[Phishing Kit] Recent Disney+ Phishing Campaign Analysis

Interestingly, we found a phishing kit from a cybercrime forum, started analyzing it, and found that the actors have already started using the phishing kit to launch a phishing campaign targeting the Disney+ login page to steal credentials and credit/debit card information.

Based on the language used in the source code comment, a Dutch or French-speaking actor likely created the phishing kit designed to target European people.

Blocking Bots and Security Scan Engines

This sophisticated phishing kit is designed to block security search and scan engines.


It also stores the blocked IP inside a text file.

C2 Panel Integrated

The C2 panel is also configured with this phishing kit on this path: https://phishing.site/panel/panel.php

These stats show the count of visitors to the phishing site, login attempts by the victims, the billing count, the number of victims who filled in their PII and address information, and the count of stolen credit card information.

Phishing Kit Workflow

The workflow consists of the following steps:

  1. Steals login credentials
  2. Shows a warning message to create a panic situation
  3. Asks for billing information
  4. Steals credit/debit card information
  5. At the end, it steals the OTP and then redirects the victim to the original disneyplus.com login page

Exposed Victim’s Credentials and CC Information

While investigating this phishing kit, we noticed that the stolen credentials and the stolen credit card information can be accessed through this path of an active phishing site: https://phishing.site/info/send/rez_txt/rez_login.txt

Multiple Data Exfiltration Modules

This phishing kit exfiltrates the stolen data through a Telegram bot, email, and the built-in panel.

Phishing Sites


Phishing Kit:
DisneyMulti-WithPanel.zip (3.1 MB)

7 Likes
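An added detection example for defenders, not part of the original post or the kit: it scans web proxy logs for the two kit paths the post names and for Disney+ brand strings (including the transposed "disnyeplus" spelling from the post's reported hostnames) on hosts outside disneyplus.com. The log format, the `.example` hostnames, the function names and the single-entry allowlist are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Paths the post reports for the kit's panel and its exposed result file.
KIT_PATHS = ("/panel/panel.php", "/info/send/rez_txt/rez_login.txt")
# Assumption: only the login domain named in the post is treated as legitimate.
LEGIT_DOMAINS = ("disneyplus.com",)
# Brand strings in a hostname, including the transposed "disnyeplus" spelling.
BRAND_RE = re.compile(r"disn(?:ey|ye)(?:-?plus)?", re.IGNORECASE)

def refang(url):
    # Turn a defanged indicator (hxxp, [.]) back into a parseable URL.
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def classify(url):
    # Return the reasons a URL resembles this kit, or [] if none apply.
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    # Match on a label boundary so "disneyplus.com.login.example" is not trusted.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return []
    reasons = []
    if BRAND_RE.search(host):
        reasons.append("brand-in-host")
    if parts.path.lower().endswith(KIT_PATHS):
        reasons.append("kit-path")
    return reasons

def scan(log_lines):
    # Collect (client_ip, url, reasons) for every proxy log line that matches.
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], reasons))
    return hits

# Constructed sample log: timestamp client_ip method url status
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z 10.0.0.5 GET https://www.disneyplus.com/login 200",
    "2024-01-10T09:00:07Z 10.0.0.8 GET https://signin-disnyeplus-web.shop.example/index1.php?x=1 200",
    "2024-01-10T09:01:12Z 10.0.0.8 POST https://pay.shop.example/info/send/rez_txt/rez_login.txt 200",
    "2024-01-10T09:02:30Z 10.0.0.9 GET https://disneyplus.com.login.example/ 200",
    "2024-01-10T09:03:00Z 10.0.0.7 GET hxxps://news[.]example/panel/panel[.]php 404",
    "truncated line",
]
```

The brand rule also matches other Disney-owned domains, so extend `LEGIT_DOMAINS` with the domains your organization actually expects before alerting on it.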

Good find!!
Is this kit being used widely?

3 Likes

Hey, thanks! Yes. You can refer to the phishing sites shared at the end of the post!

1 Like

great find! thanks @kithunter