Inside a Phishing Network

March 14, 2016 | admin

Credential phishing is an effective way to steal someone’s confidential information. Attackers create a look-alike login page matching a global brand’s login (Google, Yahoo, Microsoft) and send a phishing email containing a link to the fake page. When the victim clicks the link, the fake page, which closely resembles the brand’s real login page, is displayed. If the victim does not pay close attention to the URL or to the site’s certificate, he or she enters credentials into the fake page, and those credentials are relayed to the attacker in real time.

Last week, one of SlashNext’s customers was targeted by a phishing email containing a link to a fake Google Drive login page. The system detected and blocked the attempt, so no damage was done.

[Screenshot: the fake Google Drive login page]

The phishing link was:

hxxp://amarilogear[.]com/dic/source

What was particularly interesting about this attack is that the attackers did not secure their C&C infrastructure very well. Several web directories on the C&C server had directory listing enabled, so their contents could be browsed by anyone who knew the URL. Some of those directories hosted fake PayPal and Apple iCloud login pages as well. In one directory we found several malicious JavaScript files as well as the code used to build these phishing pages.

[Screenshot: directory listing on the C&C server]

A quick review of the source code left exposed by the attackers revealed that all information entered on these pages is sent to ‘rich****gure@gmail.com’, presumably an address controlled by the attacker.

Looking at the main program flow:

The main phishing page is a straight copy of the original Google Drive login page. The only change is inside the main web form, where the action of the ‘Sign in’ button was pointed at a local PHP file, ‘validate.php’, so that the submitted credentials go to the attacker’s server instead of to Google.

[Screenshot: the modified form action in the phishing page]

The logic inside validate.php is simple. The first step reads the victim’s username, password and telephone number from the submitted form parameters and loads them into local variables.

[Screenshot: validate.php reading the submitted credentials]

The next step uses the victim’s IP address to geolocate their country, state and city.

[Screenshot: validate.php geolocating the victim’s IP address]

After collecting this information, the script emails it to the attacker’s address using the following code:

[Screenshot: validate.php mailing the harvested data to the attacker]
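The kit flow described above leaves one reliable tell in the cloned page itself: the markup is a copy of the brand’s page, but the credential form posts somewhere the brand does not own. The following Python is an added example, written for this write-up and not taken from the phishing kit or from SlashNext, showing how a scanner can use that tell. It parses a page with the standard library, finds forms that contain a password field, resolves their action against the page URL, and flags any brand-styled form that posts off-brand or over plain HTTP. The allowlist of legitimate login hosts and both sample pages are constructed for illustration (the lookalike host is on the reserved `.invalid` TLD); the allowlist is hypothetical and would be maintained from observed legitimate traffic in a real deployment.

```python
"""Spot a cloned login page by where its credential form posts.

Added example for this write-up, not code from the phishing kit. The kit
left the copied Google Drive page intact except for the <form action>,
which was pointed at a local validate.php. That swap is visible to a
scanner: a brand-styled page whose password form posts to a host the brand
does not own is suspect. All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist of hosts a genuine login form may post to.
# Illustrative only; a real deployment would build this from observed traffic.
BRAND_LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "paypal": {"www.paypal.com"},
    "icloud": {"idmsa.apple.com", "www.icloud.com"},
}


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def detect_brands(text):
    """Brands whose names appear in the visible page text (crude but sufficient here)."""
    low = text.lower()
    return sorted(b for b in BRAND_LOGIN_HOSTS if b in low)


def analyze_login_page(page_url, html):
    """Return the brands impersonated and every off-brand or cleartext credential post."""
    parser = _FormCollector()
    parser.feed(html)
    brands = detect_brands(" ".join(parser.text))
    allowed = set().union(*(BRAND_LOGIN_HOSTS[b] for b in brands))
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes and the like are not credential forms
        # A relative action such as "validate.php" resolves against the page URL,
        # so the credentials land on the phishing host, not on the brand's host.
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        host = parts.hostname or ""
        if brands and host not in allowed:
            findings.append(
                f"{'/'.join(brands)}-branded password form posts to {host} "
                f"({parts.path}); expected one of {sorted(allowed)}"
            )
        if brands and page_host not in allowed:
            findings.append(f"{'/'.join(brands)}-branded login served from {page_host}")
        if parts.scheme == "http":
            findings.append(f"credentials would travel in cleartext to {target}")
    return {"brands": brands, "findings": findings, "suspicious": bool(findings)}


# Constructed sample: a cloned Google Drive sign-in page on a lookalike host,
# with only the form action changed, as in the kit analysed above.
PHISH_URL = "http://example-phish.invalid/dic/source/"
PHISH_HTML = """
<html><head><title>Google Drive - Sign in</title></head><body>
<form method="post" action="validate.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form></body></html>
"""

# Constructed sample of how a genuine page looks to the same check.
LEGIT_URL = "https://accounts.google.com/signin/v2/identifier"
LEGIT_HTML = """
<html><head><title>Sign in - Google Accounts</title></head><body>
<form method="post" action="/signin/challenge">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
</form></body></html>
"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        report = analyze_login_page(url, html)
        print(url, "->", "SUSPICIOUS" if report["suspicious"] else "clean")
        for finding in report["findings"]:
            print("  ", finding)
```

The check needs no prior knowledge of the phishing domain, which is the point made later in the post about signatures: it keys on the relationship between the brand a page imitates and the host that receives the password, not on any indicator seen before. Brand detection by keyword is deliberately crude here; a production scanner would use logo or template matching, and the cleartext check should be read as a secondary signal, since a kit served over HTTPS would pass it.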

During the analysis we also found a fake OWA (Outlook Web Access) login page targeting a US law firm, so the attackers were clearly planning to go after specific businesses as well. The boundary between commodity crimeware and targeted attacks has become very thin.

Credential phishing attacks are particularly troublesome because they are so difficult to detect. The page drops no file and contains no exploit, so a sandbox sees nothing to trap. Likewise, signature-based systems have nothing to match on when both the domain and the page are new.

If you are wondering how our system detected this phishing attack without any prior knowledge of it, please visit our Technology section.

One thought on “Inside a Phishing Network”

  1. Would you like to share the malicious pages? I sent you an email with my contact info. It’s just for research purposes…
