
Hi everyone, it's an honor to be here for the second time at BSides Tel Aviv. We hear about phishing scams all the time, and yes, phishing is not a new thing out there, but in this session we're going to talk about a specific campaign, a global and massive one that caught our attention since one of our colleagues almost fell prey to it, and it became personal. We'll share the study that we have done as researchers to analyze this entire operation and the techniques used by the attackers to deceive victims and steal their sensitive information.

But before we start, let me introduce myself. My name is Arit, I'm a senior security researcher at Imperva. My main focus is web application security, and as part of my job I develop algorithms to detect and protect against attacks.

Hello everyone, my name is Yan Cam, I'm a senior security researcher as well. I've been focusing on web application security and malware analysis, and if you want to follow me you can use this Twitter link.

Let's start with our story. It all started when a colleague tried selling a car seat on a secondhand website. I'm sure all the Israeli people in this audience are familiar with Yad2, but for those who are not, this is one of the most popular ones. He posted his phone number so people would be able to contact him and ask him about the product, and he waited. A couple of days after the publication he received a WhatsApp message from a potential buyer asking for details about the product, and after a few messages the scammer introduced him to a deceptive payment service with the Yad2 branding.

Now I must stop here for a second to highlight some of the social engineering tricks this scammer used. First, the use of an Israeli phone number with a nice picture on top is quite convincing. The friendly messages, talking in Hebrew, and the use of a smiley are also a nice addition, and actually the use of the WhatsApp application is quite uncommon. All of this combined makes it a very convincing phishing operation.

Now, pressing on the link opens this web page. We can say that the site looked pretty good: it had the theme and the logo of Yad2 and also included all the details of the product. It was served over HTTPS with a valid certificate, which in most cases comes with an unjustified sense of security, and indeed it wasn't the legitimate vendor site. Also, having Yad2 in the URL is not enough. Pressing on the orange button forwards the victim to this payment page, and actually the credit card information is being forwarded to the scammers.

Now at this point we wanted to understand how their operation really works, so we submitted an empty prepaid card in order to better understand how it works, and we got an SMS from the credit card company notifying us of a payment request for Mon Direct, which is a Ukrainian service. They asked for 4,500 in Ukrainian currency, which is around 400 US dollars.

This was the start of our investigation. We wanted to know who is behind this campaign, what is the scale, who are the targets, and for how long it has been active. The initial point was our scam domain, and these are the steps that we decided to take: first, gather information from open source intelligence; then perform static analysis; and last, if needed, perform dynamic analysis. We will elaborate on each and every one of the steps and show you what we finally achieved.

We used WHOIS to get information about when the domain was registered, and we saw that the date was just a few days earlier. We also wanted to know who registered the domain; unfortunately this information was sealed, since the person that created the domain asked for it to be protected.

Next, URLScan. If you're not familiar with the service, it enables you to submit URLs, and it will use an automated browser to fetch and load all the resources of the page, store them in its database, and enable users to perform search queries on this database. So we used URLScan to find additional sites like ours. There is a nice option to search by string and also to get similar URLs or URLs related to the same IP, and also to see all the HTTP transactions of the site. Actually this step gave us a lot of leads, and eventually we found and revealed a lot of sites similar to the scam site from before.

And last, the well-known VirusTotal. We used it to create a graph of the campaign. We discovered thousands of domains and tens of thousands of URLs, and I think that at this point we understood that we are dealing with something big that is worth further investigation.

The VirusTotal graph that we created gave us the opportunity to compare the structure between the different scam sites. It was a single page application written in Angular, and there were multiple JavaScript files with a total of 100K lines. While digging into this code we discovered 320 different banks located all around the world, but at this point we didn't understand what their purpose was. We saw 48 different languages that were used as part of the scam sites, which means that everyone is a target: no matter if you're talking in Hebrew, Dutch, German, whatever, you might be a victim of this campaign. We saw 340 different targets, different companies that this campaign targeted, among them well-known banks, postal services, social media sites like Etsy, eBay, Booking. Again, this finding showed us that this is indeed a massive campaign.

Next, we spotted some hidden URLs in the code, and when we tried to access them we were actually redirected to /root/login and got this screen. By reviewing the source code a bit more closely, we noticed a strange DNS query that was performed by the browser, and at this point we decided to go and do the dynamic approach to better understand the front end functionality. The dynamic approach gives us the precise understanding of the communication between the front end and the back end server of the attackers.

Let's see how it looks without our intervention. So we have a victim that clicks on a malicious link; this opens the scam site in their browser, and the browser communicates with the backend server of the attackers. Now, in order to better understand how the scam site really worked, we created it in our lab and added a man-in-the-middle proxy to be able to manipulate the response from the server. There are some advantages of using a man-in-the-middle proxy: it can generate on-the-fly certificates, assuming that you already created the root certificate, which means that if you want to analyze different domains, different scamming sites, you don't need to worry about certificates anymore. In addition, you don't need to implement the entire server; you just need to create handlers for the specific few queries that you want to perform, and it's like you're creating a minimalist server for quick and efficient testing.

Here is an example of a response from the server. We noticed 20 different template IDs, but we didn't know what their purpose was. Only by doing dynamic analysis could we really understand how the site worked. We realized that changing the template ID actually changes the entire layout of the site. When we used template ID equal to 1 we got an OLX-like layout, and when we changed it to 13 we got the DHL one: a small change, and the site looked completely different. Another parameter controlled the language of the site, and there was another one that was responsible for the payment method that will be displayed to the victim, be it credit card information, like we saw before, or bank information, which was the answer to an open question from before: what was the purpose of the 320 different banks?

Now, remember this strange DNS query that prevented us from reaching all the hidden endpoints in the code. Actually, if you were wondering, no, this domain doesn't exist on the internet; it actually belonged to the local network of the attackers, which we can say is kind of a security mechanism and anti-analysis technique developed by the attackers.

Now let's go back to this. To be able to bypass this DNS query issue, we added the domain to our hosts file and also created a local server listening on port 443, and now, instead of talking to the real server of the scammers, we are talking to our local server, and by that we were able to see what was behind those hidden URLs that were only available to the scammers.

So /root/index was the main page of the scammers. You can see it's written in Russian, and we added a translation in red; that's relevant for the entire presentation. Another one, the create-bank page, gave them the ability to add support for new banks that this scamming operation will use, and with the create-platform page you can add new targets to the campaign.

Now another cool thing that we saw in the code was a hidden scammer chat. We noticed that when a victim writes something in the chat, there is a real person, a scammer, a worker actually, that is answering their questions. We can see that the victim is being called a "mammoth" and the scammer a "worker".

So until now we were able to answer almost all of our questions besides who is behind this campaign, which in most cases is a question that stays unanswered. But during further investigation that we did in the past month, we were able to find a leaked version of the backend source code, and Yan will tell you more about it.

Thank you very much. So, at this point we were pretty satisfied with our understanding of the front end of this phishing campaign. We had an idea of the scale of the campaign, the number of supported sites, the number of supported banks, as well as languages, but we wanted more. We wanted to know how it worked in the back end; we wanted to know who was behind this operation and how they operated.

So we discovered leaked source code associated with our campaign. It came from a mysterious actor, ktf, and it was created at the end of 2023. We have a few assumptions regarding the origin of this leak, but we'll talk about it later. Before having this leaked source code, this is what we knew, more or less, in a short summary: the victim connects to a phishing URL with a unique ID; based on this unique ID, the server will generate a JSON that will enable the front end to customize specifically for this victim. Thanks to this backend source code, this is what we understood about what happens behind the scenes.

There are two main servers. The first one is a Node.js web server that exposes the phishing content that we saw earlier. It's hosted behind Cloudflare, and domains are regularly updated in order to make detection by security solutions harder. The second server is a Node.js server that uses the Telegraf library in order to communicate with a Telegram bot. This bot manages the whole workflow of scammers, from their recruitment to the generation of phishing links, even the communication with the victims. There are a few reasons to use this kind of architecture. One of them is that it enables collaborators to work and communicate with each other without sharing any of their identity or their fingerprint, and besides that, it also enables them to rely on the security and high level of encryption that the Telegram application provides. The scammer only needs to provide his Bitcoin wallet and he's ready to go.

But before really diving into the components of this back end, let's talk a bit about the threat actor, because indeed this was one of the key questions when we were given this phishing link: who are the guys that are doing this? So in this leaked source code we found a link to a private GitHub repository. This attracted our attention because it was private, and it was from an "enigman" account. So we tried to search for this nickname on the internet, and actually we found it in an ad for a scam team management platform in an underground forum. This was exactly what we were looking for. At the end of this message there were links to two Telegram handles, one of them actually being nrcam. So we just followed this lead: from nrcam we went to another one, hjs, and from hjs we were able to find a Telegram channel called Haron Rent, and we discovered that this Telegram channel was the main channel for advertisement of the very scam team management platform that we had in our hands. As you can see here, on the left side we have the main flyer to advertise this service; they emphasize the quick domain rotation and the 24/7 support.

This is when we understood why this campaign was so massive, because this channel includes like 400 members, so possibly 100 teams are using this platform. It was so massive because it's a swarm of campaigns that are using this scam team management platform to perform their operations.

So we went over the messages being exchanged in this Telegram channel and also in the related ones, and we were able to highlight a few things. First of all, all messages were written in Russian, and actually the currency in which this platform is being sold is rubles, so we can clearly associate this operation with Russians. Secondly, it's quite affordable: the price for renting this platform is $100 a month, so even a small-scale team can afford this. Then there is a lot of slang being used in these messages, so we can associate it with young adults. And lastly, there is some kind of community spirit here: tutoring, teaching is recommended, even promoted, we'll see that later, and advice on how to become a better scammer is being provided in these channels. So this is what makes this phishing campaign so effective, in my opinion.

We continued reviewing the messages in this Telegram channel and we found this one, published on November 15, 2023, from the owner of the platform, Haron Rent. He told about the end of the collaboration with a software developer that used to work for him. What he said, more or less, is that due to financial moves he disagreed with, he decided to close the access of this software developer. What's interesting here is the date when this message was posted: the date of the creation of our leak was in the same week, so we suspect that this leak actually originates from this software developer. This highlights the importance of insider threats: whether it's legitimate companies or illegitimate ones, the insider threat is always a concern and something to be taken care of.

Okay, now that we finished talking about the intelligence part, let's talk a bit about the architecture, about the components of this phishing platform. First of all, let's look at the workflow. The would-be scammer would first submit an application to an admin, to the bot, in order to be part of a team. The administrator will accept or reject the application, and then the scammer will have the ability to first find an ad on the internet, a potential victim, create a fake profile and generate a link. Then he'll be able to send this link to the victim, either via SMS or WhatsApp, and finally he will be able to use the Telegram interface in order to communicate with the victim through the support chat. Once the victim falls into the trap, his sensitive information, credit card numbers, is stored on a server. The admin will receive a message in a dedicated Telegram channel, and he'll be able to manage workers, mentors and so on. We'll see that in detail just now.

So these are the components that we'll go over just now. First of all, if at some point in your life you'd like to be part of a scam team (I hope you won't), these are the kind of questions that you may be asked. First of all, which team have you worked for before? Second, what's the total amount of profits that you made? And lastly, how did you find out about the team? The point here is, first of all, to know if you're not a scam yourself, and second of all, to know some references, to know if there are some people that someone can ask questions about you.

So once the application is accepted, this is the main interface that the scammer will see. You'll have the ability to generate links, to manage your links, possibly disable them, and then you also have the ability to add a mentor. This mentor will help you become a better scammer, but on the other hand, he will take a portion of your commission.

This is how the interface looks when the scammer generates a link. On the left side you can see the scam page being generated, and on the right side you can see the interface in the Telegram channel when the link is generated; you can see the link at the bottom. And here is actually the video. (Oh, sorry, I made a mistake. Could you start the video? Thank you.) So here you can see the interface when the victim sends a message in the platform to ask questions, let's say he's not feeling very comfortable sending information or using this platform. So he sends a message to the chat, and automatically, here in the Telegram interface, the message is received, everything is in Russian, so the scammer has the ability to write an answer. Here on the other side we just generated this dummy answer, and then the attacker can see that indeed the message was seen, and then we come back to the victim part and indeed the message was received.

Okay, once the victim falls into the trap, as I said, the data is stored in a database and a message is sent to a dedicated Telegram channel. On the left side you can see the message that the administrator receives. What's interesting to keep in mind here is that the owner of the platform will also get access to this stolen information, because it will be stored in the MySQL database. And then the administrator of the bot will have the ability to manage workers, as I said earlier, adding more mentors, managing the status of workers, rotating domains and so on.

But one question that you may wonder now is: did we try to infiltrate a team? And the answer is yes. We actually found a team, submitted an application, it was accepted, and this gave us a much broader vision of what happens behind the scenes. First of all, we had an idea of the number of teams based on the number of subscribers to the Haron Rent channel, but then we were able to find a team with more than 700 members, so it can give an idea of the potential scale of a single team. And then in the messages being submitted in these channels we could see the amount of money generated by the top scammers, and you can see that some of them are making more than $20,000. So a very quick computation can give us an idea of the scale of the market, and we can say that it's reasonably worth tens of millions of dollars.

So this is it about what we wanted to share regarding this massive phishing campaign. First of all, we looked at the architecture of the phishing-as-a-service software being used in this massive campaign, then we talked about the tools and the methodology to analyze such a campaign, then we talked about the threat related to insiders, and finally we discovered together the scamming actors' ecosystem. I hope you liked this talk, and if you have any questions we are here to answer. We published a blog regarding this story; you can use the QR code here, you