On a normal day, I received a message saying that my bank account had been hacked.
"Please, insert your data into the following link for verify for an unusual access to Your account"
No, it's not badly translated. It is shitty in Italian, so I translated it accordingly.
I knew for sure it was a phishing attempt to steal bank credentials.
Report the phishing website to safebrowsing.google.com
My first thought was to immediately report this website to safebrowsing.google.com.
When you get this kind of phishing email/SMS, you need to make sure that browsers update their phishing databases, so that eventually users are alerted about the risk when they try to reach the domain.
Reconnaissance - OSINT
First of all, I ran a simple whois on the domain.

    Technical Contacts
      Name:         MARCO IODICE
      Organization: MARCO IODICE
      Address:      via roma 55
                    Napoli
                    80140
                    NA
                    IT
      Created:      2020-05-26 17:25:17
      Last Update:  2020-05-26 17:25:17

    Registrar
      Organization: Aruba s.p.a.
      Name:         ARUBA-REG
      Web:          http://www.aruba.it
      DNSSEC:       no
This site looks like it comes from the same phishing campaign, since it resembles the previous website that I encountered. All of them were hosted on Aruba.it.
Unfortunately, the name of the domain's owner changes every time, but I see that it always comes from the same region and the same address.
The first thing that popped into my mind was performing a directory brute force.
Since the website is inside the conto directory, I ran dirsearch on that path.

    dirsearch -u http://phishingsite.it/conto/ -r --random-agents --plain-text-report=dirsearch.output -b -e php,html,js,asp
The only thing that I found interesting was https://www.phishingsite.it/conto/config.ini. Basically, they forgot to deny HTTP requests to that file.
And this is its content.

    [database]
    DBHOST = 89.46.******
    DBUSER = Sql143****
    DBPASS = 5087****
    DB = Sql143****
    TABLE = INTES****
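The leak above happens because the web server hands out config.ini like any other static file. As an added example (not from the original post), here is the Apache rule that would have blocked it, assuming an Apache-served document root; the post does not say which web server hosts the site.

```apache
# Added example: deny direct HTTP access to configuration and backup files
# that an application keeps inside the web root. Put this in the site's
# .htaccess (or the <Directory> block of the vhost). Apache 2.4 syntax.

# Weak setting (the default): no rule at all, so GET /conto/config.ini is
# served as text/plain and returns the database credentials verbatim.

# Hardened: refuse every request for *.ini, *.log, *.sql, *.bak, *.old,
# *.env and any dotfile, whatever directory they sit in.
<FilesMatch "(^\.|\.(ini|log|sql|bak|old|env)$)">
    Require all denied
</FilesMatch>

# Also disable directory listings, so a missing index page does not
# reveal the file names that would otherwise be found for free.
Options -Indexes

# Better still: keep config.ini outside the document root entirely and
# have the application read it from a path the web server never serves.
```

After applying it, a request for /conto/config.ini should return 403 while the PHP pages keep working; checking that from a browser is a one-minute test worth doing on any site you administer.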
As far as I know, you can't access the DB without using Aruba's portal. So no SQL client, just the browser.
Knowing the database credentials, I headed to mysql.aruba.it and used the credentials that I found to log in.
Basically, I had access to the database's web interface. The last thing to do was to rename the tables (suggested by Billy, a friend of mine) so that all the queries executed against those tables would fail (unless they restore the tables ofc).
I didn't drop the tables because that would've made the forensic work harder when looking for proof that they were actually collecting users' data.
Thanks to Sara for the emotional support. :')