PRIV9 - Phishing Kit Type

#PRIV9 #PhishingKitType #CAZANOVA163 #phishing #phishingkit
The Priv9 phishing kit is made by CAZANOVA163 ( https://phishingkittracker.blogspot.com/2019/05/cazanova163.html ) and looks pretty much identical to Priv8. In fact, they didn't even change the version strings, so they all still say Priv8.
login.php, id.php, cc.php, bnk.php and vbv.php contain strings that indicate the author:
$subject = "PRIV8 V2 LOGIN INFO FROM [$country] -  $ip - $xUserName";
$headers = "From: CAZANOVA163 <CAZANOVA163-Free-Tools@hotmail.com>\r\n";

There is an About.txt that says:
# SCAMA CAZANOVA V2 #
CHANGE EMAIL ADDRESS V2/inc/config.php



The folder structure may look like:
\index.php
\home\vbv.php
\home\suspecisious.php
\home\inc\login.php
\home\inc\cc.php
\home\inc\id.php
\home\inc\bnk.php
\home\inc\vbv.php



NOTE: the 'home' folder may be renamed to many other things, such as 'V2'.
The kit may also sit in folders like PRIVE8 or PRIVE9 as versions change.
config.php contains the #threatactoremail

The file name suspecious.php is misspelled (notice the e instead of an i).

Stolen data is saved to:
../../result/Re3sult.txt

Webcam image capture on identity.php (confirm your identity):
\home\img\webcam.min.js  ( http://github.com/jhuckaby/webcamjs - Webcam Image Capture )


Redirect to paypal.com:
\home\img\thanks.js


example 1
md5 63f73f4bc9fc243cb919708286c700d8
https://www.virustotal.com/#/file/06be80d28dd6a0cf906b0e7a24054dce23f0a62c982a1eacb83ffbe7073f8dba/detection
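
A triage sketch for the indicators listed above (added here, not code from the original post or from the kit): it walks a web root or an unpacked archive and reports the file-name and string matches. The function names, the sample tree and the example.invalid address are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the write-up; folder names are skipped because 'home' gets renamed.
STRINGS = {
    "author handle": re.compile(rb"CAZANOVA163", re.I),
    "About.txt banner": re.compile(rb"SCAMA\s+CAZANOVA", re.I),
    "mail subject": re.compile(rb"PRIV8 V2 LOGIN INFO FROM"),
}
ODD_NAMES = {"suspecious.php", "suspecisious.php", "re3sult.txt"}
INC_SCRIPTS = {"login.php", "id.php", "cc.php", "bnk.php", "vbv.php"}

def scan_tree(root, max_bytes=1_000_000):
    """Return sorted (relative_path, indicator) pairs found under root."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if INC_SCRIPTS <= {f.lower() for f in files}:
            hits.add((rel_dir, "all five collection scripts in one folder"))
        for name in files:
            rel = f"{rel_dir}/{name}" if rel_dir != "." else name
            if name.lower() in ODD_NAMES:
                hits.add((rel, "kit-specific file name"))
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            hits.update((rel, label) for label, rx in STRINGS.items() if rx.search(data))
    return sorted(hits)

def build_sample(root):
    """Constructed test tree: kit with 'home' renamed to 'V2', plus a benign site."""
    files = {f"V2/inc/{n}": "<?php ?>" for n in INC_SCRIPTS}
    files["V2/inc/login.php"] = '<?php $headers = "From: CAZANOVA163 <a@example.invalid>";'
    files["V2/About.txt"] = "# SCAMA CAZANOVA V2 #\n"
    files["V2/suspecious.php"] = "<?php ?>"
    files["blog/login.php"] = "<?php echo 'hello'; ?>"
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*(f"{p}: {w}" for p, w in scan_tree(tmp)), sep="\n")
```

A lone login.php or a copy of webcam.min.js is not reported, since both are common on legitimate sites; the string matches and the misspelled names carry the weight.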
