After a long break and while sifting through my junk emails, I came across this interesting phishing email that caught my eye due to its decent design. Furthermore, I haven’t seen many phishing attempts at US banks.
Fortunately though, and as you’ll see later in this article, cybercriminals haven’t gotten good enough at OPSEC yet.
Exploring the site
Credential compromise
As with many phishing sites, this one immediately attempts to harvest victims’ account credentials.
Typically, after a victim ‘logs in’ to a phishing site, attackers try to validate the credentials to ensure they can use them for authentication.
However, since I provided fake information, it allowed me to continue without attempting to sign in.
The bait
After “logging in”, a message is displayed alerting the victim that their account needs “verification” and that they need to “update their information”.
Final score
As expected, the primary goal of this phishing site is to harvest debit/credit card information.
Interestingly, this site also requests victims to provide their ATM pin 🤔.
Data exfiltration
Now that the victim has provided their card information, it’s exfiltrated through a post request, and then sent to a Telegram web hook.
Pretty standard way of logging victim information. As you’ll see soon, this information came in handy.
Backend-side of things
Remember that I mentioned bad OPSEC?
Well whoever is running this site is no different, the admin panel of YoCHI’s phishing kit was accessible at /admin.
After a bit of research, I found no mentions of YoCHI online, except for a single tweet, which shows a similar admin login page for YoCHI’s phishing kit.
After digging around a bit more, I found another mention of YoChi online, showing a limited snippet of logs collected from the admin panel.
The following is an example of log entries from YoChi’s phishing kit.
After getting my hands on it, I tried to make an educated guess as to where this phishing site’s operator is located using Python.
The earlier Python script identifies the most frequently occurring IP address in the log file. Using that, I performed an IP lookup and found it originated from Norway.
Now whether the person operating this site is indeed located in Norway or not is up for debate, your guess is as good as mine.
Finding YoCHI
It didn’t take long for me to find YoChi’s Telegram group, where they promote their phishing kit and drive-through sales.
In addition, they appear to be pretty active, keeping “customers” updated on new features of the phishing kit.
Using timestamps from Telegram, we can guess that YoChi has started operating sometime around late 2021.
As you can see, the phishing kit allows cybercriminals to add the following features to their phishing sites:-
- Logging visitor information
- Data cleanup
- Victim information exfiltration via Telegram, email notifications and file exports
- Taking down and reactivating phishing sites in a single click
- Responsive designs
- Hiding behind a Cloudflare page
- Limiting user-agents
- Document uploads
Timeline
In 2022, an article by WMC Global reported 443 phishing kits linked to YoChi, with the majority targeting US banks.
Notes
It’s important to note that this site is not directly managed by YoChi, rather, they sell phishing kits to “customers” who are responsible for developing, hosting and spreading the phishing site.
YoChi is ultimately the one enabling others to run phishing campaigns, and taking down cybercriminals like YoChi can sever the entire operation from its roots.
DISCLAIMER
The purpose of this article is solely for educational and informational purposes.
I do not condone any activities discussed in this article, nor am I responsible for how you use the provided information.
I am not responsible for any damages or illegal activities resulting from the misuse of the information provided.