Cybersecurity researcher analyzing phishing websites mimicking an official military exchange store.A cybersecurity researcher investigates phishing sites imitating an official military exchange store, capturing user credentials.

Short and simple

This discusses how I found some AAFES (Army Air Force Exchange Service) themed phishing sites.

Before continuing

THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.

Background

I was researching some threat actor infrastructure and I was reviewing domains hosted in ASN 215789. I found one AAFES phishing site, and pivoted off of that to find the others.

Searching based on page title

The figure below is a snip from Silent Push. The red arrows in the second column show the part of the domain that is spelled wrong. The arrows pointing to the last column point to the website title. The base search is htmltitle = “*Exchange | Military Discount*”.

shopmyexchenge

The shopmyexchenge[.]com domain is no longer resolving to an IP, and I couldn’t find a previous urlscan result to analyze.

shopmyxehange

The shopmyxehange[.]com domain is also no longer resolving to an IP, and I could not find a previous urlscan result to analyze.

shopmyexchanqe

The shopmyexchanqe[.]com domain was still resolving to an IP, and I scanned it on 12 OCT 24. The snip below is from the urlscan task here: https://urlscan.io/result/ef2bedc8-2d05-4966-87d6-08f54b1a78ae/. It shows how it is clearly masquerading as an AAFES exchange page.

The snip below was taken from the DOM tab here: https://urlscan.io/result/ef2bedc8-2d05-4966-87d6-08f54b1a78ae/dom/. I’ve annotated the parts of the code that is used to send the user’s IP, user agent (web browser), the username, and the password. I’ve also marked the part of the code that is used to send the victim to the real AAFES Exchange site after submitting their username and password.

shopmyexchanger

The shopmyexchanger[.]com domain was no longer resolving to an IP, but there was a urlscan result from (19 SEP 24). The snip below is from the urlscan task here: https://urlscan.io/result/cc13cb89-cda2-4a16-bc27-eea55c05e405/. It shows how it is clearly masquerading as an AAFES exchange page.

When I view the DOM, it shows the same code as shopmyexchanqe[.]com to post the user’s credentials. The snip below was taken from the DOM tab here: https://urlscan.io/result/cc13cb89-cda2-4a16-bc27-eea55c05e405/dom/. I’ve annotated the parts of the code that is used to send the user’s IP, user agent (web browser), the username, and the password. I’ve also marked the part of the code that is used to send the victim to the real AAFES Exchange site after submitting their username and password.

highmilecarsupply

The highmilecarsupply[.]com domain was still resolving to an IP, and I was able to scan it in urlscan on 12 OCT 24. The snip below was taken from here: https://urlscan.io/result/2658cf3e-7670-435b-bbc3-7f8c4a4711bd/.

This one is a bit different – the login modal is displayed when you access the site. This site is also different in the way that it transmits the phished credentials. In the previous examples, they were configured to use JavaScript, but this site just uses a simple HTML form to submit via a POST to the send.php endpoint.

The DOM snip below is from here: https://urlscan.io/result/2658cf3e-7670-435b-bbc3-7f8c4a4711bd/dom/. I’ve annotated the line showing the form will be sent via a POST request to the send.php endpoint.

Notable entries via Silent Push’s Domain Impersonation

I used Silent Push’s Domain Impersonation search to find the domains listed below. I thought I didn’t have access to this search before, but I do now, and it is awesome! Unfortunately, my timing is a little late, and the domains listed below appear to be down.

shopmyexcchange[.]com (Parked)

shopmyexchange[.]cm (Parked)

wwwshopmyexchange[.]com (Parked)

www[.]shopmyexchangee.za.com (Appears to be down)

www[.]shopmyexcchange.za.com (Appears to be down)

www[.]shopmyyexchange.sa.com (Appears to be down)

www[.]shopmyeexchange.sa.com (Appears to be down)

www[.]shopmyexcchange.sa.com (Appears to be down)

www[.]shoppmyexchange.sa.com (Appears to be down)

www[.]shopmyexchange.za.com (Appears to be down, but there’s a urlscan result from when it was up)

The page for the www[.]shopmyexchange.za.com appears to masquerade with some kind of template. I suspect the domain renders a different result than what the specific URLs that would’ve been sent in the phishing attempts. Without access to look into it more, I cannot be certain.

To get the domains listed above, I just plugged in the real AAFES domain in the search on the main page, and then clicked the Domain Impersonation button.

After that you can set any configs to exclude any legitimate results. I didn’t exclude the legitimate domains because I wanted to see the ASN that the legitimate domain used. This helps me to skim quickly because I can just skim the ASNs. I did set the First Seen value from the default to 30 days.

The snip below shows what the output looks like. I scrolled down a bit because the first bunch were domains that are legitimate (that I didn’t exclude).

The real AAFES page

The snip below shows the real shopmyexchange.com page I accessed on 12 OCT 24.

The navigation sections of the pages look identical. The web parts that are different on the phishing sites match the website’s look, making it differentiate between the real site and the phishing site.

Strange activity

While reviewing urlscan results for the real AAFES page, I found a suspicious domain – sabounitex[.]com as seen in the result here: https://urlscan.io/result/672e203e-bbbc-4058-b7b7-6ee7f958e625/. The referral chain is sabounitex[.]com/track.php ==> shopmyexchange.com. It is strange because track.php does not take any parameters. If it did, it would indicate that it tracks many referrals. It automatically redirects to shopmyexchange.com, so it indicates that sabounitex[.]com is used specifically to track requests that are forwarded to shopmyexchange.com. In addition to that, sabounitex[.]com returns a generic template as seen in the Live Scan snip below from here: https://explore.silentpush.com/enrichment/domain/sabounitex.com

Summary

Found some AAFES phishing domains while I was researching something else. The phishing pages are very convincing. The main search techniques were using Silent Push’s Web Scanner based on the page title, and using Silent Push’s Domain Impersonation search.

IOCs

shopmyexchenge[.]com

shopmyxehange[.]com

shopmyexchanqe[.]com

shopmyexchanger[.]com

highmilecarsupply[.]com

shopmyexcchange[.]com

shopmyexchange[.]cm

wwwshopmyexchange[.]com

www[.]shopmyexchangee.za.com

www[.]shopmyexcchange.za.com

www[.]shopmyyexchange.sa.com

www[.]shopmyeexchange.sa.com

www[.]shopmyexcchange.sa.com

www[.]shoppmyexchange.sa.com

www[.]shopmyexchange.za.com