StupidFish: Cybercrime group harvesting credit card data

OPSec just isn’t their thing.

Text message containing a link to a phishing site

I received this message from a Thai number (probably spoofed) stating that there is an issue with my package’s delivery. Ignoring the terribly obvious bad English, I dived straight into the site.

Phishing pages harvesting personal and credit/debit card data

A bit different from the other Chinese phishing scheme that I recently covered, this operation focuses on collecting credit and debit card data rather than account credentials.

An interesting thing to note is that the site implements Geo-IP filtering, and visiting it from a laptop or desktop redirects you to the legitimate website, but that won’t stop me.

As I mentioned before, OPSec isn’t a strong suit of this cybercrime group, and they left their admin panel at “/admin”, which is one of the most common URLs of such backend systems.

School of fish

I noticed the name “StupidFISH” next to the copyright statement, but looking for any mentions of StupidFish on the internet yields no results.

Thankfully, they were kind enough to leave a link to their Telegram group, “@stupidFISHcc”, embedded in the page.

Telegram group 1

Translation of Telegram group 1’s description

Apparently, their Telegram group serves as a “customer service”, where cybercriminals can purchase source code to replicate legitimate websites, and troubleshoot issues with their phishing kit.

Screenshots of phishing kit admin panel from Telegram group 1 showing credit/debit card data (hidden)

Hidden for obvious reasons, but the screenshots above contained the full names, card numbers, expiry dates and CVVs of compromised credit/debit cards.

They also have full videos on their Telegram group of a new “product”, i.e. a new rip-off of a legitimate site of a Danish shipping company.

In the video, I noticed that they use a panel called “D2 Admin” as their backend for the phishing kit.

Screenshot of video showing phishing kit backend panel

In another message containing a 30+ minute video, the exact steps to set up a phishing website are explained, and I discovered that their choice for domain registration is NameSilo.

Screenshot from Telegram group 1 showing video instructions and hosting providers

In addition, the providers you see above are the ones they use to host their phishing sites.

One of many

From the Telegram group I found, it appears that there are many other groups serving the same purpose.

So how does this work?

  • Cybercriminals looking to make money purchase modified source code from StupidFish Telegram groups.
  • An admin from the group takes a cut for the sale, distancing them from the operation.
  • Cybercriminals use the provided instructions to purchase a domain and host it on the recommended hosting providers.
  • Once the phishing site is up and running, victims’ credit and debit card data are fed into the backend “D2 admin” panel.

From the publicly available data I found, this brings the total number of StupidFish members to at least 3,014.

Disclaimer

The purpose of this article is solely for educational and informational purposes.

I do not condone any activities discussed in this article, nor am I responsible for how you use the provided information.

I am not responsible for any damages or illegal activities resulting from the misuse of the information provided.