What happened?
On a normal day, I received a message saying that my bank account had been hacked.

"Please, insert your data into the following link for verify for an unusual access to Your account"
No, it's not badly translated. It is shitty in Italian, so I translated it accordingly.
I knew for sure it was a phishing attempt to harvest bank credentials.
Report the phishing website to safebrowsing.google.com
My first thought was to immediately report this website to safebrowsing.google.com

When you get this kind of phishing email/SMS, you want to make sure that browsers update their phishing databases, so that users will eventually be alerted about the risk when they try to reach the domain.
Reconnaissance - OSINT
First of all, I ran a simple whois on the domain.
whois phishingsite.it
Technical Contacts
Name: MARCO IODICE
Organization: MARCO IODICE
Address: via roma 55
Napoli
80140
NA
IT
Created: 2020-05-26 17:25:17
Last Update: 2020-05-26 17:25:17
Registrar
Organization: Aruba s.p.a.
Name: ARUBA-REG
Web: http://www.aruba.it
DNSSEC: no
This site looks like it comes from the same phishing campaign, since it looks like the previous websites that I encountered. All of them were hosted on Aruba.it.
Unfortunately, the name of the domain's owner changes every time, but I see that it always comes from the same region and the same address.
Directory Bruteforce
The first thing that popped into my mind was performing a directory bruteforce.
Since the website is inside the conto directory, I ran dirsearch on that path.
dirsearch -u http://phishingsite.it/conto/ -r --random-agents --plain-text-report=dirsearch.output -b -e php,html,js,asp
The only thing that I found interesting was https://www.phishingsite.it/conto/config.ini. Basically, they forgot to deny HTTP requests to that file.
And this is its content:
[database]
DBHOST = 89.46.******
DBUSER = Sql143****
DBPASS = 5087****
DB = Sql143****
TABLE = INTES****
As far as I know, you can't access the DB without using Aruba's portal. So no SQL client, just the browser.
Knowing the database credentials, I headed to mysql.aruba.it and used the credentials that I found to log in.

Basically, I had access to the website's database. The last thing to do was to rename the tables (suggested by Billy, a friend of mine) so that all the queries executed against those tables would fail (unless they restore the tables, of course).
I didn't drop the tables because that would have made the forensic work of proving that they were actually collecting users' data harder.
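A web-served config.ini like the one above is exactly what a site owner can catch from the inside before anyone enumerates it from the outside. The following Python script is an added example, not part of the original post: it walks a local document root (path assumed, e.g. /var/www/html) and reports every served .ini/.env/.bak/.sql/.log file, parsing .ini files for credential-looking keys and masking their values the way the post redacts them. SAMPLE_CONFIG is a constructed stand-in for the real config.ini; every value in it is made up.

```python
import configparser
import os
import re

# Keys whose values are credentials (substring match, case-insensitive).
SECRET_KEY_RE = re.compile(r"pass|pwd|secret|token|api_?key", re.I)
# File extensions a web server should never serve out of its document root.
SENSITIVE_NAME_RE = re.compile(r"\.(ini|env|bak|sql|log)$", re.I)

def mask(value: str) -> str:
    return value[:2] + "*" * max(len(value) - 2, 0)  # redact like the post: keep 2 chars

def audit_ini_text(text: str, rel_path: str) -> list:
    """Return (path, section, key, masked_value) for each credential-looking key in one INI file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (DBPASS, not dbpass)
    try:
        parser.read_string(text)
    except configparser.Error:
        return [(rel_path, "-", "(unparseable ini)", "-")]  # still a served .ini: report it
    return [(rel_path, s, k, mask(v.strip()))
            for s in parser.sections()
            for k, v in parser.items(s)
            if SECRET_KEY_RE.search(k) and v.strip()]

def audit_webroot(webroot: str) -> list:
    """Walk a document root; report paths as the URL path a visitor would request."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not SENSITIVE_NAME_RE.search(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if name.lower().endswith(".ini"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_ini_text(fh.read(), rel))
            else:
                findings.append((rel, "-", "(sensitive file type)", "-"))
    return findings

# Constructed sample with the same layout as the file in the post; every value is made up.
SAMPLE_CONFIG = """[database]
DBHOST = 192.0.2.10
DBUSER = exampleuser
DBPASS = examplepass
DB = exampledb
TABLE = victims
"""
```

Running `audit_webroot("/var/www/html")` on a server lists each finding as the path a visitor could request, so anything it prints should be moved out of the document root or blocked in the web server configuration.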
Thanks to Sara for the emotional support. :')