Skip to content →

Phishing Attack #2 – TIM – WIND phishing attack analysis

Phishing attacks are becoming more and more accurate and well-done thanks to the huge numbers of website that accept payments via CC (Credit Card). Telco operators are one of the favorites target of cybercriminal because of the amount of financial data required to activate a plan, top up your credit or buy a new phone online. Italian Telco operators TIM and WIND are not new of these attacks. Below a brief analysis of the clone-kit (ready to use kit uploaded by criminals to easily create a phishing website in a few seconds).

The email received by the target is showed below

Screen Shot 2016-05-14 at 7.53.56 PM

Clicking on the link the websites shows the form to fill to recharge your phone and have 50 euros for free.

Screen Shot 2016-05-14 at 7.54.06 PM

Going deeper, and analyzing the URL it’s possible to retrieve more informations and see that the server presents several holes to hack into it. Found! The clone-kit is still there.Let’s have a look on it.


Screen Shot 2016-05-14 at 8.02.37 PM


The kit is composed by many files,but the logic is inside the .php files:

  • best.php
  • secure.php
  • done.php


best.php is the first one who is responsible to generate the random URL viewed by the user.

Screen Shot 2016-05-14 at 8.06.28 PM

secure.php is responsible to save the collected informations like:

  • phone number
  • CC number
  • CCV
  • Expiration date

And to show the Verified by Visa PIN request to authorize the payments.
Screen Shot 2016-05-14 at 8.09.35 PM

The informations are still inside the page, ready to be sent to the last file “done.php”
Screen Shot 2016-05-14 at 8.12.15 PM

The code shows that the PIN is acquired and sent to the next page done.php, responsible to save/send the leaked data. As we can see from the code below the data are stored inside an HTML file on the hacked server and sent by email to the “phisher”.


Screen Shot 2016-05-14 at 8.13.32 PM

Reading the file on the web server is possible to retrieve all the victims’ CC data.

The first raw is an example triggered by the attacker to check if everything works fine.

Screen Shot 2016-05-14 at 8.15.08 PMScreen Shot 2016-05-14 at 8.15.08 PM


Be careful. Phishing is the most simple but the must effective attack.








Published in News >>


Leave a Reply

Your email address will not be published. Required fields are marked *