What happened?

In a normal day, a message has been sent to me, saying that my bank account has been hacked.

Screenshot of the message
"Please, insert your data into the following link for verify for an unusual access to Your account"
No, it's not translated bad. It is shitty in Italian so I translated accordingly

I knew it was for sure a phishing attempt to gain bank credentials.

Report the phishing website to safebrowsing.google.com

My first though was to immediately report this website to safebrowsing.google.com

Screenshot of safebrowsing.google.com

When you get this kind of phishing email/sms, you need to be sure that browsers will update their phishing databases, so eventually users will be alerted about the risk when they try to reach the domain.

Reconnaissance - OSINT

First of all, I run a simple whois on the domain.
whois phisingsite.it

Technical Contacts
  Name:             MARCO IODICE
  Organization:     MARCO IODICE
  Address:          via roma 55
  Created:          2020-05-26 17:25:17
  Last Update:      2020-05-26 17:25:17

  Organization:     Aruba s.p.a.
  Name:             ARUBA-REG
  Web:              http://www.aruba.it
  DNSSEC:           no

This site looks like is coming the same phishing campaing, since it looks like the previous website that I encountered. All of them were hosted on Aruba.it.
Unfortunately, the name of the domain's owner changes everytime but I see that it comes always from the same Region and the same Address.

Directories Bruteforce

The first thing that popped into my mind was performing a directory bruteforce.
Since the website is inside the conto directory, I ran dirsearch on that path.

dirsearch -u http://phishingsite.it/conto/ --r --random-agents --plain-text-report=dirsearch.output -b -e php,html,js,asp

The only thing that I found interesting was https://www.phishingsite.it/conto/config.ini. Basically, they forgot to deny http requests to that file.
And this is its content.

DBHOST = 89.46.******
DBUSER = Sql143****
DBPASS = 5087****
DB = Sql143****

For what I know, you can't access to the DB without using the Aruba's portal. So no sql client, just browser.
Knowing the database credentials, I headed to mysql.aruba.it and used the credentials that I found to log in.

Basically, I had access to the database's website. The last thing to do was to change the tables' names (suggested by Billy, a friend of mine) so that all the query executed towards those tables would fail (unless they restore the tables ofc).
I didn't drop the tables because this would've meant making the forensics work harder to find proofs that they were actually collecting users' data.

Thanks to Sara for the emotional support. :')