Cybercriminals constantly refine their tactics to stay ahead of security defenses, and phishing attacks are no exception. While many attackers rely on pre-made phishing kits, the final execution of these scams can vary significantly. Even when using the same tools, different threat actors apply their unique modifications, resulting in distinct methods of operation and security evasion. This article examines two phishing campaigns that initially appeared identical but ultimately revealed crucial differences under closer inspection.
The Evolution of Phishing Techniques
Phishing campaigns follow trends just like any other industry. Attackers tend to adopt new techniques that improve their chances of success. This often leads to multiple cybercriminals using the same phishing kits, but the way they implement them can differ significantly.
A case in point involves two phishing attempts detected through an email address publicly listed on the ISC website. This address has been repeatedly scraped by malicious bots and added to phishing campaign lists. Recently, two emails stood out, not because of their content (both used generic lures like "your mailbox is almost full" and "your domain registration is expiring") but because of the websites they directed victims to.
Upon investigation, both phishing emails led to legitimate but compromised websites hosting identical credential-stealing pages. This suggested that the same phishing kit had been used. However, upon further examination, the similarities stopped at the surface level.
The first phishing site's code was straightforward, without obfuscation, making it easy to trace where stolen credentials were being sent: another compromised web server.
The second phishing site, despite its identical appearance, was significantly different under the hood. The attackers had obfuscated the HTML code using Snap Builder, a basic encoding function. While this protection was easy to bypass, there was an additional layer: part of the code was further obfuscated using a simple substitution method.
Even with these extra steps, decrypting the phishing
hxxps[:]//api.telegram[.]org/bot7246282440:AAHJb7KssReEsgMVGaXOjj0TL_3mJGAMIcA/sendMessage
Despite both phishing sites originating from the same kit, the execution varied in security measures. This highlights how cybercriminals can adopt similar tools while implementing them differently to evade detection and maximize their success.
What Undercode Says: A Technical Analysis
Phishing has evolved significantly, and this case provides insight into how attackers experiment with different methods of obfuscation and data exfiltration. Here are key takeaways from these phishing sites:
1. Obfuscation Tactics Are Increasingly Common
- The first phishing page had no obfuscation, making it easy to analyze and trace.
- The second page used Snap Builder obfuscation, combined with a substitution mechanism, to slow down analysis.
- Despite these efforts, modern security tools and skilled analysts can still uncover the true intent.
2. Telegram as a Data Exfiltration Platform
- Traditionally, stolen credentials were sent to attacker-controlled web servers.
- In this case, credentials were sent directly to a Telegram bot, leveraging its API for data exfiltration.
- This method provides attackers with real-time access to stolen data while avoiding traditional detection mechanisms.
3. Compromised Websites Are Preferred Over Fake Domains
- Instead of registering new phishing domains, attackers hijacked legitimate websites.
- This approach improves credibility and bypasses domain reputation checks.
- It also allows attackers to operate without the risk of their domain being blacklisted too quickly.
4. Phishing Kits Continue to Evolve
- Many attackers use off-the-shelf phishing kits, making it easier to launch attacks without deep technical expertise.
- However, more advanced groups modify these kits to add layers of protection and obfuscation.
- This creates variations in phishing pages, even when they originate from the same base kit.
5. Security Awareness Remains Crucial
- Email phishing remains one of the most effective attack vectors.
- Organizations should train employees to recognize common phishing tactics.
- Advanced email filtering and domain monitoring can help detect and prevent these attacks.
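The two findings above (encoding layers that hide the page's real logic, and credentials posted to a Telegram bot endpoint) can be turned into a simple analyst check. The following is an added example, not code from the ISC diary or from either phishing kit: it assumes the kit's "basic encoding" layer behaves like base64 (the substitution layer mentioned in the article is not modelled), peels such layers off a page's HTML, and reports any Telegram Bot API endpoint found at any depth with the bot token redacted. The sample page and bot id/token are constructed placeholders.

```python
import base64
import re

# Constructed sample (not from the page): the Telegram endpoint is hidden under two
# base64 layers. Assumption: the kit's "basic encoding" behaves like base64; the
# substitution layer the article mentions is not modelled here.
_PAYLOAD = 'var u="https://api.telegram.org/bot1234567890:AAEXAMPLE_PLACEHOLDER_TOKEN_0000/sendMessage";'
_INNER = base64.b64encode(_PAYLOAD.encode()).decode()
SAMPLE_HTML = ('<html><body><form method="post" action="#">'
               '<input name="email"><input name="password" type="password"></form>'
               f'<script>eval(atob(atob("{base64.b64encode(_INNER.encode()).decode()}")))</script>'
               '</body></html>')

# api.telegram.org/bot<id>:<token>/<method>  (the token is the bot's secret; never log it)
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")
# Runs of base64 alphabet long enough to be worth trying to decode
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(text: str, max_depth: int = 4) -> list[str]:
    """Return [original, layer1, layer2, ...] by repeatedly base64-decoding any blobs
    found in the previous layer. Stops when nothing new decodes to valid UTF-8."""
    layers = [text]
    for _ in range(max_depth):
        decoded = []
        for blob in B64_BLOB_RE.findall(layers[-1]):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue  # not base64 after all (e.g. a long hash or token)
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def find_telegram_exfil(html: str) -> list[dict]:
    """Report Telegram Bot API endpoints at any decoding depth, with the token redacted."""
    hits = []
    for depth, layer in enumerate(decode_layers(html)):
        for m in TELEGRAM_BOT_RE.finditer(layer):
            hits.append({"depth": depth, "bot_id": m.group(1),
                         "method": m.group(3), "token": m.group(2)[:4] + "...[redacted]"})
    return hits


if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_HTML):
        print(hit)
```

The decoding depth in each hit tells an analyst how many layers the kit wrapped around its exfiltration endpoint, and the bot id (without the token) is a safe value to record in a ticket or share as an indicator.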
This case study demonstrates that while cybercriminals share tools and techniques, their individual implementations vary. The ongoing arms race between attackers and security professionals requires continuous adaptation to new threats.
Fact Checker Results
- Phishing sites often originate from the same kits but differ in execution, proving that attackers personalize their tools for efficiency.
- Obfuscation techniques are increasing, but they remain relatively easy to bypass with the right expertise.
- The Telegram Bot API is becoming a preferred exfiltration method, providing attackers with quick, anonymous access to stolen credentials.
Understanding these evolving threats is key to staying ahead of cybercriminals. By recognizing patterns and adapting defenses accordingly, organizations can better protect themselves from phishing attacks.
References:
Reported By: https://isc.sans.edu/forums/diary/A