A few hours ago Matrix identified a phishing kit targeting customers of the Italian bank Intesa San Paolo (intesasanpaolo[.]com).
This site is hosted on cprapid[.]com, the full url is weblntesasanpaolo[.]35-180-129-166[.]cprapid[.]com.
I just report it as malicious on urlscan.io.
The kit code is a mess 😦 I don’t think the low quality indicates attempts at evasion, more likely the author is a junior dev 😀
The code and comments are in Italian.
The author of the kit offers support to his criminal customers via the Smartsupp platform using the key 8a501f860d70f42e5100568c07885c9b3daa8ceb.
In an attempt to reduce the risk of being identified, in the configuration panel we find a flag set to make the phishing site visible only to mobile devices. Obviously it doesn’t work 🙂
eca's blog 