216.73.216.170

Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

· Published 15/04/2025 20:46 · Modified 16/04/2025 14:21

Export JSON

Essential information

Published
15/04/2025 20:46
Modified
16/04/2025 14:21
Tags
2025-04-15 server-side phishing
Related entities
3 techniques (mitre), 7 others

Description

This analysis explores an ongoing phishing campaign targeting employee and member portals using a PHP-based phishing kit. The campaign has evolved from using client-side redirects to server-side credential validation, making detection more challenging. Multiple domains impersonating corporate login portals were identified, hosted on infrastructure linked to Chang Way Technologies Co. Limited. The phishing pages employ sophisticated tactics, including two-factor authentication bypasses and decoy content. The campaign's infrastructure and techniques suggest a persistent, possibly state-linked threat actor adapting their methods to evade detection and maintain access to enterprise environments.

External references