Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/20/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Anatomy of a Lazy Phish

A security engineer breaks down how easy it is for unskilled attackers to trick an unsuspecting user to submit credentials to a phishing site.

Phishing is one of the most effective ways hackers can compromise a network. Instead of requiring the skills and time to target specific organizations, perform reconnaissance, discover vulnerabilities, and select attack vectors, attackers can indiscriminately blast out phishing emails and wait for users to be tricked into submitting their credentials to a phishing site. I recently came across a phishing page that shows the interworkings of a phish and just how easy it is for unskilled and lazy attackers to host a credential harvesting page.

Like any phish, this starts with an email that appears to be from a reputable source and sends the recipient to a malicious site. In this case, the link directs to a page that is designed to look exactly like Microsoft's online login page, where the user is asked to enter his or her username and password. After all, this is exactly what the attacker wants — the user's credentials.

So far, this is a standard phishing attack. The attacker sends a link in an email to trick the end user into visiting a phishing site that aims to steal the user's credentials. But I didn't stop there. I wanted to see what else could be found on this website, so I navigated to the homepage of the site and discovered the following:

Credential Harvester Directories

Above, we see the directories and contents of the credential harvester left by the attacker on their publicly accessible home page. Drilling into the "new" folder within this directory, I discovered that the attacker left their entire exploit source code in a zip file titled "bless.zip." Fully extracted, this zip file holds various .php files that contain instructions for the login process on the phishing site and for blocking certain clients from accessing the webpage. Further examination of this source code shows exactly how the attacker siphons user information, and who they're trying to prevent from viewing their site.

In the action.php file below, we see what happens when a victim submits credentials to this phishing site.

The .php code records the user's IP address; performs a geolocation lookup on the IP address to determine its country of origin; and records the date and time of access, the user's browser type, and the username (or phone number) and password that the user submits to the phishing page. The $sent variable reveals the email address where the attacker sends credentials, tailored to this specific phishing campaign to hide the attacker's personal identity. The email $headers variable contains the sending email address for this credential harvester: wirez[@]googledocs[.]org. A DuoLabs report that analyzes phishing kits at scale suggests that this sender address appears in more than 115 unique phishing kits.

Examination of the other .php files shows additional information about the exploit kit. In the file block.php, the kit specifically checks for keywords in the hostname of clients visiting the site. Terms such as "phishtank," "google," "trendmicro," and "sucuri.net" in the client hostname will result in the exploit kit sending the client to a 404 Not Found page rather than the impersonated Microsoft login site. This code aims to prevent security-oriented organizations from accessing the exploit page and identifying it as a phishing site, and thwart users visiting from cloud-based services from accessing the site. The file includes 568 IP addresses that are blocked from viewing its login page.

The content of the examined .php files and the fact that they were publicly accessible on the homepage of the phishing site demonstrates that this attacker was either not technically savvy or felt that controlling access to their exploit source code and hiding the email account receiving victim credentials was not worthy of their time. In either case, it's a great example of why phishing is so dangerous: It takes minimal effort and skill on the attacker's end and only one user to fall victim to the attack to effectively compromise an organization.

There's no one technical solution that can prevent all phishing attacks from being successful. What's needed are layers of security structured to prevent the delivery of a phish, detect phishing emails that do make it into an organization, alert security personnel when a phish is delivered, and prevent users from visiting malicious phishing sites.

Most importantly, end users need to be aware of the threat that phishing poses to their organization and empowered with knowledge to determine whether an email is legitimate. When an organization is targeted by an attacker, it will be layers of security and users' knowledge that ultimately determines whether a phishing email leads to a breach, or if the email is simply discarded by technical controls or an informed end user.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jordan Shakhsheer is an information security engineer at Bluestone Analytics. She has extensive experience conducting incident response and digital forensic investigations. Jordan's work includes eradicating threat actors from critical infrastructure, and producing actionable ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CurtisBrazzell
100%
0%
CurtisBrazzell,
User Rank: Author
2/27/2019 | 5:11:39 PM
Trend of Lazy Phishing
It's interesting that while in some ways, Phishing is becoming more advanced but on the other side of the same coin I continue to see lazy phishing such as this one during Incident Response investigations.  So many of them use frameworks that are meant to be deployed and then destroyed.  While investigating, it's not uncommon to see directory listing and other web service configuration issues that allow the responder to see captured credentials, etc.  Sites such as https://phishapi.com are a great way to quickly spin up a fake looking landing page which alerts when credentials are captured, so there's really no excuse for lazy phishing with today's toolsets.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:11:06 PM
Krebs FTW
> "Terms such as "phishtank," "google," "trendmicro," and "sucuri.net" in the client hostname will result in the exploit kit sending the client to a 404 Not Found page rather than the impersonated Microsoft login site."

I remember reading some time ago of malicious sites that scan for files with certain keywords in them to achieve this same goal.

One of the terms, funnily enough, was "brian krebs".
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.