Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:10 AM

Phishers Recruit Home PCs

Residential broadband machines spotted hosting phishing attacks.

For attackers, hide-and-seek is a daily exercise -- and a wave of phishing attacks may be have found the perfect hiding spot.

According to PhishLabs, the attacks involve phishing sites installed and hosted on the personal computers of residential broadband customers. The attackers are able to do this by exploiting the home computers of residential ISP customers who have the Remote Desktop Protocol (RDP) service enabled on Microsoft Windows and who use easily guessable passwords.

The tactic is significant because phishing sites hosted on compromised home PCs typically have a longer lifespan than those in hosting environments. This is because hosting providers are quicker to take action to shut down malicious sites, because they have direct control over the servers, and the terms of service prohibit that kind of activity, Don Jackson, PhishLabs director of threat intelligence, explains in a blog post. This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks, he writes.

The attackers start by scanning residential service IP address space for open RDP ports and brute-forcing weak and default passwords. Once the attackers have access to the system, they install web server software and upload various phishing pages, the links to which are blasted out in spam messages. The RDP server listens on port 3389/tcp by default, but is turned off by default on Windows desktops.

Still, Jackson tells Dark Reading that it would be a mistake to underestimate the prevalence of the attacks.

"The short answer is between 1 to 2 percent" of users have RDP turned on, says Jackson. "We looked only for the default RDP port 3389/tcp used by Terminal Services/Remote Desktop, but although there's a very small chance that some other service was running on that port, we did not verify if the port was actually being used for remote desktop connections."

PhishLabs surveyed large parts of Class B network blocks used by residential customers in primarily English-speaking markets and looked at three major broadband IPSs from which the company identified the most phishing sites.

"That means," Jackson says, "we were looking at hot spots of activity where access to the default RDP port was not blocked and had already likely or positively been scanned by the phishing crews. Of about 180,000 hosts we examined, approximately 1.5 percent of them had the Remote Desktop port open to the Internet.

"Given the number of actual phishing sites set up on these networks, we know that the phishers have been scanning at least 1.5 million computers on the affected networks each month."

After brute-forcing RDP passwords, the attackers install the PHP Triad software. Once PHP Triad is set up and running on the default port, the phishers install anywhere from a handful to several dozen phishing pages targeting various North American financial institutions and payment services.

"We have not been able to link the spam sent out with any of the big spambot networks," Jackson says. "They appear to be sent using an automated method such as a script, using a list of compromised email addresses and passwords via whitelisted mail servers that require authentication for sending email."

Jerome Segura, senior security researcher for Malwarebytes, says the strategy is "absolutely a smart tactic" for phishers.

"Typically most phishing pages are hosted on compromised web servers, which don't always have a long lifespan because they can be shut down by the hosting provider or the site owners themselves," says Segura. "The same cannot be said about Internet service providers, which don't have direct access to their customers' machines. Short of threatening their customers to suspend their account if they don't clean their PC, there isn't a whole lot they can do."

In addition, the use of legitimate systems tends to help obfuscate criminal activities, notes Trend Micro's Jon Clay. Also, criminals -- like any other business -- are always looking for ways to save money, he says.

So far, the crew behind the attacks seems to only be interested in phishing, and there hasn't been any evidence of any malware or tinkering with security settings. However, the default configuration and security vulnerabilities identified in the versions of the software components installed by PHP Triad increase the opportunity for further intrusions on compromised hosts -- either by this crew or other crews, Jackson says.

Outside not having RDP enabled, Jackson advises disabling built-in administrator and guest accounts. In addition, users should focus on their password practices.

"This is a case of hackers taking advantage of weak, common, or default username and password combinations," he says, adding that complex passwords of more than 14 characters are ideal for when no other stronger method of authentication is available.

"People should be aware that user names or IDs are half of the puzzle that these brute-force attackers must solve," says Jackson.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:47:56 PM
Long passwords -- not ideal
It's hard for me to imagine that users who already have difficulty managing strong passwords be more vigilant with even longer, more complex passwords.... 
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/21/2014 | 12:34:09 PM
Re: RDP is a problem
I don't believe changing the RDP port would be beneficial or feasible. 

If you have a hacker who is worth his salt, simply changing the RDP port will not prevent him from discovering it.  Secondly, most home users that enable RDP do not have the technical expertise to understand what a port number is much less changing it.
User Rank: Apprentice
4/20/2014 | 8:35:57 PM
RDP is a problem
At first I thought.. Are these people using anti virus?  But that wouldn't help in this case.

Would changing the port that RDP uses help at all?
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/18/2014 | 5:19:30 PM
Re: Broadband provider's responsibility?
I imagine it would be almost impossible for the ISP's to track down these compromised hosts.  The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate home use.  Many users enable RDP or run web services out of their homes.

I would propose that the ISP's should monitor for RDP traffic originating in foreign countries destined for user's within their IP block and then alert the user's.
David F. Carr
David F. Carr,
User Rank: Strategist
4/18/2014 | 4:04:17 PM
Broadband provider's responsibility?
Do the cable Internet and DSL providers do anything to detect home networks that have become spambot nodes? I'd think they'd have some responsibility, as well as potentially a concern related to wasted bandwidth.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.