So all you have to do is ask?

I haven’t had much time to write here lately, but today I noticed something funny (maybe). I came across this website: bankstatementkit[.]com

It reminded me of a website from many years ago that allowed users (who weren’t too bright) to check if their credit card had been compromised, obviously by asking them to enter all their card details.

Today’s site, on the other hand, lets users upload their credit card statement as a PDF to get an Excel file in return. At the bottom, they promise to be honest, not to save anything, and to comply with the GDPR. That might even be true, but I’ve never seen a criminal website admit it publicly.

I have no reason to believe that this website isn’t a legitimate business. Its aims are, in my opinion, so absurd, and the idea that someone would upload their own bank statement is so ridiculous that it leads me to believe there aren’t actually any criminals behind it.

If it’s a legitimate business, I wish them the best of luck. If they’re criminals and manage to get their hands on someone’s data, we’ll be able to say that, once again, it’s not just the criminals who are bad, but the users who are stupid, too.

I love optimists

I don’t know much about how Clawdbot works. I’ve never installed it and I’ve only had a quick look at the repo.

Let’s just say I know I don’t know shit about it.

But do so many people really need to expose the service on the internet? Without any restrictions whatsoever?

Have respect for those who study…

Please, don’t call every idiot who commits crimes using a computer a “hacker”. I know I’m harping on about this, but it’s very important to me. The term “hacker” refers to an individual who studies, commits himself, and is driven by an indomitable passion. The press, however, decided that this term was appropriate for any idiot who commits a crime using a computer.

Today I bring you a splendid example of an idiot that some will call a “hacker”.

This genius registered a domain (helpvdeskerify247[.]com) to install a kit to steal credentials from Bank of America customers. Matrix discovered the domain and reported it as “opendir.”

The domain was flagged on urlscan a few minutes after registration 😉

Since it was clearly suspicious, Matrix continued monitoring. After a few hours, Matrix intercepted a change on the site and identified a cloaker, which it then reported as a possible threat.

A day later, the criminal took down the site and exposed the kit: Matrix then intercepted, downloaded, and analyzed it, identified it, and reported it, highlighting the threat.

Here, the criminal already proves he’s no genius. Analyzing the kit, however, reveals a hidden gem… To secure the credentials, the kit uses a Telegram bot:

7937236406:AAGHUl2hThlX_SuxhkIuxVk2ZhAPoxuW8Ao

Okay, nothing unusual, so what’s the strangeness? The genius, instead of leaving the information in the bot’s queue, decides to record a callback. The attack therefore seems a bit more complex than usual. But here’s where the genius shines: the callback is based on the same domain where the kit is located!

So, after traveling around the world, where did the stolen credentials end up? In a damn JSON file on the same machine. 😀 😀 😀

I challenge anyone here to use the term “hacker” to describe this guy!!!

Besides, after two days, GSB and VT continue to ignore this domain. Very well, I’d say.

How to use a Telegram token

In the following article I talk about some approaches to mitigate the damage from a criminal attack. I am not sure if what I am talking about is legal in all countries, so do your research first. Or use a VPS in Russia 😀

Telegram is one of the main tools used by criminals to receive stolen information through various types of attacks, including of course phishing sites.

Below I outline some simple actions we can take to mitigate Telegram bot-based attacks. But first let’s see how to use a token.

For this post I will use a token identified in the last few hours in a kit distributed across several domains:

  • psyclum.org
  • lwonsio.org
  • peyssc.org
  • katjrig.org
  • katjriv.org
  • sorajfm.org
  • niondin.org

Analyzing the deployment methods of the kit, we can see how the criminal registered the various domains and only installed the kit several days later, in an attempt to avoid being intercepted. Fortunately, Matrix also handles these situations 🙂

Let’s move on to the kit; as always, it’s a piece of junk written in PHP. Inside we find the Telegram bot token to which the credentials stolen from unwary users are sent.

Now let’s move on to the main topic of this article: we have a token, what do we do with it? First, let’s study. Here is the documentation on how to use bots: https://core.telegram.org/bots/api

Using VS Code and the excellent “REST Client” extension, we can query the bot and use it to mitigate the criminal action.
First, using the “getMe” method, I check whether the token is active. The 200 return code and the JSON in the response indicate that the token is active and therefore ready to receive information from clients, including the phishing site itself.

When the unwary user enters their credentials into the phishing site, it sends the information to the Telegram bot. Two things can happen here: if there is a registered webhook, the information is sent to the resource indicated as the webhook, otherwise the information is kept in the bot’s message queue to be consumed via the “getUpdates” method.

Using the “getWebhookInfo” method we check the bot status and the possible presence of a webhook. In this case the webhook is not registered and therefore we must use the “getUpdates” method to download any messages present in the queue.

By calling the “getUpdates” method we see that there are no messages in the queue. If there were any, our call would have returned them to us, removing them from the queue.

As mentioned, we have several ways to handle this situation. The first is to register a resource of our own as a webhook that will then receive the stolen information, allowing us to act promptly. For example, you could implement an alert system for the user to warn him that his credentials have been stolen and perhaps even deactivate his account and credit cards. As an alternative to registering your own webhook, you can implement a polling mechanism to download the stolen information, removing it from the criminal’s reach, and use it to mitigate the threat: as mentioned above, you can block the account, warn the user, and explain to them that they need to be careful.

Another approach is token deletion. I personally don’t like this approach because it prevents us from intercepting compromised accounts and therefore deprives us of the ability to act on users.
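The getMe / getWebhookInfo / getUpdates sequence described above, written out as a small Python helper. This is an added example, not the author’s REST Client requests or any code from the kit; `call()` talks to the real Bot API, while the parsing helpers are exercised on constructed sample replies so the file runs offline.

```python
"""Telegram Bot API triage helpers (added example, not the author's code): wraps
getMe, getWebhookInfo and getUpdates as the post uses them and handles the
getUpdates offset so downloaded updates are confirmed and leave the queue."""
import json
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

API = "https://api.telegram.org/bot{token}/{method}"

def call(token: str, method: str, **params: Any) -> Dict[str, Any]:
    """POST a Bot API method and return the parsed JSON envelope (needs network)."""
    body = json.dumps(params).encode()
    req = urllib.request.Request(API.format(token=token, method=method), data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def token_is_active(getme_reply: Dict[str, Any]) -> bool:
    """getMe answers {"ok": true, "result": {...}} only for a live token."""
    return bool(getme_reply.get("ok")) and "result" in getme_reply

def exfil_path(webhook_reply: Dict[str, Any]) -> str:
    """Where incoming data goes: the registered webhook URL, or the polling queue."""
    url = webhook_reply.get("result", {}).get("url", "")
    return f"webhook:{url}" if url else "queue"

def drain_queue(updates_reply: Dict[str, Any]) -> Tuple[List[str], Optional[int]]:
    """Return texts from a getUpdates reply and the offset to pass on the next poll:
    Telegram confirms an update only once getUpdates is called with an offset
    greater than its update_id; until then the same updates are returned again."""
    texts, last_id = [], None
    for upd in updates_reply.get("result", []):
        last_id = upd["update_id"]
        msg = upd.get("message") or upd.get("channel_post") or {}
        texts.append(msg.get("text", ""))
    return texts, (last_id + 1 if last_id is not None else None)

# Constructed replies shaped like the Bot API envelopes the post shows.
SAMPLE_GETME = {"ok": True, "result": {"id": 1, "is_bot": True, "username": "sample_bot"}}
SAMPLE_WEBHOOK = {"ok": True, "result": {"url": "", "pending_update_count": 2}}
SAMPLE_UPDATES = {"ok": True, "result": [
    {"update_id": 100, "message": {"text": "login=victim@example.invalid"}},
    {"update_id": 101, "message": {"text": "pw=<redacted sample>"}}]}

if __name__ == "__main__":  # offline demo; use call(token, "getMe") etc. for a live token
    print(token_is_active(SAMPLE_GETME), exfil_path(SAMPLE_WEBHOOK), drain_queue(SAMPLE_UPDATES))
```

On a live token the same three calls are `call(t, "getMe")`, `call(t, "getWebhookInfo")` and `call(t, "getUpdates", offset=next_offset)`, feeding each reply to the matching helper.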

Phishing using SVG

Today I found an email with an SVG attachment in my secondary email account. The account is Office 365 and the email was not in spam; this is not good, especially considering how much 365 costs! Anyway, back to the email: it was clearly suspicious, also considering the attachment, an SVG file named “Your-to-do-List.svg”, supposedly sent to me by myself.

I immediately downloaded the file and opened it with Notepad++ (all this without the antivirus having anything to say about it…). Inside there was a script that, through a simple algorithm, redirected to a phishing site with the aim of stealing the credentials of the same Office 365 account.

The target URL is: hxxps://bzzrr[.]yiunwox[.]es/!7ijf9v9ehpNFEKt/$

When I tried to forward the message to my Gmail account, Google’s mail server correctly returned an error 🙂

As always, avoid downloading and opening attachments if you are not sure of the source.
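A static check for the kind of attachment described above, added here as an example and not part of the original post. It parses an SVG with the standard library and reports the features that execute code or redirect the viewer; the SVG it inspects is constructed, with a placeholder host rather than the real one.

```python
"""Static triage of an SVG attachment (added example, not the author's code):
flags the SVG features that run code or move the viewer elsewhere, which is
what the attachment in the post relied on. The sample SVG is constructed."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a near-empty image whose only purpose is a script that
# assembles a URL and redirects to it (placeholder host, not the real one).
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="white" onload="go()"/>
  <script><![CDATA[ var p = ["https://", "example.invalid/p/"]; window.location = p.join(""); ]]></script>
</svg>"""
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="red"/></svg>'

def local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}", 1)[-1]

def svg_findings(svg_text: str) -> List[str]:
    """Return one entry per active-content feature found; empty means none seen.
    Resistance of the stdlib parser to entity-expansion bombs depends on the
    bundled Expat (2.4.1+); for bulk mail triage defusedxml is the usual choice."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = local(el.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignObject":
            findings.append("foreignObject (embeds HTML)")
        for attr, val in el.attrib.items():
            a = local(attr).lower()
            if a.startswith("on"):
                findings.append(f"{tag}@{a} event handler")
            elif a == "href" and val.strip().lower().startswith("javascript:"):
                findings.append(f"{tag} javascript: href")
    return findings

def is_suspicious(svg_text: str) -> bool:
    """Treat any active-content feature as grounds to quarantine the attachment."""
    return bool(svg_findings(svg_text))

if __name__ == "__main__":
    print(svg_findings(SAMPLE_SVG), is_suspicious(BENIGN_SVG))
```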

Artea and ING phishing kit

Yesterday I came back from a weekend in Latvia and now I have come across an attack on Artea, a Lithuanian bank… The Baltics are calling me 🙂

Matrix has identified a series of patterns that allowed it to quickly identify the various domains involved:

  • banklithuanial.net
  • lithuaniabankasl.net
  • arteasite-login.net
  • arteabankslogin.net
  • italyingbank.net

One of the sites used for the attack on Artea hosts an attack on ING Italia based on a variant of the same kit.

The kit is simple but decently done.

The comments are in Russian and the Telegram tokens used to transmit the stolen credentials are these:

  • 7621096866:AAFW8cGs93gcFPbpFmyK-mMJKTYYLp4ENwg
  • 7764061568:AAGVrwI8IukR8kqgjn_mEqywmHHtE3RJywE

Correios phishing kit

In the last few weeks I have noticed that attacks on Correios are constant. I have studied the matter a bit: it is the Brazilian state company that manages shipments and payments related to them.

The scam is always the same: attackers write to users saying that a shipment is blocked and that a small payment is needed to unblock it. What is interesting about this attack is that when the user enters their CPF (Cadastro de Pessoas Físicas), their data is displayed on the page, and this certainly looks reliable to the user.

The domain used for the attack is cpf-pendente[.]co[.]ua and it was registered a few hours ago.

The first curiosity is that the archive is a RAR instead of a ZIP. Someone hoped to make life difficult for Matrix, but I love writing code and this allows Matrix to open different types of archives, including, obviously, RAR 🙂

Aside from the type of archive, my curiosity about this kit was raised by the functionality of extracting user data starting from the CPF. I do not know Brazilian law, but the fact that personal data can be extracted from a simple number seems unsafe to me.

The kit uses an external service to resolve the client data. I assume this service is part of the attack and probably uses another service in turn, perhaps a legitimate one or a leak from who knows where. This service is available at the domain anonimobusca[.]online. It was registered one week ago.

To obtain the user information, the phishing kit uses a specific resource exposed by the second domain.

Another aspect is related to how payments are collected. In fact, the kit does not collect the payment data itself. The user makes the payment using systems that manage transactions. The services used to perform the transactions are:

  • paguesafe[.]com
  • atlaspagamentos[.]com

The URLs used are:

  • hxxps://checkout[.]paguesafe[.]io/pl/mn7xXvjg2N
  • hxxps://checkout[.]atlaspagamentos[.]com/pl/RQ9Kz7XTf8

Both services have been active for a short time; they use cheap providers for domain management and have free certificates. In short, I would say that nothing about these services inspires trust.

To this I would like to add that the two graphical interfaces are practically the same.

Business breakfast with fraud

Looking at what ends up in the Matrix network I noticed a kit that targets Kraken customers.

As usual, the victim is frightened with an alleged compromise of their account.

The interesting aspect of this kit is that instead of asking the victim to enter their wallet details, the application suggests that the victim schedule a phone meeting. The user is asked to leave their phone number and is even provided with an .ics file with the appointment details, so that the victim remembers not to make other commitments 😀

The user data is sent to a Telegram bot as usual.

Looking at the updates received from the bot, we find several messages waiting to be read by the fraudster. Since the domain where we found the kit does not yet have the kit online, this means that there are other sites with the kit already in operation.

Searching Elastic for domains with “kraken” in their names that are managed by the same DNS server (dnspod.com) brought up several other domains, including kraken-centre.com, which of course already has the kit online.