#JsonAPI #PhishingKitType #phishing #phishingkit
@JCyberSec_ documented a phishing kit targeting Airbnb that uses a JSON-based HTTP POST API in \assets\API.php and stores its phishing-kit clicker activity in a file called updates.json
folder structure
\000-default.conf
\admin.php
\ban.txt
\hosts
\index.php
\updates.json
\assets\API.php
\assets\API.user.php
\assets\crawler.detect.php
\assets\func.all.php
\assets\goo\
\assets\fb\
\css\
\data\
\fonts\
\img\
\js\jQuery.dPassword.js
\js\notify.mp3 <=== voice over music the phish will play in the browser
\js\notify.ogg <=== voice over music the phish will play in the browser
\login\
admin.php has cpanel misspelled as 'cpanle_login':
function cpanle_login()
updates.json contains all the phishing page access history (timestamp, ip address)
func.all.php uses geoip lookup from freegeoip[.]net
http://freegeoip.net/json/
numerous comments in multiple files saying
// CHECK USER HUMAN
ajax postbacks to \assets\API.php
$.ajax({
method: "POST",
url: "assets/API.php",
Apache-related config files such as
000-default.conf
[something].site
[something].conf
each starting with the line
<VirtualHost *:80>
The word METHOD is misspelled with an extra E at the end numerous times:
<label>LOGIN METHODE</label>
$user['methode']
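As an added defender-side example (not from the original post or from the kit itself), the following Python scanner checks an extracted kit directory for the fingerprints noted above: the misspellings, the "CHECK USER HUMAN" comment, the freegeoip lookup, the assets/API.php postback and the expected file layout. The fingerprint strings and paths are the ones listed on this page; the sample tree the script builds is constructed here for illustration only.

```python
import os
import re
import tempfile

# Content fingerprints taken from the artifacts noted above (typos, comment, GeoIP URL, postback).
FINGERPRINTS = {
    "cpanle_login_typo": re.compile(r"cpanle_login"),
    "methode_typo": re.compile(r"\bmethode\b", re.IGNORECASE),
    "check_user_human_comment": re.compile(r"//\s*CHECK USER HUMAN"),
    "freegeoip_lookup": re.compile(r"freegeoip\.net/json"),
    "api_php_postback": re.compile(r"assets/API\.php"),
}
# Paths from the kit's folder structure listed above, checked relative to the extracted root.
EXPECTED_PATHS = ["admin.php", "updates.json", "assets/API.php",
                  "assets/API.user.php", "assets/crawler.detect.php", "assets/func.all.php"]

def scan_kit(root):
    """Walk an extracted kit tree; return (fingerprint -> matching files, expected paths present)."""
    hits = {name: [] for name in FINGERPRINTS}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()  # errors="ignore" keeps binary assets (mp3, fonts) from aborting the scan
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for name, pattern in FINGERPRINTS.items():
                if pattern.search(text):
                    hits[name].append(rel)
    present = [p for p in EXPECTED_PATHS if os.path.isfile(os.path.join(root, p))]
    return hits, present

def build_sample_kit():
    """Constructed sample tree reproducing the noted artifacts; it is not a real kit."""
    root = tempfile.mkdtemp(prefix="kit_sample_")
    sample_files = {
        "admin.php": "<?php\nfunction cpanle_login() {\n}\n",
        "assets/func.all.php": "<?php\n// CHECK USER HUMAN\n$geo = 'http://freegeoip.net/json/';\n",
        "assets/API.php": "<?php\n$user['methode'] = 'mail';\n",
        "js/app.js": "$.ajax({ method: 'POST', url: 'assets/API.php' });\n",
        "updates.json": "[]\n",
    }
    for rel, content in sample_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run scan_kit() against a real extracted kit root; a match on several fingerprints plus most of the expected paths is a strong sign of this family, while a single hit (for example only the freegeoip URL) is not.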
example 1
md5: 656a00ba927bc00a2f22d5ba0db15d2e
https://www.virustotal.com/#/file/b299d18f08bdfcaf67f8f4ffc05ede7a1f27867e07296da4c2552eb97f35334e/detection
hxxps://www.airbnb.es.ab219329[.]pw
screenshots
https://imgur.com/a/70xPRKK
References
https://twitter.com/JCyberSec_/status/1132692482427432960