Dr Don - Phishing Kit Author
#DrDon #PhishingKitAuthor #phishing #phishingkit
@ActorExpose documented a phishing kit against Chase Bank this type of text
\uploads\rezlt.txt says
------------>CODED BY Dr.Don<------------
>Dr.Don | CH453 | ID<
\uploads\index.php says
/* ==================== || CODED BY Dr.Don || ==================== */
mutiple php files also reference this
---- : || GhostMode || :------
folder structure
\css js\
\uploads\css\
\uploads\css\css.css (style sheets referencing fonts.gstatic.com)
\uploads\js\
\uploads\src\
\uploads\src\class.fileuploader.php (Innostudio.de FileUploader)
\uploads\php\form_upload.php
\uploads\php\upload_file.php
\uploads\php\upload_remove.php
\uploads\rezlt.txt
\.htaccess
\acc.php
\access.html
\bill.php
\billing.html
\email.php
\index.html
\thanks.php
\vb.php
\vbv.html
@ActorExpose documented another phishing kit against USAA that claimed to be written by Dr. Don. It was unique in that is contained several folders that appeared to be full web crawled/locally downloaded copies of the USAA site including JS, CSS, Images, HTML pages, etc.
But this could also be a partially ripped off version of #AK47VBV ( https://phishingkittracker.blogspot.com/2019/05/ak47-vbv-phishing-kit-type.html ) because it contains the same exact text "// PUT UR FUCKING E-EMAIL BRO" in it
folder structure
\antibots.php
\block.php
\blocker.php
\bt.php (list of banned ips and keywords similar to the other 3 above)
\email.php (#threatactoremail in here & comment // PUT UR FUCKING E-MAIL BRO )
\img\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\imgs\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\imgs\Get.ashx (contains text DeepReferrer.Handlers.ReadDone("---"); )
\inc\drdon1.php (the php mailer, says By Dr. Don)
\inc\drdron3.php (the php mailer, says By Dr. Don)
\inc\drdon5.php (the php mailer, says By Dr. Don)
\Insurance, Banking, Investments & Retirement USAA_files\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\Password Recovery USAA_files\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
example 1:
md5 9c30006eeed3c63a1b69cdd0a8460a2d
https://www.virustotal.com/gui/file/53284e912767f54366aa6451f708ff81a9f4683b5f2eac50725d4f8083351379/details
hxxp://dead-daughter[.]com/
example 2:
md5 a54fd7f069e3f4bb83f8af1f3c4e66f0
https://www.virustotal.com/#/file/536c64c4f5612b02305783009ab1d8b0860b3f2232d3567f556274f26d6761f7/detection
hxxp://hairless-preserver[.]000webhostapp[.]com/
References
https://twitter.com/ActorExpose/status/1133098597531234304
@ActorExpose documented a phishing kit against Chase Bank this type of text
\uploads\rezlt.txt says
------------>CODED BY Dr.Don<------------
>Dr.Don | CH453 | ID<
\uploads\index.php says
/* ==================== || CODED BY Dr.Don || ==================== */
mutiple php files also reference this
---- : || GhostMode || :------
folder structure
\css js\
\uploads\css\
\uploads\css\css.css (style sheets referencing fonts.gstatic.com)
\uploads\js\
\uploads\src\
\uploads\src\class.fileuploader.php (Innostudio.de FileUploader)
\uploads\php\form_upload.php
\uploads\php\upload_file.php
\uploads\php\upload_remove.php
\uploads\rezlt.txt
\.htaccess
\acc.php
\access.html
\bill.php
\billing.html
\email.php
\index.html
\thanks.php
\vb.php
\vbv.html
@ActorExpose documented another phishing kit against USAA that claimed to be written by Dr. Don. It was unique in that is contained several folders that appeared to be full web crawled/locally downloaded copies of the USAA site including JS, CSS, Images, HTML pages, etc.
But this could also be a partially ripped off version of #AK47VBV ( https://phishingkittracker.blogspot.com/2019/05/ak47-vbv-phishing-kit-type.html ) because it contains the same exact text "// PUT UR FUCKING E-EMAIL BRO" in it
folder structure
\antibots.php
\block.php
\blocker.php
\bt.php (list of banned ips and keywords similar to the other 3 above)
\email.php (#threatactoremail in here & comment // PUT UR FUCKING E-MAIL BRO )
\img\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\imgs\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\imgs\Get.ashx (contains text DeepReferrer.Handlers.ReadDone("---"); )
\inc\drdon1.php (the php mailer, says By Dr. Don)
\inc\drdron3.php (the php mailer, says By Dr. Don)
\inc\drdon5.php (the php mailer, says By Dr. Don)
\Insurance, Banking, Investments & Retirement USAA_files\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
\Password Recovery USAA_files\ (this whole folder looks like somebody used a crawler and downloaded an entire site)
example 1:
md5 9c30006eeed3c63a1b69cdd0a8460a2d
https://www.virustotal.com/gui/file/53284e912767f54366aa6451f708ff81a9f4683b5f2eac50725d4f8083351379/details
hxxp://dead-daughter[.]com/
example 2:
md5 a54fd7f069e3f4bb83f8af1f3c4e66f0
https://www.virustotal.com/#/file/536c64c4f5612b02305783009ab1d8b0860b3f2232d3567f556274f26d6761f7/detection
hxxp://hairless-preserver[.]000webhostapp[.]com/
References
https://twitter.com/ActorExpose/status/1133098597531234304
Comments
Post a Comment