For attackers, hide-and-seek is a daily exercise -- and a wave of phishing attacks may be have found the perfect hiding spot.
According to PhishLabs, the attacks involve phishing sites installed and hosted on the personal computers of residential broadband customers. The attackers are able to do this by exploiting the home computers of residential ISP customers who have the Remote Desktop Protocol (RDP) service enabled on Microsoft Windows and who use easily guessable passwords.
The tactic is significant because phishing sites hosted on compromised home PCs typically have a longer lifespan than those in hosting environments. This is because hosting providers are quicker to take action to shut down malicious sites, because they have direct control over the servers, and the terms of service prohibit that kind of activity, Don Jackson, PhishLabs director of threat intelligence, explains in a blog post. This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks, he writes.
The attackers start by scanning residential service IP address space for open RDP ports and brute-forcing weak and default passwords. Once the attackers have access to the system, they install web server software and upload various phishing pages, the links to which are blasted out in spam messages. The RDP server listens on port 3389/tcp by default, but is turned off by default on Windows desktops.
Still, Jackson tells Dark Reading that it would be a mistake to underestimate the prevalence of the attacks.
"The short answer is between 1 to 2 percent" of users have RDP turned on, says Jackson. "We looked only for the default RDP port 3389/tcp used by Terminal Services/Remote Desktop, but although there's a very small chance that some other service was running on that port, we did not verify if the port was actually being used for remote desktop connections."
PhishLabs surveyed large parts of Class B network blocks used by residential customers in primarily English-speaking markets and looked at three major broadband IPSs from which the company identified the most phishing sites.
"That means," Jackson says, "we were looking at hot spots of activity where access to the default RDP port was not blocked and had already likely or positively been scanned by the phishing crews. Of about 180,000 hosts we examined, approximately 1.5 percent of them had the Remote Desktop port open to the Internet.
"Given the number of actual phishing sites set up on these networks, we know that the phishers have been scanning at least 1.5 million computers on the affected networks each month."
After brute-forcing RDP passwords, the attackers install the PHP Triad software. Once PHP Triad is set up and running on the default port, the phishers install anywhere from a handful to several dozen phishing pages targeting various North American financial institutions and payment services.
"We have not been able to link the spam sent out with any of the big spambot networks," Jackson says. "They appear to be sent using an automated method such as a script, using a list of compromised email addresses and passwords via whitelisted mail servers that require authentication for sending email."
Jerome Segura, senior security researcher for Malwarebytes, says the strategy is "absolutely a smart tactic" for phishers.
"Typically most phishing pages are hosted on compromised web servers, which don't always have a long lifespan because they can be shut down by the hosting provider or the site owners themselves," says Segura. "The same cannot be said about Internet service providers, which don't have direct access to their customers' machines. Short of threatening their customers to suspend their account if they don't clean their PC, there isn't a whole lot they can do."
In addition, the use of legitimate systems tends to help obfuscate criminal activities, notes Trend Micro's Jon Clay. Also, criminals -- like any other business -- are always looking for ways to save money, he says.
So far, the crew behind the attacks seems to only be interested in phishing, and there hasn't been any evidence of any malware or tinkering with security settings. However, the default configuration and security vulnerabilities identified in the versions of the software components installed by PHP Triad increase the opportunity for further intrusions on compromised hosts -- either by this crew or other crews, Jackson says.
Outside not having RDP enabled, Jackson advises disabling built-in administrator and guest accounts. In addition, users should focus on their password practices.
"This is a case of hackers taking advantage of weak, common, or default username and password combinations," he says, adding that complex passwords of more than 14 characters are ideal for when no other stronger method of authentication is available.
"People should be aware that user names or IDs are half of the puzzle that these brute-force attackers must solve," says Jackson.