, 22 tweets, 16 min read
My Authors
Read all threads
:: Phishing Admin Panel Hunting Thread ::

In this thread we will find ways to hunt and attribute phishing admin panels.

This is a continuation from my #phishing hunting thread released earlier this year. ()

Please retweet to knowledge share among others.
Firstly we need to understand what an admin panel is in relation to phishing sites. There are many phishing-as-a-service (PaaS) offerings for threat actors to buy allowing them to quickly and easily deploy kits online. They normally consists of a threat actor buying an API key.
In this thread I will show you how to fingerprint some of the major panels, if you feel I have missed any let me know as I would love to keep this thread current and up-to-date on new threats.
First kit is #YoungSister this panel uses Apple lures. To find the panel go to "panel.php?panel=admin" A sample from a panel is shown in the image.
#KuyShop the panel for this kit is located at "initpanel/index.php". Again this kit uses Apple themed lures.
A big player is #16Shop this uses Apple and more recently Amazon lures. There are also a number of cracked versions of this kit.
To check if a site is uses 16Shop navigate to "/admin" or "/server.ini"
#AppleKit targets Apple. This kit also has the ability to unlock iPhones and other services. To check if a Apple phishing page is part of this kit navigate to "/admin/login"
I have a thread on AppleKit here ::
Apple FMI-remover kit is a less prominent kit. Locate the login panel at "/painel"
#Hijalyh targets Apple. Admin panel located at "/HijaIyh_App/hijaiyh-panel.php"
#BadCode using Apple as the lure. Admin panel found under "/wtf/?path=signin"
#KucingHitam / #RSJKingdom panel can be found at "PanelKH.php" - Note the capital 'P'. The source code for this panel has been leaked as the same panel is seen with the #BekasiSpammerz
#BekasiSpammerz same code as the #KucingHitam panel. Admin panel can be found at "panel.php?account=on"
#XBALTI panel can be located at "mazon/admin". This kit targets Amazon.
That is all the panels I have been able to locate admin pages for. If you know if any more please include them in this thread for others to use and benefit from.
Also a big thanks to @dave_daves @ninoseki and @friedphishes for their contributions to the community.
@dave_daves @ninoseki @friedphishes #iPanelPro - New panel to add. Targeting Apple credentials. Panel login can be found at "/admin/login.php"

Credit to @ANeilan for finding this panel.
Nice addition by @illegalFawn this is a
#adrenaline kit built by cazanova haxor admin login can be found under the /admin directory
New admin panel found by @makflwana. Located under /login_admin. Seems to target NAB in the sample observed. No indication on a fingerprint for the admin panel though.
New panel #Clouds added.

Private key (password) panel location is here /admin/login.php

Default private key on panel is "CLOUDS"

Thanks to @ActorExpose for finding
New Panel #HiroRSJTeam

Can be accessed with the following PHP parameters: /panel.php?panel=HiroRSJTeam

If you access the panel without the parameters the alert pictured is displayed. Thanks to @sagar_ruta for alerting me to it.
New Panel #ForeverYoung admin panel. Access to the panel is found under: "/panel/"

Seems to target Amazon creds as well and email and card details. Also fingerprinting can be done via the Facebook link to the threat actor author.

Thanks to @malwrhunterteam for alerting me.
@malwrhunterteam New Panel Added.

#Phoenix panel. Used Apple as a lure on #Phishing pages.

The admin panel is located /admin/?attempt=1

Thanks to @ANeilan for the tag.
New Panel to add. Using Amazon as a lure. Named 'Something Panel V1'

created by facebook.com/founder.agility

Thanks to @420spiritz for finding it!
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Jake

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!