A Look Inside an Apple iCloud Phishing Panel.

in #technology5 years ago

So by sheer dumb luck today, we managed to nab a nice phishing panel and gain access to its backend literally as it got deployed to the internet.

We were monitoring the Certificate Transparency logs for new SSL certs being issued with suspicious domains, and running some quick scans on the ones that triggered a match, when we came across this lovely iCloud phishing page.

Screenshot 2019-05-25 at 14.52.15.png

So lets step through the scam. After we log into the fake iCloud site, get told our account has been locked! OH NO!

Screenshot 2019-05-25 at 14.52.57.png

So we click through to verify our apple account, and we get asked for some nice payment information and security questions.

Screenshot 2019-05-25 at 14.53.21.png

It then tells us our card was declined, and nicely asks us to try another card...

Screenshot 2019-05-25 at 14.55.35.png

After we submit another card, getting ripped off twice here, we are congratulated with a message telling us its all good now! This page lasts about 5 seconds before we get redirected to the legitimate Apple website.

Screenshot 2019-05-25 at 14.59.07.png

Luckily, we managed to catch it seconds before it was deployed, and got ahold of a zip file being served from the webroot, named "SCP.zip". We took a quick look inside it, saw it was something we had not seen before, and quickly realized we might be able to actually have a look inside this scam.

Screenshot 2019-05-25 at 15.05.19.png

Looks like we got ourselves some login details here, lets go check out panel.php.. It asks us to log in!

Screenshot 2019-05-25 at 14.51.29.png

Luckily, we got some tasty credentials from that config file. Lets go log into this mess...

Screenshot 2019-05-25 at 14.51.05.png

So far there are no victims, but notice how it says "Double CC" is active? This fucking thing literally tries get you to enter your card twice by design, to steal two cards off you. How rude. Luckily, there were not yet any victims, besides our test run, so we cleared the logs and buggered off. I might start logging in at random to wipe their logs and piss them off.

So I've put a copy of this kit up on https://github.com/friedphish/phishkits as usual, my next step I think will be seeing if I can find a way to get code execution via the panel, as the PHP looks fucking horrendously janky and honestly, pwning phishers seems like a fun endeavour.

Sort:  

Most of this goes above my head, but @balor, I commend the work you're doing! Man, what people go through to set this stuff up; too bad they couldn't put their energies into doing something productive!

Thank you to @mayb for choosing your post for her Pay it Forward Curation Contest (@pifc) entry!

Warm welcome, @balor. Your content is pretty unique. That's why I decided to recommend it in my @pifc post, today.
https://steempeak.com/payitforward/@mayb/pay-it-forward-you-guys-killed-my-mana-now-go-upvote-those-folks-for-me

Good to have you on Steem. There will be a lot to learn but from what I see, you won't have problems with things like that. Have fun learning steem and thanks for keeping the internet safe for all of us!
I resteemed and followed and will upvote as soon as I can.

Hi @balor welcome on Steem. Quite a great job you're doing in dealing with phishing. A very intellectual task :)

Anyways, have you heard of Partiko and Actifit?

Partiko is a mobile app that rewards users for every comment, upvote and post made through the app. You can start earning with partiko like I'm doing. First, download the app;

https://partiko.app/referral/akomoajong

Also, start earning with actifit by installing the app and post your daily fitness level acquired. Download the app;

Android: http://bit.ly/2CLWDqT

iOS: http://bit.ly/actifit-ios

PS: Login with your posting keys. Never use your master/owner keys to login on any site.

You can equally reach out to me for help or assistance at the Steem terminal discord server which aims at helping new Steemians;

https://discord.gg/Tsd79m3

Posted using Partiko Android

I've been meaning to try out Partiko for posting travel photos and the likes, probably will install it once I've gotten around to replacing my current phone in the coming couple of weeks.
Currently also evaluating eSteem for the desktop (where I do most of my posting at the moment).

Yeah, esteem is good too. I only use esteem to post and this is once in 48hrs when I'm sure to get their upvote because they take 10% of author rewards.

Partiko doesn't take a cut of your rewards and has a much better interface. This why I prefer it to esteem.

Posted using Partiko Android

Congratulations @balor! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You got a First Reply

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

I’m often amazed at how many of these phishing scams are out there and I wonder if they couldn’t just put their efforts into something more constructive!

Even though it’s done pretty half heartedly it clearly works if people continue to create new ones all the time

Posted using Partiko iOS