I received this message from a Thai number (probably spoofed) stating that there is an issue with my package’s delivery. Ignoring the terribly obvious bad English, I dived straight into the site.
A bit different from the other Chinese phishing scheme that I recently covered, this operation focuses on collecting credit and debit card data rather than account credentials.
An interesting thing to note is that the site filters its visitors. It applies Geo-IP filtering, and visiting it from a laptop or desktop (rather than the phone that received the SMS) redirects you to the legitimate website. That won’t stop me, though.
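To make the gating concrete, here is a small model of the kind of visitor filtering described above, together with the request an analyst builds to get past the device check. This is an added illustration written for this write-up, not the kit's own code: the exact rules StupidFISH uses are not known, so the country allowlist, the mobile User-Agent heuristic, the redirect target and the sample User-Agent strings are all assumptions.

```python
"""
Model of the visitor gating ("cloaking") a smishing kit applies before it
serves its card-harvesting page, plus the headers an analyst sends to look
like the victim's phone.  Added example, not the kit's own code; the rules
below are assumptions about how such kits typically behave.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed: the kit only serves victims located in the country it targets.
ALLOWED_COUNTRIES = {"TH"}

# Assumed placeholder for the legitimate site the kit impersonates and
# sends "wrong" visitors to (the real target is not named here).
LEGIT_SITE = "https://example.invalid/"

# Crude mobile detection of the kind these kits use: the page is only
# useful on the phone that received the SMS, so desktops get bounced.
_MOBILE_UA = re.compile(r"(Android|iPhone|iPad|Mobile)", re.I)


@dataclass
class Visitor:
    user_agent: str
    country: str  # result of the kit's Geo-IP lookup on the source IP


def gate(visitor: Visitor) -> str:
    """Return 'serve' when the kit would show the phishing page, otherwise
    the URL it redirects the visitor to."""
    if visitor.country not in ALLOWED_COUNTRIES:
        return LEGIT_SITE
    if not _MOBILE_UA.search(visitor.user_agent):
        # Laptop/desktop visitor: hand them to the real website.
        return LEGIT_SITE
    return "serve"


def analyst_headers() -> dict[str, str]:
    """Headers an analyst sends from a desktop to pass the device check.

    The Geo-IP check cannot be defeated with a header: the request must also
    leave from an IP address in the allowed country (VPN or proxy), which is
    why Geo-IP gating is the stronger of the two filters.
    """
    return {
        # Constructed sample iPhone Safari User-Agent (assumption).
        "User-Agent": (
            "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
            "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 "
            "Mobile/15E148 Safari/604.1"
        ),
        "Accept-Language": "th-TH,th;q=0.9",
    }


# Constructed sample desktop User-Agent (assumption).
DESKTOP_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"
)


def walkthrough() -> dict[str, str]:
    """Run the three interesting cases through the gate."""
    mobile_ua = analyst_headers()["User-Agent"]
    return {
        "desktop_in_country": gate(Visitor(DESKTOP_UA, "TH")),
        "mobile_in_country": gate(Visitor(mobile_ua, "TH")),
        "mobile_out_of_country": gate(Visitor(mobile_ua, "US")),
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case:24s} -> {outcome}")
```

When reproducing a victim's view of such a site, the mobile User-Agent alone only clears the device check; the Geo-IP check has to be satisfied by the egress IP, so plan on an in-country exit point before concluding that a redirect to the legitimate site means the page is benign.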
As I mentioned before, OPSEC isn’t a strong suit of this cybercrime group, and they left their admin panel at “/admin”, one of the most common URLs for such backend systems.
School of fish
I noticed the name “StupidFISH” next to the copyright statement, but looking for any mentions of StupidFish on the internet yields no results.
Thankfully, they were kind enough to leave a link to their Telegram group embedded in the site: “@stupidFISHcc”.
Apparently, their Telegram group serves as a “customer service”, where cybercriminals can purchase source code to replicate legitimate websites, and troubleshoot issues with their phishing kit.
Redacted for obvious reasons, but the screenshots above contained the full names, card numbers, expiry dates and CVVs of compromised credit/debit cards.
They also have full videos in their Telegram group of a new “product”, i.e. a new rip-off of a legitimate Danish shipping company’s site.
In the video, I noticed that they use a panel called “D2 Admin” as their backend for the phishing kit.
In another message containing a 30+ minute video, the exact steps to set up a phishing website are explained, and I discovered that their registrar of choice is NameSilo.
In addition, the providers you see above are the ones they use to host their phishing sites.
One of many
From the Telegram group I found, it appears that there are many other groups serving the same purpose.
So how does this work?
- Cybercriminals looking to make money purchase modified source code from StupidFish Telegram groups.
- An admin from the group takes a cut of the sale, distancing them from the operation.
- Cybercriminals use the provided instructions to purchase a domain and host it on the recommended hosting providers.
- Once the phishing site is up and running, victims’ credit and debit card data are fed into the backend “D2 admin” panel.
From the publicly available data I found, this brings the total number of StupidFish members to at least 3,014.
Disclaimer
The purpose of this article is solely for educational and informational purposes.
I do not condone any activities discussed in this article, nor am I responsible for how you use the provided information.
I am not responsible for any damages or illegal activities resulting from the misuse of the information provided.