Backdoored Phishing Kits are still popular

CyberCrime & Doing Time 2020-11-19

What did you do for the holidays?  If you're a cybercrime geek you probably took advantage of some of the extra time on your hands to investigate some new phishing sites, right?
Jone Fredrick is the type of Facebook user who is quite open about his criminal activity. He boasts about his phishing skills by having a Facebook profile picture of someone taking a selfie showing their government issued ID and their credit card! He claims to live in Blida, Algeria, and probably does. Over the holidays Jone updated his YouTube channel, "mr azert", with a new Chase Bank phishing kit. (Phishers don't call this phishing. They call it "bank scams" or "scam pages.") In the past two weeks, Jone, who uses the alias "Mr Azert", has uploaded several videos about his new scam pages to his YouTube channel. Chase, Spotify, Dropbox, Alibaba, and PayPal all have new scam pages courtesy of Mr Azert. How generous that he just gives them away for free!
After listening to so much bad gangster/scammer rap music, it was nice to hear some Algerian rap while I did my investigation. Mr Azert confirms this is him by replying to "Tutor Arena421" giving him his email address (foley.victoria998@gmail.com) and Facebook address (jone.fredrick.79).
Of course, we report the offending content to YouTube. If you ever encounter the same, please use the "Report" function. The correct flow is to click the "Three Dots" ... then "Report". Then choose "Spam or misleading" and then the subcategory "Scams / fraud".
In this case, the reason Mr Azert is giving away these phishing kits is that he has backdoored all of the kits.  We'll look at the Chase one first.   There are five separate PHP files that send the various stolen information back to the person using the kit.  
When we look at the actual "Send" command, we notice that the email command says "for each $send" ... but the instructions for the kit have told the kit downloader that they should include their own email address in a certain place, which is "import"ed into this code.  What other address is being used here?
If we scroll up a bit, we see that $send is receiving a variable called "token" from the form post that called this PHP code, and then converting it into ASCII with "hex2bin".
The calling code in this case is "myaccount.php" which seems to do some "input validation" but in reality, is also loading the "token" value:
That hex string at the bottom starting with "6665" is decoded in the "hex2bin" call into a pair of email addresses:  
  fenction@gmail.com  and fenction@yahoo.com
So, anyone who downloads Mr Azert's kit is going to either create or hack a website, upload and unpack the kit, spam out links to that URL, and then have all of their stolen data go back to Mr Azert in Algeria, who is likely to be better at cashing out the information than someone too lame to make their own phishing kit.
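For analysts triaging a recovered kit, the hex2bin trick described above can be checked for automatically. The following is an added example, not code from the kit or from the original post: it decodes every quoted hex string in a kit's files and reports any email address that is not the one the kit's user configured. The file names, file contents, and example.* addresses are constructed sample data, and `hidden_recipients` is a hypothetical helper name.

```python
import re

# Quoted runs of 16+ hex digits, as seen in hidden form fields or PHP strings.
HEX_RUN = re.compile(r"""["']([0-9a-fA-F]{16,})["']""")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_hex_literals(source):
    """Yield (literal, text) for quoted hex runs that decode to printable ASCII."""
    for match in HEX_RUN.finditer(source):
        literal = match.group(1)
        if len(literal) % 2:
            continue  # hex2bin needs an even number of digits
        try:
            text = bytes.fromhex(literal).decode("ascii")
        except UnicodeDecodeError:
            continue  # binary data (colours, hashes), not hidden text
        if text.isprintable():
            yield literal, text


def hidden_recipients(kit_files, declared):
    """Map file name -> hex-encoded addresses that are not in `declared`."""
    declared = {addr.lower() for addr in declared}
    findings = {}
    for name, source in kit_files.items():
        found = set()
        for _, text in decode_hex_literals(source):
            found.update(addr.lower() for addr in EMAIL.findall(text))
        extra = sorted(found - declared)
        if extra:
            findings[name] = extra
    return findings


# Constructed sample kit: one file hides two addresses in a hex "token".
HIDDEN = "drop1@example.com,drop2@example.net".encode().hex()
SAMPLE_KIT = {
    "myaccount.php": '<input type="hidden" name="token" value="%s">' % HIDDEN,
    "email.php": '<?php $send = "buyer@example.org"; ?>',
    "style.php": '<?php $color = "deadbeefdeadbeef"; ?>',
}

if __name__ == "__main__":
    for name, addrs in hidden_recipients(SAMPLE_KIT, ["buyer@example.org"]).items():
        print(name, "->", ", ".join(addrs))
```

Any address it reports is a second recipient of the stolen credentials, which gives investigators an additional mailbox to report to the provider.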
We're of course reporting all of this to YouTube, Gmail, Yahoo, and Facebook ... 
So how did you spend YOUR holiday?  
Happy New Year everyone!