cybportdal - Phishing lab 1

Phishing Analysis (GrabThePhisher - Cyberdefenders)

Scenario

As a cybersecurity analyst at an educational institution, you receive an alert about a phishing email targeting faculty members. The email appears to be from a trusted contact and claims a $625,000 purchase, providing a link to download an invoice.

Introduction

A decentralized finance (DeFi) platform recently reported multiple user complaints about unauthorized fund withdrawals. A forensic review uncovered a phishing site impersonating the legitimate PancakeSwap exchange, luring victims into entering their wallet seed phrases. The phishing kit was hosted on a compromised server and exfiltrated credentials via a Telegram bot.

Your task is to conduct threat intelligence analysis on the phishing infrastructure, identify indicators of compromise (IoCs), and track the attacker’s online presence, including aliases and Telegram identifiers, to understand their tactics, techniques, and procedures (TTPs).

Methodology (Steps I took)

Step 1: Finding the wallet used for asking the seed phrase

Identifying the sender's IP address with specific SPF and DKIM values helps trace the source of the phishing email.

figure 1. Wallet used for asking the seed phrase

NB: MetaMask simplifies the interaction with blockchain networks and DApps by providing a browser extension and a mobile application that ensures a user-friendly experience while securing critical data like private keys and seed phrases.

In this scenario, a phishing kit was designed to impersonate legitimate services and target unsuspecting cryptocurrency users. The phishing kit includes a directory that focuses on MetaMask, a clear indication that the attack is aimed at users of this specific wallet.

figure 2. PHP file used

NB: Hackers use malicious PHP files to create backdoors, gain unauthorized access, and execute remote commands on web servers. By exploiting vulnerabilities in poorly coded or configured PHP websites, they can install these scripts to manipulate data, steal sensitive information, or take full control of the server.

figure 3. Analysing the file

NB: Upon inspecting the PHP file, we realise that The attacker has crafted a malicious web page that asks users to input sensitive information, such as their MetaMask wallet's seed phrase, under the guise of restoring access to their accounts.

Step 2: Further analysis on the php file

figure 4. Service used to retrieve victim's machine informatio.

NB: Sypex Geo is a popular geolocation service offering precise and scalable solutions for identifying user locations based on their IP addresses. It is typically used for legitimate purposes, such as customizing user experiences or enforcing regional restrictions. However, in this phishing scenario, the attacker misuses the service to enrich the stolen data.

figure 5. Medium used for credential dumping.

NB: We realise that the medium used for credential dumping in this case is Telegram Bot. The script contains functionality to send the stolen data, including wallet information and seed phrases, to a Telegram bot using an API token and chat ID.

figure 6. Aliases of the phish kit Developer.

NB: The alias of the phishing kit developer, as indicated in the script, is j1j1b1s@m3r0. This appears to be a moniker or handle associated with either the developer or someone credited within the phishing kit. Such aliases are often used by cybercriminals to remain anonymous while operating within underground forums or dark web communities. By including this alias in the code, the developer may be acknowledging their collaborators, associates, or seeking recognition from others in the community.

Step 3: Identifying the number of seed phrase stolen

figure 7. IP address of the server hosting the malicious file

NB: If we analyze the log file, we realise that the attacker had successfuly collected three seed phrases.

Conclusion: This project strengthened my ability to analyze phishing attacks, extract malicious indicators, and trace attacker techniques. It also reinforced the importance of user awareness and layered defenses in mitigating social engineering threats.