
Need help to dissect this phishing CIMB site

TStaga
post Jul 25 2022, 04:37 AM, updated 4y ago

Getting Started
**
Junior Member
171 posts

Joined: Jan 2013
I would love it if any interested sifu here could help me reverse-engineer this site. I've done some digging myself, but I think I might have missed some stuff.

The phishing link is

CODE

https://www dot cimb o licks dotcom/clicks/
http://103 dot 97.3 dot 130/clicks


See a snippet of their PHP code here:
CODE
hostname + /clicks/api/login/submit_username?username=suckerzzz&deviceId=lameaf


Some facts:
- Domain name went live ~2 weeks ago.
- Attacker hosts from the China/Hong Kong Guangzhou region.
- Coders are probably mainland Chinese, judging from the Chinese comments in their PHP code.
- It may also geoblock far-away countries like the USA; this theory is not verified yet.
- The PHP first checks for a smartphone user agent. If you use a desktop browser, it redirects you to the legitimate banking website without loading a single byte of the spoof code (change your user agent in DevTools > More tools > Network conditions).
- The attacker uses a WebSocket to send the response back to the client after the victim submits the username.
(The reason behind this, I think, is so the attacker can relay the legitimate secure word back to their phishing site; there is a high possibility that they manually validate the username. It also means there is a person manning the computer to do the validating after they launch their phishing campaign via SMS/WhatsApp.)
- I have not gone past the enter-password part because there was no response from the WebSocket after I submitted the ID. lol.



CODE

Domain Name: cimb o licks dot com
Registry Domain ID: 2710744632_DOMAIN_COM-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://wanwang.aliyun.com
Updated Date: 2022-07-13T17:06:01Z
Creation Date: 2022-07-13T17:06:00Z
Registrar Registration Expiration Date: 2023-07-13T17:06:00Z
Registrar: Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn)
Registrar IANA ID: 1599
Reseller:
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: serverHold https://icann.org/epp#serverHold
Registrant City:
Registrant State/Province:
Registrant Country:
Registrant Email:https://whois.aliyun.com/whois/whoisForm
Registry Registrant ID: Not Available From Registry
Name Server: DNS25.HICHINA.COM
Name Server: DNS26.HICHINA.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: email@service.aliyun.com
Registrar Abuse Contact Phone: +86.95187



Thanks.

This post has been edited by taga: Jul 25 2022, 04:42 AM
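A defender-side triage check for the user-agent cloaking described in the post above, written as an added example (not code from the post or from the phishing kit): it stands up a local stand-in that mimics the "phone UA gets the spoof page, desktop gets bounced to the bank" behaviour, then probes it with a desktop and a phone User-Agent without following redirects and flags the mismatch. The bank URL, user-agent strings and spoof page are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LEGIT_URL = "https://bank.example/"  # placeholder for the real bank site (assumed)
MOBILE_MARKERS = ("Android", "iPhone", "iPad", "Mobile")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/102.0"  # constructed
PHONE_UA = "Mozilla/5.0 (Linux; Android 12) Mobile Safari/537.36"  # constructed

def is_mobile_ua(ua):
    return any(marker in ua for marker in MOBILE_MARKERS)

# Stand-in for the behaviour the post describes: phone UAs get the spoof
# page, anything else is bounced to the legitimate site without a byte of it.
class CloakingKit(BaseHTTPRequestHandler):
    def do_GET(self):
        if is_mobile_ua(self.headers.get("User-Agent", "")):
            body = b"<html>spoof login page</html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)
            self.send_header("Location", LEGIT_URL)
            self.send_header("Content-Length", "0")
            self.end_headers()
    def log_message(self, *args): pass  # silence per-request logging

def start_simulated_kit():
    # Serve the stand-in kit on a random localhost port; returns (server, url).
    srv = HTTPServer(("127.0.0.1", 0), CloakingKit)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/clicks/"

def probe(url, ua):
    """GET once with the given UA, without following redirects."""
    p = urlsplit(url)
    conn = http.client.HTTPConnection(p.hostname, p.port, timeout=5)
    conn.request("GET", p.path or "/", headers={"User-Agent": ua})
    resp = conn.getresponse()
    size = len(resp.read())
    conn.close()
    return resp.status, resp.getheader("Location"), size

def detect_ua_cloaking(url):
    """Flag a site that redirects desktop UAs away but serves phones a page."""
    desktop, phone = probe(url, DESKTOP_UA), probe(url, PHONE_UA)
    cloaked = desktop[0] in (301, 302, 303, 307, 308) and phone[0] == 200
    return {"desktop": desktop, "phone": phone, "cloaked": cloaked}
```

Against a real suspect URL only the `probe`/`detect_ua_cloaking` half is needed; the local stand-in exists so the check can be exercised offline.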
silverhawk
post Jul 25 2022, 07:32 PM

Eyes on Target
Elite
4,956 posts

Joined: Jan 2003


QUOTE(taga @ Jul 25 2022, 04:37 AM)
- The attacker uses a WebSocket to send the response back to the client after the victim submits the username.
(The reason behind this, I think, is so the attacker can relay the legitimate secure word back to their phishing site; there is a high possibility that they manually validate the username. It also means there is a person manning the computer to do the validating after they launch their phishing campaign via SMS/WhatsApp.)
It's China, so that is possible. What is more likely is that they have a headless browser running as a scraper. It just has to load the website, then input the username and scrape the word/image. This can even be done natively in Windows 11 with Power Automate.

I remember someone saying in a programming Facebook group that these words/images are a good way to prevent phishing, and I told them no, it is not, and demoed this exact method of attack.




15cm
post Jul 25 2022, 09:26 PM

Casual
***
Junior Member
423 posts

Joined: Apr 2022
QUOTE(silverhawk @ Jul 25 2022, 07:32 PM)
It's China, so that is possible. What is more likely is that they have a headless browser running as a scraper. It just has to load the website, then input the username and scrape the word/image. This can even be done natively in Windows 11 with Power Automate.

I remember someone saying in a programming Facebook group that these words/images are a good way to prevent phishing, and I told them no, it is not, and demoed this exact method of attack.
*
There are hundreds of thousands of users... they gonna scrape all of it?
silverhawk
post Jul 25 2022, 11:17 PM

Eyes on Target
Elite
4,956 posts

Joined: Jan 2003


QUOTE(15cm @ Jul 25 2022, 09:26 PM)
There are hundreds of thousands of users... they gonna scrape all of it?
*
Don't need to scrape all, just when the user types in their username. The phishing site sends the username to their headless browser. The headless browser runs and inputs the username on the actual website. The actual website shows the image/text. The headless browser scrapes it and returns it to the phishing site.

So the user will see their image/text on the phishing site as though it's real. Basically the "security feature" is easily hijacked, and now the user has a false sense of security on a compromised page.

Banks actually have a lot of horrible security practices that are more theatre than actual security.
angch
post Jul 26 2022, 10:19 AM

On my way
****
Junior Member
636 posts

Joined: Jul 2006
Just FYI, this is the phishing SMS others apparently received.

They don't need to scrape. But in this case, the person had already clicked it and entered his/her/their username.

Anyway, I advised them to change their password already.

FYI, shodan.io has more info on the IP address. They're running a very China-based app server for PHP (workerman).

Have fun.
15cm
post Jul 26 2022, 05:11 PM

Casual
***
Junior Member
423 posts

Joined: Apr 2022
QUOTE(angch @ Jul 26 2022, 10:19 AM)
Just FYI, this is the phishing SMS others apparently received.

They don't need to scrape. But in this case, the person had already clicked it and entered his/her/their username.

Anyway, I advised them to change their password already.

FYI, shodan.io has more info on the IP address. They're running a very China-based app server for PHP (workerman).

Have fun.
*
lmao, the grammatical errors and the occasional caps...
FlierMate1
post Jul 26 2022, 07:31 PM

Getting Started
**
Validating
139 posts

Joined: Jun 2022
Oh my gosh, what is happening to CIMB? This is another fake one: https://www.clickocimb.xyz/
angch
post Jul 27 2022, 09:57 AM

On my way
****
Junior Member
636 posts

Joined: Jul 2006
Oi, stop blaming CIMB for people pretending to be CIMB.
FlierMate11
post Nov 1 2022, 09:32 PM

New Member
*
Validating
17 posts

Joined: Oct 2022
QUOTE(angch @ Jul 27 2022, 09:57 AM)
Oi, stop blaming CIMB for people pretending to be CIMB.
*
Both fraudulent "CIMB" websites above have been taken down and cannot be opened anymore.

Thank goodness.
