The Great Wall of Cybercrime: Chinese-run bank phishing operation

Over the past couple of months, I’ve been receiving phishing emails from “banks” that I’m not a customer of.

Naturally, I looked into each phishing site to see whether I could trace the source of the scheme, but most led to a dead end.

That changed recently, when I received a text message from a Malaysian phone number containing a link to a phishing site claiming that my bank account details needed to be updated. So I got to work.

The site

Banking phishing site

Victims are presented with a reasonably convincing login page, complete with reassuring text such as “your credentials are safe with us” and a QR code that links to the bank’s legitimate mobile application.

The end goal, obviously, is to harvest online banking credentials and take over victims’ bank accounts.

Looking at the page’s source code, I noticed leftover JavaScript comments written in Chinese. That was the first hint of what I was about to discover.

PaaS — Phishing as a service

I fired up Burp Suite to see which endpoints the page was talking to. Several API calls fired when I “logged in”, and the traffic also revealed what looked like the URL of an admin page.

Phishing kit admin panel login page

Unfortunately, the admin panel required authentication, but it gave me enough hints to find what is probably the same panel that this site reports to.
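Pulling this kind of indicator out of a page’s source can be automated. The following Python snippet is an added example written for this post, not the kit’s code or anything the author published: it extracts HTML and JavaScript comments containing CJK characters, plus the URLs passed to `fetch`, jQuery and `XMLHttpRequest` calls, from a saved page. The sample page, its Chinese comments, every endpoint path in it and the `example.invalid` host are constructed for illustration.

```python
import re

# Constructed sample of a phishing-kit login page. The Chinese comments read
# "login page", "check whether this IP already submitted" and "submit to the
# backend"; the paths and the example.invalid host are invented.
SAMPLE_HTML = """<html><head><title>Secure Login</title></head>
<body>
<!-- 登录页面 v2 -->
<form id="login"><input name="u"><input name="p" type="password"></form>
<script>
// 检查IP是否已经提交
fetch("/api/check.php?ip=" + ip).then(r => r.json());
/* 提交到后台 */
$.post("/api/submit.php", {u: user, p: pass});
var panel = "https://example.invalid/admin/login";
</script>
</body></html>"""

# CJK unified ideographs plus Japanese kana; widen the ranges for other kits.
CJK_RE = re.compile(r"[\u4e00-\u9fff\u3040-\u30ff]")
# HTML comments, JS block comments and JS line comments. The lookbehind keeps
# the "//" of "https://" from being read as a line comment.
COMMENT_RE = re.compile(r"<!--.*?-->|/\*.*?\*/|(?<!:)//[^\n]*", re.DOTALL)
# First string argument of common client-side request helpers.
CALL_RE = re.compile(
    r"""(?:fetch|\$\.(?:post|get|ajax)|axios\.(?:post|get))\(\s*["']([^"']+)["']"""
)
# XMLHttpRequest.open("POST", url) style calls.
XHR_RE = re.compile(r"""\.open\(\s*["'](?:GET|POST)["']\s*,\s*["']([^"']+)["']""", re.I)
# Any absolute http(s) URL embedded in the page.
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def find_cjk_comments(html: str) -> list:
    """Return the bodies of comments that contain CJK text, in document order."""
    found = []
    for m in COMMENT_RE.finditer(html):
        if CJK_RE.search(m.group(0)):
            found.append(m.group(0).strip("<!->/* "))
    return found


def find_endpoints(html: str) -> list:
    """Return the unique URLs and paths the page may call, sorted."""
    hits = set(CALL_RE.findall(html))
    hits.update(XHR_RE.findall(html))
    hits.update(URL_RE.findall(html))
    return sorted(hits)


def triage(html: str) -> dict:
    """Summarise the indicators worth pivoting on when hunting for the backend."""
    endpoints = find_endpoints(html)
    return {
        "cjk_comments": find_cjk_comments(html),
        "endpoints": endpoints,
        # Crude heuristic: anything mentioning admin or panel deserves a look.
        "admin_candidates": [e for e in endpoints if re.search(r"admin|panel", e, re.I)],
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_HTML).items():
        print(key)
        for value in values:
            print("   ", value)
```

Run it against a page saved from the browser or from Burp’s response pane rather than against the live site: every request you make from your own address is a data point for the operator, and, as described below, the kit blocks an IP after a single submission.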

Phishing scheme admin panel — details in the image are hidden by uploader

From the limited public data available on this scheme, it is safe to assume that this admin panel serves multiple phishing campaigns, ingesting data through an API from various phishing sites.

The victims’ usernames, passwords, IP addresses and user-agents are all visible in plaintext.

Another interesting detail: once you have “logged in” on the phishing site, your IP address is blocked and you can never reach the phishing page again. For anyone analysing such a site, that means you get one shot per IP address before the page goes blank.

Takedown & analysis

After I reported the site, it was quickly taken down, at least for the time being.

So how exactly does this scheme work?

Attackers need a few things to get a phishing scheme up and running:

  • A communication channel, i.e. an email address or a spoofed phone number
  • A domain and a hosting platform
  • A method of receiving the victims’ data
  • Cloned or replicated login pages of the targeted bank

Attack flow from initial contact to credential compromise

Once the attacker lures a victim onto the phishing site, the page first uses the API to check whether the victim has previously submitted credentials to the site; if so, the victim is redirected to an empty page.

If the victim is new to the site, “logging in” triggers the API to send the victim’s details and bank account credentials to the admin panel.
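To make that flow concrete, here is an in-memory model of the two API calls described above. It is an added example written for this post, not code from the kit: a check call that tells the page whether a visitor’s IP has already submitted, and a submit call that stores the captured data in a panel shared by several cloned sites and then blocks the IP. The call names, field names, site identifiers and the IP addresses used in the demo are all invented.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Submission:
    """One harvested record, held the way the panel in the post displays it."""
    site_id: str
    ip: str
    user_agent: str
    username: str
    password: str  # plaintext; the kit makes no attempt to protect it


@dataclass
class AdminPanel:
    """One backend fed by many cloned bank login pages (hypothetical model)."""
    submissions: list = field(default_factory=list)
    blocked_ips: set = field(default_factory=set)

    def api_check(self, ip: str) -> dict:
        """Hypothetical 'check' call the cloned page makes on load."""
        return {"blocked": ip in self.blocked_ips}

    def api_submit(self, site_id: str, ip: str, user_agent: str,
                   username: str, password: str) -> dict:
        """Hypothetical 'submit' call made when the victim clicks login."""
        if ip in self.blocked_ips:
            return {"status": "ignored"}
        self.submissions.append(Submission(site_id, ip, user_agent, username, password))
        self.blocked_ips.add(ip)  # one submission per IP, then the page goes blank
        return {"status": "stored"}


def visit(panel: AdminPanel, site_id: str, ip: str, user_agent: str,
          credentials: Optional[Tuple[str, str]] = None) -> str:
    """Emulate one visit to a cloned login page and return what the visitor sees."""
    if panel.api_check(ip)["blocked"]:
        return "empty_page"      # repeat visitor (or analyst) is redirected away
    if credentials is None:
        return "login_page"      # fresh visitor gets the cloned form
    panel.api_submit(site_id, ip, user_agent, *credentials)
    return "submitted"


def demo():
    """Two cloned sites, three visits; IPs are RFC 5737 documentation addresses."""
    panel = AdminPanel()
    outcomes = [
        # A victim of the first cloned site submits once ...
        visit(panel, "bank-a-clone", "203.0.113.5", "Mozilla/5.0", ("alice", "hunter2")),
        # ... and can never reach the page again from that IP.
        visit(panel, "bank-a-clone", "203.0.113.5", "Mozilla/5.0"),
        # A different clone feeds the same panel.
        visit(panel, "bank-b-clone", "198.51.100.9", "curl/8.0", ("bob", "pw")),
    ]
    return panel, outcomes


if __name__ == "__main__":
    panel, outcomes = demo()
    print(outcomes)
    for record in panel.submissions:
        print(record)
```

The same branch that sends a returning victim to an empty page also catches an analyst who submits dummy credentials from their own address, so fetch and inspect the page through a throwaway IP or proxy before interacting with the form.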

A Russian rip-off?

Looking at this operation, it seems similar to the one covered by LiveOverflow in this video, which is worth watching if you are interested.

What you can do to take down phishing sites

Obviously, not everyone has the time or the skills to dig into these sites and find this kind of information, but taking them down can easily be done by reporting them to:
