Inside Phishing Groups: Trust No One

Transcript

1. M Inside Phishing Groups: # Trust No-One # * e

   by Anshuman El ethebitdoodler /in/thebitdoodler

2. Agenda Analyzing the kit that How phishing-kit works scam the

   scammers Take aways How Phishing Kits Hunting in the wild are distributed

3. M · Threat & Adversary Research GeloudSEK ⑳ Writing Tech-Zines

   @securityLines · Documenting Learnings HuskyScripts. blog El @thebitdoodlea er *

4. ww 88 e ⑧ ↓ TAs Who deploy phishing sites

   to harvest credentials &thebitdoodler

5. M banner. Sug L · taki ⑨thebitdoodler

6. M # I L Logo. png index . php main

   . js style. ess banner. Sug These can be indicators!! &thebitdoodler

7. M # I L Logo. png index . php main

   . js style. ess banner. Sug These can be indicators!! ↓ ↓ content filename inside the or file hashes filess ... &thebitdoodler

8. Some where on the T elegram FREE Phishing Kits -

   - - - - > Interesting .... &thebitdoodler
9. None

10. M unzipped - > phishing Kits Loading inside Browser ↓

    &thebitdoodler

11. Capabilities Blocking M ↓ Bots ⑨ Harvestinto Anti-Analysis Blocking user-agent-

    &thebitdoodler

12. Capabilities M Flexible credentials # · xtitratore inbox Email &thebitdoodler

13. M Why Phishing-Kit G is ⑳ # · N ab

    &thebitdoodler

14. M en

15. M ↓ function from the interesting file ↓ # "

    * Whaaatt ..... &thebitdoodler

16. M - L1 Deobfuscation.... - Not enough. &thebitdoodler

17. M ↓ L2 Deobfuscation ↓ Sending oken to some URL

    S & &thebitdoodler

18. The Artist M - - > I hosted by Scammer

    * xcksm/a =- phishing site ↑ victimstials 1 02 . 165 . 14 . 4 : 5000 ⑤ F # &thebitdoodler

19. The Artist M - - > I hosted by Scammer

    * xcksm/a =- phishing site ↑ victimstials 1 02 . 165 . 14 . 4 : 5000 ⑤ F # &thebitdoodler

20. The Artist M - - > - I hosted by

    Scammer * xcksm/a · i phishing site ↑ victimstials 102 . 165 . 14 . 4 : 5000 & ⑤ - F # web server written in python &thebitdoodler

21. Phishing kit M Author C2 server steals -- >Bot tokens

    Hosted # ... ) =>>> . ! # ... - Phishing Sites D # ...[ goodbankk. xyz courier . top +vfzpa- webapp M I spepy Phishing kits Configures with #init #Telegram BotTokens ⑤ # · Freely distributed , , F - > # Telegram scammers channels &thebitdoodler

22. M Hunting in the Wild &thebitdoodler

23. M * + urlscan. io phish. report ↓ ↓ community

    F open source &thebitdoodler

24. M * urlscan . io phish. report ↓ ↓ community

    F open source · Nuclei for phishing kits &thebitdoodler

25. https://github.com/phish-report/IOK M

26. M

27. M

28. M /YAML Rule Presenton the A Based on Indicators -

    3 # ↓ Hardcoded on th index page &thebitdoodler

29. M minder Live UrLS & & similar We can detect

    A Kits created by the same author 1! &thebitdoodler

30. https://phish.report/blog/no-honour-among-phishers M

31. M O questions

32. M Thank You... El ethebitdoodler /in/thebitdoodler