuses on collecting credit and debit card data rather than account credentials.
An interesting thing to note is that the site implements Geo-IP filtering, and visiting it from a laptop or desktop redirects you to the legitimate website, but that won’t stop me.
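A defender-side way to spot this kind of cloaking in URL-scanner output, as an added example that is not part of the original article: fetch the same URL under several client profiles and flag it when some profiles are bounced to the real brand while another is shown a card form. The fetch records, domains and profile names below are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Card-entry markers: standard HTML autocomplete tokens plus common field names.
CARD_FIELD = re.compile(
    r'autocomplete="cc-(?:number|exp|csc)"|name="(?:card_?number|cvv|cvc)"', re.I)

# Constructed scanner records (placeholders, not data from the article).
LEGIT_DOMAINS = {"carrier.example"}
KIT = "https://parcel-redelivery.example/track"
SHOP = "https://shop.example/checkout"
FORM = '<form><input name="cardnumber" autocomplete="cc-number"></form>'
FETCHES = [
    {"url": KIT, "profile": "desktop/in-region", "status": 302,
     "location": "https://www.carrier.example/", "body": ""},
    {"url": KIT, "profile": "mobile/out-of-region", "status": 302,
     "location": "https://www.carrier.example/", "body": ""},
    {"url": KIT, "profile": "mobile/in-region", "status": 200, "body": FORM},
    # A real checkout page shows a card form to everyone: not cloaking.
    {"url": SHOP, "profile": "desktop/in-region", "status": 200, "body": FORM},
    {"url": SHOP, "profile": "mobile/in-region", "status": 200, "body": FORM},
]

def classify(fetch, legit_domains):
    """Reduce one fetch to the outcome that matters for cloaking triage."""
    if 300 <= fetch["status"] < 400 and fetch.get("location"):
        host = (urlparse(fetch["location"]).hostname or "").lower()
        legit = any(host == d or host.endswith("." + d) for d in legit_domains)
        return "to_legit" if legit else "other"
    if fetch["status"] == 200 and CARD_FIELD.search(fetch.get("body", "")):
        return "card_form"
    return "other"

def find_cloaking(fetches, legit_domains):
    """Flag URLs that redirect some profiles to the brand but show others a card form."""
    by_url = defaultdict(lambda: defaultdict(list))
    for f in fetches:
        by_url[f["url"]][classify(f, legit_domains)].append(f["profile"])
    return [{"url": url, "redirected": sorted(o["to_legit"]),
             "card_form": sorted(o["card_form"])}
            for url, o in by_url.items() if o["to_legit"] and o["card_form"]]

if __name__ == "__main__":
    for finding in find_cloaking(FETCHES, LEGIT_DOMAINS):
        print(finding)
```

A scan from a single desktop vantage point would record only the redirect to the real site, which is why the comparison across profiles is the signal.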
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259b7ced20f86511942ae8_s3.webp)
As I mentioned before, OPSEC isn’t a strong suit of this cybercrime group, and they left their admin panel at “/admin”, which is one of the most common URLs of such backend systems.
School of fish
I noticed the name “StupidFISH” next to the copyright statement, but looking for any mentions of StupidFish on the internet yields no results.
Thankfully, they were kind enough to leave a link to their Telegram group embedded in “@stupidFISHcc”.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259b9c943abafd3f0f89e9_s4.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259bac96ec9977061de019_s5.webp)
Apparently, their Telegram group serves as a “customer service”, where cybercriminals can purchase source code to replicate legitimate websites, and troubleshoot issues with their phishing kit.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259bc175d07780a15fde7d_s6.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259be765e7688277ea8296_s7.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259bfe96ec9977061e2dcf_s8.webp)
Hidden for obvious reasons, but the screenshots above contained the full names, card numbers, expiry dates and CVVs of compromised credit/debit cards.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c2471ed29a16c54930b_s9.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c2bd096dfcb63e7b6e1_s10.webp)
They also have full videos on their Telegram group of a new “product”, i.e. a new rip-off of a legitimate site of a Danish shipping company.
In the video, I noticed that they use a panel called “D2 Admin” as their backend for the phishing kit.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c468fd3dd3390fdb2d1_s11.webp)
In another message containing a 30+ minute video, the exact steps to set up a phishing website are explained, and I discovered that their choice for domain registration is NameSilo.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c5cbac3bc92cff6861d_s12.webp)
In addition, the providers you see above are the ones they use to host their phishing sites.
One of many
From the Telegram group I found, it appears that there are many other groups serving the same purpose.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c80b917685a77ac2826_s13.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c87d1d7fc0b6293c58a_s14.webp)
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259c8de290dbb74db45024_s15.webp)
So how does this work?
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65259ca80b2a2bbcd879968c_s16.webp)
- Cybercriminals looking to make money purchase modified source code from StupidFish Telegram groups.
- An admin from the group takes a cut for the sale, distancing them from the operation.
- Cybercriminals use the provided instructions to purchase a domain and host it on the recommended hosting providers.
- Once the phishing site is up and running, victims’ credit and debit card data are fed into the backend “D2 admin” panel.
From the publicly available data I found, this brings the total number of StupidFish members to at least 3,014.
Disclaimer
This article is solely for educational and informational purposes.
I do not condone any activities discussed in this article, nor am I responsible for how you use the provided information.
I am not responsible for any damages or illegal activities resulting from the misuse of the information provided.