Category:
Adversary Intelligence |
Threat Type
Phishing |
Industry
Multiple |
Region:
Global |
Source*:
C5 |
Executive Summary
THREAT |
IMPACT |
MITIGATION |
- A threat actor has advertised the sale of a phishing toolkit service, named ‘NakedPages’.
- Toolkit claims to be battle-tested and effective for phishing entities like Google & Microsoft Office.
|
- Data collected from phishing sites could be sold on the dark web.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks.
|
- Monitor for anomalies, in user accounts and systems, that could be indicators of possible account takeovers.
- Implement MFA across accounts.
|
CloudSEK’s contextual AI digital risk platform
XVigil discovered a threat actor advertising a “battle-tested” reverse proxy/PHP phishing app called “NakedPages”, on a cybercrime forum.
[caption id="attachment_19520" align="alignnone" width="1156"]
Post advertising “NakedPages” phishing app or Phishing Toolkit[/caption]
Analysis and Attribution of Phishing Toolkit
Information from the Post
The advertisement on the cybercrime forum claims that:
"Naked Pages is the phishing tool any serious developer//spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined." |
- The post mentions that there is a possibility of providing software licenses, if the buyer can pay USD 1000, upfront.
- The post also mentions that the open-source project is available on GitHub and that they are recruiting new developers to join the team.
Recruitment pitch in the post
- A Google form, as shown in the image below, was shared in the post. Those interested in purchasing the toolkit, can contact the threat actor by filling the form. Respondents purportedly get access to a private Github repository.
- Not much is known about the contents of the repository. However, it can be inferred that it is related to the phishing software that the threat actor/ group is developing.
[caption id="attachment_19522" align="alignnone" width="640"]
Google forms questionnaire for interested customers[/caption]
Information from Open Source
- NakedPages phishing toolkit has been advertised on a few Telegram channels as well.
- The Telegram channels and the GitHub repository use the same logo for the advertised phishing kit.
Build Features of the Phishing Toolkit
- The NakePages software has been developed using NodeJS Framework and runs using auto-generated JavaScript code.
- The binary used to orchestrate the software is a nkp.app.
- As the phishing toolkit is designed to work on Linux, it requests for R-W-X permissions from the “user” and further requests for R-X permissions from both “group” and “others”.
Functionality of the Phishing Toolkit
Based on information gathered from Telegram and cybercrime forums, the phishing kit’s features are:
- Fully automated, and comes preloaded with 50+ phishing templates/ site projects, in the ./projects file.
- It has fully integrated and battle-tested anti-bot functionality, which is database integrated, and detects bots of all kinds from 120+ countries.
- One-click setup and launch with command bash setup/sh and one-click support for working in a local environment with mkcert.
- Database Storage with MongoDB.
- Readymade Project Generation with 0 lines of code, with command node generate-project.js.
- Auto SSL and domain configuration with bash change-domain.sh script.
- Rendering PHP files and passing data from PHP to reverse proxy and vice versa. Unlike other reverse proxy apps, this is real life tested to handle multiple sources of traffic.
- Assets can be stored inside the executable to make it even more portable.
- Strong Session AUTH with Fingerprints and Cookies. Results, Cookies, and User Fingerprint details are sent to the Telegram channel configured in config.env.
- It allows threat actors to manually receive results, decode responses, add cookies, and filter users from the user Js config.
The Threat Actor
- The threat actor is a new user on GutHib and the cybercrime forum, and both the accounts are less than a month old.
- There have been no concrete samples shared by the threat actor. Repeated attempts for establishing contact were made by our source, but the threat actor hasn't responded.
Source Rating
- The actor has no reputation on the forum.
- The database shared by the actor can be termed valid, given that there are no complaints against the actor.
Hence,
- The reliability of the actor can be rated C.
- The credibility of the advertisement can be rated 5.
- Giving overall source credibility of C5.
References
Appendix
[caption id="attachment_19523" align="alignnone" width="775"]
Some metadata about the threat actor, from patch versions on Github[/caption]
[caption id="attachment_19524" align="alignnone" width="1083"]
Telegram channels associated with this phishing toolkit[/caption]