:: Phishing Admin Panel Hunting Thread ::
In this thread we will find ways to hunt and attribute phishing admin panels.
This is a continuation from my #phishing hunting thread released earlier this year. ()
Please retweet to knowledge share among others.
In this thread we will find ways to hunt and attribute phishing admin panels.
This is a continuation from my #phishing hunting thread released earlier this year. ()
Please retweet to knowledge share among others.
Firstly we need to understand what an admin panel is in relation to phishing sites. There are many phishing-as-a-service (PaaS) offerings for threat actors to buy allowing them to quickly and easily deploy kits online. They normally consists of a threat actor buying an API key.
In this thread I will show you how to fingerprint some of the major panels, if you feel I have missed any let me know as I would love to keep this thread current and up-to-date on new threats.
First kit is #YoungSister this panel uses Apple lures. To find the panel go to "panel.php?panel=admin" A sample from a panel is shown in the image.
#KuyShop the panel for this kit is located at "initpanel/index.php". Again this kit uses Apple themed lures.
A big player is #16Shop this uses Apple and more recently Amazon lures. There are also a number of cracked versions of this kit.
To check if a site is uses 16Shop navigate to "/admin" or "/server.ini"
To check if a site is uses 16Shop navigate to "/admin" or "/server.ini"
#AppleKit targets Apple. This kit also has the ability to unlock iPhones and other services. To check if a Apple phishing page is part of this kit navigate to "/admin/login"
I have a thread on AppleKit here ::
I have a thread on AppleKit here ::
Apple FMI-remover kit is a less prominent kit. Locate the login panel at "/painel"
#Hijalyh targets Apple. Admin panel located at "/HijaIyh_App/hijaiyh-panel.php"
#BadCode using Apple as the lure. Admin panel found under "/wtf/?path=signin"
#KucingHitam / #RSJKingdom panel can be found at "PanelKH.php" - Note the capital 'P'. The source code for this panel has been leaked as the same panel is seen with the #BekasiSpammerz
#BekasiSpammerz same code as the #KucingHitam panel. Admin panel can be found at "panel.php?account=on"
#XBALTI panel can be located at "mazon/admin". This kit targets Amazon.
That is all the panels I have been able to locate admin pages for. If you know if any more please include them in this thread for others to use and benefit from.
Also a big thanks to @dave_daves @ninoseki and @friedphishes for their contributions to the community.
Also a big thanks to @dave_daves @ninoseki and @friedphishes for their contributions to the community.
@dave_daves @ninoseki @friedphishes #iPanelPro - New panel to add. Targeting Apple credentials. Panel login can be found at "/admin/login.php"
Credit to @ANeilan for finding this panel.
Credit to @ANeilan for finding this panel.
Nice addition by @illegalFawn this is a
#adrenaline kit built by cazanova haxor admin login can be found under the /admin directory
#adrenaline kit built by cazanova haxor admin login can be found under the /admin directory
New admin panel found by @makflwana. Located under /login_admin. Seems to target NAB in the sample observed. No indication on a fingerprint for the admin panel though.
New panel #Clouds added.
Private key (password) panel location is here /admin/login.php
Default private key on panel is "CLOUDS"
Thanks to @ActorExpose for finding
Private key (password) panel location is here /admin/login.php
Default private key on panel is "CLOUDS"
Thanks to @ActorExpose for finding
New Panel #HiroRSJTeam
Can be accessed with the following PHP parameters: /panel.php?panel=HiroRSJTeam
If you access the panel without the parameters the alert pictured is displayed. Thanks to @sagar_ruta for alerting me to it.
Can be accessed with the following PHP parameters: /panel.php?panel=HiroRSJTeam
If you access the panel without the parameters the alert pictured is displayed. Thanks to @sagar_ruta for alerting me to it.
New Panel #ForeverYoung admin panel. Access to the panel is found under: "/panel/"
Seems to target Amazon creds as well and email and card details. Also fingerprinting can be done via the Facebook link to the threat actor author.
Thanks to @malwrhunterteam for alerting me.
Seems to target Amazon creds as well and email and card details. Also fingerprinting can be done via the Facebook link to the threat actor author.
Thanks to @malwrhunterteam for alerting me.
@malwrhunterteam New Panel Added.
#Phoenix panel. Used Apple as a lure on #Phishing pages.
The admin panel is located /admin/?attempt=1
Thanks to @ANeilan for the tag.
#Phoenix panel. Used Apple as a lure on #Phishing pages.
The admin panel is located /admin/?attempt=1
Thanks to @ANeilan for the tag.
New Panel to add. Using Amazon as a lure. Named 'Something Panel V1'
created by facebook.com/founder.agility
Thanks to @420spiritz for finding it!
created by facebook.com/founder.agility
Thanks to @420spiritz for finding it!
