Interestingly, while analysing a phishing kit we found on a cybercrime forum, we discovered that threat actors have already started using it in a phishing campaign that targets the Disney+ login page to steal credentials and credit/debit card information.
Based on the language used in a source code comment, the phishing kit was likely created by a Dutch- or French-speaking actor and designed to target European users.
Blocking Bots and Security Scan Engines
This sophisticated phishing kit is designed to block security crawlers and scan engines.
It also records each blocked IP address in a text file.
C2 Panel Integrated
The C2 panel is also configured with this phishing kit on this path: https://phishing.site/panel/panel.php
These stats show the number of visitors to the phishing site, the number of login attempts by victims, the number of billing entries, the number of victims who filled in their PII and address information, and the number of stolen credit card records.
Phishing Kit Workflow
The workflow consists of the following steps:
- Steals login credentials
- Shows a warning message to create a sense of panic
- Asks for billing information
- Steals credit/debit card information
- Finally steals the OTP and then redirects the victim to the original disneyplus.com login page
Exposed Victim’s Credentials and CC Information
While investigating this phishing kit, we noticed that the stolen credentials and the stolen credit card information can be accessed through this path of an active phishing site: https://phishing.site/info/send/rez_txt/rez_login.txt
Multiple Data Exfiltration Modules
This phishing kit exfiltrates the stolen data through a Telegram bot, email, and the built-in panel.
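As an added detection example (not code from the original write-up or from the kit itself), the following Python snippet flags proxy-log requests that hit the kit paths named above (the C2 panel and the exposed results file) or that go to a Disney+ lookalike hostname. The log line format, the allowlisted legitimate domains and the sample lines are all constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Kit paths observed in the write-up: the C2 panel and the world-readable
# results file that exposes stolen credentials and card data.
KIT_PATHS = (
    "/panel/panel.php",
    "/info/send/rez_txt/rez_login.txt",
)

# Matches "disneyplus" and typo-squats such as "disnyeplus" seen in the campaign.
LOOKALIKE_HOST_RE = re.compile(r"disn[ey]+plus|disney", re.IGNORECASE)

# Assumed legitimate domains; hosts under these are never flagged.
ALLOWLIST_SUFFIXES = ("disneyplus.com", "disney.com")

# Constructed proxy log format: <timestamp> <client-ip> <method> <full-url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def classify(line):
    """Return a hit dict for a suspicious log line, or None if it looks benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if u.path in KIT_PATHS:
        reasons.append("kit-path:" + u.path)
    if LOOKALIKE_HOST_RE.search(host) and not host.endswith(ALLOWLIST_SUFFIXES):
        reasons.append("lookalike-host:" + host)
    if not reasons:
        return None
    return {"client": client, "host": host, "path": u.path, "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://www.disneyplus.com/login 200
2024-01-01T10:01:00Z 10.0.0.5 POST https://phishing.site/panel/panel.php 200
2024-01-01T10:02:00Z 10.0.0.7 GET https://signin0d7e023d-disnyeplus-web.example.invalid/index1.php?abc 200
2024-01-01T10:03:00Z 10.0.0.9 GET https://phishing.site/info/send/rez_txt/rez_login.txt 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```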
Phishing Sites
Phishing Kit:
DisneyMulti-WithPanel.zip (3.1 MB)