Zero-Hour Multi Brand Phish

April 16, 2016, admin

Popular global brands like Yahoo, Gmail, Microsoft, and Dropbox are commonly used for Credential Phishing attacks. Typically the attacker creates a replica of the brand’s sign-in or password recovery page and attempts to lure victims into entering their confidential information into the fake page.

Today, at a large customer site, we witnessed a new twist on this old scheme. The SlashNext cloud intercepted a Phishing attack where, as usual, the attackers created a fake web page, but this time targeting multiple brands simultaneously.

[Image: popup]

The multi-stage attack involves two different command & control (C&C) domains.

recoverfloridahomelisting [.] com and thirdfloridahomelisting [.] com

As of this writing, both domains are undetected by all vendors listed on VirusTotal.

[Images: vt_1, vt_2]

The most up-to-date VT reports can be found here:

https://www.virustotal.com/en/url/2a1998732c74bd442c8621a15ae0539fe6ea6eb0f83e2816c8d41e5e7f7ea21d/analysis/

https://www.virustotal.com/en/url/35492d949519f0f1ca40630781a926735fd3217317e66e9d4864aa6db5478ccf/analysis/

Likewise, both the Safari and Chrome Phishing filters fail to identify these sites as malicious.

Step by Step Attack Analysis

Stage 1:

The initial phishing URL is recoverfloridahomelisting [.] com/Drive.php. Drive.php is a meta-refresh redirector to the main Phishing page hosted at thirdfloridahomelisting [.] com:

<meta http-equiv="refresh" content="0; URL=hxxp://thirdfloridahomelisting [.] com/8hfKmgl/8hfKmgl/12hjdUldk.html">

Stage 2:

Browsing to the first URL lands the user on a custom Phishing page that masquerades as a Dropbox sign-in page and asks the user to log in with one of the listed email providers.

[Image: second_stage]

hxxp://thirdfloridahomelisting [.] com/8hfKmgl/8hfKmgl/12hjdUldk.htm

Stage 3:

Clicking on any of the icons opens a pop-up asking the user to enter his email ID and password.

[Image: third_stage]

If the user enters his credentials, the web form submits the stolen information to a PHP file named ‘results.php’ hosted on the same server.

[Image: pcap_1]

In the POST body, ‘email’ is the form variable that contains the user’s email address and ‘addresszip’ holds the password string.

One would think that the attacker has achieved his objective of stealing the user’s email credentials, but there’s more.

Stage 4:

Once the username and password are posted, the user is immediately redirected to another Phishing page asking for his telephone number and recovery email address.

[Image: fourth_stage]

Stage 5:

After entering either his phone or recovery email, the user is redirected to a flashy popup asking him to wait while his documents are being prepared.

[Image: fifth_stage]

This flashy popup lasts only a few seconds, while the user’s phone and recovery email are posted to another PHP page named ‘verification.php’.

[Image: pcap_2]

Stage 6:

Finally, at the end of ‘verification.php’, the user is redirected to a realtor.com page displaying home listings in Miami, Florida.

[Image: sixth_stage]
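As an added illustration (not part of SlashNext’s write-up or tooling), the following Python sketches detection logic a defender could run over proxy logs for the chain above: it flags any POST that carries an email address plus at least one other field to a host outside that email provider’s domain, which catches the ‘addresszip’ password field without knowing its name, and lists the distinct hosts the client was bounced through. The log lines are constructed; stage1.example and stage2.example are placeholders for the two attacker domains.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log excerpt for one client, modelled on the six stages
# above. stage1.example / stage2.example are placeholders for the redirector
# and phishing hosts; the paths are the ones named in the write-up.
SAMPLE_LOG = """\
GET http://stage1.example/Drive.php 200
GET http://stage2.example/8hfKmgl/8hfKmgl/12hjdUldk.html 200
POST http://stage2.example/8hfKmgl/8hfKmgl/results.php 302 email=victim%40gmail.com&addresszip=S3cret
POST http://stage2.example/8hfKmgl/8hfKmgl/verification.php 302 phone=5550100
GET http://www.realtor.com/ 200
"""

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def parse_line(line):
    """Split 'METHOD URL STATUS [BODY]'; BODY is the urlencoded POST payload."""
    parts = line.split(maxsplit=3)
    body = parts[3] if len(parts) > 3 else ""
    return {"method": parts[0], "url": parts[1], "status": int(parts[2]),
            "host": urlparse(parts[1]).hostname, "form": parse_qs(body)}

def find_credential_posts(log_text):
    """(host, provider, other_fields) for each POST that sends an e-mail address
    plus at least one other field to a host outside the provider's domain. The
    password field is found by elimination, so its name does not matter."""
    hits = []
    for req in map(parse_line, log_text.splitlines()):
        if req["method"] != "POST":
            continue
        for field, values in req["form"].items():
            m = EMAIL_RE.match(values[0])
            if not m:
                continue
            provider = m.group(1).lower()
            # host belongs to the provider only if it is that domain or a subdomain
            own = req["host"] == provider or req["host"].endswith("." + provider)
            others = sorted(f for f in req["form"] if f != field)
            if others and not own:
                hits.append((req["host"], provider, others))
    return hits

def chain_hosts(log_text):
    """Distinct hosts in the order the client reached them (the redirect chain)."""
    seen = []
    for req in map(parse_line, log_text.splitlines()):
        if req["host"] not in seen:
            seen.append(req["host"])
    return seen
```

A real deployment would feed this from the proxy’s own log format and correlate the flagged POST with the newly registered domain and the off-brand final redirect.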


These types of Phishing attacks exploit a key characteristic of the human brain, which naturally gives more weight to the visuals and familiar language on a web page than to the page’s identification and origin (URLs, certificate information, etc.).

Visual and text cues allow humans to instantly understand the purpose of a particular web page – especially if they have seen it before – but this natural human characteristic plays to an attacker’s advantage when the attacker creates a phishing web page that is visually similar to a familiar page. The brain’s long-term positive memory kicks in and humans (naturally) assume that the attacker’s page is authentic. They are easily duped into giving away their confidential information.

In addition to deploying advanced Phishing detection, such as the SlashNext Active Cyber Defense System, it’s important to educate users and hold regular refresher courses to overcome the brain’s natural tendencies and keep this kind of attack profile in the forefront of their thoughts.
