🔥Some very fresh phishing for Facebook in the Polish language.

The initial phish comes from an already compromised user; they send you a DM along the lines of "{victim} this is probably you here... {phishing_website} take it down because it is a shame".

So I decided to investigate
Phishing URL: hxxps://smieszne-pl.eu
SSL from @letsencrypt issued on the 7th September at 5:23pm, serial number is 0420a48f9224c934cfc5a950665992b7c15c.

The domain appears to be clean on VT, and so does the server's IP.
91.212.150.51 (🇷🇺) appears to be on sub-rented servers from NForce B.V.
Under the name of "Private Internet Hosting LTD"; according to @BgpView the company in question is based in Belize by Alexx Person.

When you visit the URL you get sent to a Facebook-like login page (very poorly made and looks like the old version). It posts the form data to /new.php.
After putting their credentials in, the victim gets redirected to hxxps://o2-online.pl/?miasta=biedy hosted on the same server. SSL issued by @letsencrypt on 5th of August at 8:51pm, with the serial number 047b19837f1dfd85792a97804f4f196192b8. This is where it gets interesting.
Using @urlscanio to scan this URL shows us that there is an outbound link to hxxps://whos.amung.us/stats/mr5cvu849y/, turns out it's the statistics for the website's clicks 😂😅. Note, scammers: don't include the stats URL in plaintext in your src code for the site.
You can bypass the login "verification" by entering an invalid login and then entering a random email & password.
Looking at the stats page it appears this scam has been up for a couple of days, with around 100 clicks at the peaks.
It also uses scripts from hxxp://waust.at/d.js for click monetization and audience discovery, and pings information back to whos[.]amung[.]us
Domain: waust[.]at
Registrar: GoDaddy

Domain: o2-online[.]pl
Registrar: AZ[.]pl Sp. z.o.o.
Domain: smieszne-pl[.]eu
Registrar: AZ[.]pl Sp. z.o.o.

Looking further into the server hosting this phishing scam [91.212.150.51], 14 phishing domains hosted on this server seen via @securitytrails
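The flow described above (a form POST to /new.php, then a redirect to a different domain hosted on the same server) can be hunted for in web-proxy logs. The following is an added example, not part of the original thread: the record layout, the 10-second window, the `.example` hosts and the function name are assumptions, and the log lines are constructed, with hostnames kept defanged as in the thread.

```python
# Constructed proxy records: (epoch_seconds, client, method, host, path, server_ip).
# The field layout is an assumption; adapt it to your proxy's export format.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "GET",  "smieszne-pl[.]eu", "/",               "91.212.150.51"),
    (1020, "10.0.0.5", "POST", "smieszne-pl[.]eu", "/new.php",        "91.212.150.51"),
    (1021, "10.0.0.5", "GET",  "o2-online[.]pl",   "/?miasta=biedy",  "91.212.150.51"),
    (1100, "10.0.0.9", "POST", "intranet.example", "/login",          "192.0.2.10"),
    (1101, "10.0.0.9", "GET",  "intranet.example", "/home",           "192.0.2.10"),
    (1200, "10.0.0.7", "POST", "shop.example",     "/pay",            "192.0.2.20"),
    (1500, "10.0.0.7", "GET",  "cdn.example",      "/a.js",           "192.0.2.20"),
]

WINDOW = 10  # max seconds between the POST and the follow-up GET (assumed threshold)


def find_post_then_sibling_host(records, window=WINDOW):
    """Flag a POST that is followed, within `window` seconds and from the same
    client, by a GET to a *different* hostname served from the *same* IP."""
    last_post = {}  # client -> (ts, host, path, ip) of its most recent POST
    hits = []
    for ts, client, method, host, path, ip in sorted(records, key=lambda r: r[0]):
        if method == "POST":
            last_post[client] = (ts, host, path, ip)
            continue
        prev = last_post.get(client)
        if prev is None:
            continue
        p_ts, p_host, p_path, p_ip = prev
        if ts - p_ts > window:
            del last_post[client]  # POST is too old to be related
            continue
        if method == "GET" and host != p_host and ip == p_ip:
            hits.append({"client": client, "post_host": p_host, "post_path": p_path,
                         "landing_host": host, "server_ip": ip, "delay": ts - p_ts})
            del last_post[client]  # one alert per POST
    return hits


if __name__ == "__main__":
    for hit in find_post_then_sibling_host(SAMPLE_LOG):
        print(hit)
```

Shared hosting and CDNs also serve many hostnames from one IP, so treat hits as leads to triage (for example against an allowlist of known login hosts), not as verdicts.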