We started researching this and due to the attacker’s clumsy decisions we found their GitHub and their operational Telegram bot.
Screenshot: https://imgur.com/a/FTy4mrH
Sometimes the attacker’s incompetence can be the defender’s best weapon.
The phishing page was a standard clone of an “email” from a non-branded ANF generic service. A little digging revealed that the site’s .git directory was publicly accessible, and we were able to list its contents.
By inspecting the requests we also found the first Telegram bot token. This is the digital equivalent of leaving the blueprint of your entire operation, including previous versions and deleted files, on the front lawn.
We extracted the repository and found several fake pages with automated deployments, along with various hardcoded Telegram bot tokens and chat IDs.
Along with the source code, repo, and active Telegram bot token, we filed a detailed abuse report:
– GitHub: We reported the repository containing the source code of the phishing kit. It was removed for violating TOS.
– Telegram: We reported the bot using the provided token and chat ID, causing it to be removed.
– Hosting provider: Malicious site was reported and taken offline.
Lesson learned? Never deploy a .git folder to production. Even if you are a criminal.
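A self-check for that lesson, added here as an example and not part of the original write-up: it probes your own deployment for served `.git/HEAD` and `.git/config` and only reports a hit when the body actually looks like a git file (a 200 alone proves nothing, since many apps answer 200 with index.html for any path). The probe paths, the fetch helper and the `fetch` injection point are assumptions of this example.

```python
"""Self-check: does a deployment serve its .git directory?

Added example (not from the original post). Run it against your own host
before go-live; the probe paths and body heuristics are assumptions about
how a misconfigured web server behaves when a repo is deployed wholesale.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Files present in every git repository that identify themselves cheaply.
GIT_PROBES = {
    ".git/HEAD": re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)"),
    ".git/config": re.compile(r"^\s*\[core\]", re.MULTILINE),
}


def _http_get(url, timeout=5):
    """Fetch url; return (status, body). Errors come back as a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_git_exposure(base_url, fetch=_http_get):
    """Return the probe paths whose content matches the expected git file format.

    `fetch(url) -> (status, body)` is injectable so the check is testable offline.
    Requiring the body to match avoids false positives from catch-all 200 pages.
    """
    base = base_url.rstrip("/") + "/"
    exposed = []
    for path, pattern in GIT_PROBES.items():
        status, body = fetch(urljoin(base, path))
        if status == 200 and pattern.search(body):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    hits = check_git_exposure(target)
    print("EXPOSED: " + ", ".join(hits) if hits else "no .git files served")
```

Pair the check with a server rule that denies any path starting with `/.git`, and keep the deployment step copying build output rather than the working tree.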
Acknowledgments: This was a collaborative effort by members of the BeyondMachines Discord community. Crowdsourced speed and collaboration helped us get it taken down much faster.