XaouFi - Phishing Kit Type
#XaouFi #PhishingKitType #phishing #phishingkit
@MaelSecurity documented a phishing kit called XaouFi that targets PayPal passwords.
It may contain strings such as:
XaouFi V5 PPL IDENTITY
From: XaouFi V5 Ppl Identity
XaouFi V5 PPL FULLZ
From: XaouFi V5 Ppl Fullz
XAoufiX PPL LOGIN
XaouFi V5 PPL SELFIE
From: XaouFi V5 Ppl Selfie
All Created by AdEm AouFi
https://www.facebook.com/ad.emaoufi.524
ICQ : 746200545
The folder structure is likely similar to this:
\app
\extra
\prevents
\proof
The author advertises himself in "extra\mine.php", which is also where the #threatactoremail who purchased the kit will put their email address.
It may contain numerically named files such as step1.php, step2.php, step3.php, step4.php in the folder extra\stockers\.
It appears to ask for all kinds of information such as password, credit card, selfie photo, etc.
There's also a whole folder called \prevents\ aimed at blocking bots, researchers, etc.
It may save stolen passwords in files like:
../../stored.txt
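A triage check built from the indicators above, as an added example rather than code from the original post or from @MaelSecurity: it scans a zip archive in memory for the kit's strings and folder layout. The function names, the "three kit folders" threshold and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Indicators copied from the write-up above; matching is case-insensitive.
STRING_MARKERS = re.compile(
    rb"xaoufi v5 ppl (?:identity|fullz|selfie)|xaoufix ppl login|created by adem aoufi", re.I)
KIT_DIRS = {"app", "extra", "prevents", "proof"}
STEP_FILE = re.compile(r"(?:^|/)extra/stockers/step\d+\.php$", re.I)
MINE_FILE = re.compile(r"(?:^|/)extra/mine\.php$", re.I)


def scan_archive(data: bytes, max_read: int = 1_000_000) -> dict:
    """Collect XaouFi indicators from a zip archive without extracting it to disk."""
    hits = {"strings": set(), "dirs": set(), "step_files": [], "mine_php": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = info.filename.replace("\\", "/")  # archives built on Windows
            parts = [p.lower() for p in path.split("/") if p]
            hits["dirs"] |= KIT_DIRS.intersection(parts if info.is_dir() else parts[:-1])
            if info.is_dir():
                continue
            if STEP_FILE.search(path):
                hits["step_files"].append(path)
            hits["mine_php"] = hits["mine_php"] or bool(MINE_FILE.search(path))
            with zf.open(info) as fh:  # bounded read guards against zip bombs
                blob = fh.read(max_read)
            hits["strings"] |= {m.group(0).decode().lower() for m in STRING_MARKERS.finditer(blob)}
    # Assumed rule: a kit string alone could be a report quoting it, so require layout too.
    layout = len(hits["dirs"]) >= 3 or hits["mine_php"] or bool(hits["step_files"])
    hits["match"] = bool(hits["strings"]) and layout
    return hits


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {path: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed, inert sample: paths and strings from the page, placeholder contents.
SAMPLE = build_zip({
    "XaouFi-V5/extra/mine.php": b"All Created by AdEm AouFi",
    "XaouFi-V5/extra/stockers/step1.php": b"From: XaouFi V5 Ppl Fullz",
    "XaouFi-V5/prevents/placeholder.php": b"",
})
```

Calling `scan_archive(SAMPLE)` returns the matched strings, kit folders and step files alongside the overall `match` verdict, so an analyst can see why an archive was flagged.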
example 1:
md5 7af74bab786aee062fe266875a51f6eb
http://restorelimitedaccountcenter.com/XaouFi-V5.zip
https://www.virustotal.com/#/file/5b0bdd009572e8ab9b13a91efaee039d80134546e11b22e4eed4238f29cc582e/details
References
https://twitter.com/MaelSecurity/status/1125060918004658177