Investigating Phishing Campaigns Targeting US Credit Card Customers
Overt Operator Researcher Releases Findings
On the joyful morning of her first payday, "Joan" was eagerly checking her paycheck when an alarming email popped up, warning her of a compromised account. She clicked on the link in the email, logged in, and seeing nothing unusual, continued with her day, unaware that a threat actor had just snagged her credentials.
Each passing year brings a spectrum of new threats against both digital systems and individuals, yet phishing remains a formidable threat that targets consumers and corporations alike.
Phishing persists because it exploits human psychology rather than technology. The practice is damaging on multiple fronts: it imperils personal privacy and financial security, and it can undermine the digital infrastructure of institutions and, to some extent, even nations.
Cyber security researchers contributing to Overt Operator have investigated one such phishing threat revealed to be a potential credit card harvesting phishing campaign targeting US-based customers.
Initial Contact
The researcher initially reviewed an innocent-looking email containing a UPS tracking number, with content encouraging the user to click a link to visit a site for more information. The email was sent from the address J71izUwfAbdrU2MX22TU_ ltqxffzzlzrgudkh[@]3tzyzhh0qvksyoqkmu.sia4k.pic. The link pointed to an S3 bucket
(https://hfuzejfzeofihzeufhzeifuzehf.s3.eu-west-3.amazonaws[.]com/fudchjbfhecczeucieuhcubciuegcze.html#4zGqhW92431zgRj99mdqqznmkcm954XTKDFIBLOGJODML887637/166785d21) which redirected users to several different phishing sites.

Following some of the links in the page's URL history, such as the yukkyslime[.]com URL, led to another phishing site on a completely different domain.

Walking through the flow as a victim would, the site redirected the user to a further site that asked for credit card details. Notably, many of these sites appear to target only US credit card holders: the victim could not change their location using the inputs presented.

The phishing sites with credit card forms were found to call out to a 3dsintegrator.com API, which likely acts as some kind of credit card validator. When the researcher tested this by entering false billing details, the transaction was denied.

Phishing Sites calling out TRK-{NAME}.com
One of the key findings was that, after the S3 bucket link was clicked, the first redirected phishing site contacted trk-essursta[.]com to fetch a certain script, which is discussed in more detail later on.


A search on UrlScan turned up several links to the same URI, revealing that trk-essursta.com is just one of many TRK domains in use.


Campaign Tracking from TRK Domain Script
The script retrieved from the TRK domain turned out to be some sort of campaign tracking. Running the Tabloo API URL found in the script showed that it creates a new user ID for any visitor who had not been to the site before.

Close up on the script.
Interestingly, the API keys found were identical across other TRK domains, as shown below for trk-epicurei[.]com.

Based on the URL pattern found, it is possible to locate additional phishing sites that may help with this research.
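As an added example (not code from the original write-up), the following Python hunts over a list of extracted URLs for the patterns this investigation surfaced: the trk-{name}.com tracking domains, the S3 redirector page with its long per-victim fragment, and the named phishing host. The input lines and the script path are constructed; the hostnames are the ones the investigation reports.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines of the form "<timestamp> <source> <url>", as a mail
# quarantine or browser-history export might yield; the script path is a
# placeholder because the article does not name the script.
SAMPLE_LOG = """\
2024-01-05T09:12:01Z mailbox-a https://hfuzejfzeofihzeufhzeifuzehf.s3.eu-west-3.amazonaws[.]com/fudchjbfhecczeucieuhcubciuegcze.html#4zGqhW92431zgRj99mdqqznmkcm954XTKDFIBLOGJODML887637/166785d21
2024-01-05T09:12:02Z mailbox-a https://trk-essursta[.]com/placeholder-script.js
2024-01-05T09:12:05Z mailbox-a https://yukkyslime[.]com/
2024-01-05T09:13:40Z mailbox-b https://docs.example-corp.s3.eu-west-1.amazonaws.com/handbook.html
2024-01-05T09:14:00Z mailbox-c https://trk-epicurei[.]com/placeholder-script.js
"""

# Indicators from the investigation; the trk-{name}.com pattern is the pivot.
KNOWN_PHISHING_HOSTS = {"yukkyslime.com"}
TRK_HOST = re.compile(r"^trk-[a-z0-9]+\.com$")
S3_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3\.[a-z0-9-]+\.amazonaws\.com$")


def refang(text: str) -> str:
    """Undo the [.] / [@] defanging used in reports so URLs parse normally."""
    return text.replace("[.]", ".").replace("[@]", "@")


def classify_url(url: str) -> set[str]:
    """Return the indicator tags that apply to one URL (empty set if none)."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    tags = set()
    if host in KNOWN_PHISHING_HOSTS:
        tags.add("known-phishing-host")
    if TRK_HOST.match(host):
        tags.add("trk-tracking-domain")
    bucket = S3_HOST.match(host)
    # Redirector page: throwaway bucket name, an .html object and a long fragment
    # (the fragment never reaches a server, so it only survives in the mail body).
    if (bucket and parsed.path.endswith(".html")
            and len(bucket["bucket"]) >= 20 and len(parsed.fragment) >= 32):
        tags.add("s3-redirector-page")
    return tags


def hunt(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan the lines and return (source, host, sorted tags) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        tags = classify_url(fields[2])
        if tags:
            hits.append((fields[1], urlparse(refang(fields[2])).hostname, sorted(tags)))
    return hits


def trk_domains(hits) -> set[str]:
    """Distinct trk-* hosts seen, the list to pivot on in UrlScan."""
    return {host for _, host, tags in hits if "trk-tracking-domain" in tags}
```

The legitimate-looking corporate bucket in the sample is left unflagged because it lacks both the long bucket name and the fragment, which keeps the S3 heuristic from firing on ordinary static hosting.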