Simple Form2Mail2 - Phishing Kit Type
#SimpleForm2Mail2 #PhishingKitType #phishing #phishingkit
@m1crome1t documented a phishing kit targeting Yahoo passwords. The kit was very simple: it had only 3 files and looked like a scrape/crawl of the legitimate Yahoo site, using all of yahoo.com's images, etc.
folder structure
\login.html (the phishing page, posts to form2mail2.php)
\form2mail2.php (contains the #threatactoremail)
\index.php (just redirects to login.html)
@ActorExpose came across a 2nd example that also had all links pointing to yahoo.com URLs, with no images or CSS stored locally.
folder structure
\form2mail2.php
\index.php
\login.html
contains text
Yahoo ReZult Hacked by Pedro
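A hosting or abuse team can turn the three-file layout and the marker text above into a web-root sweep. The following is an added example, not code from either kit or from the researchers cited; the function names, the scoring threshold and the sample file contents are assumptions constructed for illustration.

```python
import os
import re

KIT_FILES = {"login.html", "form2mail2.php", "index.php"}  # layout listed in the post
MARKER = "yahoo rezult hacked by pedro"                     # text from the post, lowercased
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def match_kit(files):
    """files maps lowercased file name -> text. Returns findings plus a 0-3 score."""
    actions = FORM_ACTION.findall(files.get("login.html", ""))
    found = {
        "layout": KIT_FILES <= set(files),
        "posts_to_mailer": any(
            a.lower().split("?")[0].endswith("form2mail2.php") for a in actions),
        # Assumption: the post does not say which file holds the text, so check all.
        "marker": any(MARKER in text.lower() for text in files.values()),
    }
    found["score"] = sum(found.values())
    # Addresses in the mailer are leads for the recipient, not proof on their own.
    found["mailer_addresses"] = sorted(set(EMAIL.findall(files.get("form2mail2.php", ""))))
    return found

def scan_tree(root, min_score=2):
    """Walk a web root and return {directory: findings} for likely kit folders."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        files = {}
        for name in names:
            if name.lower() in KIT_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[name.lower()] = fh.read(1_000_000)  # cap read size
        if files:
            result = match_kit(files)
            if result["score"] >= min_score:
                hits[dirpath] = result
    return hits

# Constructed sample content (not taken from either real kit).
SAMPLE_KIT = {
    "index.php": '<?php header("Location: login.html"); ?>',
    "login.html": '<form method="post" action="form2mail2.php"><input name="passwd"></form>',
    "form2mail2.php": '<?php $to = "collector@example.invalid"; '
                      '$subject = "Yahoo ReZult Hacked by Pedro"; ?>',
}
BENIGN_SITE = {
    "index.php": "<?php echo 'hello'; ?>",
    "login.html": '<form method="post" action="/auth.php"></form>',
}
```

Requiring two of the three signals keeps an ordinary site that merely has `index.php` and `login.html` out of the results.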
example 1:
md5 ee181ca99624f75c3fae5d4725e49be8
https://www.virustotal.com/#/file/ff3c69b21aa8d81f5345b772165eb7f4396f6dc24093576351d72062ce1fb481/detection
example 2:
md5 7e5e7c3ef38def9c43c7cdcd390ed29e
https://www.virustotal.com/gui/file/aa404e24b415353ab912232618330545f105906e3d0159ade614d93d4618d0d4/community
hxxps://lavernesjohnson[.]gq/
niloson.hopto[.]org
References
https://twitter.com/m1crome1t/status/1133115659011928065
https://twitter.com/ActorExpose/status/1133711942479167490