Sometimes phishing campaigns are not conducted with phishing kits alone. The actors behind them can use other tricks to keep their work from being taken down, such as protected web redirectors.
A campaign we are seeing these days uses this redirector trick on several domain names. It targets DHL customers by impersonating the delivery company.
A captcha protected redirector
Moreover, the redirector is protected by a Google reCAPTCHA challenge:
This way a scraper or a robot can’t get past this page to reach the final phishing landing page.
Downloading sources with StalkPhish
With the help of StalkPhish, we can try to download the source code of the pages if it is available somewhere, and bingo! We find a zip archive containing the sources of this tool:
The index.php file calls challenge.php, which presents the captcha challenge. Once the captcha is completed and validated, the zabk.php page is called, which redirects the user to the landing page: https://trakscloth.cc/manage/
…which is, surprise, the phishing kit landing page (I can’t show you because the domain doesn’t work anymore).
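Once a redirector archive like this has been recovered, the final landing URL can be read from the sources without solving the captcha. The following is an added example, not code from StalkPhish or from the kit: the archive contents are constructed, and the redirect idioms matched (a PHP Location header, a JavaScript location assignment, a meta refresh) are assumptions, since the actual code of zabk.php is not shown here.

```python
import io
import re
import zipfile

# Redirect idioms often found in PHP redirector pages (assumed, see lead-in).
REDIRECT_PATTERNS = [
    re.compile(r"""header\(\s*['"]Location:\s*([^'"]+)['"]""", re.I),
    re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I),
    re.compile(r"""http-equiv=['"]refresh['"][^>]*url=([^'">\s]+)""", re.I),
]

def find_redirect_targets(zip_bytes):
    """Return {archive member: [absolute redirect URLs]} for each .php file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".php"):
                continue
            # The sources are only read as text, never executed.
            text = zf.read(name).decode("utf-8", errors="replace")
            urls = []
            for pattern in REDIRECT_PATTERNS:
                for target in pattern.findall(text):
                    # Skip relative hops inside the redirector (index -> challenge).
                    absolute = target.lower().startswith(("http://", "https://"))
                    if absolute and target not in urls:
                        urls.append(target)
            if urls:
                found[name] = urls
    return found

def build_sample_archive():
    """Constructed archive mirroring the index/challenge/zabk chain described above."""
    files = {
        "haktmcha/index.php": "<?php header('Location: challenge.php'); ?>",
        "haktmcha/challenge.php": "<form action='zabk.php' method='post'></form>",
        "haktmcha/zabk.php": "<?php header('Location: https://trakscloth.cc/manage/'); exit; ?>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    for member, urls in find_redirect_targets(build_sample_archive()).items():
        print(member, "->", ", ".join(urls))
```

The landing URLs extracted this way can go straight into a blocklist or a takedown report, even when the captcha stops automated crawling of the live redirector.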
Pivoting on a string using StalkPhish
To get an idea of the magnitude of the campaign, you can use StalkPhish once more to retrieve information about it. Use the -s option of StalkPhish with the name of the directory (haktmcha) where the files are installed:
>python3 StalkPhish.py -c conf/example.conf -s haktmcha
Then you can retrieve several domains and URLs where this redirector is or was installed: