Introduction

As Yarix Cyber Threat Intelligence (YCTI) team, we regularly monitor, track and counter phishing websites that aim to steal user-sensitive data (e.g., login credentials, phone numbers, credit cards). One of the most challenging aspect of proactively countering and tracking phishing campaigns is hunting and analyzing exposed phishing kits. The analysis of these archives enables CTI analysts to understand the structure and behavior of the phishing, extract IOCs, identify potential vulnerabilities and leaks, uncover and map the threat actor behind the malicious activities to proactively detect (and prevent) future ones, and other cool stuffs.

During one of these research activities, we stumbled upon an interesting phishing kit linked to a cybercriminal group that, from now on, we will track as Win$ton. Win$ton is an unsophisticated, prolific and active Russian-speaking threat actor (TA) that primarily targets Middle-Eastern users by deploying multiple phishing websites that impersonate international fast-food chain brands. Less frequent, but still intercepted, phishing campaigns are carried out by cloning portals related to other companies such as international – including Italian – banks and financial services.

The aim of this blog post is to provide insights about Win$ton activities by illustrating its capabilities and victimology, describing its phishing kit and uncovering malicious infrastructures and campaigns by means of OSINT techniques.

Overview

As previously mentioned, Win$ton is an unsophisticated, Russian-speaking threat actor that operates by deploying phishing websites to fool users and collect sensitive information, particularly credit cards data.

Based on the investigations conducted, Win$ton is active since at least October 2022 and has carried out more than 300 different phishing campaigns. On the second half of January 2023 Win$ton rebranded itself as Laco$t. Below are reported two telegram profiles, linked with high confidence to one of the scam group leaders, before and after rebranding:

Win$ton primarily targets Middle-Eastern users by deploying phishing websites that impersonate international fast-food firms (e.g., Albaik, KFC). Other phishing campaigns are carried out against international banks, financial services, retails, logistic, entertainment and crypto wallet platforms. To increase the chances of tricking users by submitting data on phishing websites, we observed that the TA also deployed different campaigns leveraging Instagram, YouTube, Google and TikTok sponsored Ads. As a result, we identified many scammed users reporting Win$ton fake Ads on platforms such as reddit:

Moreover, by monitoring the group’s activities, we were able to identify more than 55 Telegram users involved in phishing campaigns. Among them, at least 5 are deemed to be the group’s leaders. We linked some of these users to accounts registered on popular Russian underground carding forums such as WWH-CLUB.

Given the number of identified members, it is unclear whether Win$ton is a closed group of scammers or it follows a Phishing as a Service (PaaS) business model.

Phishing Kit

The analyzed phishing kit has the following structure:

Except for some minor changes (e.g., index.php instead of winston.php, sendToTg.php instead of postTg.php, or static asset folders), the same structure was found in other phishing kits used by Win$ton. The slightly different naming of the aforementioned files could be related to a rebrand of Win$ton’s activities that we observed around the end of January 2023. Below is a “version 2” sample of the kit:

The winston.php (or index.php) file contains the HTML code of the phishing web page. The rendered content is almost identical to that of the legitimate targeted web pages, making it more difficult for an unaware user to identify the scam.

Digging into the winston.php source code, we immediately noticed a JavaScript AJAX POST request to sendToTg.php. This function collects the credit card details inserted from the victim and forwards them via a POST request to the sendToTg.php resource. If successful, the user is redirected to a bogus form to enter the one-time password, which will then be forwarded to the TA (the 2FA feature is not always present in the analyzed phishing kits).

The sendToTg,php file contains the logic responsible for sending the collected credentials back to the scammer group.

The sendToTg.php file loads some variables from config.php and calls a function named message_to_telegram() , where a message template containing the submitted credit cards data, victim IP and phishing domain is defined.

As suggested by the name itself, the function is responsible for sending the message containing the compromised data to a specific Telegram chat through telegram bot APIs. In fact, the config.php file contains the chat ID and telegram bot token required by the function.

While analyzing the phishing kits and campaigns, we also observed that Win$ton exposes general blog webpages on “inactive” domains (i.e., domains under its control that are not currently exposing phishing content.)

Infrastructure Pivoting

DISCLAIMER: The information provided below may not reflect the current infrastructure, as Win$ton periodically changes its hosting servers.

By analyzing one of the IP linked to a Win$ton phishing domain, 62[.]204[.]41[.]61, we detected some patterns useful for pivoting over the phishing infrastructure. More specifically, both SSL certificate and SMTP responses contain references to “winston.example.com”.

Leveraging “winston.example.com” pattern, it was possible to pivot and discover other IPs belonging to the malicious infrastructure:

Additional evidences resulted by searching for hosts and domains exposing the blog template’s HTML title described in the previous section:

The IP 62[.]204[.]41[.]242 exposed several services. In this case, the research was conducted after the Win$ton rebranding, and that explains why CN lacost.host replaces winston.example.com.

Furthermore, a search on urlscan for “winston.php” yielded interesting results:

By pivoting all these indicators as well as many others, it was possible to broaden the results even more.

According to the investigation carried out, we identified at least 650 unique domains used to deploy phishing websites. The domains identified were either compromised, new, or expired and recently purchased.

Victimology

In order to understand the victimology and targets of Win$ton, we classified over 110 unique phishing kits and tracked over 300 different phishing campaigns.

Based on the phishing kits classification, we identified at least 46 different targeted brands belonging to the following industries:

Each phishing kit is built for a specific audience and country. Therefore, the phishing kit is shaped according to the targeted brand; the language of the phishing content; and additional elements such as the title of the phishing webpage (e.g., KFC United Arab Emirates). Based on these indicators, we mapped the target countries for each phishing kit. Phishing kits targeting United Arab Emirates (32%) prevail, followed by Saudi Arabia (6%); Taiwan (6%); USA (6%); and Italy (6%):

Categorizing a phishing kit provides a “passive” point of view of the scam group targeted brands, sectors, and countries. In addition, we attempted to answer the following questions: “What phishing kits are actively used? What are the most prolific?” by monitoring and tracking the different active phishing campaigns and mapping them to the targeted brand sector. As showed by the chart below, food brands are the most targeted.

Based on our telemetry, we were able to intercept more than 14.600 unique compromised credit cards as well as to identify more than 15.000 customers victim of Win$ton phishing campaigns. As the following plot suggests, the victims are mainly located in the following countries: United Arab Emirates (75%); Saudi Arabia (5%); Qatar (5%); Kuwait (2%); and USA (1%).

The high number of victims located in Middle-Eastern countries is due to the Win$ton’s numerous customized Arabic phishing campaigns targeting fast-food brands, particularly Albaik and KFC.

Diamond Model

Given the prolific ongoing campaign conducted by Win$ton against Middle-Eastern users, we mapped the collected evidences related to this specific campaign on a Diamond Model. To the best of our knowledge, no information has been made public about this threat actor and the related campaign. We hope to contribute and assist other CTI teams in any investigation by sharing this intelligence.

Indicators of Compromise

Recently active phishing domains:

• albaik[.]drunkgnomes[.]com
• seangroathouse[.]com
• knowtheledgemedia[.]com
• modernmtman[.]com
• neelroadbaptistchurch[.]com
• meyaway[.]com
• drmelsmusings[.]com
• gymbotest[.]com
• goldensand[.]org
• uae-kfc[.]vigilantalliance[.]com
• emiratesdraw-uae[.]staypift[.]com
• aaryatables[.]com
• guildclone[.]com
• stylessierra[.]com
• drdermashop[.]com
• zeemanvacatures[.]com
• rmr-rfq[.]com
• toplinees[.]com
• maxframesss[.]com
• listcaves[.]com
• pricesonz[.]com
• allpcsz[.]com
• topnethsz[.]com
• promo.tajtechau[.]com
• dkanedev[.]com
• albaik-uae[.]nysxfund[.]com
• albaik-promo[.]healthyingo[.]com
• albaik-promo[.]drupality[.]com
• albaik-promo[.]novazgrada[.]com

Phishing hosting servers observed over time:

• 62[.]204[.]41[.]242
• 62[.]204[.]41[.]145
• 62[.]204[.]41[.]61
• 185[.]137[.]235[.]119
• 185[.]161[.]248[.]250
• 194[.]26[.]135[.]188
• 31[.]41[.]244[.]47
• 62[.]197[.]49[.]94

If interested, we are available to provide additional information about the reported threat. Please, reach out to us through this contact form.

Author

Giovanni Barbieri is a member of the Yarix Cyber Threat Intelligence Team. He has a master degree in computer engineering and, in addition to research and threat intelligence activities, he enjoys making some noise with his electric guitar and travelling.