← Home


BlueTeamLabs Investigation: Phishy V1

Published: 12/6/2022


You have been sent a phishing link — It is your task to investigate this website and find out everything you can about the site, the actor responsible, and perform threat intelligence work on the operator(s) of the phishing site.

When attackers deploy phishing websites, their OpSec, or lack thereof, allows security researchers and investigators to download a copy of the phishing kit for further analysis. In this scenario, a full ZIP file containing the phishing kit was left in an open directory on the web server.


Phishing Website

The phishing site is located at the URL hxxp://securedocument[.]net/secure/L0GIN/protected/login/portal/index1.html?1614546319649.

The page is an attempt at copying an Office365 secure document transfer website and asks the user to provide their O365 credentials to view the shared file.

screenshot of the phishing website

The top left of the page says Microsoft Docs. While this does exist, Microsoft Docs is used for Microsoft’s documentation on its products and not for document transfers. The website also uses HTTP and not HTTPS, as would be expected from a legitimate website.

Viewing the page’s HTML code reveals a suspicious PHP file named jeff.php to which the credentials entered into the login form are sent.

screenshot of the HTML page source

The HTML comments contain the phrase Thanks to PHP Bloke. This text would good to use as a pivot to uncover other phishing websites in the wild using this kit, or similar.

If we view the source for the webpage CSS at style.css. The background behind the login form is actually an image named axCBhIt.png, not any HTML content.

screenshot of the webpage CSS

The webpage background image axCBhIt.png:

phishing page background image

These factors, and others, combined with the non-Microsoft URL prove in no uncertain terms that this is not a legitimate Office 365 file transfer website and is definitely a phishing site.

Phishing Kit

When searching the website for more information, the website hxxp://securedocument[.]net redirects to hxxp://securedocument[.]net/cgi-sys which is a default cPanel page.

screenshot of the default cPanel page

The source code of this page shows this page was actually copied from another website using HTTrack Website Copier.

screenshot of the default cPanel page source

Phishing operators will often redirect all non-phishing URLs to generic websites in an attempt to mislead analysts and automated scanning tools. The operator of the phishing website left a copy of the phishing kit in a .zip format at the URL /secure.

screenshot of /secure open directpry

ubuntu@ip-10-0-3-0:~/Downloads$ sha256sum 0ff1cePh1sh.zip

The file jeff.php is used to process credentials submitted in the web form. The PHP source code shows that the credentials are being sent to the email address boris.smets@tfl-uk[.]co. On submission of the credentials, the victim is then redirected to the legitimate website hxxps://www.office[.]com.

contents of jeff.php

Requests for index.html result in a redirect to index1.html along with a URL parameter derived from the current time using the getTime() JavaScript function.

contents of index.html

This phishing website will not actually work as intended, so the operator will not receive any credentials. This is because in the HTML form on the main page, the email and password variables are being assigned the names userrr and passss respectively. However, jeff.php expects the variable names user1 and pass1 to be passed from the submitted form.