Analyzing a Phishing Campaign that Tricks Victims into Submitting their Credentials
Hi all!
During my threat research journey, I surf a lot of forums to learn about trending phishing techniques and ongoing campaigns. Recently I came across this Reddit post.
The post talked about an ongoing phishing campaign that aims to steal the Facebook and Instagram credentials of unsuspecting users by luring them into an online celebrity voting contest.
Following is the tale of exploring and reporting this scam to the relevant stakeholders.
This phishing campaign
Below is the phishing domain:
https://desicourtesy.vercel.app/
As can be seen, the phishing page is designed to attract an audience that spends a lot of time on social media and celebrity chit-chat. Not all of these victims, but a majority of them, are non-tech-savvy and are easy to trick because they do not suspect such websites. The reason is that lots of marketing and PR agencies organise such campaigns on a regular basis, and this phishing campaign fits right in between them without being easily noticed.
Once you click on the voting button you are presented with a very basic, amateurish UI. This prompt gives you the option to cast your vote via either Facebook or Instagram. Once you click on either of the above choices you are redirected to a Facebook/Instagram login phishing page, as shown below.
Now, when I tried entering random credentials to check where the requests were being made by analysing the "Network" tab of the browser's inspector, it wasn't very fruitful, as all the requests being made were getting invalidated.
From the Reddit post, I also knew to check the JS files for the Firebase key. Upon analysing the JS files, I came across a file named firebase.js which was entirely obfuscated. I used this JS-deobfuscate website to make the JS readable, and I found the API key and the Firebase instance URL of this phishing website.
Upon visiting the Firebase URL, I could observe thousands of credentials of the victims who cast their votes on the above-shared phishing website.
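The firebase.js pointed at above was obfuscated, so a plain search of the bundle for the usual config fields turns up nothing until the string literals are decoded. The following is an added example, not code from the post or the phishing kit: a small static detector that decodes the two literal encodings obfuscators typically rely on (\xNN / \uNNNN escapes and String.fromCharCode calls) and then looks for a Firebase web API key (Google API keys have the fixed shape "AIza" plus 35 characters) and a Realtime Database URL. The sample JS, the key and the database hostname are constructed for the example and are not real values; the patterns are the ones I would use when checking a suspected kit for its exfil endpoint before reporting it, or when auditing one's own bundles for leaked config.

```python
import re

# Google web API keys: fixed prefix "AIza" followed by 35 URL-safe characters.
FIREBASE_API_KEY = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
# Realtime Database hosts: <project>.firebaseio.com or <project>.<region>.firebasedatabase.app
FIREBASE_DB_URL = re.compile(
    r"https://[a-z0-9\-]+\.(?:firebaseio\.com|[a-z0-9\-]+\.firebasedatabase\.app)"
)


def unescape_js_strings(js: str) -> str:
    """Decode \\xNN and \\uNNNN escapes inside string literals and
    String.fromCharCode(n, n, ...) calls, the cheapest tricks obfuscators use
    to keep config values out of a naive grep."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)

    def from_char_code(m):
        codes = re.findall(r"\d+", m.group(1))
        return '"' + "".join(chr(int(n)) for n in codes) + '"'

    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", from_char_code, js)


def find_firebase_config(js: str, deobfuscate: bool = True) -> dict:
    """Return the API keys and database URLs found in a JS bundle.
    With deobfuscate=False the raw text is searched, which is what a plain
    grep would see."""
    if deobfuscate:
        js = unescape_js_strings(js)
    return {
        "api_keys": sorted(set(FIREBASE_API_KEY.findall(js))),
        "database_urls": sorted(set(FIREBASE_DB_URL.findall(js))),
    }


# --- constructed sample input (not a real key, project or kit) ---
SAMPLE_KEY = "AIzaSyEXAMPLE-KEY-NOT-REAL-0123456789ab"  # right shape, fake value
SAMPLE_DB = "https://example-app-default-rtdb.firebaseio.com"


def hex_escape(s: str) -> str:
    """Encode a string the way obfuscators emit string-array entries."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


SAMPLE_JS = (
    "var _0x1a2b=['"
    + "','".join(hex_escape(s) for s in ("apiKey", SAMPLE_KEY, "databaseURL", SAMPLE_DB))
    + "'];\n"
    "firebase.initializeApp({[_0x1a2b[0]]:_0x1a2b[1],[_0x1a2b[2]]:_0x1a2b[3]});\n"
    "var scheme=String.fromCharCode(104,116,116,112,115);\n"
)

if __name__ == "__main__":
    print("raw grep:      ", find_firebase_config(SAMPLE_JS, deobfuscate=False))
    print("after decoding:", find_firebase_config(SAMPLE_JS))
```

Running the block shows the raw search returning nothing while the decoded search returns the constructed key and database URL. Real kits layer further transforms on top (array rotation, RC4-style string decoders), which is why the post fell back to a full deobfuscator; this detector covers the literal-encoding layer that a quick triage usually hits first.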
Delivery Mechanism
The delivery of this phishing website was quite simple. Unsuspecting victims were flooded with a simple message requesting them to cast their vote in support of a user (the scammer). These scammers created fake Facebook and Instagram profiles, slid into the DMs of their victims and shared the phishing links with them. Below is a screenshot of a similar scenario.
Hunting such websites!
Coming across this website was pure luck, but this does not mean we cannot identify other similar phishing websites. Let's have a look at how we can find them. We are going to use urlscan.io for this.
Scanning the above website on urlscan.io gives you the following results:
The above screenshot reveals details such as the IP address the website is hosted on; moreover, it has already been marked as "Malicious" by Google. Diving further into this, we can also check the HTTP requests the website makes. To do so, move to the HTTP section of urlscan.io.
It can be observed that the phishing website fetches lots of resource files such as media, scripts etc. We can take the hash of any of these fetched files and search for it to find similar phishing websites that use the same file. Just click on any of the unique files and then click on the hash; a new window will pop up displaying other websites that serve it.
Above we have chosen the firebase.js file because it is most probably a JS file with custom changes specific to this campaign, which makes it a far better fingerprint than a stock library that countless benign sites also load.
Below are some other similar websites hosting the above firebase.js file
Additionally, you could also search on the IP address used to host the website to broaden your research. Let us take the IP of the newly found phishing website and search it for other similar sites.
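The two pivots described above (the hash of a custom first-party script, then the hosting IP) can be scripted so that a batch of scans is checked the same way each time. The following is an added example, not code from the post or from urlscan.io: it takes scan results in the JSON layout I believe urlscan.io's result API uses (page.ip, page.domain, and data.requests[].response.hash; verify against a live scan before relying on it), keeps only scripts served from the scanned page's own domain, and builds the search queries that mirror the manual clicks, using the search syntax I assume to be `hash:<sha256>` and `page.ip:"<ip>"`. The three sample scans, their domains, IPs and hashes are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse


def constructed_sha256(label: str) -> str:
    """Deterministic stand-in for the SHA-256 a scanner would record.
    Derived from a label so the sample is reproducible; not a real file hash."""
    return hashlib.sha256(label.encode()).hexdigest()


CUSTOM_JS = constructed_sha256("campaign-specific firebase.js")
SDK_JS = constructed_sha256("publicly hosted firebase sdk bundle")


def _scan(domain, ip, resources):
    """Build one constructed scan result in the assumed urlscan.io result layout."""
    return {
        "page": {"domain": domain, "ip": ip},
        "data": {"requests": [
            {"request": {"request": {"url": url}}, "response": {"hash": h}}
            for url, h in resources
        ]},
    }


# Constructed sample: two voting-scam lookalikes sharing one kit file and one
# hosting IP, plus an unrelated site that only loads the public SDK.
SAMPLE_SCANS = [
    _scan("vote-for-me-one.example", "203.0.113.10", [
        ("https://vote-for-me-one.example/firebase.js", CUSTOM_JS),
        ("https://cdn.example/firebase-app.js", SDK_JS),
    ]),
    _scan("celeb-contest-two.example", "203.0.113.10", [
        ("https://celeb-contest-two.example/js/firebase.js", CUSTOM_JS),
        ("https://cdn.example/firebase-app.js", SDK_JS),
    ]),
    _scan("unrelated-shop.example", "203.0.113.20", [
        ("https://cdn.example/firebase-app.js", SDK_JS),
    ]),
]


def first_party_scripts(scan):
    """Return {sha256: url} for .js resources served from the page's own domain.
    Third-party CDN libraries are skipped on purpose: their hashes are shared by
    countless benign sites and would drown the pivot in noise."""
    page_domain = scan["page"]["domain"]
    out = {}
    for req in scan["data"]["requests"]:
        url = req["request"]["request"]["url"]
        h = req.get("response", {}).get("hash")
        if not h:
            continue
        parsed = urlparse(url)
        if parsed.hostname == page_domain and parsed.path.endswith(".js"):
            out[h] = url
    return out


def pivot_queries(scan):
    """One search query per first-party script hash, plus one on the hosting IP."""
    queries = [f"hash:{h}" for h in first_party_scripts(scan)]
    queries.append(f'page.ip:"{scan["page"]["ip"]}"')
    return queries


def shared_first_party_hashes(scans, min_sites=2):
    """Group scans by first-party script hash; a hash seen on >= min_sites
    distinct domains is a strong kit/campaign indicator."""
    sites = defaultdict(set)
    for scan in scans:
        for h in first_party_scripts(scan):
            sites[h].add(scan["page"]["domain"])
    return {h: sorted(d) for h, d in sites.items() if len(d) >= min_sites}


def domains_on_ip(scans, ip):
    """Domains in the scan set hosted on the given IP (the IP pivot)."""
    return sorted({s["page"]["domain"] for s in scans if s["page"]["ip"] == ip})


if __name__ == "__main__":
    for q in pivot_queries(SAMPLE_SCANS[0]):
        print("search:", q)
    print("shared kit files:", shared_first_party_hashes(SAMPLE_SCANS))
    print("same hosting IP:", domains_on_ip(SAMPLE_SCANS, "203.0.113.10"))
```

The first-party filter is the design choice worth keeping: the post picks firebase.js precisely because it is the campaign's own file, and restricting the hash pivot to scripts served from the page's domain encodes that judgement so the query list does not fill up with stock SDK hashes. The IP pivot is noisier on shared hosting and is best read as a lead to verify, not a verdict.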
Digging more into this we can find more websites. However, we shall keep that for later blogs. Thanks for reading. Cheers!!
Thanks, Anshu, for proofreading the blog.
The credits for finding this phishing website go to the Reddit user sab50312 who shared the above post in r/hacking.
You can connect with me on Twitter.