Phishing — fickgirl69 [+18]

Euler Neto
Oct 1, 2020

Today I saw a message that was posted on a content-sharing platform by a bot, which sent it directly to the users registered on that platform. The message is:

Afrаid to bе blоcкеd. Dоn’t wanna сhat hеrе. сliск the link аnd writе tо mе there. — hxxp://fickgirl69[.]club-75
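The lure deserves a closer look: several of its letters are Cyrillic characters that render like Latin ones (the а in "Afrаid", the с and к in "сliск"), a common way to slip past keyword filters. The following Python script is an added example, not part of the original post: it flags words that mix scripts and maps the known look-alikes back to Latin so a filter sees the text the victim reads. The lure is re-typed from the quote above with explicit escapes, and the confusables table is a small hand-built subset, not a full Unicode confusables list.

```python
import re
import unicodedata

# The lure quoted above, re-typed with explicit escapes for its Cyrillic
# letters (constructed from the quoted text, not a live capture).
LURE = ("Afr\u0430id to b\u0435 bl\u043ec\u043a\u0435d. D\u043en't wanna \u0441hat h\u0435r\u0435. "
        "\u0441li\u0441\u043a the link \u0430nd writ\u0435 t\u043e m\u0435 there.")

# Cyrillic letters that look identical (or nearly so) to Latin ones.
# Hand-built subset; the complete list is Unicode's confusables.txt.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u043a": "k", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_of(ch):
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in(word):
    """Set of scripts used by the alphabetic characters of one word."""
    return {script_of(ch) for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Return (word, scripts) for every word that mixes more than one script.

    Genuine text almost never mixes scripts inside a single word, so any hit
    is a strong signal of homoglyph substitution.
    """
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = scripts_in(word)
        if len(scripts) > 1:
            hits.append((word, sorted(scripts)))
    return hits


def skeleton(text):
    """Map known Cyrillic look-alikes back to Latin, giving the string a
    keyword filter would have matched had no letters been substituted."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


if __name__ == "__main__":
    for word, scripts in mixed_script_words(LURE):
        print(f"{word!r}: {'+'.join(scripts)}")
    print("normalized:", skeleton(LURE))
```

Running it lists eleven mixed-script words in the lure and prints the normalized sentence; in a mail or chat filter the normalized form is what should be fed to keyword and URL rules, while the mixed-script count itself is a useful scoring feature.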

This URL points to a page with a JavaScript call that redirects to another one, hxxps://kisses-room2[.]com/?u=f7qkd08&o=mtrplz0&t=me, a page with sexual content and French text presenting it as a dating website, as shown below.

The button with the text “Ok!” has the class attribute “btn-block action-btn”, and the behaviour of this action is implemented in JavaScript code inside the HTML, which we can see below:

<script>
(function ($) {
  $(document).ready(function () {
    var $aBtn = $('.action-btn');
    $aBtn.on('click', function (e) {
      e.preventDefault();
      // hide the current step (.box) and reveal the next sibling step
      $(this)
        .closest('.box')
        .addClass('hidden')
        .next()
        .removeClass('hidden')
        .addClass('animated fadeIn');
    });
  });
})(jQuery);
</script>

The page has several <div> tags with the class “box hidden”, and according to this code, each time the button is clicked the next <div> is revealed. After the first click, the single button becomes two buttons, NON and OUI (NO and YES), and three questions are shown; at the third question the buttons become SAUTER and SUIVANT (SKIP and NEXT). After that, a message is displayed with a CONTINUER (CONTINUE) button; if the user clicks it, they are redirected to hxxps://fickgirl69[.]club/web.

The last URL redirects to hxxps://localhookup33[.]com/l/25/timerv2/1-w2m/global/?c=86f4da5a-5bef-4f51-b14e-40e154b8dcc5&a=webl69810&s=23&s1=web&s2=&s3=DK&s5=7bAgE48eg2HolN38dxiXpluHcmlJ72u3ADsTG7tTpbHLbsheCboC3Zo415bu3lShrjx-2z1n8A5d3_4i_5qcIT4-kPYbG0s_SIFkXc8x8O3ugGUVzyfsUqYzepS-Rmz9ylzex6pE_phXMbNaE5ZpsFeTg9OQv5ZK_6kB2oXv02KpLn7Mdbb0t5K-2RoMaomnuXKtICp3k46c9OiCa17SBba_dBsj0lA-cVwFP18XxX01&d=0, which already shows sexual content, as we can see in the image below.

At the top of the page there is a Danish flag. This flag is generated via JavaScript from the victim’s location.

Like the page analyzed before, this one has several steps; in each one the user needs to provide some information and click “Next”. The third step asks for a password and the fifth asks for the victim’s e-mail.

After the e-mail is provided in the last step, an HTTP POST request is made via Ajax, sending all the information provided to ‘/reg.aspx’. During the analysis, nothing happened when the information was submitted. The code with the Ajax request is the following:

function runAfterSent(data) {
  // the server answers either "sent"/"msg" (show the success screen)
  // or a URL, to which the victim is then redirected
  if (data == "sent" || data == "msg") {
    $('#success-mail').text($('.email_p .input').val());
    $('#Fr1>p,#as_back,#as_next,#as_agree,#free_step_01,#free_step_03,#free_step_05,.bullets,.item1').hide();
    $('#success-message').show();
  } else {
    setTimeout(function () {
      document.location.href = data; // url from server
    }, 200);
  }
}

function handleSending() {
  // 'c' and 'a' are carried over from the landing URL's query string (?c=...&a=...)
  var c = getParameterByName('c') ? getParameterByName('c') : '';
  var aid = getParameterByName('a') ? getParameterByName('a') : '';
  var formData = {
    'a'   : $('.birthday.day').val(),    // birth day entered in an earlier step
    'e'   : $('.email_p .input').val(),  // victim's e-mail
    'z'   : 0,
    'p'   : $('.pwd_p .input').val(),    // victim's password, sent as-is in the POST body
    'c'   : c,
    'aid' : aid,
    'l'   : 0
  };
  //console.log("formData", formData);
  nextBtn.addClass('disabled');
  // nextBtn, urlReg ('/reg.aspx') and getParameterByName are defined elsewhere in the page's script
  $.ajax({
    type: 'POST',
    url: urlReg,
    data: formData
  }).success(function (data) {
    runAfterSent(data);
  }).error(function (jqXHR, status, error) {
    nextBtn.removeClass('disabled');
    console.log(jqXHR.responseText);
  });
}

Since nothing happened when the information was submitted, the URL was visited directly in the browser; it returns an HTTP 500, probably because it only expects a POST request and does not handle a GET. From this response it was possible to identify that the server is a Windows Server running ASP.NET behind an Nginx web server, as we can see below.

Server Error when try to access the URL directly in the browser
Technologies detected by URLscan

Two cookies were set when the page was visited; their names and values are:

Name: fpd ; Value: (Base64 string omitted here; its decoded content is shown below)

Name: fph ; Value: IjI3MTBhMTJlZTA2Yjg1YjE2YzI0MDIwODM2NzBkZjAwIg==

Both cookie values are Base64-encoded; decoding them gives:

Name: fpd ; Value: [{"key":"userAgent","value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"},{"key":"webdriver","value":true},{"key":"language","value":"en-US"},{"key":"colorDepth","value":24},{"key":"deviceMemory","value":8},{"key":"hardwareConcurrency","value":16},{"key":"screenResolution","value":[1600,1200]},{"key":"availableScreenResolution","value":[1600,1200]},{"key":"timezoneOffset","value":-120},{"key":"timezone","value":"Europe/Berlin"},{"key":"sessionStorage","value":true},{"key":"localStorage","value":true},{"key":"indexedDb","value":true},{"key":"addBehavior","value":false},{"key":"openDatabase","value":true},{"key":"cpuClass","value":"not available"},{"key":"platform","value":"Linux x86_64"},{"key":"webglVendorAndRenderer"},{"key":"adBlock","value":false},{"key":"hasLiedLanguages","value":false},{"key":"hasLiedResolution","value":false},{"key":"hasLiedOs","value":true},{"key":"hasLiedBrowser","value":false},{"key":"touchSupport","value":[0,false,false]},{"key":"audio","value":"124.04347721464"}]

Name: fph ; Value: "2710a12ee06b85b16c2402083670df00"

The page loads a JavaScript file called fprint2.js, which collects these values, pairs each one with its key and stores the result in the cookies. We can see that the last keys are related to validation, to make sure that the stored values are authentic.
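The two cookies together are a browser-fingerprinting record: fpd holds the raw components (the key names match the component list of the open-source FingerprintJS2 library, which fits the file name fprint2.js) and fph a 32-hex-digit digest over them. The Python below is an added example, not from the original post, showing how an analyst can decode such cookies and classify what they contain. It uses the fph value exactly as quoted above; since the write-up shows only the decoded fpd payload, a subset of those entries is re-encoded inline as a stand-in for the live cookie (constructed).

```python
import base64
import json
import re

# fph value exactly as quoted in the write-up (rejoined from the two wrapped fragments).
FPH_COOKIE = "IjI3MTBhMTJlZTA2Yjg1YjE2YzI0MDIwODM2NzBkZjAwIg=="

# The write-up shows only the *decoded* fpd payload. This is a subset of those
# entries, re-encoded here so the example runs offline (constructed, not the live cookie).
FPD_DECODED_SUBSET = [
    {"key": "userAgent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) "
                                  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"},
    {"key": "webdriver", "value": True},
    {"key": "language", "value": "en-US"},
    {"key": "screenResolution", "value": [1600, 1200]},
    {"key": "timezone", "value": "Europe/Berlin"},
    {"key": "platform", "value": "Linux x86_64"},
    {"key": "hasLiedOs", "value": True},
    {"key": "hasLiedBrowser", "value": False},
    {"key": "audio", "value": "124.04347721464"},
]
FPD_COOKIE = base64.b64encode(
    json.dumps(FPD_DECODED_SUBSET, separators=(",", ":")).encode()
).decode()

# Component names typical of browser-fingerprinting payloads (taken from the decoded fpd above).
FINGERPRINT_KEYS = {
    "userAgent", "webdriver", "language", "colorDepth", "deviceMemory",
    "hardwareConcurrency", "screenResolution", "availableScreenResolution",
    "timezoneOffset", "timezone", "platform", "webglVendorAndRenderer",
    "adBlock", "hasLiedLanguages", "hasLiedResolution", "hasLiedOs",
    "hasLiedBrowser", "touchSupport", "audio",
}
# Components that record automation or inconsistencies about the visitor.
VISITOR_FLAGS = ("webdriver", "hasLiedOs", "hasLiedBrowser", "hasLiedLanguages", "hasLiedResolution")


def decode_cookie(value):
    """Base64-decode (repairing missing '=' padding) and JSON-parse when possible."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    try:
        return json.loads(raw)
    except ValueError:
        return raw.decode("utf-8", "replace")


def classify_cookie(name, value):
    """Say what an opaque cookie holds: a fingerprint component list,
    a 128-bit hex digest (the shape of the fph value), or something else."""
    decoded = decode_cookie(value)
    if isinstance(decoded, list) and all(isinstance(e, dict) and "key" in e for e in decoded):
        keys = {e["key"] for e in decoded}
        return {
            "cookie": name,
            "kind": "fingerprint-components",
            "known_keys": sorted(keys & FINGERPRINT_KEYS),
            "automation_flags": sorted(
                e["key"] for e in decoded
                if e["key"] in VISITOR_FLAGS and e.get("value") is True
            ),
        }
    if isinstance(decoded, str) and re.fullmatch(r"[0-9a-f]{32}", decoded):
        return {"cookie": name, "kind": "128-bit-hex-digest", "digest": decoded}
    return {"cookie": name, "kind": "unknown", "decoded": decoded}


if __name__ == "__main__":
    for cookie_name, cookie_value in (("fpd", FPD_COOKIE), ("fph", FPH_COOKIE)):
        print(json.dumps(classify_cookie(cookie_name, cookie_value), indent=2))
```

Note what the decoded payload says about the analysis itself: webdriver is true and the Macintosh user agent disagrees with the reported Linux x86_64 platform (hence hasLiedOs true), so the fingerprint identifies the visit as coming from an automated browser. Operators who collect such data can serve benign content to sandboxes and scanners, which is one reason why fingerprinting scripts on a lure page matter beyond tracking.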

Looking up the IP in AlienVault OTX, we can see that many hostnames are related to this IP; the first was registered on 2020-07-17 and the last on 2020-09-17. The hostname related to this analysis was first seen on 2020-09-11.

Passive DNS registered for this IP in OTX Alienvault

One more detail is that the three domains use certificates issued by Let’s Encrypt: fickgirl69 and kisses-room2 are valid from 2020-09-11 to 2020-12-10, whereas localhookup33 is valid from 2020-08-12 to 2020-11-10. In the WHOIS records, the fickgirl69 domain was created on 2020-09-21, kisses-room2 on 2020-07-01 and localhookup33 on 2019-08-19.

To conclude, this malicious URL does not seem to deliver any executable to the victim’s computer, but it sends a lot of information (including a password) to the attacker, who can use it to profile the users for future phishing or to help crack the victim’s real password (if it differs from the one the victim entered).

IOCs

URLs: hxxps://kisses-room2[.]com, hxxps://fickgirl69[.]club, hxxps://localhookup33[.]com

IPs: 176.31.31.36, 5.101.45.13, 5.8.34.130
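The indicators above are written defanged (hxxp, [.]), which is the right form for sharing but means they must be normalized before they can be matched against logs. The Python below is an added example, not from the original post: it parses the IOC list as written, refangs it, and runs it over a few constructed proxy log lines, also flagging a POST to the /reg.aspx endpoint described earlier. The log lines and their field layout are constructed for the example.

```python
import re

# Defanged indicators, as listed in the write-up.
IOC_TEXT = """
URLs: hxxps://kisses-room2[.]com, hxxps://fickgirl69[.]club, hxxps://localhookup33[.]com
IPs: 176.31.31.36, 5.101.45.13, 5.8.34.130
"""

# Constructed proxy log lines (not from the write-up) to exercise the matcher.
SAMPLE_LOG = """\
2020-10-01T10:02:11Z client=10.0.0.7 method=GET host=example.org path=/ status=200
2020-10-01T10:03:45Z client=10.0.0.7 method=GET host=fickgirl69.club path=/web status=302
2020-10-01T10:03:46Z client=10.0.0.7 method=GET host=localhookup33.com path=/l/25/timerv2/1-w2m/global/ status=200
2020-10-01T10:05:02Z client=10.0.0.7 method=POST host=localhookup33.com path=/reg.aspx status=500
2020-10-01T10:06:30Z client=10.0.0.9 method=GET host=cdn.example.net path=/lib.js status=200
"""


def refang(ioc):
    """Undo the usual defanging so the indicator can be compared with log data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def defang(ioc):
    """Make an indicator non-clickable before sharing it."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


def parse_iocs(text):
    """Extract defanged URLs and IPv4 addresses; return hostnames and IPs refanged."""
    urls = re.findall(r"hxxps?://[^\s,]+", text)
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
    domains = set()
    for url in urls:
        host = re.sub(r"^https?://", "", refang(url)).split("/")[0]
        domains.add(host.lower())
    return {"domains": sorted(domains), "ips": sorted(set(ips))}


def match_log(log_text, iocs, exfil_paths=("/reg.aspx",)):
    """Return log lines whose host is an IOC domain (or a subdomain of one),
    or which POST to one of the exfiltration paths seen in the write-up.
    The path rule alone is a weak indicator; it is here to catch the same
    kit served from a domain not yet on the list."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # skip the timestamp
        host = fields.get("host", "").lower()
        on_ioc_domain = any(host == d or host.endswith("." + d) for d in iocs["domains"])
        posts_to_exfil = fields.get("method") == "POST" and fields.get("path") in exfil_paths
        if on_ioc_domain or posts_to_exfil:
            hits.append(line)
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    for hit in match_log(SAMPLE_LOG, parsed):
        print("HIT", hit)
    print("share as:", [defang(d) for d in parsed["domains"]])
```

Matching on the registered domain with a subdomain check, rather than on the full URL, is deliberate: the landing URLs carry per-visitor tracking parameters (the long s5 value above), so exact-URL indicators would never match a second victim.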
