Episode 2: Behind the Scenes of a Tailor-Made Massive Phishing Campaign Part 2
Description

Executive Summary

Last summer, we investigated a massive, global phishing campaign impersonating almost 350 legitimate companies. Our continued investigation into this expansive phishing campaign revealed leaked backend source code, shedding light on the infrastructure behind the operation. This leak led us to a scammer team management platform offered as a service. Through this discovery, we traced the campaign's roots to an individual known as MrEnigman, and uncovered a broader network operating through a Telegram channel called Haron_rent. In this article, we go into detail about this project and its capabilities in order to provide a better understanding of how the actors behind this campaign operate behind the scenes.

Recap

In our previous blog, we delved into a sophisticated phishing campaign designed to mimic the popular Israeli second-hand marketplace, Yad2. A colleague's innocuous attempt to sell a car seat exposed us to this elaborate fraud. After engaging with what seemed like a legitimate buyer, he was directed to a counterfeit payment portal, cleverly disguised with Yad2's familiar branding and aesthetic. Our investigation took a deeper dive by leveraging open-source intelligence, which we used to visualize the network of domains, IPs, and URLs. We revealed thousands of domains and tens of thousands of URLs. Through static and dynamic analysis, we understood the interaction between the scammers' server and front-end, ultimately exposing more of the operation's deceptive…

