Recently, an attack called the ‘Royal Ripper Multi-Stage Phishing Attack’ has been on the agenda. It targets financial institutions and their customers by impersonating a government agency or telecom. The attack is named after the hacker known as Royal Ripper, who is responsible for it. The hacker starts by capturing the target's personal information and bank code. After obtaining the bank code, he uses it to redirect the target to a second phishing site that appears to be the bank’s site. In this way, he obtains the personal information the target uses on the online banking site.
How Did the Royal Ripper Multi-Stage Phishing Attack Happen?
- The attack began when the hacker named Royal Ripper tried to deceive his target by pretending to be a government agency, telecommunications company, or online payment service. For example, the hacker sent a tax return notice to his target in the first step of the attack.
- In the message, he told his targets that they had to pay money and that they could complete the transaction by clicking the link in the message.
- The link opened a phishing page, and he asked his targets to enter their full name and postal code to log in.
- He asked his targets to enter their credit card information and bank sort code (or routing number) on the second page. With this information, the hacker identified the target’s bank and directed the target to another phishing page that looked exactly like the bank’s site.
- Finally, on this site, he asked his targets to enter their account number and password.
How Did the Hacker Store the Information from the Royal Ripper Multi-Stage Phishing Attack?
There was a separate directory listing for each phishing link. There were separate sort codes for each bank, and the hacker stored them in .txt files located in the /codes/ directory. He stored the credentials he stole from the targets in the /assets/logs/ directory. The Banks.txt file was used to store the bank information obtained from a phishing attack, while the fullz.txt file held the personal information obtained from previous stages. The hacker also logged the IP addresses of everyone who accessed the site and any blocked visit attempts.
While the bank itself is often imitated in banking-related attacks, the hacker used a multi-stage system in this attack. With a multi-stage system, Royal Ripper was able to capture credentials in a single attack without drawing too much attention. This less suspicious Royal Ripper multi-stage phishing attack seems to have plagued many companies.
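The directory layout described above can serve as a fingerprint when a hosting abuse team or an analyst triages web roots. The following is an added example, not code from the original post or from the kit: the function names and the sample site names are hypothetical, the sample tree is constructed, and case-insensitive file-name matching is an assumption.

```python
import os
import tempfile

# File names taken from the kit layout described above. Matching is
# case-insensitive (assumption: the article's capitalisation may be editorial).
LOG_FILES = {"banks.txt", "fullz.txt"}

def kit_indicators(site_root):
    """Return the layout indicators found under one site's web root."""
    found = []
    for dirpath, _dirs, files in os.walk(site_root):
        rel = os.path.relpath(dirpath, site_root).replace(os.sep, "/").lower()
        parts, names = rel.split("/"), {f.lower() for f in files}
        if parts[-2:] == ["assets", "logs"]:
            found += [f"{rel}/{n}" for n in names & LOG_FILES]
        elif parts[-1] == "codes" and any(n.endswith(".txt") for n in names):
            found.append(f"{rel}/*.txt")
    return sorted(found)

def scan_webroots(base):
    """Flag a site only when both the codes directory and a log file exist."""
    report = {}
    for site in sorted(os.listdir(base)):
        path = os.path.join(base, site)
        if not os.path.isdir(path):
            continue
        hits = kit_indicators(path)
        has_codes = any(h.endswith("codes/*.txt") for h in hits)
        has_logs = any(h.rsplit("/", 1)[-1] in LOG_FILES for h in hits)
        report[site] = {"indicators": hits, "suspect": has_codes and has_logs}
    return report

def build_sample(base):
    """Constructed sample tree: one kit-like site and two benign ones."""
    for rel in ("site-a/codes/bank1.txt", "site-a/assets/logs/Banks.txt",
                "site-a/assets/logs/fullz.txt", "site-a/index.php",
                "site-b/assets/css/style.txt", "site-b/index.html",
                "site-c/codes/promo.txt"):
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for site, result in scan_webroots(tmp).items():
            print(site, result)
```

Requiring both the /codes/ files and a log file keeps a site that merely has a codes directory (site-c in the sample) from being flagged.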
How to Avoid Attacks Similar to the Royal Ripper Multi-Stage Phishing Attack?
1. Minimize the risks using incident response tools.
In this dangerous environment, you should be able to detect the users affected by malicious email attacks. This way, you can take preventive steps. Our Incident Response tool enables users to report malicious emails immediately. The tool sends us the email, and then we review the template, text, and dangerous links. Emails you send to us using our Incident Response tool are analyzed carefully. Next, with advanced anti-phishing tools, we test the template for unusual identification with a known site, and we check for fraudulent behavior. Then, we test the body with AI technology to see if the URL is credible. We check if there is any malicious content in the email and examine its structure. We use virus protection tools, anti-malware sandbox technology, and anti-exploit technology to provide you with full protection.
2. Raise awareness by using cyber threat intelligence tools.
Our Cyber Threat Intelligence Tool searches the internet, looking for signs and information that can indicate a violation of your personal security and a danger to your company. The level of control given to you by our Cyber Threat Intelligence tool shortens the time from probable cyber attack to protective steps, minimizing the risk of malicious behavior. The tool constantly examines popular ransomware attacks and dangerous sites to find any personal documents, bank account numbers, private information, addresses, passcodes, IP addresses, and data directly linked to your property rights. We track and inform you the second we detect information about recent attacks, reports, spam links, ransomware, or phishing attempts. This way, we keep you informed about crime patterns and techniques.
Protect yourself using our anti-phishing solutions against these common attacks.
“This post is originally published at www.phishing.org.uk”
