Behind the Scenes of a Tailor-Made Massive Phishing Campaign

– Sarit Yerushalmi
Based on the information provided, we can infer the following about the phishing campaign:

1. Purposeful selection of a derogatory term: The use of the Russian word for "piggy" as the translation of a key term in the campaign suggests that its architects deliberately chose a derogatory term to signal disrespect. This choice may be connected to the ongoing war between Russia and Ukraine.

2. Hidden endpoints: The investigation discovered several hidden endpoints related to the phishing campaign. These are URLs that were not linked from the public site but were found through automated research, and they provide clues about the phishing site's infrastructure.

3. Endpoint redirection: Attempts to access the discovered hidden endpoints were redirected to the `/root/login` URL, which presented a login screen. Access to these endpoints therefore required authentication.

4. Dynamic analysis: To gain a deeper understanding of the scam platform, the researchers performed a dynamic analysis: they downloaded all of the scam site's resources and replicated it behind a man-in-the-middle (MITM) proxy. By manipulating the server's JSON responses, they reverse-engineered the application.

5. `templateId` parameter: The `templateId` parameter controls the layout and content of the scam page. By setting its value, the scammers could impersonate more than 340 legitimate sites, including FedEx, CapitalBank, and PostExpress.

6. `locale` parameter: The `locale` parameter lets the scam server customize the front end's content for the language the attacker wants. The platform supported 48 languages, so the scam site could be presented in whichever language suited the target.

7. Payment methods: The scammers could control which payment methods were presented to the target by updating the JSON response, tailoring the payment options to their preferences and to the targeted victims.

8. Hidden endpoints made available to collaborators: The front-end JavaScript code attempted to reach the domain `testSDNservssfg.com` to expose the hidden phishing site endpoints. This domain did not exist on the public internet and was likely resolvable only within the network of the collaborators involved in the campaign.

9. Main page and features: The `/root/index` page was the main page the scammers used to control the platform. It was primarily in Russian, suggesting that Russian was the scammers' first language. The scammers also developed two main features: `create-bank` and `create-platform`.

10. Chat interface: The investigation uncovered a hidden chat interface used by the scammers, allowing communication between the attackers and potentially their victims. The scammers referred to their targets as "mammoths" and to themselves as "workers", indicating a company-like operation.

11. Fake LinkedIn profile: The scammers used a fake LinkedIn profile picture for their chatbot. A reverse image search found a fake LinkedIn account, created in 2020, using the same picture; the scammers may have used this profile for other deceptive purposes.

It is important to continue tracking the activity of this threat actor to gather more information and, hopefully, take action to shut down their operation.
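The dynamic-analysis step in items 4 to 7 (replicating the kit behind a MITM proxy and rewriting its JSON responses to drive `templateId`, `locale` and the payment-method list) can be reproduced with a small proxy addon. The code below is an added example written for this page, not code from the Imperva write-up or the phishing kit. It assumes mitmproxy as the proxy, a config endpoint at `/api/config`, a `paymentMethods` field name, and the sample response shape; none of these beyond `templateId` and `locale` are stated in the source. The rewriting logic is kept in plain functions so it can be exercised without a proxy, and non-JSON responses (for example the HTML login page behind the `/root/login` redirect) pass through untouched.

```python
"""Added example: rewrite a phishing kit's JSON config response behind a
MITM proxy so the front end renders a chosen template/locale/payment set.
The endpoint path, field names other than templateId/locale, and the sample
response are assumptions for illustration, not values from the write-up."""
import json

# Parameters the write-up says drive the scam page; the values are constructed.
OVERRIDES = {
    "templateId": 17,
    "locale": "de",
    "paymentMethods": ["card", "bank-transfer"],
}

# Constructed stand-in for the kit's config response.
SAMPLE_RESPONSE = json.dumps({
    "templateId": 3,
    "locale": "en",
    "paymentMethods": ["card"],
    "brand": "PostExpress",
    "currency": "EUR",
})


def rewrite_config(body, overrides):
    """Return (new_body, changes) where changes maps key -> (old, new).
    Bodies that are not a JSON object are returned unchanged with no changes,
    so HTML pages and redirects are never corrupted."""
    try:
        data = json.loads(body)
    except ValueError:
        return body, {}
    if not isinstance(data, dict):
        return body, {}
    changes = {}
    for key, new in overrides.items():
        old = data.get(key)
        if old != new:
            changes[key] = (old, new)
            data[key] = new
    if not changes:
        return body, {}
    return json.dumps(data, separators=(",", ":")), changes


def field(body, key):
    """Read one field back out of a JSON body (helper for inspection)."""
    return json.loads(body).get(key)


def template_sweep(body, template_ids, locales):
    """Produce a body for every templateId x locale pair, the way one would
    walk the kit's catalogue of impersonated brands and supported languages."""
    out = []
    for tid in template_ids:
        for loc in locales:
            new_body, _ = rewrite_config(body, {"templateId": tid, "locale": loc})
            out.append({"templateId": tid, "locale": loc, "body": new_body})
    return out


try:  # mitmproxy is only needed when this file is loaded as an addon
    from mitmproxy import http  # noqa: F401
except ImportError:
    http = None


class ConfigRewriter:
    """mitmproxy addon: rewrite JSON responses whose path contains path_hint.
    '/api/config' is an assumed path, not one named in the write-up."""

    def __init__(self, overrides, path_hint="/api/config"):
        self.overrides = overrides
        self.path_hint = path_hint
        self.log = []  # (path, changes) per rewritten response

    def response(self, flow):
        if self.path_hint not in flow.request.path:
            return
        if "json" not in flow.response.headers.get("content-type", ""):
            return
        new_body, changes = rewrite_config(flow.response.get_text(), self.overrides)
        if changes:
            flow.response.set_text(new_body)
            self.log.append((flow.request.path, changes))


addons = [ConfigRewriter(OVERRIDES)]
```

Run it with `mitmdump -s this_file.py` in front of the replicated site and watch the front end switch brand and language as `OVERRIDES` changes; `template_sweep` gives the bodies needed to enumerate the catalogue offline.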
Link: https://www.imperva.com/blog/analysis-of-a-phishing-campaign/