09:10 AM

Phishers Recruit Home PCs

Residential broadband machines spotted hosting phishing attacks.

For attackers, hide-and-seek is a daily exercise -- and a wave of phishing attacks may be have found the perfect hiding spot.

According to PhishLabs, the attacks involve phishing sites installed and hosted on the personal computers of residential broadband customers. The attackers are able to do this by exploiting the home computers of residential ISP customers who have the Remote Desktop Protocol (RDP) service enabled on Microsoft Windows and who use easily guessable passwords.

The tactic is significant because phishing sites hosted on compromised home PCs typically have a longer lifespan than those in hosting environments. This is because hosting providers are quicker to take action to shut down malicious sites, because they have direct control over the servers, and the terms of service prohibit that kind of activity, Don Jackson, PhishLabs director of threat intelligence, explains in a blog post. This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks, he writes.

The attackers start by scanning residential service IP address space for open RDP ports and brute-forcing weak and default passwords. Once the attackers have access to the system, they install web server software and upload various phishing pages, the links to which are blasted out in spam messages. The RDP server listens on port 3389/tcp by default, but is turned off by default on Windows desktops.

Still, Jackson tells Dark Reading that it would be a mistake to underestimate the prevalence of the attacks.

"The short answer is between 1 to 2 percent" of users have RDP turned on, says Jackson. "We looked only for the default RDP port 3389/tcp used by Terminal Services/Remote Desktop, but although there's a very small chance that some other service was running on that port, we did not verify if the port was actually being used for remote desktop connections."

PhishLabs surveyed large parts of Class B network blocks used by residential customers in primarily English-speaking markets and looked at three major broadband IPSs from which the company identified the most phishing sites.

"That means," Jackson says, "we were looking at hot spots of activity where access to the default RDP port was not blocked and had already likely or positively been scanned by the phishing crews. Of about 180,000 hosts we examined, approximately 1.5 percent of them had the Remote Desktop port open to the Internet.

"Given the number of actual phishing sites set up on these networks, we know that the phishers have been scanning at least 1.5 million computers on the affected networks each month."

After brute-forcing RDP passwords, the attackers install the PHP Triad software. Once PHP Triad is set up and running on the default port, the phishers install anywhere from a handful to several dozen phishing pages targeting various North American financial institutions and payment services.

"We have not been able to link the spam sent out with any of the big spambot networks," Jackson says. "They appear to be sent using an automated method such as a script, using a list of compromised email addresses and passwords via whitelisted mail servers that require authentication for sending email."

Jerome Segura, senior security researcher for Malwarebytes, says the strategy is "absolutely a smart tactic" for phishers.

"Typically most phishing pages are hosted on compromised web servers, which don't always have a long lifespan because they can be shut down by the hosting provider or the site owners themselves," says Segura. "The same cannot be said about Internet service providers, which don't have direct access to their customers' machines. Short of threatening their customers to suspend their account if they don't clean their PC, there isn't a whole lot they can do."

In addition, the use of legitimate systems tends to help obfuscate criminal activities, notes Trend Micro's Jon Clay. Also, criminals -- like any other business -- are always looking for ways to save money, he says.

So far, the crew behind the attacks seems to only be interested in phishing, and there hasn't been any evidence of any malware or tinkering with security settings. However, the default configuration and security vulnerabilities identified in the versions of the software components installed by PHP Triad increase the opportunity for further intrusions on compromised hosts -- either by this crew or other crews, Jackson says.

Outside not having RDP enabled, Jackson advises disabling built-in administrator and guest accounts. In addition, users should focus on their password practices.

"This is a case of hackers taking advantage of weak, common, or default username and password combinations," he says, adding that complex passwords of more than 14 characters are ideal for when no other stronger method of authentication is available.

"People should be aware that user names or IDs are half of the puzzle that these brute-force attackers must solve," says Jackson.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:47:56 PM
Long passwords -- not ideal
It's hard for me to imagine that users who already have difficulty managing strong passwords be more vigilant with even longer, more complex passwords.... 
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/21/2014 | 12:34:09 PM
Re: RDP is a problem
I don't believe changing the RDP port would be beneficial or feasible. 

If you have a hacker who is worth his salt, simply changing the RDP port will not prevent him from discovering it.  Secondly, most home users that enable RDP do not have the technical expertise to understand what a port number is much less changing it.
User Rank: Apprentice
4/20/2014 | 8:35:57 PM
RDP is a problem
At first I thought.. Are these people using anti virus?  But that wouldn't help in this case.

Would changing the port that RDP uses help at all?
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/18/2014 | 5:19:30 PM
Re: Broadband provider's responsibility?
I imagine it would be almost impossible for the ISP's to track down these compromised hosts.  The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate home use.  Many users enable RDP or run web services out of their homes.

I would propose that the ISP's should monitor for RDP traffic originating in foreign countries destined for user's within their IP block and then alert the user's.
David F. Carr
David F. Carr,
User Rank: Strategist
4/18/2014 | 4:04:17 PM
Broadband provider's responsibility?
Do the cable Internet and DSL providers do anything to detect home networks that have become spambot nodes? I'd think they'd have some responsibility, as well as potentially a concern related to wasted bandwidth.
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The one you have not seen, won't be remembered".
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-05-23
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
PUBLISHED: 2018-05-23
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to al...
PUBLISHED: 2018-05-23
There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
PUBLISHED: 2018-05-23
There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
PUBLISHED: 2018-05-23
There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.