Banks - Phishing Kit Type

#Banks #l33bo #PhishingKitType #phishing #phishingkit

l33bo phishers create a Phishing Kit that has a sub folder with a bunch of banks inside.

It May contain text like
Created by l33bo_phishers -- icq: 695059760  (see more https://phishingkittracker.blogspot.com/2019/05/l33bo-phishing-kit-author.html ) 

There is a sub-folder called Banks which has numerous types of banking phishes like

\BMO
\HSBC
\Meridian
\RBC
\Scotia

The bank sub-folders have numerous formats, a few are listed below

Some bank sub-folders are in this format
CONTROLS.php contains the #threatactoremail
Step1.php, Step2.php, Finish.php

Some bank sub-folders are in this format
antibots.php & blocker.php to block search engines & researchers
move.php, move1.php, move2.php or next.php, next1.php or logging.php or mailer.php

Some bank sub-folders are in this format
action.php, action1.php, action2.php

many of the bank folders have 2 sub folders such as
files & files2
error_files & login_files

example 1
md5 d8c8d4b64ed3479ba9c93ab7af5f185a
https://www.virustotal.com/#/file/ed141a370274fba371e7e5ba8967ba3f2065f311baf0edb2ea361a16de698db7/detection
http://ganhsman.kr/ljgtrfy.zip

example 2

NOTE: There was another PhishingKitAuthor #NovaShop ( https://phishingkittracker.blogspot.com/2019/05/nova-shop-phishing-kit-author.html ) that had a nearly identical phish so they're probably based off the same kit or they stole it from l33bo