RSJ - Phishing Kit Type

#l33bo #PhishingKitAuthor #phishing #phishingkit
#RSJ #l33bo #PhishingKitType #phishing #phishingkit
On 5/26/2019 @ANeilan documented a phishing kit made by l33bo called RSJ; in particular it said RSJ V1.3.1 and the kit targeted Apple users.  l33bo ( https://phishingkittracker.blogspot.com/2019/05/l33bo-phishing-kit-author.html ) is a well-documented, recurring phishing kit author who creates many kits such as this RSJ one.  The RSJ kit appears to grab all kinds of data such as passwords, credit cards, street address, photo identification, etc.  The RSJ kit also appears to have a full-blown administrative panel and the ability to manage the data that is being stolen.
Upload-Identity.php contains the text
"...attempted to send you a completed form containing abusive language. l33bo_Phishers is against abusive form filling..."
and the text
++--------[*RSJ V1.3.1*]--------++

ProcessLogin.php also says
"...Created by l33bo_phishers -- icq: 695059760..."
++-----------[*HIRORSJ RESULT*]------------++

setting.php also says
$panel = "HiroRSJTeam";
$Your_Email = "rsj@example.com"; // Set your email
$SenderEmail = "result-$randomnumber@rsj.tech";

panel.php also says
From: Empas Apel <empasRSJ.team>
Reply-to: RSJ.team
===================== RSJ =====================
From: Bin Colletions <binRSJ.TEAM>
From: RSJ Report <reportHIRO-RSJKING.TEAM>
folder structure
\readme.txt   (contents: "For Read : Login to Server and Click BLOG" )
\Step1.php    (collects user data, seems targeted at Mobile Devices)
\Step2.php
\Step3.php
\Upload-Identity.php ( uses www.cardbinlist[.]com to validate the credit card numbers the victim enters)
\Verify.php   (collects user data, seems targeted at desktop PCs, and posts to Verify2.php)
\Verify2.php
\assets\failed.php  (gives user a message then forwards them to Verify.php)
\assets\invoice.php  (gives user a message then forwards them to Verify.php)
\assets\locked.php  (gives user a message then forwards them to Verify.php)
\assets\signin.php  (gives user a message then forwards them to Verify.php)
\assets\includes\AES.php
\assets\includes\blacklist.dat
\assets\includes\blockers.php
\assets\includes\netcraft_check.php
\assets\includes\ProcessLogin.php
\assets\css\
\assets\fonts\
\assets\img\
\assets\js\    (javascript for form validation like password, address, credit card, etc.)
\assets\js\jquery.payment.js
\assets\logs\
\uploads\
Verify.php checks the screen width and, if it is small (e.g. a mobile device), sends the visitor to Step1.php with a random string in the URL.

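To turn the strings and folder listing above into a check, here is an added Python example (not code from the post or from the kit) that scores an extracted kit archive against the quoted RSJ strings and the file layout; the archive contents are constructed sample data, and the two-indicator corroboration threshold is an assumption.

```python
import io
import zipfile

# Strings the post quotes from the kit's PHP files (taken from the page).
RSJ_STRINGS = ("l33bo_Phishers", "l33bo_phishers", "HIRORSJ RESULT",
               "HiroRSJTeam", "[*RSJ V", "cardbinlist")
# Files from the post's folder listing; matched case-insensitively under any top-level dir.
RSJ_PATHS = ("step1.php", "verify.php", "verify2.php", "upload-identity.php",
             "assets/includes/aes.php", "assets/includes/blockers.php",
             "assets/includes/netcraft_check.php", "assets/includes/processlogin.php")
TEXT_EXT = (".php", ".txt", ".dat", ".js", ".html")

def fingerprint_kit(zip_bytes: bytes) -> dict:
    """Score an archive against the RSJ indicators; returns hits and a verdict."""
    string_hits, path_hits = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = info.filename.replace("\\", "/").lower()
            path_hits.update(p for p in RSJ_PATHS if rel == p or rel.endswith("/" + p))
            # Only read text-like members; skip fonts/images and anything huge.
            if rel.endswith(TEXT_EXT) and info.file_size < 1_000_000:
                text = zf.read(info).decode("utf-8", "ignore")
                string_hits.update(s for s in RSJ_STRINGS if s in text)
    # Assumed threshold: require corroboration, one string alone could be a false positive.
    verdict = "rsj" if len(string_hits) >= 2 or (string_hits and len(path_hits) >= 3) else "unknown"
    return {"strings": sorted(string_hits), "paths": sorted(path_hits), "verdict": verdict}

def build_zip(files: dict) -> bytes:
    """Helper: pack {path: content} into an in-memory zip (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample mimicking the layout and strings described in the post.
SAMPLE_RSJ = build_zip({
    "rsj/readme.txt": "For Read : Login to Server and Click BLOG",
    "rsj/Step1.php": "<?php /* mobile flow */ ?>",
    "rsj/Verify.php": "<?php /* desktop flow */ ?>",
    "rsj/setting.php": '<?php $panel = "HiroRSJTeam"; ?>',
    "rsj/assets/includes/ProcessLogin.php": "<?php // Created by l33bo_phishers ?>",
    "rsj/assets/includes/netcraft_check.php": "<?php ?>",
})
SAMPLE_BENIGN = build_zip({"site/index.php": "<?php echo 'hello'; ?>"})

if __name__ == "__main__":
    print(fingerprint_kit(SAMPLE_RSJ))     # verdict: rsj
    print(fingerprint_kit(SAMPLE_BENIGN))  # verdict: unknown
```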
example 1:
md5 61e508432ab5ebdb73895b544d195c37
https://www.virustotal.com/#/file/2e93c663773f859e183b067064d15ce50fe80c40bfeff344442a172abc052e47/detection
hxxp://manage-purchase.appleid.bogemails.info/rsjrofficialARIE.zip

screenshots
https://imgur.com/a/kNh03Sr

references
https://twitter.com/ANeilan/status/1132725931519483905