Account Tools - Phishing Kit Author

#AccountTools #phishing #phishingkit #SwiftMailer

There is a phishing kit being used to steal passwords from Yahoo, Outlook, and Gmail users. The kit may contain folders like

.zip\yinput
.zip\outlook
.zip\ginput
.zip\products
.zip\lib
.zip\classes\Swift
.zip\dependency_map





This folder ( .zip\classes\Swift ) indicates it uses the Swift Mailer ( SwiftMailer (c) 2004-2009 Chris Corbyn ) to send the malicious emails to the drop accounts.

The Phishing Kit Author calls themself "Account Tools"
Here are several related links to them (some still alive, some not)
- https://www.youtube.com/watch?v=2T1HJwkYn74
- http://rghost.net/55166139
- http://rghost.net/55166141
- http://rghost.net/55166140


- http://spamboard.su
- http://accounttools.cc

Their youtube page says
"Advanced Scam page for hacking any email and password, mailer, smtp, cpanel all tools"
"Deme Bin Published on May 14, 2014"
"All in one scampage, Yahoo, Gmail, Hotmail Hacking Special Mailer and more visit our"

Here are 2 examples of #phishingkit matching this Phishing Kit Author
example 1
found 5/23/2019
md5 aa4586a64637bc5cf4b9b91916eef3be
http://artisbycarolburns.co.uk/index/Y@FMT.zip
https://www.virustotal.com/#/file/6c84b2442ce3c00ed63e39f243f1dfddb1f8000cb7b741f693f3f5af45460f44/detection
screenshot: https://imgur.com/a/IEPgUsO







example 2
from 8/2018
md5 8d4c3f85ab9b00ea7b198fc1545c04b0
http://toperfection.co/aa/tire_update.zip
https://www.virustotal.com/#/file/137c8bfe24620c8416bff55cf4c0a9a044968d42fb2cb29f2fe7ddc2366d50fb/detection


These kits will usually contain a email address in the url and that email address will be used to determine in php code which sub-folder to redirect the user to (e.g. if the victim has a @yahoo.com email they get redirected to the "yinput" folder, if they have a @gmail.com email they get redirected to the "ginput" folder)

The sub-folder usually contains an "id.php" file that is the actual phishing page.

The folder may contain the following files

.country.inc.php (heavily obfuscated, defines helper functions like 'SendAttach, Swift, Email')
address.php (contains the #threatactoremail who purchased / downloaded the kit)

The folder may also contains file such as 
"FMT@YAHOO.txt" 
which will be used to record locally on the web server all the victim passwords




Scampage Demo and Tutorial: https://www.youtube.com/watch?v=2T1HJ...
Mailer Tutorial: https://www.youtube.com/watch?v=IHerw...





There was also a 
rename.php 
file that may log to the text file above and in both cases I saw contained a country timezone of Africa
date_default_timezone_set("Africa/Lagos");

The kit may also contain a READ ME.txt file which has this content

-----------------------------------
READ ME.TXT file in the kit
-----------------------------------
NOTE: DO NOT EDIT ANYTHING JUST CHANGE THE EMAIL IN "address.php" IF YOU TOUCH ANYTHING YOU MAY RUIN THE WHOLE SCRIPT
1. IN THIS TUTORIAL YOU WILL LEARN HOW THIS ALL IN ONE SCAMPAGE WORKS
IT USE ONE LINK, BUT REDIRECTS TO THE A SCAMPAGE RELATING TO THE EMAIL OF THE USER/PERSON YOU EMAIL TO.
E.G IF I USE http://scam-page.com/index.php?userid=#e-mail# as link in my message.
my mailer or sendblaster would change #e-mail# to user1@yahoo.com assuming that email is valid. so if your email list is 3 emails
1. you@yahoo.com
2. me@hotmail.com
3. them@gmail.com
4. others@163.com or anything@example.com
when each and everyone recieve the email: The mailer or script would change
#e-mail# to the person who receives the email so:
when you check your email the link will be http://scam-page.com/index.php?userid=you@yahoo.com
When I check my email it will be
http://scam-page.com/index.php?userid=me@hotmail.com
FINALLY:
WHEN USER CLICK THE LINK IN THE MESSAGE THE SCAM-PAGE WILL OPEN YAHOO SCAM PAGE IF THE USER IS USING YAHOO. SO YOU WILL BE DIRECTED TO YAHOO AND I WILL BE DIRECTED TO HOTMAIL BECAUSE MY EMAIL IS ME@HOTMAIL.COM AND YOU WILL BE YAHOO BECAUSE YOUR EMAIL IS YOU@YAHOO.COM
FOR MORE INFORMATION:
WATCH THE VIDEO ON YOUTUBE TO SEE DEMO:
For the mailer visit: http://accounttools.cc/smtp_mailer.zip
For another type of mailer no smtp: http://accounttools.cc/normal_mailer.zip
Scampage Demo and Tutorial: https://www.youtube.com/watch?v=2T1HJwkYn74
Mailer Tutorial: https://www.youtube.com/watch?v=IHerwW9VXog
For Scam page that works with it: visit http://accounttools.cc/source_update.zip



additional potential examples of this phishing kit author
http://phishtank.net/phish_detail.php?phish_id=5972671 ( groutpro[.]com[.]au )
https://www.phishtank.com/phish_detail.php?phish_id=5905669 ( supersoca[.]com )
https://urlscan.io/result/6517b93d-3b89-450f-a2ef-e57c626d49cd/ ( prenocisca-kocar[.]si )