# Phishing-as-a-Service: The Underground Card Shop’s Arsenal against 3DSecure - Strawberry Donut {%hackmd @HITCON/HkzqEGQsR %} > 從這裡開始 [TOC] ## Intro - 有犯罪者詐騙畫面，切勿拍照 - Strawberry Donut: Data Scientist - Godica Donet: Blue Team ## Backgroud and Scope - 拿取信用卡資料 - Server hacked :JavaScript injection, Data Breach - User side: Phishing, 木馬 - AI and LLM - 用 LLM 生產詐騙電郵 - 自動化 phishing，減少 95% 成本 - 釣魚網站可用AI在3分鐘內生成 - Example： - Amazon 2FA bypass - 10 分鐘內詐騙 73.6 Million Yen 目標:了解Real-time釣魚的架構與及它是如何改變了釣魚攻擊鍊 ## No-OTP Phishing vs Real Time Phishing ### No-OTP 1. Initial Setip 2. Phishing Site Preparation -> Phisher (詐騙者) 3. Domain / VPS Preparation -> Phisher 4. Phishing Mail Preparation & Delivery -> Carder (使用者) 5. Card Using Set up -> Carder 6. Use Card -> Carder 7. Monetization -> Monitizer ### Real-time Phishing:多數國家主要釣魚攻擊態樣 User <-> Adversary-in-the-middle <-> Server > 示範 omitted > 主要是 Linkt (phishing portal) <-> CMS 之間連接 > AiTM請參考 https://www.hypr.com/security-encyclopedia/adversary-in-the-middle --- ### OTP counter measurememnt - Always screen relay (reverse shell like) - ask user for challenge code (e.g. Micro$oft login) ## PhaaS: Phishing as a service - 中國已經有 online training 教如何信用卡 phishing ### SaaS model ``` mermaid graph LR; A(SaaS) --> B(Software Product) B --> C(Subsciprtion Cycle) C --> D(Phishing Actor) D --> A ``` ### Phass model Phaas Provider -> Phishing Site&Backend Management -> ### Types of Phishing-as-a-service - No PhaaS - Half PhaaS(framework only,requite Linux skills) - Full PhaaS(require more $$) 1. Prepare VPS 2. Setup Phishing 3. Get Domain 4. add DNS record to VPS 5. One-click deploy from AppStore 6. Send phishing link #### Case study 1- Panda Shop #### Case study 2 - Magic cat 賺 300k per year 如果查他們的IP 會發現很多IP會在同一個cPanel和VPS Python Framework ### PhaaS 如何快速搭建 Platform? - 寶塔 Linux 一鍵 install - 熊貓商店搭建教程 (又是你中國大陸) App Store -> US / SG Phishing Site > 感覺跟 trendmicro 的那個 [phishing](https://resources.trendmicro.com/Phish_Insight_WFH_campaign_EN.html) 測試工具有像 > one-click SSL application 註:Not applicable for cloudflare DNS Anti-Red 防紅 - 一個 domain mark as phising, 其他有關的 domain 都會被標記為 Phishing - 找方法 By-pass !! 1. IP API Key:GeoIP/Reputation lookup 2. White list IP,Countries 3. Redirect Url 4. Entrance Key when visiting URL Only when URL parameter is correct can the phishing site be accessed(只有輸入正確的路徑才可以存取釣魚網頁) ex:hxxp://tepco.phisher.tk? [x] hxxp://tepco.phisher.tk/(我忘記了) [V] 用意：避免 disclose phishing domain 被封殺，有點像 obfusciation ### System Settings - Ban Specific ...... Magic Cat platform explained - Noti sound - TG Notification - Voice Alert - Card Arrival - OTP code 當有魚上鉤提交卡號，Phaas會通知你 1. 寄個OTP驗證 2. 拒絕提交 Panda Shop有個可視化界面讓使用者知道幾個人上鉤 也有log紀錄 也可以找其他user一起合作(multitask) No PhaaS -> Full-stack OS Half PhaaS -> 源碼 Full PhaaS -> 魚塘 PhaaS的優點:更安全穩定的環境for信用卡詐欺者 ## 綜整 Real-time Phishing成功率是No-OTP Phishing的2倍 Real-time Phishing -> web dev trust device already (應該沒理解錯？) ### No-OTP Phishing挑戰 1. IP可透過Residential Proxy 改變 2. UserAgent 可用Adspower工具改變 #### 解決方案: 1. 建立Residential Proxy資料庫 2. 3DSecure Real-time Phishing -> no OTP -> responsibility 落入 user 手中 ### countermeasures - Card Issuer - Merchant --- PhaaS Real-time phishing 令 card holder 更多風險 Actors work 24x7 with LLM Collaborate for all stakeholders --- ## Q&A - SSL certification mismatch，如何偽造 CA? - 不用偽造 SSL - 錄影打電話罵 card Phisher - 精彩！ --- > 謝謝寫共筆的大家！