Using phishing tools against the phishers— and uncovering a massive Binance phishing campaign – by Harry Denley

Jeremiah O’Connor (security researcher at Cisco) forwarded me a domain that has been phishing for Binance logins —

This domain has a different phishing kit to previous ones we’ve seen, as it changes the user sign-in journey to collect personal information to eventually use in social engineering methods — this server does not communicate with the Binance domain.

The usual login screen.

The user is then directed to a screen to collect personal information.

They are then asked for the 2FA code.

The user is then shown a loading GIF to give the “illusion” of something working. After some time, they are redirected back to the previous 2FA view.


I decided to check the root domain, com12754825, and to my surprise, it was open.

DirectoryIndex for


Most of these are email scripts — with default text and tools to send out mass PayPal phishing emails.

A sample of what’s exposed (filename: xmailer.php). The inputs of the Sender Name and Sender Email are customized to make the email look like it’s from PayPal.


All these tools communicate with/reference a third-party domain — provip[dot]cc.

The homepage for provip[dot]cc — the third-party domain that these tools reference/use. The Bitcoin address is 19L4d7EuQ6ug4rM3mBXqqbnNCJQarAFCLL.


What is most interesting is the script called unzipper.php that lets anyone zip any directory on the server, then unzip it in the web directory — I abused this…

A screenshot of unzipper.php file showing functionality.

So, what did I find?

After zipping /home/ and unzipping into the web directory, I found the user’s name is “strooutz.” Navigating through the exposed /home/ directory, we can see the user has some phishing kits targeting Binance and Gmail.

The exposed home directory for /home/strooutz/


After inspection, we found out most of them use PHP as a backend. So let’s expose /tmp to see how many users have been potentially affected by exposing the session files (for $_SESSIONdata that the kits use — we are assuming garbage-collection hasn’t run in a while).

The exposed /tmp/ directory — 26 sessions.


But one of the most important things we found out is the fact that there are the three other kits run by the same person/group. We discovered this when we exposed the /home directory earlier:


Let’s view the /home/ directory code

So, I downloaded the generated zip for /home/ and inspected the kits.

There are 2 files.

  • hacces.php
  • 136244725/index.html

The haccess.php file contents — notice it allows arbitrary commands via ?ev=xxx query string with the use of eval()

The 136244725/index.html contents.

This is an entire application (it still has the samehaccess.php script).

The DirectoryIndex of


Let’s hunt for some secrets! The files are too large to share here, but DM me on Twitter if you are a researcher and need a copy of the kits.

This is the script (step1.php) that sends the bad actor some info — their email is in ./includes/config.php — [email protected]


Interestingly enough, this phishing script ties in with the Binance phishing kit. After the bad actor has phished the Gmail account, it redirects back to the Binance phishing kit.

This script (step2.php) sends the bad actor the Gmail details, then redirects the user back to the Binance phishing kit.

This email is in ./includes/config.php file.


Within includes/ directory, the .htaccess file has a lot of rules — many of them deny from rules (too large to show here).

A snippet of includes/.htaccess (31 out of 10,428 lines)


They also have a script called BOTS/antibots5.php that will show the default 404 Not Found message when viewed from a select group of IPs or if your user agent contains specific words — including phishtank

A snippet from BOTS/antibots5.php.

Let’s see the other domain —

So this is on the same server — but it’s what the other domain redirects users to — and as we have learned from the code above, we can execute arbitrary code by passing a base64 encoded PHP script into the ev query params. I navigated to and exploited the ev query params.

I created a PHP file to execute phpinfo() to see what we are playing with…

A snippet of the created phpinfo() page on domain.

Now that we know what version of PHP are we using and where we are on the server, let’s zip everything up in the home directory (specifically /home/strooutz ) — we can’t do this with PHP easily, so let’s execute exec("zip -r /home/strooutz/")

Here’s a snippet of the output — amazing. Now let’s inspect the phishing kit code for more secrets!

Holy fuck. There’s a phishing kit for everything… There’s about 25 kits here ranging from Binance to Yahoo.

A snippet of /home/strooutz/ — you can see Binance is the main kit.

I’m not going to go through all of them, but since I have the entire /home/strooutz/ directory, let’s see if we can find anything useful.

The contents of /home/strooutz/.contactemail

The contents of /home/strooutz/.lastlogin

Examining a kit that attempts to phish 2FA for Binance, we can see what the attacker gets from a successful phish.

The source for

After that, they are directed to the 2FA phishing view and an email is sent in the backend.

The source for

All the bad actor cares about is:

  • Your full name
  • Your phone number
  • Your email
  • The 2FA code
  • Your IP (incl. geo location from your IP)
  • The browser you use

All that’s needed then is for the bad actor to try their hand at socially engineering the support team to lift your 2FA (i.e., “I broke my phone and I can’t log in because of 2FA — here’s my details”) and then log into your exchange account (if successful).

The email associated with all the kits has some relevancy (identical name) to a “carding” individual.

SENNOUR4X might be linked to a carder.

With each kit, an admin email is put in xxxx/includes/config.php — on this server, there are 2 admin emails variations, which lead to some more Binance phishing domains that we discovered with a reverse WHOIS lookup.

[email protected] (yahoo[dot]com763271231[dot]gq)
[email protected] (inbox-binance[dot]com12786312634[dot]space)
[email protected] (hotmail[dot]com12754825[dot]ml)
[email protected] (gmail[dot]com12754825[dot]ml)
[email protected] (gmail[dot]com1865236[dot]ga)
[email protected] (binance[dot]com12786312634[dot]space)
[email protected] (binance[dot]com763271231[dot]gq)
[email protected] (binance[dot]com12754825[dot]ml)
[email protected] (binance[dot]com1865236[dot]ga)

Reverse Whois results for [email protected]==============

There are 6 domains that matched this search query.
These are listed below:

Domain Name                Creation Date      Registrar           2018-08-13         PDR LTD. D/B/A 
PUBLICDOMAINREGISTRY.COM      2018-09-03         PDR LTD. D/B/A 
PUBLICDOMAINREGISTRY.COM         2018-09-11         PDR LTD. D/B/A 
PUBLICDOMAINREGISTRY.COM        2018-09-02         PDR LTD. D/B/A 

Reverse Whois results for eriklicoke55@gasim202000-gmail-com

There are 1 domains that matched this search query.
These are listed below:

Domain Name                Creation Date      Registrar   2018-07-30         NAMECHEAP, INC.

Script signatures look the same — so most likely the same Binance phishing kits — though this server doesn’t hold the haccess.php script that allows for arbitrary code injection, unfortunately.

Looking at the email logs

Since we have the entire home directory of the bad actor, let’s see what emails have been sent out…

This server does have exposed scripts that will send emails out to whoever, but we can do a grep on the directory to find the ones relevant to Binance.

Let’s search for the term “Binance” in the /home/strooutz/mail directory.

$ grep -Rn -m 1 "Binance" . | wc -l gives an output of 139. Below is an example of an email that is sent out.

An example email sent out on September 14, 2018.

We can grep this directory to see what kind of Binance emails are being sent out also;

Example of another phishing email being sent out to at least 562 email addresses. (sent via promailerv2.php) Message ID: [email protected]

Example of another phishing email being sent out to at least 1130 emails addresses (sent via smailmax.php) Message ID: [email protected]

Example of another phishing email being sent out to at least 277 emails. (sent via promailerv2.php) Message ID: [email protected]

A screenshot of the promailerv2.php script.

A screenshot of smailmax.php

But wait… there’s more

Now let’s look at /home/strooutz/mail and see all the email accounts;

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

Looking at the .Sent/cur box of [email protected] we can see they sent 3 test emails to the following accounts using RoundCube WebMail/1.3.3;

to: [email protected]: [email protected]
Subject: hello bro

to: [email protected]
bcc: mahmutilorik6@gasim202000-gmail-com
Subject: hello brojk

to: [email protected]
Subject: gahsg ash

Looking at .cpanel/email_accounts.json , we can see which domains were set up on the user account:

Looking at the certificates

We also have downloaded the /home/strooutz/ssl/ssl.db file which gives us information on each certificate for each domain on the server.

There are 20 certificates in here, 8 of which are self-signed. The rest are issued by Let's Encrypt Authority X3 . We can see that the earliest certificate was created at timestamp 1538426177 (October 1, 2018) for the domain .

How can I stay safe?

  • Keep up-to-date with our working directory of known phishing and scam domains at
  • If your user journey changes logging into a service, be skeptical.
  • Use bookmarks to websites that you created yourself.
  • Double check the domain you’re on before you enter any data.
  • Install EtherAddressLookup or MetaMask browser extension to get alerted of known phishing domains.

Signing off

We have the entire server data to investigate — the above is a summary of a six-hour investigation.

If you are a security researcher and want to take a look at the data, ping me on Twitter.

Originally posted:

February 21, 2019

Leave a Reply

1 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
0 Comment authors
Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

newest oldest most voted
Notify of

[…] put up workplace Use phishers phishing instruments – and uncover a large phishing marketing campaign by Binance… appeared first on Hakin9 – IT Safety […]

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013