Finding cyber criminals from OPSec errors

Mattia Vicenzi
4 min read, Aug 10, 2024


Attention: this analysis is speculative and may contain errors.

Intro:

I was as usual wandering around on Telegram, looking for something interesting, when several spam messages related to a phishing panel attracted my curiosity.

The curious thing is that normally these panels are sold rather than given away for free, but that was not the case here.

Within minutes, this message was spammed in a few hundred groups related to cyber crime, and from there my hunt began.

Inside the phishing panel:

I decided to visit the site promoted in the Telegram groups. At first I intended to do so through Tor, but unfortunately the site is not reachable from the Tor network, so I connected to my VPN and created a temporary email address for the site registration.

The control panel is very simple and contains phishing templates for various social networks, email providers and gaming platforms; you just click on a link to generate the phishing link, which is hosted on Fastly.

As you can see from the screenshot, the links are available in various languages.

The following are some examples of phishing pages:

The control panel has been edited and has changed domain several times; however, with the hash 24caa90b896a77c016ddaf04f700c9a237d9ebca8549fcdb13fa00d4533eb86c it is always possible to locate the new panels.
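Tracking a kit across domains by a resource hash, as an added example that is not code from the original article. The article gives a SHA-256 value but does not say which resource it was computed over; the assumption here is that it is the SHA-256 of the raw bytes of a page resource (for instance the panel login page or its favicon). All hostnames and page bodies below are constructed sample data.

```python
"""Fingerprint a phishing panel by hashing a fixed resource so that new
domains serving the same kit can be recognised.

Added example, not the article's own code. Assumption: the tracked hash
is the SHA-256 of a resource body fetched from the panel. The hosts and
page bodies are constructed, not real panel content.
"""
import hashlib
import urllib.request
from typing import Dict, List


def fingerprint(body: bytes) -> str:
    """SHA-256 hex digest of a resource body, the value used to track a kit."""
    return hashlib.sha256(body).hexdigest()


def find_matching_hosts(pages: Dict[str, bytes], known_hash: str) -> List[str]:
    """Return the hosts whose resource body hashes to known_hash."""
    known_hash = known_hash.lower()
    return sorted(host for host, body in pages.items() if fingerprint(body) == known_hash)


def fetch_fingerprint(url: str, timeout: float = 10.0) -> str:
    """Live variant (hypothetical helper, not run here): download a
    resource and hash it. Run this only from an isolated VPN/VM, never
    from a personal network, since the panel operator sees the request."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return fingerprint(resp.read())


# Constructed sample: the same kit served from two made-up domains, plus
# an unrelated site that must not match.
PANEL_LOGIN = (
    b"<html><head><title>Panel</title></head>"
    b"<body><form action='/login'><input name='user'><input name='pass'></form></body></html>"
)
SAMPLE_PAGES: Dict[str, bytes] = {
    "panel-one.example": PANEL_LOGIN,
    "panel-two.example": PANEL_LOGIN,
    "unrelated.example": b"<html><body>Welcome to my blog</body></html>",
}


if __name__ == "__main__":
    known = fingerprint(SAMPLE_PAGES["panel-one.example"])
    print("kit fingerprint:", known)
    print("hosts serving the same kit:", find_matching_hosts(SAMPLE_PAGES, known))
```

A raw-byte hash is exact: it catches re-hosted copies of the same build, but a single edited byte (a changed title, a new tracking snippet) produces a different digest, so when a kit is actively edited it is worth keeping one fingerprint per observed version.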

1st OpSec Error: Vulnerability in the panel.

Searching for information about this kit, I came across an analysis by another researcher who found a vulnerability in the panel and was able to obtain the email addresses of all the threat actors registered on the panel, the admin email and all the stolen accounts.

Link

From the information in that blog post we immediately see the inexperience of some TAs, who used email addresses directly linked to their own accounts to run their phishing campaigns.

However, I was interested in finding the creator, not the inexperienced TAs; one must therefore find the source.

Fortunately, the blogpost has the admin email from a previous panel: admin@arspam.com

2nd OpSec Error: Malware.

A reverse search for the email yields no useful results, so I decided to analyze the domain. Looking for references to that domain in leaked data, I spotted an interesting result: someone had accessed that domain from a public computer, and that computer was infected with RedLine Stealer.

Both the username and the password are in Egyptian, so we are most likely looking for an Egyptian person.

The presence of the Egyptian language in the phishing kit also supports this hunch.

Because it is a public computer, several people have used it, so I started filtering by that username and password within the same RedLine Stealer log file.
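The filtering step above, as an added example that is not code from the original article: parse a stealer password dump, pull the credential saved for the domain of interest, then pivot on that username/password pair to find every other entry the same person saved, which is what surfaces an email address. The record layout (URL / Username / Password / Application blocks separated by a line of "=") follows the layout commonly seen in RedLine password dumps and is an assumption here; the sample log is constructed and every credential in it is fake.

```python
"""Pivot through a stealer password dump on a shared (public) computer.

Added example, not the article's own code. Assumed record format:
URL / Username / Password / Application lines, records separated by a
line of '=' characters. SAMPLE_LOG is constructed; all logins are fake.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

Entry = Dict[str, str]

# Constructed sample: one unrelated user of the public computer, and one
# person who saved logins on arspam.com, PayPal and a social site.
SAMPLE_LOG = """\
URL: https://mail.example-isp.net/login
Username: someone_else
Password: unrelated-pass
Application: Google Chrome_Default
===============
URL: https://arspam.com/admin/login
Username: fake_owner_01
Password: fakepass-123
Application: Google Chrome_Default
===============
URL: https://www.paypal.com/signin
Username: fake.owner.01@example.com
Password: fakepass-123
Application: Google Chrome_Default
===============
URL: https://social.example.org/login
Username: fake_owner_01
Password: fakepass-123
Application: Microsoft Edge_Default
===============
"""

FIELD_RE = re.compile(r"^(URL|Username|Password|Application):\s*(.*)$")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_redline_passwords(text: str) -> List[Entry]:
    """Split the dump into records, one dict per URL/Username/Password block."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if line.startswith("==="):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def host_of(entry: Entry) -> str:
    return (urlparse(entry.get("url", "")).hostname or "").lower()


def entries_for_domain(entries: List[Entry], domain: str) -> List[Entry]:
    """Every saved login for the domain or one of its subdomains."""
    domain = domain.lower()
    return [e for e in entries if host_of(e) == domain or host_of(e).endswith("." + domain)]


def pivot_on_credential(entries: List[Entry], username: str, password: str) -> List[Entry]:
    """Entries on any site that reuse the seed username or the seed password.
    Matching on either component links an email-style username that shares
    the password with the handle seen on the seed domain."""
    return [e for e in entries
            if e.get("username") == username or e.get("password") == password]


def find_linked_emails(log_text: str, domain: str) -> List[str]:
    """Full chain: domain of interest -> credential -> other entries -> emails."""
    entries = parse_redline_passwords(log_text)
    linked: List[str] = []
    for seed in entries_for_domain(entries, domain):
        for e in pivot_on_credential(entries, seed.get("username", ""), seed.get("password", "")):
            user = e.get("username", "")
            if EMAIL_RE.fullmatch(user) and user not in linked:
                linked.append(user)
    return sorted(linked)


if __name__ == "__main__":
    for e in entries_for_domain(parse_redline_passwords(SAMPLE_LOG), "arspam.com"):
        print("seed credential:", e["username"], "/", e["password"])
    print("linked emails:", find_linked_emails(SAMPLE_LOG, "arspam.com"))
```

On a shared machine the dump mixes several victims, so a pivot on a common password alone can join unrelated people; the Application (browser profile) field and the capture timestamps are the extra checks worth applying before trusting a link.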

BINGO!

We have the occurrence we are looking for, along with a new clue: the email address.

Attention: email and password have been redacted for privacy reasons.

By entering the email address on PayPal, we get this data; even the phone number prefix confirms it!

We are looking for an Egyptian.

Reverse Search by email

I then did a reverse search for the identified email, finding a whopping 22 accounts, all with the same name and username.

Bingo Again!

The END
