- A threat actor has advertised the sale of a phishing toolkit service, named ‘NakedPages’.
- The toolkit is claimed to be battle-tested and effective for phishing entities like Google & Microsoft Office.
- Data collected from phishing sites could be sold on the dark web.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks.
- Monitor user accounts and systems for anomalies that could indicate account takeovers.
- Implement MFA across accounts.
The contextual AI digital risk platform XVigil discovered a threat actor advertising a “battle-tested” reverse proxy/PHP phishing app called “NakedPages” on a cybercrime forum.
[Image: Post advertising “NakedPages” phishing app or Phishing Toolkit]
Analysis and Attribution of Phishing Toolkit
Information from the Post
The advertisement on the cybercrime forum claims that:
"Naked Pages is the phishing tool any serious developer//spammer needs with more features than any other reverse proxy combined or PHP phishing framework combined."
Recruitment pitch in the post
- The post mentions the possibility of providing software licenses if the buyer can pay USD 1000 upfront.
- The post also mentions that the open-source project is available on GitHub and that they are recruiting new developers to join the team.
- A Google form, as shown in the image below, was shared in the post. Those interested in purchasing the toolkit can contact the threat actor by filling out the form. Respondents purportedly get access to a private GitHub repository.
- Not much is known about the contents of the repository. However, it can be inferred that it is related to the phishing software that the threat actor/group is developing.
[Image: Google forms questionnaire for interested customers]
Information from Open Source
- NakedPages phishing toolkit has been advertised on a few Telegram channels as well.
- The Telegram channels and the GitHub repository use the same logo for the advertised phishing kit.
Build Features of the Phishing Toolkit
- The binary used to orchestrate the software is nkp.app.
- As the phishing toolkit is designed to work on Linux, it requests R-W-X permissions for the “user” and R-X permissions for both “group” and “others”.
Functionality of the Phishing Toolkit
Based on information gathered from Telegram and cybercrime forums, the phishing kit’s features are:
- Fully automated, and comes preloaded with 50+ phishing templates/site projects in the ./projects file.
- It has fully integrated and battle-tested anti-bot functionality, which is database integrated, and detects bots of all kinds from 120+ countries.
- One-click setup and launch with command bash setup/sh and one-click support for working in a local environment with mkcert.
- Database Storage with MongoDB.
- Readymade Project Generation with 0 lines of code, with command node generate-project.js.
- Auto SSL and domain configuration with bash change-domain.sh script.
- Rendering PHP files and passing data from PHP to reverse proxy and vice versa. Unlike other reverse proxy apps, this is real life tested to handle multiple sources of traffic.
- Assets can be stored inside the executable to make it even more portable.
- Strong Session AUTH with Fingerprints and Cookies. Results, Cookies, and User Fingerprint details are sent to the Telegram channel configured in config.env.
- It allows threat actors to manually receive results, decode responses, add cookies, and filter users from the user JS config.
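Because the kit is advertised as capturing session cookies and fingerprints, a stolen session may later be presented from a client other than the one where it started. The following detection sketch is an added example, not part of the original report; the event field names, the /24 and /48 grouping, the severity labels and the sample events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed session events; field names are assumptions, not a product schema.
EVENTS = [
    {"ts": "2022-06-01T09:00:05", "user": "alice", "session": "s-1001",
     "ip": "198.51.100.10", "ua": "Firefox/101 (Windows)"},
    {"ts": "2022-06-01T09:20:41", "user": "alice", "session": "s-1001",
     "ip": "198.51.100.77", "ua": "Firefox/101 (Windows)"},  # same /24, same UA
    {"ts": "2022-06-01T09:31:12", "user": "alice", "session": "s-1001",
     "ip": "203.0.113.45", "ua": "Chrome/102 (Linux)"},      # new network, new UA
    {"ts": "2022-06-01T10:02:00", "user": "bob", "session": "s-2002",
     "ip": "192.0.2.8", "ua": "Safari/15 (macOS)"},
    {"ts": "2022-06-01T10:40:00", "user": "bob", "session": "s-2002",
     "ip": "203.0.113.200", "ua": "Safari/15 (macOS)"},      # new network only
]


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network so that
    ordinary address churn inside one network is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def find_session_replay(events):
    """Return one finding per session cookie that is later presented from a
    network other than the one where the session was first seen."""
    first_seen, findings = {}, {}
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        key = (e["user"], e["session"])
        client = (network_of(e["ip"]), e["ua"])
        if key not in first_seen:
            first_seen[key] = client          # bind the session to its first client
            continue
        if client[0] == first_seen[key][0]:
            continue                          # same network: treat as the same client
        # Network changed; a changed user agent as well makes replay more likely.
        severity = "high" if client[1] != first_seen[key][1] else "low"
        if key not in findings or (severity, findings[key]["severity"]) == ("high", "low"):
            findings[key] = {"user": e["user"], "session": e["session"],
                             "severity": severity, "ts": e["ts"], "ip": e["ip"]}
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_session_replay(EVENTS):
        print(finding)
```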
The Threat Actor
- The threat actor is a new user on GitHub and the cybercrime forum, and both accounts are less than a month old.
- There have been no concrete samples shared by the threat actor. Repeated attempts to establish contact were made by our source, but the threat actor hasn't responded.
- The actor has no reputation on the forum.
- The database shared by the actor can be termed valid, given that there are no complaints against the actor.
- The reliability of the actor can be rated C.
- The credibility of the advertisement can be rated 5.
- This gives an overall source credibility of C5.
[Image: Some metadata about the threat actor, from patch versions on GitHub]
[Image: Telegram channels associated with this phishing toolkit]