Friday, July 20, 2018

Uncovering A PayPal Phishing Campaign

While browsing the DC9723 group, we stumbled on a screenshot which one its group's members had just shared with the rest of the DefCon group. The group member had received what he claimed was a PayPal phishing email. He claimed he had received it in the previous day (July 14th) and that it contained a fake receipt for a purchase he had never made from an alleged Italian internet hosting company.

When we looked into this "Aruba IT" company - we saw that it actually was a legitimate internet hosting and domain registration company based out of Italy.
Which raised our curiosity to further look into the email itself and see if anything else could be recovered that points to any clues to this campaign, who else might be being used as a front, and if we can identify any malicious activity.

The screenshot shared by the DC9723 user.
Fake Receipt Phishing

By using a fake receipt like this, an attacker wishes to alarm that a substantial purchase had just been made in the recipient's name. Hoping such a message will motivate the recipient into taking action where a more traditional phishing email might not.
The attacker in this case copied the main PayPal template for electronic receipts, by doing so the attacker wishes to scare the recipient into logging into the PayPal site and give away their credentials.
Conveniently so,  as seen in the above screenshot, a line which isn't present in a real PayPal receipt had been added -
" You don't recognize this transaction? " with an embedded link that can be seen at the bottom of the email.

In all probability, this had been added to further guide the potential target along the attacker's desired path of action in which he'd like him to take; and it serves as correlated pretext to resolve this supposed receipt misunderstanding.
Upon a further look, we can also see this email contains some spelling mistakes and mistyped numbers. Perhaps intentional to add a state of confusion to the already dire financial situation the target could feel he is in, and an even further sense of urgency to resolve this whole issue. Or more likely this just means that this was recompiled in haste.  

The reply emails:, stand out as obvious spoofs.  

pavpal[.]com had been seen in old phishing activity in the past and had since been registered by the actual PayPal company in probable efforts of blocking this type of activity.
paypai[.]com had also been observed in numerous scamming attempts and phishing campaigns with its domain belonging to Moniker Online Services.
Both are widely reported websites. This makes arriving to the conclusion if this attacker actually has current control of these email boxes very hard.

The embedded link to the fake PayPal resolution center this attacker chose to use was
based on Twitter's link shortener:
  • t[.]co/Tv5Zo3ig7v
Taking a peek at the link and looking at its redirect chain:

We can identify that the actual target domain was paypa[.]com-verifyseeds[.]support

By searching for similar pages based on the resource path we could identify similar domains being used in the past two weeks:
  • paypal[.]com-webapps[.]site
  • paypal[.]com-webappsinfo[.]reviews
  • paypa[.]com.lakukerascok[.]com
  • paypal[.]com-accountverify[.]support
  • paypal.accountinfoverify[.]support
  • paypa[.]com-verifyseeds[.]support
  • paypal[.]com-verifyaccount[.]center/ 
  • paypal[.]com-accountservice[.]info
Along with the following redirects:
  • t[.]co-d3gbfd[.]city
  • huit[.]re/tettew
  • huit[.]re/shrt
  • huit[.]re/_Ebfo0oe
  • xt[.]lv/XJiEa
  • alif[.]idseedapp[.]in
  • huit[.]re/webappss
  • kuntulmaju[.]ml/cuk 
  • huit[.]re/satumilyar
  • 1.googleincsafe[.]org/brinjilan
  • https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&
  • https://ok[.]ru/dk?cmd=logExternal&st.cmd=logExternal&
Based on these different redirects made us suspect a phishing kit was being used here and spread during these couple of weeks.
The live domain which is currently still live and being used through the redirection chain is:

Which can be seen redirecting us to
www.paypa[.]com-verifyseeds[.]support - the redirection domain from our screenshot
And www.paypa[.]com.lakukerascok[.]com

Since the email was immediately reported to PayPal, we can witness the effectiveness of redirection chains to the longevity of phishing scams.
Both of these websites are hosted on the same Google server - 142.4.14[.]169
Along with a now empty Apache server:

All pointing to the same styled ‘/stylec0de’ path like the following full URI path example:


Using a redirection path utilizing Paypal’s own authentication API backbone to piggyback as a means of seemingly legitimate Paypal correspondence.
A victim looking to quickly resolve a financial issue might not go over the very long link, and miss the spoofed URL at the end of it - giving away his credentials to the attacker. By using a malicious iframe like this, a sophisticated campaign can be achieved relying on a victim’s

Source code.

Screenshot of the Spoofed login page.
Twitter Activity

From this point on, we only had the now blocked websites left to go over, however since we can trace back activity to Twitter - we can actually hunt for anyone that was spreading these links and see if there’s any new activity, or maybe even find out who is behind this. This is due to the attacker’s choice of a shortened link.

We were able to identify the following accounts that seem be based out of Indonesia:
All of these accounts were using the same method and similar links. The original link from the screenshot could be found being spread by @uboldmild
Tweet of the original link.

As an elementary step of an investigation like this we checked for the usernames and names left by these individuals.

The Twitter user “Donna Curry” was registered under the handle ‘uboldmild’. Once we pivoted it to a simple search engine search, we managed to find it was connected to numerous phishing websites with the same scheme registered under the email

Websites such as :
  • step-verivy[.]com
  • app-recoveryicloud[.]com
  • data-recoveryicloud[.]com
  • idmsa-accounts-security[.]com
  • datarecoveryicloud[.]com
  • com-verifyaccountappstore[.]info
  • responsibilitiesmacintosh[.]com
By looking at the Twitter account we can further correlate this by looking at what sort of links have been tweeted out by the user:

With what looks like the first tweet being made to test out how the link shortener works on June 2017.
This shows us how the phishing kits they used may have evolved along the past year, the same initial weaponization point of utilizing Twitter’s link shortener had not.

When checking the rest of the users, we found that the user @StyleC0de has been doing the same - which can be seen through his Twitter account as well, however, he has done so under his actual name which can be traced back to numerous social media profiles he has under his name. Including a Youtube video showing a script he intended to sell in 2017:

His latest exploit which was still live when we were writing this post is the one we showed you under his still currently used username/calling card ‘StyleC0de’.

SlackerC0de spam group

SlackerC0de is an Indonesian hacking group popping into activity around 2015 with various low level scripts aimed at financial scams.

When we checked the user @nugslackerc0de from Twitter, his username stood out as well. This was what led us to the Indonesian group which can be found at - and this group might actually prove to be the potential connection point between these Indonesian users.

An Apple account checker script shared on Pastebin.

The main name that kept popping up at various source codes belonging to the group was a ‘Malhadi Jr.’ with websites like hosting online tools like email bots and account checkers. Along with even an old personal Github account - sharing similar repositories.

We managed to see that one of his tools was used for a phishing website last year with a similar URL.

Source: ServiceHostNet

So when considering our recent finding, it indeed seemed to us like the Slackerc0de group was a key factor in identifying the common points between the different users.  

Slackerc0de themselves invite any prying eyes to a public group on Telegram where they share their tools of the trade.

When we peeked inside the group, we were able to see behind the scenes of a relatively close knit group collaborating in phishing efforts, like this user asking what a good subject for Yahoo email recipients is:

A now deleted user instructing another member on his preferred link shorteners like Twitter and Owly:

And another one sharing PayPal Phishing Kit’s source code for download:

A user sharing a screenshot of using a mailer with their Apple phishing website present in the background:

We can see this Indonesian group is active with focused efforts in cheating people out of their money, adding insult to injury with boasting their success while sharing screenshots of incoming credentials:

An attacker sharing his harvested credentials.
Tactics,Techniques, and Procedures

This group and those like it operate by initially gathering email lists, ones that can be curated manually, or downloaded from the various cyber crime forums online. Once they have an adequate enough list they will move to their next step - checking the emails for corresponding accounts. They will input the emails they have into account checkers made by the likes of Malhadi Jr from SlackerC0de and see what emails have PayPal accounts, what emails have Apple accounts by utilizing various API calls to these services and see their response. Both these companies seem to be their favorite targets.

Once they have amassed a large enough list to move on and start attacking them, these attackers will create a phishing infrastructure for the most crucial steps of their campaign. They will create an online website, mostly hosted by Amazon,Google, or Aruba (the same company they used as a fake receipt for one of their emails)  from looking at how this specific group operates. They will host their phishing kit and start mass emailing their list using a bought emailer software from their closed forum marketplace or shared by somebody from the chat group.

To receive the incoming credentials they manage to steal, they will set up an inbox based on free email services like Yandex. Not much skill is needed to run such a scheme - they will need to only configure the source code for their email, upload to a server, and use an email template.  By going over their correspondence we saw how users with no skill whatsoever were asking for resources,more experienced users sharing them, and the backbone to these groups - the tool creators or sellers which supply the 955 members of the group with the easy means of creating their own campaign.

We witnessed how they share their various setbacks after they launch their campaign, such as Amazon blocking their accounts, screwing up the %email field, failing to configure a server, and more. Meaning even an attacker at the lowest level of skill will be spoon fed the answer to his mistake and how to correct it for the campaign to work. Causing dire consequences to the victims which fall due to this criminal crowdsourcing.
An attacker sharing a screen capture of his Phishing email.

An attacker sharing a screenshot in hopes of troubleshooting an error.

An attacker sharing a screenshot of his blocked Amazon account.

Historical Observations

We then tried to look for historical correlation and past activity this group may have been connected to, so we started looking through RecordedFuture’s threat intelligence platform for further relationships and activity.
When we initially looked at the main domain - we were looking for what malware RecordedFuture may have seen connected to SlackerC0de[.]us, if any at all. In this case we were able to see that some ransomware activity and various intertwined domains were connected to SlackerC0de[.]us.

Source: RecordedFuture
So we continued to look for connected phishing campaigns, and saw that prior to the July 2018 PayPal and Apple campaign that started our investigation, the group ran earlier campaigns in January - mainly targeting Apple and Facebook users.

Source: RecordedFuture
Meaning this group is probably constantly busy all year round targeting all the varied popular services in efforts of scamming people out of their money and credentials.




DeepEnd Research has already notified Apple and PayPal of these findings prior to the publication of this post.

7/27 - Update:

Since the publication of our blog post the Twitter accounts we found along with the associated YouTube account have been suspended from each respected platform.
During this time we were also continuing to monitor for any renewed activity by any new users possibly using the same methods outlined in this campaign, since the identified ones were suspended.
We managed to find that there is currently one newly registered Twitter user still using the same construct of various shortened links leading to PayPal login phishing pages:

This user is registered under the name 'Tanya D Campero' - 

The links tweeted out by this user lead us to the following new websites and infrastructure used by this campaign:

No comments:

Post a Comment