Over the weekend, while leisurely browsing the internet, I came across a unique and suspicious link designed specifically for an Indonesian audience. This scam had a fresh approach that piqued my curiosity, prompting me to investigate further.
As I delved into the fraudulent website, I uncovered additional templates resembling WhatsApp Group Invitations, which ultimately served as a disguise for stealing people’s Facebook login credentials. What made this even more alarming was the content shared within these WhatsApp groups, as they were primarily centered around the distribution of viral and explicit adult videos.
In this blog, I’ll discuss my methods for thoroughly investigating a scam campaign, starting from the very basics. Along the course of this campaign, I also came across the phishing kit that had been utilized.
I uncovered this phishing page while surfing through a Telegram channel. It was impersonating the WhatsApp Group Invitation page and was focused on sharing viral and explicit adult content [Fig. 1].
Phishing URL: hxxps://chatwpscpij.terbaru-2023[.]com/Faxt16jOoXfq6
Since all the content was written in Indonesian, it was clearly targeted at Indonesian users. Upon clicking the “Bergabung Ke Chat” (“Join the Chat”) button, it redirected to a fake Facebook login page served by the go.php file, prompting users to enter their login credentials.
When I entered random credentials and clicked the Login button, it triggered the execution of the check.php file on the backend, resulting in a blank page while internally capturing the data and saving it to a data.json file (I learned the filename later, when I discovered the phishing kit for the same template).
After exhaustively exploring various methodologies and inspecting the endpoint that led to a blank page, it initially appeared to be a dead end. However, I kept looking for alternative ways to gather more information about the phishing domain. One of these was to look at the certificates associated with the phishing domain, so I ran a search on crt.sh. To my surprise, this search revealed additional subdomains linked to the phishing domain through their SSL certificates, and one of these subdomains inadvertently exposed the phishing kit.
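The certificate-transparency pivot described above, as an added example that is not part of the original post: it builds the crt.sh JSON query for a domain, parses the response into a de-duplicated list of hostnames, and records when each one first appeared in a certificate. The sample response is constructed (it reuses the campaign's subdomain labels under the placeholder apex `example.com`), the function names are mine, and the live `fetch_hostnames` call needs network access.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample in the shape crt.sh returns for ?q=%25.<apex>&output=json:
# one object per certificate, with name_value listing the SANs separated by newlines.
# The hostname labels echo the campaign's subdomains under a placeholder apex.
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "chatwpscpij.example.com",
     "name_value": "chatwpscpij.example.com\nwww.chatwpscpij.example.com",
     "not_before": "2023-09-18T00:00:00", "not_after": "2023-12-17T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "grup-warxik.example.com",
     "name_value": "grup-warxik.example.com\ngrup-wakcor.example.com",
     "not_before": "2023-09-20T00:00:00", "not_after": "2023-12-19T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-08-01T00:00:00", "not_after": "2023-10-30T00:00:00"},
    # A lookalike that merely contains the apex as a substring: must be dropped.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.lookalike.test",
     "name_value": "example.com.lookalike.test",
     "not_before": "2023-09-01T00:00:00", "not_after": "2023-11-30T00:00:00"},
])


def crtsh_url(apex: str) -> str:
    """Build the crt.sh JSON query for every certificate naming a host under apex."""
    return "https://crt.sh/?q=" + urllib.parse.quote("%." + apex, safe="") + "&output=json"


def extract_hostnames(crtsh_json: str, apex: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames under apex seen in CT logs.

    Wildcards are reduced to their base (a '*.apex' entry proves a wildcard cert
    exists, not which labels are live), and names that only contain the apex as
    a substring are rejected by checking the label boundary.
    """
    apex = apex.lower().rstrip(".")
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        candidates = entry.get("name_value", "").split("\n")
        candidates.append(entry.get("common_name", ""))
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


def first_seen(crtsh_json: str, apex: str) -> dict[str, str]:
    """Map each hostname to its earliest not_before date: a rough timeline of
    when each subdomain was stood up (ISO timestamps compare as strings)."""
    seen: dict[str, str] = {}
    for entry in json.loads(crtsh_json):
        issued = entry.get("not_before", "")
        for name in extract_hostnames(json.dumps([entry]), apex):
            if name not in seen or issued < seen[name]:
                seen[name] = issued
    return seen


def fetch_hostnames(apex: str, timeout: float = 30.0) -> list[str]:
    """Live lookup against crt.sh (needs network); same parsing as above."""
    req = urllib.request.Request(crtsh_url(apex), headers={"User-Agent": "ct-pivot-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_hostnames(resp.read().decode("utf-8"), apex)


if __name__ == "__main__":
    timeline = first_seen(SAMPLE_CRTSH, "example.com")
    for host in extract_hostnames(SAMPLE_CRTSH, "example.com"):
        print(f"{timeline[host]}  {host}")
```

The label-boundary check matters in practice: a naive `apex in name` test would pull in unrelated lookalike domains, and the wildcard reduction keeps `*.apex` from being reported as if it were a live host.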
Upon downloading and thoroughly analyzing this phishing kit, the entire workflow of the phishing template became clear and comprehensible.
In the final stages of examining the entire workflow, I made a crucial discovery when inspecting the last executed file, wana.php. It became evident that all the collected credentials were sent to a different endpoint, as depicted in Figure 7. When I investigated the remote host server, I found a message in Indonesian that read “Mau Nyolong? wkwkkwkw” (in English, “Want to Steal? hahahaha”), conveying a sense of trolling or mockery from the threat actor behind this campaign [Fig. 8].
What makes this situation particularly intriguing is that the source code shows the scammer or group of scammers behind this campaign lacks technical sophistication. They have hardcoded a few Gmail addresses, making it possible for anyone to access victim data simply by reviewing the source code [Fig. 9]. Inspecting the active phishing sites, there does not appear to have been a significant number of victims so far, which suggests that the campaign may have only recently begun and that its impact has been limited thus far [Fig. 10].
During the writing of this blog, I came across several more phishing websites hosted on the same domain, all of which were actively engaged in similar phishing activities. These websites appeared to follow a similar workflow but utilized different phishing-kit templates, indicating a coordinated effort by the scammers to target victims using multiple variations of their scam.
Phishing Domains:
hxxps://grup-warxik.terbaru-2023[.]com/vhsfhqpdhdxih1
hxxps://grup-wakcor.terbaru-2023[.]com/vhsfhqpdhdxih1
Additionally, I encountered another type of phishing website that employs a different tactic to lure victims by impersonating the Mediafire brand. This website tricks users into divulging their Facebook credentials under the false pretense of granting access to download viral adult content videos. It is evident that these scammers are employing various deceptive strategies to steal sensitive information from unsuspecting individuals.
Phishing Domain:
hxxps://mediafirejeryghx.terbaru-2023[.]com/Faxt16jOoXfq6
While discussing this campaign with the founder of phish.report (Bradley Kemp), he shared some insights on how to track more similar websites using IOK, a phish.report tool built on URLScan.io API queries.
By searching URLScan.io for a filename taken from the phishing kit, we can hunt for additional similar phishing URLs on the platform.
Query URL: https://urlscan.io/search/#filename:%2220230920-195253.png%22
filename:"20230920-195253.png"
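The filename pivot above, as an added example that is not from the original post: it builds the same `filename:"…"` query (encoded exactly as in the search URL above, and also as a URLScan.io search API URL), then groups the hits by hostname, skips hosts already known, and lets you pivot again on a shared hosting IP. The result data is constructed in the shape of the search API's `results` array (`page.domain`, `page.ip`, `task.url`, `task.time`), uses the placeholder apex `example.com`, and the function names are mine.

```python
import json
import urllib.parse

SEARCH_UI = "https://urlscan.io/search/#"
SEARCH_API = "https://urlscan.io/api/v1/search/?q="

# Constructed sample shaped like the URLScan.io search API response. Two scans
# of the same page, a sibling subdomain on the same IP, and one unrelated host
# that happens to serve a file with the same name (filename pivots need triage).
SAMPLE_URLSCAN = json.dumps({
    "results": [
        {"task": {"time": "2023-09-22T08:15:00.000Z",
                  "url": "https://chatwpscpij.example.com/Faxt16jOoXfq6"},
         "page": {"domain": "chatwpscpij.example.com", "ip": "203.0.113.10"}},
        {"task": {"time": "2023-09-21T19:52:00.000Z",
                  "url": "https://chatwpscpij.example.com/Faxt16jOoXfq6"},
         "page": {"domain": "chatwpscpij.example.com", "ip": "203.0.113.10"}},
        {"task": {"time": "2023-09-23T11:30:00.000Z",
                  "url": "https://grup-warxik.example.com/vhsfhqpdhdxih1"},
         "page": {"domain": "grup-warxik.example.com", "ip": "203.0.113.10"}},
        {"task": {"time": "2023-09-24T02:05:00.000Z",
                  "url": "https://cdn.unrelated.example.org/20230920-195253.png"},
         "page": {"domain": "cdn.unrelated.example.org", "ip": "198.51.100.7"}},
    ],
    "total": 4,
    "has_more": False,
})


def filename_query(filename: str) -> str:
    """The search term the post uses: filename:"<name>", quoted so that the dot
    and dash in the name are matched literally rather than as separators."""
    return 'filename:"' + filename.replace('"', "") + '"'


def urlscan_search_url(filename: str) -> str:
    """Browser link; keeps ':' literal and encodes the quotes as %22."""
    return SEARCH_UI + urllib.parse.quote(filename_query(filename), safe=":")


def urlscan_api_url(filename: str) -> str:
    """Same query against the JSON search API (GET; needs an API key header for
    higher quotas, which this example does not handle)."""
    return SEARCH_API + urllib.parse.quote(filename_query(filename), safe=":")


def pivot(results_json: str, known_hosts: set[str]) -> dict[str, dict]:
    """Group hits by hostname: earliest scan time, resolved IP, distinct URLs.
    Hosts already in known_hosts are dropped so only new infrastructure surfaces."""
    out: dict[str, dict] = {}
    for hit in json.loads(results_json).get("results", []):
        page, task = hit.get("page", {}), hit.get("task", {})
        host = page.get("domain", "").lower()
        if not host or host in known_hosts:
            continue
        rec = out.setdefault(host, {"first_seen": task.get("time", ""),
                                    "ip": page.get("ip", ""), "urls": []})
        if task.get("time", "") < rec["first_seen"]:
            rec["first_seen"] = task["time"]
        if task.get("url") and task["url"] not in rec["urls"]:
            rec["urls"].append(task["url"])
    return out


def hosts_on_ip(results_json: str, ip: str) -> list[str]:
    """Second pivot: every hostname in the hits that resolved to the given IP."""
    hosts = {hit.get("page", {}).get("domain", "").lower()
             for hit in json.loads(results_json).get("results", [])
             if hit.get("page", {}).get("ip") == ip}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    print(urlscan_search_url("20230920-195253.png"))
    for host, rec in pivot(SAMPLE_URLSCAN, {"chatwpscpij.example.com"}).items():
        print(host, rec["first_seen"], rec["ip"], rec["urls"])
    print(hosts_on_ip(SAMPLE_URLSCAN, "203.0.113.10"))
```

The unrelated host in the sample is the point of the `known_hosts` filter and the IP pivot: a filename match alone is a lead, not a verdict, and a hit that shares hosting with the confirmed phishing pages is a much stronger signal than one that does not.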
Indeed, it is observed that scammers are employing various techniques to lure victims, but their ultimate goal remains straightforward: stealing social media credentials. This campaign has illustrated that scammers can impersonate not just Facebook but potentially any other social media platform, using different templates. It emphasizes the need for heightened vigilance when clicking on shared links in WhatsApp groups or Telegram channels. Furthermore, we must be conscious of when and where we provide our login credentials to protect ourselves from falling victim to these scams.
In closing, I encourage you to share this blog with others to spread awareness about these phishing campaigns and the importance of online security. For threat hunters and cyber threat researchers, this might serve as a valuable starting point in uncovering and addressing other phishing campaigns lurking in the digital landscape. Your contributions to our collective online safety are greatly appreciated.
Your feedback is invaluable, so please connect with me on Twitter or LinkedIn to share your thoughts and insights. Together, we can help protect ourselves and our online communities from cyber threats.