
It's not often that a phishing case catches my interest, but just a little while ago I got a call that changed that.

Typically I've ignored phishing as a low-skill and uninteresting method of attack. I understand its significance in the security scene, but largely I have let others deal with the phishing cases that come in.

Recently I received a call asking me to assist in a phishing case. Since my assistance was directly requested I joined in, and fairly quickly the case grabbed my attention.
Due to the sensitive nature of DFIR engagements I must refrain from sharing details, but, needless to say, I've caught the phishing bug.

Now, just hours ago I received a phish in my own inbox, one I haven't seen before. One posing as Proton Mail, stating that a new application has access to my mail account.
Time to fry a phish.

As you can tell by the address, this email is very clearly fake. So for easier viewing, let's export it as an .eml file and send it over to PhishTool:



Going straight to links, since that's where the magic happens. Just as expected, this is blatantly malicious; curiously, it passes my actual email as an argument. Let's put that link into Tor with my email changed to something phony and start poking around.
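As an added example (not part of the original post), here is a small Python triage script that does what the paragraph above describes by hand: parse an .eml, pull the links out of the HTML body, flag any link that carries an email address as a query argument, and rewrite that argument to a decoy before the link is opened in an isolated browser. The message, the `email` parameter name and the domains are constructed placeholders, not the phish from this post.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample .eml for illustration only; the domains are placeholders,
# not the infrastructure described in the post.
SAMPLE_EML = b"""From: "Proton Mail" <security@mail.example.invalid>
To: victim@example.org
Subject: A new application has access to your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>A new application was granted access to your account.</p>
<p><a href="https://login-review.example.invalid/verify?email=victim@example.org&ref=42">Review access</a></p>
<p><a href="https://proton.me/support">Help center</a></p>
</body></html>
"""

# Loose shape of an email address; good enough to spot a recipient leaked into a URL.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def extract_links(raw):
    """Parse the raw .eml bytes and return every href found in the preferred body part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return HREF_RE.findall(text)


def email_params(url):
    """Return the names of query parameters whose value looks like an email address."""
    parts = urlsplit(url)
    return [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if EMAIL_RE.match(v)]


def decoy_url(url, decoy="nobody@decoy.invalid"):
    """Rewrite email-valued query parameters to a decoy so the lure can be
    visited without confirming the real recipient to the operator."""
    parts = urlsplit(url)
    query = [(k, decoy if EMAIL_RE.match(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def triage(raw):
    """Flag every link in the message that carries an email address as an argument."""
    findings = []
    for url in extract_links(raw):
        params = email_params(url)
        if params:
            findings.append({"url": url, "params": params, "decoy": decoy_url(url)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EML):
        print(f"flagged: {f['url']}\n  email-valued params: {f['params']}\n  decoy: {f['decoy']}")
```

The legitimate support link in the sample carries no email and is not flagged; only the lure link is, and the decoy form is what you would paste into the isolated browser.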



First thing I notice: the email from the URL is passed into the email box on the site to give a sense of legitimacy. Interesting, but let's take a look at good ol' devtools. Nothing... they disabled right-click, and Ctrl-Shift-I/Ctrl-Shift-U does nothing. Easy enough, I'm able to select it from the hamburger menu.



Digging into the content, what I want to see is the code that's executed when I click this "next" button. There's a JS file tied to it, and although I'm not too familiar with the language, I'm sure we can put two and two together. Before moving on I decided to throw a cheeky message their way, also allowing me to observe the result of clicking the "next" button. Entering a value into the password box, I press send and watch as several POST requests are made, some back to a different subdomain and some to a secondary domain. Scrolling through those POST requests, clear as day, the request containing my creds in plain text was staring back at me. No JS analysis needed; it's right in front of my face.



Time to do a little recon and see what we can have done about this infrastructure. Looking a little more into the domain, Vercel is a legitimate cloud hosting provider. It looks like they will provide a free domain name to their customers with the caveat that they all end in Vercel.app. This also means the server and domain are provided by the same entity, one abuse report for both. We'll see if there is any form of response or if my email just falls into the void.

As for the sender email address, I was able to locate the hosting provider and domain registrar, and although I may not get a response or see any actions taken, both companies have been informed that their platforms are being abused for malicious actions.

With that, I believe I can consider this phish fried. All done in just a matter of one hour. Thank you for reading, and as always...

"You may stop this individual, but you can't stop us all... after all, we're all alike."

Voodoo, over and out.