Dissecting the Newest Phishing Kit Targeting the Qatar Post


Name brand postal services have been increasingly targeted by phishing campaigns. We previously published a blog post surrounding one of these scams, specifically a USPS phishing campaign.

Bolster Research Labs recently discovered a phishing kit that impersonates Qatar Post, a national provider of postal services in Qatar. This phishing kit is available for free in cybercrime marketplaces. The phishing kit is sophisticated, and can evade detection by blocking various bots, security vendor IP addresses, and user-agents. In this blog, we will discuss its capabilities in detail.

Acquiring the Phishing Kit

While researching cybercrime marketplaces, the Research Team discovered numerous phishing kits designed to impersonate most postal service organizations globally. The Qatar Post phishing kit was posted recently[Jan29,2024] and shared for free in one of the marketplaces.

Qatar post phishing kit

Workflow of the Phishing Kit

Websites created using this phishing kit always check the visitor’s IP address and user agent before displaying the phishing content. When submitting the credit card details, it validates the credit card type and number before sending via TG bot.

Phishing Kit Analysis

The phishing kit involved in the Qatar Post campaign is written in PHP, JS, and, interestingly, the improvised version of previous phishing kits the Bolster Research Team analyzed. Some enhancements to the phishing kit incorporate blocking security vendors’ IP addresses and desktop user agents to validate card numbers using Luhn Algorithms.

Phishing website example 1


Phishing website example 2

Credit card validation

While looking into its source code, the phishing kit not only validated the entered credit card types using the validateCreditCard() function [Fig2], but also checked for credit card number length using Luhn’s algorithm [Fig3], which determines whether or not a credit card number is valid, making it less spammy while stealing credit card information.

Fig2: validating credit card number


Fig3: Luhn’s algorithm

Evasion techniques

This phishing site can block users based on user agents, IPs, and IP ranges to get less unwanted traffic [Fig4].

Fig4: Functions for blocking users based on IP and user agents

Also, it can redirect to google.com using the killBot() function [Fig5] based on the user’s IP location. These capabilities help phishing sites stay undetected by most AI detection engines.

Fig5: Blocking bots based on their user agents
Fig6: Redirecting IP address to scan the phishing page

Exfiltrating credit card information

Like other sophisticated phishing kits, this phishing kit also uses a telegram bot to steal the credit card information and the OTP. [Fig7]. Among actors, stealing PIIs is a more popular technique to avoid detection and works as a zero-investment infrastructure.

Fig7: Data Exfiltration via Telegram bot

Indication of future development

While reviewing the source code of the phishing kit, we found an interesting function named isValidKey(). This discovery suggests that the phishing kit’s creator intends to improve this version. However, it remains unclear which specific key the actor intends to validate.

Fig8: An indication of a new version of the phishing kit is on the way

Conclusion: Protecting Your Business From Phishing Attacks

With similar sophisticated phishing kits, we expect more phishing sites to be created targeting the courier and logistics industry. Vigilance and proactive detection practices are crucial for organizations and individuals to protect against these threats. Continued monitoring and analysis of such threats are essential to staying ahead of cybercriminals and maintaining the security of postal services and their customers.

Bolster AI helps protect businesses from phishing attacks and scam sites with our trained LLM’s. By detecting and taking down even the most sophisticated attacks, you can trust Bolster to protect your consumers from hackers as techniques continue to evolve. Request a demo with us today.