Guest Post: Threat Actor Profile/Phish Kit Analysis By Fortra
SpartanWarriorz
Threat Background & History
Fortra is tracking activity from a scam kit authoring group known as SpartanWarriorz. These authors have been selling kits targeting over 300 global brands as far back as September 2022. They have targeted industries including financial institutions in North America and Europe, retail, delivery services, and social media platforms. Using the messaging service Telegram, they have been observed giving away a plethora of free phishing kits to increase their reputation within the phishing community.
Operations experienced some service disruption recently when the SpartanWarriorz Telegram channel was shut down on November 21st. The group created a new channel on the same day and has attempted to inform their past subscribers.
Profile picture for SpartanWarriorz on Telegram.
Service Breakdown
SpartanWarriorz has primarily used Telegram to advertise its phishing kits. The group's Telegram channel currently has over 5,300 subscribers and is managed by two moderators. Across the platform, the group has offered services including:
Phishing Kits and Pages
Access to Compromised Websites
Published Phishing Lures
Email Spamming Services
Example phishing kit advertised by SpartanWarriorz on Telegram.
Customary advertising file within a SpartanWarriorz phish kit.
SpartanWarriorz has advertised over 300 kits on Telegram that are available for sale or have been given away. In addition to the kits offered, SpartanWarriorz advertises mailer tools that allow threat actors to send out phishing campaigns using pre-authored lure emails available from the seller. The group also offers access to web server shells through their Telegram platform. These shells have been installed on compromised servers and can be used to carry out phishing attacks.
A Telegram post advertising a plethora of SpartanWarriorz phish kits.
SpartanWarriorz kits allow users to input a Telegram API token and chat ID, which the kit uses to exfiltrate stolen credentials, including OTP codes. Additionally, kits include extensive antibot lists that block specific IP addresses and ranges, user agents, and known web crawlers from accessing the phishing pages within the kit. The antibot code sends all blocked visitors to Google.com or a fake 404 error page. Other configuration settings frequently seen include options to require victims to sign in twice or complete a CAPTCHA.
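For responders who recover a kit archive from a compromised server, the traits described above can be triaged automatically. The following is an added example, not code from Fortra or from any kit: the regular expressions, the `triage_kit` helper, and the sample file contents are assumptions constructed for illustration.

```python
import re

# Heuristic patterns: assumptions of this example, not indicators from the Fortra post.
BOT_TOKEN = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_ID = re.compile(r"chat_?id['\"\]\s]*(?:=>|=|:)\s*['\"]?(-?\d{5,})", re.I)
TG_API = re.compile(r"api\.telegram\.org/bot", re.I)
ANTIBOT = {
    "crawler_ua_list": re.compile(r"googlebot|bingbot|crawler|spider", re.I),
    "redirect_google": re.compile(
        r"header\(\s*['\"]Location:\s*https?://(?:www\.)?google\.com", re.I),
    "fake_404": re.compile(r"404 Not Found", re.I),
}

# Constructed sample input: inert fragments with a placeholder token and chat ID.
SAMPLE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_KIT = {
    "config.php": '<?php $token = "%s"; $chat_id = "-1001234567890"; ?>' % SAMPLE_TOKEN,
    "antibot.php": '<?php if (preg_match("/googlebot|bingbot/i", $ua)) '
                   '{ header("Location: https://www.google.com"); exit; } ?>',
    "index.html": "<html><body>Sign in</body></html>",
}


def triage_kit(files):
    """Scan {path: text} from a recovered kit and summarise exfil and evasion traits."""
    report = {"bot_tokens": set(), "chat_ids": set(),
              "telegram_exfil": [], "antibot": []}
    for path, text in sorted(files.items()):
        tokens = BOT_TOKEN.findall(text)
        report["bot_tokens"].update(tokens)
        report["chat_ids"].update(CHAT_ID.findall(text))
        # A file is an exfil candidate if it embeds a token or calls the Bot API.
        if tokens or TG_API.search(text):
            report["telegram_exfil"].append(path)
        # Record which evasion traits (crawler lists, redirects, fake 404) appear.
        evasions = [name for name, rx in ANTIBOT.items() if rx.search(text)]
        if evasions:
            report["antibot"].append((path, evasions))
    return report


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(key, value)
```

Extracted bot tokens and chat IDs are the values an analyst would include in an abuse report to Telegram and use to cluster kits configured by the same operator.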
This entry was posted on December 13, 2024 at 9:14 am and is filed under Commentary with tags Fortra.