Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:10 AM

Phishers Recruit Home PCs

Residential broadband machines spotted hosting phishing attacks.

For attackers, hide-and-seek is a daily exercise -- and a wave of phishing attacks may be have found the perfect hiding spot.

According to PhishLabs, the attacks involve phishing sites installed and hosted on the personal computers of residential broadband customers. The attackers are able to do this by exploiting the home computers of residential ISP customers who have the Remote Desktop Protocol (RDP) service enabled on Microsoft Windows and who use easily guessable passwords.

The tactic is significant because phishing sites hosted on compromised home PCs typically have a longer lifespan than those in hosting environments. This is because hosting providers are quicker to take action to shut down malicious sites, because they have direct control over the servers, and the terms of service prohibit that kind of activity, Don Jackson, PhishLabs director of threat intelligence, explains in a blog post. This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks, he writes.

The attackers start by scanning residential service IP address space for open RDP ports and brute-forcing weak and default passwords. Once the attackers have access to the system, they install web server software and upload various phishing pages, the links to which are blasted out in spam messages. The RDP server listens on port 3389/tcp by default, but is turned off by default on Windows desktops.

Still, Jackson tells Dark Reading that it would be a mistake to underestimate the prevalence of the attacks.

"The short answer is between 1 to 2 percent" of users have RDP turned on, says Jackson. "We looked only for the default RDP port 3389/tcp used by Terminal Services/Remote Desktop, but although there's a very small chance that some other service was running on that port, we did not verify if the port was actually being used for remote desktop connections."

PhishLabs surveyed large parts of Class B network blocks used by residential customers in primarily English-speaking markets and looked at three major broadband IPSs from which the company identified the most phishing sites.

"That means," Jackson says, "we were looking at hot spots of activity where access to the default RDP port was not blocked and had already likely or positively been scanned by the phishing crews. Of about 180,000 hosts we examined, approximately 1.5 percent of them had the Remote Desktop port open to the Internet.

"Given the number of actual phishing sites set up on these networks, we know that the phishers have been scanning at least 1.5 million computers on the affected networks each month."

After brute-forcing RDP passwords, the attackers install the PHP Triad software. Once PHP Triad is set up and running on the default port, the phishers install anywhere from a handful to several dozen phishing pages targeting various North American financial institutions and payment services.

"We have not been able to link the spam sent out with any of the big spambot networks," Jackson says. "They appear to be sent using an automated method such as a script, using a list of compromised email addresses and passwords via whitelisted mail servers that require authentication for sending email."

Jerome Segura, senior security researcher for Malwarebytes, says the strategy is "absolutely a smart tactic" for phishers.

"Typically most phishing pages are hosted on compromised web servers, which don't always have a long lifespan because they can be shut down by the hosting provider or the site owners themselves," says Segura. "The same cannot be said about Internet service providers, which don't have direct access to their customers' machines. Short of threatening their customers to suspend their account if they don't clean their PC, there isn't a whole lot they can do."

In addition, the use of legitimate systems tends to help obfuscate criminal activities, notes Trend Micro's Jon Clay. Also, criminals -- like any other business -- are always looking for ways to save money, he says.

So far, the crew behind the attacks seems to only be interested in phishing, and there hasn't been any evidence of any malware or tinkering with security settings. However, the default configuration and security vulnerabilities identified in the versions of the software components installed by PHP Triad increase the opportunity for further intrusions on compromised hosts -- either by this crew or other crews, Jackson says.

Outside not having RDP enabled, Jackson advises disabling built-in administrator and guest accounts. In addition, users should focus on their password practices.

"This is a case of hackers taking advantage of weak, common, or default username and password combinations," he says, adding that complex passwords of more than 14 characters are ideal for when no other stronger method of authentication is available.

"People should be aware that user names or IDs are half of the puzzle that these brute-force attackers must solve," says Jackson.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/21/2014 | 3:47:56 PM
Long passwords -- not ideal
It's hard for me to imagine that users who already have difficulty managing strong passwords be more vigilant with even longer, more complex passwords.... 
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/21/2014 | 12:34:09 PM
Re: RDP is a problem
I don't believe changing the RDP port would be beneficial or feasible. 

If you have a hacker who is worth his salt, simply changing the RDP port will not prevent him from discovering it.  Secondly, most home users that enable RDP do not have the technical expertise to understand what a port number is much less changing it.
User Rank: Apprentice
4/20/2014 | 8:35:57 PM
RDP is a problem
At first I thought.. Are these people using anti virus?  But that wouldn't help in this case.

Would changing the port that RDP uses help at all?
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/18/2014 | 5:19:30 PM
Re: Broadband provider's responsibility?
I imagine it would be almost impossible for the ISP's to track down these compromised hosts.  The ports and traffic generated by the compromised machines is not overly odd when compared to the traffic of legitimate home use.  Many users enable RDP or run web services out of their homes.

I would propose that the ISP's should monitor for RDP traffic originating in foreign countries destined for user's within their IP block and then alert the user's.
David F. Carr
David F. Carr,
User Rank: Strategist
4/18/2014 | 4:04:17 PM
Broadband provider's responsibility?
Do the cable Internet and DSL providers do anything to detect home networks that have become spambot nodes? I'd think they'd have some responsibility, as well as potentially a concern related to wasted bandwidth.
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.