BLOG

Facebook Phishing Kit by Fudsender Targets Facebook Users

Another day, another phishing kit. Over the past year, the ZeroFOX Alpha Team has witnessed a spike in phishing kit and phishing-as-a-service sales. These phishing kits (like the 16Shop model identified by ZeroFOX earlier this year) offer less sophisticated actors the opportunity to conduct full scale phishing operations quickly. The ZeroFOX Alpha Team has obtained a Facebook phishing kit that is freely available on a popular Telegram cybercrime tools group, specifically targeting users of the popular social networking platform. The kit was first posted on July 30, 2020. 

Phishing is a prime tactic often used by attackers to steal user data by masquerading as a trustworthy entity. In this case, the phishing kit uses a fake login page identical to a legitimate Facebook login page to trick the victims. This phishing kit also offers crawler/bot detection to prevent automated tools from scanning the fake page.

The Anatomy of the FudSender Phishing Kit

Phishing is a low-cost, low-barrier to entry form of cyber-attack that aims to obtain sensitive information or data by tricking a victim into believing that they are on a legitimate website. The phishing kit landing page spoofs the legitimate login page of Facebook and prompts the victim to enter credentials.

Facebook phishing kit landing page
 Figure 1: Landing page of fake phishing kit

Two scripts,  `login.php` and `access.php`, are loaded upon entering the credentials. The function of the `login.php` script is to grab the username and password information entered by the victim.

FudSender login script
Figure 2: login.php script, used to log victims’ usernames and passwords

The other script, `access.php`, grabs the IP address of the victim and uses it to fetch details such as City, Region, Internet Service provider (ISP), User-Agent, Screen Resolution, etc., from the location intelligence provider site “ipapi[.]co”.

FudSender access script
Figure 3: access.php script, used to log victim IP address and its related information

Both of the scripts `login.php` and `access.php` are configured in such a way to dump all the collected information from victims into a “logs.txt” file, every time a new victim enters their credentials.

Facebook phishing kit information
Figure 4: Information dumped into “logs.txt” file

The Facebook phishing kit has an extra crawler and bot detection feature that uses “CrawlerDetect”, a PHP class created by Mark Beech which can detect 1,000’s bots/crawlers/spiders via the user agent and http_from header. “CrawlerDetect” has been used by several phishing kits, including prolific ones such as 16Shop, as well as free kits like this one. It is open-source and available in Mark Beech’s public GitHub repository.

Facebook phishing kit CrawlerDetect
Figure 5: CrawlerDetect used to detect bots/crawlers/spiders

The phishing kit also has two additional scripts `badAgents.php` and `index.php` to further prevent bots from accessing the fake web page. The script `badAgents.php` grabs the IP address from the incoming HTTP/HTTPS requests and fetches its organization details from the location intelligence site “ipapi[.]co”. The organization information, which is typically the owner of the ASN returned by ipapi, is then compared against the list of organization names of security providers.

Facebook phishing kit badAgents script
Figure 6: `badAgents.php` script, to detect the organization name of phishing detection providers.

The second script `index.php` uses the hostname, user agent and IP address information already collected by `access.php` script and compares it against the list of hostnames, user agent and IP address of well-known phishing detection and URL scanner service providers. The phishing kit is designed in such a way that it responds with an “HTTP 404” error if it detects a bots/crawlers/spiders/web scanner.

Facebook phishing kit index script
Figure 7: `index.php` script, to detect hostnames, user agents, and IP addresses of phishing detection providers.

This kit is available for free on EvilLeaks forum and their associated Telegram group has 5242 followers with almost 1100 views specifically of the Facebook phishing kit. The kit download page remains active at the time of this publication.

FudSender Telegram group
Figure 8: Telegram group of EvilLeaks, advertising Facebook kit.

The texts in the screenshot shared by the EvilLeaks group in their Telegram post led us to another website fudsender[.]com, which is the actual source of the Facebook phishing kit. FudSender is an illegal shopping site that sells hacking tools, malware, and phishing kits.

Facebook phishing kit website offering
Figure 9: FudSender Website Offering Facebook Phishing Kit.

The phishing kits offered by FudSender allow the attackers to spoof trusted brands, increasing the chances of someone clicking on a fraudulent link. 

FudSender phishing kits
Figure 10: Phishing Kits available for sale on FudSender that spoofs popular brands 

The Crawler/Bot detection feature makes this Facebook phishing kit hard to detect with traditional security scanning technology. The availability of phishing kits makes it easy for cybercriminals, even those with minimal technical skills, to launch phishing campaigns. A phishing kit bundles phishing website resources and tools that need only be installed on a server. Once installed, all the attacker needs to do is send out emails to potential victims. 

Recommendations on How to Stop Phishing Kits 

  • Consider enabling multi-factor authentication for all accounts to prevent potential account takeover
  • Always verify the sender of suspicious or unexpected emails and messages
  • Never download attachments from unknown senders or suspicious emails

Conclusion

Phishing is a serious threat and hackers are deploying new tactics to steal information, for extortion, or even conventional fraud. The Facebook phishing kit is freely available and making it accessible to a wide range of would-be attackers, especially given that the group advertising this campaign has a considerable amount of followers. Protect your business from becoming the next victim of phishing kit attacks by actively monitoring for phishing kit activity before it reaches your customers. For more information on how phishing kits operate, read our full Anatomy of a Phishing Kit Whitepaper here.

Stay Informed

Best practices, the latest research, and breaking news, delivered right to your inbox.