WP Analysis of a Massive Phishing Campaign | Imperva

Behind the Scenes of a Tailor-Made Massive Phishing Campaign

A global phishing campaign caught our attention after one of our colleagues was targeted by, and nearly fell victim to, a social engineering attack.

The campaign involved more than 800 different scam domains and impersonated around 340 legitimate companies all over the world – including well-known banks, postal services, delivery services, social media, and eCommerce sites, such as Facebook, Booking.com, and other popular sites that see a high volume of traffic. 

By leveraging a high-quality, single-page application, the scammers were able to dynamically create a convincing website that impersonated a legitimate site, fooling users into a false sense of security.

Our investigation revealed a phishing campaign that employed sophisticated tactics featuring human interactions to deceive its targets and steal their credit card and bank details. While the origin of this campaign was Russian, the threat actors involved pretended to be Ukrainian.

During our investigation, we analyzed several scam domains and reverse-engineered the front-end application. In this blog post, we will describe the attack infrastructure as a way to inform the broader community.

Executive Summary

We identified five Russian IPs and 800 different scam domains associated with this campaign (listed in the IOCs). We traced the campaign back to at least May 2022. The campaign is still running and is regularly updated.

In total, we found phishing sites in more than 48 languages impersonating more than 340 companies.

If we take into consideration how long this campaign has been operational, the number of scam domains, and the variety of languages used, we estimate that thousands of individuals have likely fallen prey and been impacted.

Get ready to take a deep dive into this operation!

How it all began…

It all started when a colleague tried selling a car seat on Yad2. Yad2 is a website where you can find all sorts of used, second-hand goods. 

He received a WhatsApp message from a potential buyer asking for details about the product. After a few messages, the scammer introduced a deceptive paying service, with the Yad2 branding, and sent him a link (hxxps://yad2[.]send-u[.]online/4765567942451). In addition to the Yad2 logo and branding, the fake site also included an orange button to receive payment.

Yad2 website with a child's carseat item listing

Figure 1: Fake Yad2 site

The victim was then redirected to the following payment page (Figure 2), which forwarded the credit card details to the scammers.

Credit card payment page on fake Yad2 website

Figure 2: Payment page

Additionally, the site included a customer support chat interface, allowing the target to contact Yad2. To our surprise, the chatbot answered our questions!

A customer support chatbot on the fake Yad2 site

Figure 3: Chatbot

For the purpose of our investigation, we decided to “take the bait” and submitted an empty, prepaid credit card in order to better understand how the operation worked.

After inserting the credit card details, an SMS message from the credit card company notified us with a payment request from MONODirect, a Ukrainian service. They asked for 4581.00 hryvnia (UAH), the national currency of Ukraine.

SMS message from the credit card company

Figure 4: SMS message from the credit card company

This was the start of our in-depth investigation!

First steps

Aside from the scam domain, we used open-source intelligence (e.g. VirusTotal, AlienVault, and others) to progressively extend our view of the campaign and to uncover more domains.

Figure 5 shows a VirusTotal graph with the different domains, IPs, and URLs that illustrate the scale of this campaign.

VirusTotal graph with the different domains, IPs, and URLs involved in the phishing campaign

Figure 5: VirusTotal graph of the campaign

After plotting all of the domains on a timeline, ordered by creation time (extracted from WHOIS), we determined that the campaign had been running for at least a year, starting in May 2022.

Phishing campaign timeline of IPs

Figure 6: Timeline

The domains used for the campaign were created every couple of days in the following format:

target[.]cheap_domain.

For example, we encountered a number of scam domains related to FedEx:

  • fedex.pay-i.cfd
  • fedex.send-nl.online
  • fedex.faster-deliveryt.online

As you can see, the first part is the target and the second part is the cheap domain.

Additionally, each domain had a short lifespan (only a few days), making it challenging to track and analyze them. 
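The naming pattern above lends itself to a simple check on proxy, DNS or mail-gateway data. The following is an added example, not code from the Imperva research: it flags hostnames where a watched brand appears as a subdomain label of a domain the brand does not own. The `BRANDS` watchlist and the helper names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed watchlist: brand label -> that brand's own domains (extend per organisation).
BRANDS = {
    "fedex": {"fedex.com"},
    "yad2": {"yad2.co.il"},
    "dhl": {"dhl.com"},
}

def hostname_of(value):
    """Return the lower-cased hostname of a URL or bare host, accepting defanged input."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def impersonated_brand(value):
    """Return the brand whose name is used as a subdomain of a foreign domain, else None."""
    host = hostname_of(value)
    labels = host.split(".")
    for brand, own_domains in BRANDS.items():
        if any(host == d or host.endswith("." + d) for d in own_domains):
            continue                  # the brand's own infrastructure
        # Campaign shape: brand label sits left of an unrelated second-level domain.
        # No public-suffix lookup is done, so regional brand domains belong in BRANDS.
        if brand in labels[:-2]:
            return brand
    return None

def flag_hosts(values):
    """Map each suspicious input to the brand it borrows."""
    return {v: b for v in values if (b := impersonated_brand(v))}

# Hostnames quoted in the article plus two benign controls (constructed).
SAMPLE = [
    "fedex.pay-i.cfd",
    "fedex.send-nl.online",
    "fedex.faster-deliveryt.online",
    "hxxps://yad2[.]send-u[.]online/4765567942451",
    "https://www.fedex.com/tracking",
    "example.org",
]

if __name__ == "__main__":
    for host, brand in flag_hosts(SAMPLE).items():
        print(f"{brand:6} {host}")
```

Because each domain lived only a few days, a structural check like this ages better than a blocklist of individual hostnames.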

At this point, we realized how large and global this campaign was, and we decided to dive deeper and to uncover as many details as possible.

Static Analysis

The VirusTotal graph we built gave us the opportunity to compare the structure of different scamming sites.

The first thing we saw was that each site had a main JavaScript page with approximately 50,000 lines of code. It was easy to get lost! 

After reviewing the code, we noticed it had been minified with Webpack and was written in Angular.

Angular syntax inside the JavaScript code

Figure 7: Angular syntax inside the JavaScript code

In order to understand how the single-page application (SPA) worked, we had to fully analyze the JavaScript code and divide it into sections, one for the attackers’ code and one for library code.

A further analysis revealed a list of 320 bank names, located in different countries and their details, in JSON format.

JSON code analysis revealing users' bank data

Figure 8: Bank JSON data

But, we were not yet sure how this list was used as part of the scamming process.

As we continued our investigation of the code, we uncovered a list of languages used across the malicious sites. Each language was tagged differently. Alongside the words written in Ukrainian, there was a Unicode string “\u0445\u0440\u044e\u0448\u0430\u0447\u0438\u0439”, which transliterates into English as “khryushachy”. In Russian, this word means “piggy”. What we can infer from this is that the campaign’s architects purposefully selected a seemingly derogatory term as a way to demonstrate disrespect, likely connected to the ongoing war between Russia and Ukraine.

Code snippet revealing language tag

Figure 9: Ukraine language tagged with the word “piggy” in Russian (Translation provided by Imperva Threat Research)

To further our investigation, we automated part of our research process and created a few regular expressions to find URL patterns, function names, outbound requests, and meaningful keywords.
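A triage pass of this kind can be sketched as follows. This is an added example, not the regular expressions Imperva used: `SAMPLE_BUNDLE` is a constructed stand-in for a minified bundle (only `root/login`, `root/index`, `templateId`, `locale`, `testSDNservssfg.com` and the escaped string appear in the article; `/api/session` and `/ping` are placeholders), and the patterns are assumptions about what is worth extracting.

```python
import re

# Constructed fragment imitating a minified bundle; not recovered campaign code.
SAMPLE_BUNDLE = r'''
const r=[{path:"root/login",component:a},{path:"root/index",component:b}];
this.http.post("/api/session",{templateId:t.templateId,locale:t.locale});
fetch("https://testSDNservssfg.com/ping").then(e=>this.enabled=!0);
var l={uk:"\u0445\u0440\u044e\u0448\u0430\u0447\u0438\u0439"};
'''

# Quoted literals shaped like a route or API path: at least two segments.
ROUTE_RE = re.compile(r"""["'](/?[\w-]+(?:/[\w:-]+)+)["']""")
# Hostnames of absolute URLs, i.e. candidate outbound requests.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Runs of \uXXXX escapes, which hide non-ASCII text from a plain keyword search.
ESCAPED_RE = re.compile(r"(?:\\u[0-9a-fA-F]{4}){2,}")
# Identifiers the article reports as server-controlled parameters.
KEYWORDS = ("templateId", "locale")

def triage(bundle):
    """Extract routes, contacted hosts, decoded strings and keyword counts."""
    return {
        "routes": sorted(set(ROUTE_RE.findall(bundle))),
        "hosts": sorted({h.lower() for h in HOST_RE.findall(bundle)}),
        "decoded": [m.encode("ascii").decode("unicode_escape")
                    for m in ESCAPED_RE.findall(bundle)],
        "keywords": {k: len(re.findall(r"\b%s\b" % re.escape(k), bundle))
                     for k in KEYWORDS},
    }

if __name__ == "__main__":
    for section, values in triage(SAMPLE_BUNDLE).items():
        print(section, values)
```

Hosts that never resolve in public DNS and route literals that no visible page links to are the findings worth following up first.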

From this operation, we discovered several interesting, and hidden, endpoints:

A list of hidden endpoints involved in the phishing campaign

But what exactly are these endpoints? Could they give us a clue about the phishing site infrastructure?

When trying to access these URLs, we were redirected to /root/login, and we got the following screen:

An image of the endpoint URL's /root/login screen

Figure 10: /root/login screen

By reviewing the source code of the application more closely, we spotted a strange DNS query that was performed by the browser.

Code showing front end security mechanism to hide hidden endpoints

Figure 11: Front end security mechanism to hide hidden endpoints

After analyzing the code, we ended up with more questions than answers! So, we adjusted our approach and began studying the behavior of the scam platform.

Dynamic Analysis (contacting the motherland)

A dynamic approach could give us a precise understanding of the communication between the backend API server and the front-end.

We downloaded all resources of the scam site and replicated it behind a man-in-the-middle (MITM) proxy. Next, we overwrote the server’s JSON responses to reverse engineer the application.

Code showing the partial JSON response from the malicious server

Figure 12: Partial JSON response from the malicious server

One parameter provided by the server called `templateId` controlled the entire layout and content of the scam page. For example, it could impersonate more than 340 legit sites including FedEx, CapitalBank, PostExpress — just by setting the value of the `templateId` field.

Screenshot of OLX website

Figure 13: OLX company style stolen when TemplateId=1

Screenshot of DHL website

Figure 14: DHL company style stolen when TemplateId=13

We also discovered that the `locale` parameter enabled the scam server to customize the front end’s content to the attacker’s desired language. The platform supported 48 languages!

Two screenshots of the same scam site, set in different languages

Figure 15: The same scam site with a different locale (left: en, right: ru)

Moreover, by updating the JSON response, scammers could control which payment method they presented to the target.

For example, the picture below shows a payment form of Halyk bank, where a victim must enter three fields: Login\Phone number\ID, password, and account number.

We believe these fields were probably used by the attackers to conduct an account takeover (ATO) attack that eventually led to account hijacking.

Payment screen to a bank account

Figure 16: Payment via a bank account

In total, 320 banks were supported by the platform.

The mystery of the hidden endpoints remained. It appeared that, to make the hidden phishing site endpoints available only to the scammers’ collaborators, the front-end JavaScript tried to reach the domain `testSDNservssfg.com`. However, this domain doesn’t exist on the Internet, which means it was only available in the network of the collaborators who were involved in the campaign. We added the `testSDNservssfg.com` domain to our hosts file, created a local server listening on port 443 to act as our enabling switch, and supplied the relevant response to the front-end.

By doing this, we discovered the content of the hidden endpoints normally only available to the scammers.

The /root/index endpoint was the main page the scammers used to control the platform. Figure 17 below shows that the scammers’ primary language was Russian.

An image of white page with three columns of Russian text

Figure 17: Main page

They developed two main features: `create-bank` and `create-platform`.

The `create-bank` endpoint gave them the ability to add new banks to the current list of 320. It contained a GUI to select the bank logo and all the fields required to “receive” a payment. The output of this method was an updated JSON with the new bank details, which the scammers just needed to insert in the right place within the JavaScript code.

Online banking portal screen

Figure 18: Create-bank endpoint

The `create-platform` endpoint enabled them to create a new template for a new target.

Backend portal for create-platform where fake user identities are created

Figure 19: create-platform endpoint

We also discovered a hidden chat interface, and managed to see the conversation from the attackers’ point of view:

An online chat interface where scammers converse in Russian

Figure 20: The attackers’ secret chat interface (in Russian)

Customer chat interface on the fake OLX website

Figure 21: Customer chat interface

An online chat between the scammers

Figure 22: The attackers’ secret chat interface translated from Russian to English

The attacker’s backend chat interface was also written in Russian. We assume the attackers used an external translation service to respond in the appropriate language.

A sordid detail worth mentioning is that the scammers referred to their targets as “mammoths”, while they called themselves “workers”. From this, we could infer that this malicious operation considered itself a company.

The image the scammers used for the chatbot was identical across all scam sites. When we did a reverse image search, we found a fake LinkedIn account, created in 2020, using the same picture (no followers and the current workplace is AJAX).

A fake LinkedIn profile used by the scammers

Figure 23: Fake LinkedIn profile

What’s Next?

We’re still tracking the activity of this threat actor to get more information that can hopefully lead to shutting down its operation.

Summary

This example illustrates that phishing campaigns are becoming more sophisticated. 

We believe Russian actors created this large modular phishing platform and launched a global campaign while pretending to be Ukrainian.

This campaign also featured advanced techniques to fool targets. We enriched the accompanying indicators of compromise (IOCs) resource with the domains we collected from this campaign. 

Imperva Threat Research is a team of analysts, researchers, data scientists, and security engineers. The team is always monitoring advanced threats to keep customers one step ahead of evolving threats.