
...from Phelipe. So welcome to our talk, "Inside the Fish Tank: A Guide to Compromising Phishing Infrastructure", which is a pretty fancy talk of me and Philipe going through some phishing panels. All my talks start with that: viewer discretion is really advised. If you are easily offended, good for you, you can leave. My last talk was in Saudi Arabia, I wasn't allowed to say [ __ ] a lot, so I'm going to double on that. I have promised to Philipe that I'm going to say the word [ __ ] only five times. I already said it two, so [ __ ] [ __ ] [ __ ], we are all out of [ __ ].
That's me, fancy photo. You can follow me on Twitter. [ __ ] Elon Musk, it's Twitter, it's not X. I'm the CTO at the penetration testing firm called Atropos, which is specialized in renewable energy and API penetration testing. I'm also kind of well known for my research on APIs and IoT, and, sorry, for the past 3 years going after malware, ransomware, APTs. If there is crime, I'm after it. And that's nice duties. My name is Philipe, I have like a pretentious job title, and I pretty much hack whatever dodgy link he sends me. Yeah, that's his research: me saying "Philipe, can you check this?", and every time it's like "is this illegal? Is this
illegal?" So it's a fine line that we pass at some point. We are here to talk about phone snatching and how we are going to kind of hack them, [ __ ] them, and I don't know, we're going to see later. Is it an epidemic? It seems that it's becoming an epidemic here in London. Most of you live here; phone snatching in London is getting out of hand. Most of them are being stolen by a bike, a scooter or whatever, and then they are sent to China for parts, unless they can be unlocked. We can see here a video, the criminals etc. You have the phone in
your hand, someone is sprinting or on a bike or whatever next to you, just grabs the phone off you, and you're pretty much [ __ ], you just lost your phone. Some nice statistics: it seems that most of it is happening in Westminster. In all my wisdom, that is where I live for this week, so I don't take my phone out of my hand. There's a lot of snatching and everything happening in the center of London, and we're getting to the criminals' way: selling it for parts means way, and I mean way, less money. So if you can find an unlocked phone, it
goes, for a new iPhone it goes for four to 500 pounds; for parts it's just 150, so it's way less. And as all criminals do, they wanted to maximize their profits, capitalism, so they had to find a way to unlock. The easiest way to unlock was phishing. So what's happening once you get your phone stolen: you will get one of those. Those are indicative, they're changing templates and everything. You're going to get the phish to your recovery phone number, or your own phone number, or on your new one, because when you lock your phone there is a screen that says "call this" or whatever, that says "your lost iPhone has been found
by the police department, check the details", or "your lost iPhone was found by Apple, check the details". You can see the links in there, they're not obviously Apple. Apple, if it finds your phone, it will probably sell it back to you and not give it to you like that. But what you got in there is this: once you are being phished, or you or whoever else got their phone stolen, they're getting their identity. So they're getting their Apple ID, their Apple Store, their whatever, Apple Cloud, I don't know, I don't remember why it's called. So they're doing it. It was used for people to steal just the phone;
now it seems they are stealing everything. So they're stealing bank credits, they're stealing, because they have access to the iCloud backup, so they can also get emails, they could steal the whole personal data. This is mostly the timeline of how it is going: the phone is stolen, as we said, then it's sold to a criminal, another criminal, the one who stole from you is also a criminal, who identifies the phone model, which is usually "oh, this is an iPhone", sends the phishing SMS to the victim or relative or whoever is the recovery iPhone contact. If they're phished, they steal their credentials and then they profit off them. So what we did: phishing as a service,
we were able to identify four different families. There are a lot of installations, but those are four different panels; we're going to call them families. One went belly up during our research. We have some indication that our research made them go belly up, but this is just what we think. Most of them have Telegram-based communications and all of them have a monthly fee for their users. This is a shout out to a really good friend, I imagine, I consider him a friend, it's gwor. Please drop him a follow on Twitter or anything else on his Linktree. He has done the heavy lifting of CTI, of threat intelligence. I
personally suck at threat intelligence, I don't understand how they do it, I don't understand how they find all this [ __ ]. But Philipe is also pretty shitty. I don't even know what it is, I had to Google it. So yeah, he did all the heavy lifting. We went there and told him "we think that this is an epidemic, can you help us?", and he was instantly saying "yeah, this is a family, this is another family, this is another family, you go do what you do". So yeah, thanks gwor. I would really want an applause for him, because he's going to see the video. Thanks a lot, that's for you gwor. My methodology is the same pretty
much in all my talks. So what I do is identify the panel, the web panel, the web page or whatever; try to find an account, probably a demo or something that they create so that we can see; find any or all vulnerabilities and pwn them. Again, my toolset is kind of repeating in all my talks: it's dirsearch, or if Philipe is doing it, who is really fancy, ffuf; Burp Suite; several droplets on DigitalOcean, because we get blocked a lot, so that we can bypass a certain company that everyone is hiding behind, it's Cloudflare; urlscan.io, which was used by gwor to find all those families; a Telegram tokens
info tool, so that we could extract info from the Telegram tokens; and my Android phone, because that's what I do. Let's set some goals. As I said, identify phishing sites: that's already done, done by gwor, we can have a check. Try to find vulnerabilities: we're going to see if we find vulnerabilities. Identify anyone behind them. Try to disrupt panels and threat actors: we're going to see how we could disrupt them and what we did. Do not disturb any active LE investigation: that's always one of the biggest fears that we have, that if we're going after a criminal and LE is also going after the criminal, we make him go under, we disrupt it.
My Greek friends will understand: don't be a malakas. Never do something that would cause harm to anyone else. And the win for any panel is remote command execution; anything less than remote command execution, we're going to have half the points, not all the points. What are the typical panels? They're advertised in underground forums. As we said, there is a monthly fee that the users pay for phishing. They handle pretty much everything, so they call it full service: they do everything, all the SMSes, all the handling, all the automated way of unlocking iCloud. And it's accessible, obviously, from a web panel, that's why I'm here. The web panels are PHP, you all know how much I love PHP,
because it's pretty [ __ ]. They rarely use any framework. They use SMS services, a lot of SMS services, and a lot of API tokens, and they are hosted usually behind [ __ ] Cloudflare. I'm going to be honest, I hate them a lot, because they just ignore anything that you report to them. When you report something to Cloudflare they just say "yeah, we talked with the client, he's okay with that". But did they ban you? Yeah, no, they haven't banned me yet. How we can disrupt the panels: one is the obvious thing, like delete everything. That's not a great idea, because, one, you destroy pretty much everything and then they just rebuild, and they know they
have an issue. So you have to find a more constructive way of stopping them. You could report the API keys to Cloudflare; as we said, they don't give a [ __ ]. Or their SMS, or they ban their SMSes. You could dump all the data and then communicate those to Apple and pray to whatever your god is that Apple will act on it. You can report to Apple. And last but not least, spam their Telegram channel, so that they're not going to know exactly which data is correct and which is not. So the first panel we're going to talk about is the Barbudo panel. They've been around for around three years, their main
target are Apple devices and they are mainly focused on the Brazilian market as well. Barbudo is a Portuguese word that means like a thick beard, so this is pretty much how you know: it's like a thick beard. And you can see, this is their landing page, so you have like guys drinking whisky, cigars, they're bearded guys. They seem fancy, right? Yeah, yeah, they seem very fancy. So yeah, then you have like a login page. So we started with the basics: run dirsearch. You can see that they're running PHP, you can see a link for cPanel, and then from there we also identified the dashboard they were using. This is unauthenticated,
but with this we can actually check the calls. You know, it won't have authentication; if you're not checking the authentication you might end up getting something. And it turns out they are allergic to single quotes. So yeah, they had a blind time-based SQL injection, which is really slow, which is very slow, very painful, prone to error, and slow and painful. And yeah, after a lot of time we managed to dump the admin password, but it was bcrypt, and every time he sends me a bcrypt pass it's like "damn my life, I hate you". I want to say also that it took us some time, because most of the names of the tables and of the columns
were in Brazilian. Sorry, there's no Brazilian, it was in Portuguese, sorry. So it took some time to find what Portuguese for password stands for. He's Portuguese, he should know it. But I'm Brazilian. But yeah, yeah, [ __ ] off. So yeah, basically we got like a nice bcrypt hash, like "oh [ __ ]". But stop saying [ __ ]. Sorry. So they were like, he used the term morons, I prefer naive, so they're like "okay, we're using bcrypt, we're safe", but their password was 11122 3 3 44. So you just run hashcat, it cracked like in a second. It was cold that day, I was so happy, I was going to have,
because I'm a cheap [ __ ], so I didn't turn the heating on, I was so happy that I was going to have some heat in the room, but no, it cracked in another second. You can see like the amount of tries, it's ridiculous. It's like top 2,000 something from rockyou. It's like a [ __ ] CTF, really. So you know, at least you try. They did kind of the right thing using bcrypt; if they just had like two exclamation marks we wouldn't be able to crack that thing. But yeah, so we got admin access to the panel pretty easy, and then from there you can see they have like a fancy
dashboard with like messages that they can send; there's an administration in there that says all your users, yeah, you can see, and other Portuguese things I don't understand. I know: service notifications, server email domains, server configuration. So yeah, so you can list all the users, and that's pretty much what we did: we dumped all the SMSes they sent, all the users they had, we had access to the SMS as well. And then V was kindly writing the slides, because he's better at this than I was, but he also, you know, gets distracted, so he was just like "oh, let me keep hacking these [ __ ]". Well, we didn't have RCE, as we said, yeah, to get all the
points you need RCE. So while I was preparing the slides, because he had to go somewhere, so I was writing the slides, I said "why don't we try some variations of some passwords?" Yeah, so he checked the configuration file, like "oh, what if I change this, like add a couple of extra characters, remove a couple of extra characters", then: access to the cPanel. So yeah, just downloaded everything, like full access to everything: download the code, download the database, report to Apple, and then 10 of 10 would not recommend. It was actually a very fancy panel, they have loads of features, they have loads of like templating, connection to, it was very fancy,
they even have like other services, like link shorteners. I was impressed, I was like "oh okay, I understand where they're coming from", but yeah, to crime. Okay, this one is an extra that we have there. It's State Red, it's not a phishing one exactly for that; it's mainly a calling panel. It also has some SMS features, so it was used for phishing for stolen phones, but it was mainly used as a calling service that was phishing older people. First appearance was 3 years ago, it was masked as a scripted call service, and it was mainly targeting boomers and vulnerable people. Again, [ __ ] Cloudflare. I used San IO because, I don't know,
I'm a hacker, so I found the direct IP address. They had an exposed git repository, and can you tell me what you're seeing here? So that's also unauthenticated, you don't need to be authenticated: if the GET path is set, read the file and show it, and that's, as far as I remember, a local file include, which means, sorry, so from there: full admin on the panel, database dump shared with authorities and Tech Rants. And Tech Rants did what they always do, they did some kind of article, got the boomer, "how cyber criminals steal one-time passwords", yada yada yada. And then in their web page, that they were, you can say
that they had the actual messaging board and everything, they had that out that says "is the API back on? Is the API back on?", then the admin just said "no, nothing is on", deleted everything, and I would say that, yeah, that's a win, that's another RCE. So these guys are like my favorite, really. They were the biggest of all, they have loads of installations, been around for a long time, and we call them No Name because they're shitty and they have no name. So yeah, if anyone wants to give them a name I'm happy to collaborate with anyone and call them as you want, but right now it's called No Name. Yeah, they had like over 30 installations,
a thousand domains, PHP, because you know PHP is nice if you're doing, I guess, but you know, don't use PHP, use something like Node.js, I don't know. And they, no, yep, if you're doing crime don't go, no. Yeah, they were using the CodeIgniter framework, and yeah, this is like their landing page; if you Google it you can still find it, it's still there. And they had like some nice things saying that, I think, my Spanish is not the strongest, [ __ ] I forgot the term, like "the strongest challenge is the one within yourself" or something, must be, you know, something like, something read from like Joe Rogan, something. So yeah, and
again, allergic to single quotes. You know, logging in, if you're just like "oh, actually my email is a single quote", it would show the bad response. But the main problem was the first one we found was just blind, and that's awful, because it's time-based. So we managed to move towards error-based, like a verbose one, by just doing type casting, which was nice. But we couldn't run sqlmap because they had Imunify360, which was blocking everything, so we had to do manual testing. It was hard to guess because everything was in Spanish, the tables, almost everything, and I tried pretty much everything, asked ChatGPT to guess the name of the table, the password table, and
I couldn't get it right; it was "pw", the name of the column, sorry, which sucks, you know, it should be like my third guess, but whatever. So there is something small on the bottom right, as you can see in there. Can you see that really small flame in there? This is the CodeIgniter debug bar. Yeah, that's why we wanted to use a freaking framework, so they are secure: they [ __ ] up with SQL injection and they also had it in debug mode. So once you click on it, and the problem with this one is that actually they had more debugging than the other ones. Yes, and you got lucky, it was the first one, and I
was like "oh, that's beautiful", because they were YOLOing so hard. Because you can see, you can check like the database calls, the files, the routes, so we could actually see the API calls. So most of the time was just like clicking, sending like a request to the endpoint and checking the database, see if they were going to do something, the password, to try to map the database. And you could also see the last 20 calls with everything, all the details, like server variables, everything. ci_session stands for CodeIgniter, their ci_session, which stands for your login. And also, yeah, at some point I was just clicking and I was like "wait, I didn't send this one, what's going on?" Somebody just logged
in, they had me logged in, and we could just see the session token there. So it was like, okay, it's live, it's not just a CTF, what's going on here. So I was just like "look at this, look at this", like "oh [ __ ]", yeah, [ __ ]. So yeah, but no, we got lucky. So we just started doing everything. With access we could see, you know, pretty much everything they were doing: their servers, the APIs, templates, all the domains. And we actually, because we had access, this is what a victim sent, you can see like some codes there, the emails, you know, phone numbers. And then from there we could just get access to
the cPanel as well; we could dump the cPanel, and then, now that we knew how to do it, we could retrieve it using SQL injection. So we had full access to everything. Through the cPanel we had access to everything: we could get a code backup, we could download the database, then we could report to Apple. But the problem is there were like so many installations, we couldn't do it manually, so yeah, we had to weaponize it. V was like "Philipe, we need to automate it", I was like "okay". And by "we" it's me, it's always me writing the code, because he hates writing code. Yeah, so basically a Python
script, just, you know, check if it's going, your DNS is resolving, if it's going over HTTP, HTTPS, and then, yeah, just exploit the SQL injection. We could get like 32 bytes at a time because of how it was truncating, but yeah. So yeah, just with a Python script we dumped all the credentials and then we download everything, that's pretty much it. We found like 18 active instances, 30k compromised accounts, 150 different users. We found a guy who had half an Apple Store with him; you can see he had like four MacBook Airs, two iPhones, and I don't know, he has a lot of stuff. Yeah, and like I said, you're more than welcome to name them, because
we could give, I could have chosen like three or four names, I wasn't sure, he wasn't sure, and we don't care, to be honest. I was leaning towards SE panel, but yeah. Last one is the one that got us in; it's called SMS Kit, and this is SMS Kit Official. I really love when criminals use the word "official". Because you can see here that they're mostly based on Telegram, and they explain how it works, what they're expecting, how to use their tokens, what they're expecting for the victim to get, and how to interact with them. We have identified three servers, multiple installations on them servers. It was around for about 2
years, and again everything was behind [ __ ] Cloudflare. If there's a Cloudflare employee in here: I had once my talk and there was their CTO, not a great experience, would not recommend. So again, me being me and being a super hacker, I just ran dirsearch. They had a lot of error logs exposed and even more open dirs, as you can see in here; they were leaking about tokens, not that fancy, right? When I say a lot of open dirs I mean a lot of open dirs and a lot of exposed logs. You can see here another SMS message in Morocco, that guy got hacked, got phished, I don't
know the exact term. And in one of those folders they had the zip file with the source code. I did some code review, because, yeah, you don't really need code review, I just went for "system", and it has GET run: if the GET run is there, GET command, system the cmd, all good. All good indeed. Does anyone know what that means? It means, my good friend, [ __ ], RCE, remote command execution. Pretty much everything else: full access to everything, and I mean everything. Code backup, because you know you always need to back up their code, database backup, reporting to Apple. They pulled an exit scam, unfortunately; that's the one that went belly up. They took offline all their
websites, they deleted all Telegram channels. So all in all I would say that's perfection, that's the ultimate disruption in my point of view. We're getting to the end of our talk, and this is probably one of my favorite and least favorite things to talk about: are we the baddies? We practically broke, I practically broke a lot of laws; Philipe didn't do anything, I'm the baddie here. We're in Greece; Greece has a really strange situation about that, so legally the person who you hacked has to go after you. If they want to go after me, be my guest. I always wanted to see myself as not a vigilante but an attic fly, the
fly who will go around the bad persons and disrupt them, interrupt them, and not make them feel that comfortable, not make them feel that they are invulnerable. That's for my good friend, he said I should add that: the secret ingredient for success is crime. We're not doing crime, they're doing crime; we are taking away their secret ingredient. [ __ ] the phishers. So let's check what we did for our goals. We identified the phishing sites. I think we found enough vulnerabilities, right? We identified, you say that, not all but some of the people behind them. We disrupted some of the panels, we're still working on disrupting some more. I believe we did not disturb any
active LE investigations; if we did, we usually get a phone call with someone screaming. I failed on the "don't be a malakas", but that's just me, because you always fail. Yeah, I always fail. And I think I won on pretty much everything, because we got our RCE on everything. What are the next steps? We're going to continue scanning for new panels. We will try to find a better contact at Apple, so again, if someone is working at Apple, please reach out, I'm more than happy to provide you with all our info so that we can help the people who lost all their phones. And last but not least, hack the bad guys, always hack the bad
guys. Thank you, and if you have any questions, feel free to ask.
No questions? Thank you. Oh, you have, you have a microphone? Or a microphone... Great talk, great topic, quick question: do you know the economic side of it? You were talking about the number of, or the cost of selling the iPhones, or the revenue they were having. Do you have any idea on the disruption that you caused to the criminals, like millions, because you know the users, you know how much their phones would be sold, like in the future, in the next 10 years if they continue their business, how much? I don't know. I could give you a ballpark of probably 5 million per year, but that's an educated guess, it needs to be
properly reviewed, and I don't like, I like hacking [ __ ], sorry, sorry. My question is, how did you go about finding their domains during your... I said gwor did all that heavy lifting, he provided all the domains and everything. I don't understand CTI, I'm a [ __ ], I just understand SQL injections, sorry. Anyone else? ...report to LEAs in countries that... No, I did report to some LEAs, but most LEAs don't really care about these kind of things. I have enough connections to LEAs nowadays, due to people, due to situations; they do care about, but that's not one of the things they care about. Again, if someone is a LEA in here and they want
their data, please reach out, I'm more than happy to provide them to you. Anyone else? When you cracked that bcrypt hash and it was an easy password, were you worried that it could be a canary or a bug of injection? I know what a canary is, and even if it was, tough luck, you know, we're not getting paid to do it. They had SQL injection, an unauthenticated SQL injection in their login; there are no canaries in there, or if there were, they're already dead, like decades ago. Anyone else? No? Thank you again, guys.