Reverse Engineering Phishing Site

I assume my friend's Instagram was taken over, probably due to poor account security.

The reason I know is because he sent me this:

Heyy Andre

Thanks for being a follower of mine. Look at what i just did with your pics lmao, I hope you dont get mad.

[Link Redacted]

Also we don't use first names in the military so that's weird

The biggest giveaway is the URL at the top. It is not actually from Instagram.

I tried opening the link on my PC. Nothing shows up.

I’m assuming it only shows in Android’s WebView.

It fails to even load the favicon.ico. From that I know the web server is based on nginx/1.14.0 (Ubuntu).

Unfortunately, the real server is hiding behind Cloudflare’s proxy servers.

Seems they have a lot of traffic

(found out they were using user agent filtering)

Mozilla/5.0 (Linux; Android 5.0.1; LG-H342 Build/LRX21Y; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36 Instagram Android (21/5.0.1; 240dpi; 480x786; LGE/lge; LG-H342; c50ds; c50ds; pt_BR; 102221277)

Now time to see what’s under the hood.

All credentials are posted to login.php and that probably stores the passwords.
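The two signals above (content served only to the Instagram in-app WebView user agent, and a password form posting to login.php on a non-Instagram host) can be checked automatically. This is an added example, not code from the phishing site or from the original post; the URL, the desktop user agent and the HTML are constructed, and the in-app user agent is a shortened copy of the one quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

LEGIT_SUFFIXES = ("instagram.com",)  # assumption: hosts accepted for a real login

def is_instagram_webview(user_agent):
    """True for the Android WebView marker ('; wv)') plus the Instagram app token."""
    return bool(re.search(r";\s*wv\)", user_agent)) and "Instagram" in user_agent

class FormScan(HTMLParser):
    """Records each <form> action and whether the form holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True

def off_domain_password_forms(page_url, html):
    """Resolved targets of password forms that post outside LEGIT_SUFFIXES."""
    scan = FormScan()
    scan.feed(html)
    hits = []
    for form in scan.forms:
        target = urljoin(page_url, form["action"])
        host = (urlparse(target).hostname or "").lower()
        legit = any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)
        if form["password"] and not legit:
            hits.append(target)
    return hits

def looks_cloaked(page_url, body_by_ua):
    """True when only in-app user agents are served an off-domain password form."""
    flagged = {ua for ua, body in body_by_ua.items() if off_domain_password_forms(page_url, body)}
    return bool(flagged) and all(is_instagram_webview(ua) for ua in flagged)

# Constructed sample data: placeholder URL, shortened in-app UA, made-up desktop UA and form.
PAGE_URL = "https://phish.example/"
APP_UA = ("Mozilla/5.0 (Linux; Android 5.0.1; LG-H342 Build/LRX21Y; wv) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36 Instagram Android")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"
FORM = '<form method="post" action="login.php"><input name="u"><input type="password" name="p"></form>'

if __name__ == "__main__":
    print(off_domain_password_forms(PAGE_URL, FORM), looks_cloaked(PAGE_URL, {APP_UA: FORM, DESKTOP_UA: ""}))
```

The host check compares whole domain labels, so a lookalike such as instagram.com.evil.example is still flagged.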

I decided to reverse engineer the site to use it as an example phishing site, to educate people that it is very easy to make one and to fall victim to one. Make sure to double check the links you visit.