Tax Season Phishing
Recently, we came across a phishing document impersonating Form 1040. This is an IRS tax form filed by residents in the United States during the tax season. Attackers usually take advantage of the tax season and distribute their malicious files while masquerading as legitimate forms and documents.
In our case, the PDF document was called “2018 1040 Tax Forms5.pdf” and was uploaded to Google Drive. In addition to its misleading name, victims may be less suspicious of this document since it is available from a legitimate Google service.
Surprisingly, the document contains three links:
- hxxp://tny[.]sh/dNoT2Qe
- hxxp://go2l[.]ink/1tL7
- hxxps://ondrivefile[.]org/review
The first two links are no longer active and might have been left there from previous versions of this document. Clicking on the “View Files On OneDrive” button leads to the third link, which is still active, and impersonates a OneDrive login page:
Accessing the homepage of ondrivefile[.]org shows that this website has directory listing enabled,
This allows us to see the available directories and files in this website, including an archive called “newoffice.zip” which is the phishing kit being used. Looking at the source code of the phishing kit, we found out that it was supposedly created by someone who uses the avatar “RuleByGunz”:
Looking up this avatar online did not yield any interesting results, nor did it lead us to a real individual. One of the PHP scripts in the phishing kit archive shows that after the credentials are stolen, they are sent to the attacker via e-mail:
The attacker’s e-mail in this case is peterquest@protonmail[.]com:
Attackers using this phishing kit are instructed by its authors to add their e-mail address to the code in order to receive the stolen credentials. The authors include a “user’s guide” or a “manual” in the phishing kit to instruct the attackers on how to use it”
Interestingly enough, this was the only place where the phishing kit authors used a different avatar than “RuleByGunz” and referred to themselves as “Mircboot”. Looking up this avatar led us to accounts in multiple hacking forums:
In addition, we found websites where Mircboot was promoting their services and offering things such as spamming tools, stealers and more:
We managed to find multiple websites associated with Mircboot, and which have been involved in phishing attacks in the past.
Attacker’s Malicious Artifacts:
ondrivefile[.]org
ondrivefile[.]com
ondrivefile[.]co
ondrivefile[.]net
1nedrivelive[.]live
peterquest@protonmail[.]com
Phishing Kit Authors’ Malicious Artifacts:
ephonepremium[.]com
h4ckingsh3lls[.]com
fud007[.]com
c99shells[.]com
keyfinhome[.]com
toolstuff[.]me
mircboot@gmail[.]com
linuxforce3@gmail[.]com