Attackers are now using server-side phishing to target employee and member login portals, making it harder to detect and analyze their tactics.
Phishing Tactics Are Evolving
Recent investigations reveal a shift in phishing techniques—from traditional client-side redirects to more advanced server-side checks that validate stolen credentials. This change makes phishing attacks harder to detect and investigate.
Researchers first noticed this shift during an analysis of a Google Ads malvertising campaign targeting Lowe’s employees. By expanding their search, they uncovered several other phishing sites using the same tactic.
Using tools like HuntSQL, they were able to identify pages displaying this new server-side behavior within a larger dataset.
One standout example is myinfoaramapay[.]com, a fake site designed to look like Aramark’s employee portal. While it closely resembles the real thing, it omits features like the virtual assistant—subtle changes that help avoid suspicion.
Phishing Sites Use Server-Side Tricks to Hide Activity
Researchers found that fake login pages now use JavaScript to capture credentials and send them to a backend script (xxx.php). Instead of checking credentials on the spot, the script contacts a server-side endpoint (check.php) to validate them.
If the credentials are correct, users are redirected to the real login page. If not, they see an alert or a page refresh. Sometimes, the site silently waits for a server response. This makes the attack harder to spot and analyze.
The phishing infrastructure is hosted by Chang Way Technologies Co. Limited in Russia. Several fake domains on IP 80.64.30[.]101 impersonated brands such as AT&T and AFLAC.

Researchers also found a fake “Technology Pharmacy CVS” site on the same IP—likely used to throw off investigations or appear legitimate.
Security teams should watch for suspicious POST requests to backend scripts such as xxx.php and check.php, especially when they originate from pages that imitate real company login portals.
Traffic carrying request parameters that suggest a server-side credential check or a second-factor prompt is another early signal of this kind of phishing.
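As an added illustration (not code from the report or from Hunt.io), the following script applies the detection advice above to a simplified proxy log: it flags POSTs to the named backend scripts on hosts that are not the organisation's own portals, and marks clients that hit both xxx.php and check.php, the capture-then-validate sequence described earlier. The log lines are constructed, and the trusted-portal hostname is a hypothetical placeholder.

```python
# Added detection example (not from the report): flag the POST-to-backend-script
# pattern described above in a simplified proxy log.
import re
from collections import defaultdict

SUSPICIOUS_SCRIPTS = {"xxx.php", "check.php"}      # script names from the report
TRUSTED_PORTALS = {"login.example-corp.com"}      # hypothetical legitimate portal

# Constructed sample log lines: <client_ip> <method> <host> <path> <status>
SAMPLE_LOG = """\
10.0.0.5 GET myinfoaramapay.com /login.html 200
10.0.0.5 POST myinfoaramapay.com /xxx.php 200
10.0.0.5 POST myinfoaramapay.com /check.php 200
10.0.0.7 POST login.example-corp.com /check.php 200
10.0.0.9 POST example-vendor.net /upload.php 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def script_name(path):
    """Final path component, lower-cased, with any query string removed."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1].lower()

def parse_line(line):
    """Return (client, method, host, path) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups()[:4] if m else None

def is_suspicious(method, host, path):
    """POST to one of the named backend scripts on a host we do not own."""
    return (method == "POST"
            and script_name(path) in SUSPICIOUS_SCRIPTS
            and host.lower() not in TRUSTED_PORTALS)

def find_alerts(log_text):
    """One alert per (client, host); 'chain' is True when the same client hit
    both scripts, matching the capture-then-validate flow described above."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(*rec[1:]):
            hits[(rec[0], rec[2])].add(script_name(rec[3]))
    return [{"client": c, "host": h, "scripts": sorted(s),
             "chain": SUSPICIOUS_SCRIPTS <= s}
            for (c, h), s in sorted(hits.items())]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In a real deployment the allowlist would hold every legitimate login host the organisation owns, and the log format would be adapted to the proxy or web server in use.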
Indicators of Compromise (IOCs)
| IP Address | Domain | Hosting | Location |
|---|---|---|---|
| 80.64.30.100 | ipafranchest.com | Cloudflare | Russia, US |
| 80.64.30.101 | lawpaymentpw.live | Chang Way Technologies Co. Limited | Russia, US |
| 104.21.32.181 | (Refer to full report) | Cloudflare | Russia, US |
| 172.67.153.52 | (Refer to full report) | Chang Way Technologies Co. Limited | Russia, US |
| 104.21.20.29 | (Refer to full report) | Cloudflare | Russia, US |
| 172.67.191.1 | (Refer to full report) | Chang Way Technologies Co. Limited | Russia, US |