Credential Phishing is an effective way to snatch someone’s confidential information. Hacker’s create a look-a-like login page matching a global brand’s login (Google, Yahoo, Microsoft) and send a phishing email containing a link to the fake page. When a victim clicks on the phishing link, the fake page (which exactly resembles the brand’s login page) is displayed for the victim. If the victim doesn’t pay close attention to the URL or security certificate, he/she would enter confidential information onto the fake page – resulting in real time transfer of the user’s login credentials to attackers.
Last week, one of SlashNext customer was attacked by a phishing email containing a link pointing to a fake Google Drive login page. The system was able to able to detect and stop this phishing attempt so no damage was done.
The phishing link was:
What was particularly interesting about this attack is that the attackers did not secure their C&C infrastructure very well. There were multiple web directories located on the C&C server with ‘Directory Listing’ allowed. Some directories were hosting fake Paypal and Apple iCloud login pages as well. Under one directory we found multiple types of malicious java scripts as well the code being used to create these phishing pages.
A quick review of the source code posted by the hackers revealed that all the information entered on these pages is sent to: ‘email@example.com’, presumably controlled by the attacker.
Looking at the main program flow:
The main phishing page is a simple copy/paste of the original google drive login page. The only change was inside the main web form where the action for the ‘Signin’ button was changed to submit the data to an internal php file called ‘validate.php.
The logic inside validate.php is quite simple. The first step captures the victim’s username, password and telephone through submitted parameters that load that into local variables.
The next step uses the IP address to Geo locate the victim’s Country, State and City.
After hijacking this information, an email is sent to the attacker’s email using following code:
During the analysis of the code we also found a fake OWA (Outlook Web Access) login page targeting a US law firm. Clearly the attackers were planning to target specific businesses as well. The boundaries between simple Crimeware and targeted attacks has become very thin.
Credential Phishing attacks are particularly troublesome because they are so difficult to detect. Because no objects are used, and no exploit is contained within the page, sandboxes will not trap this type of attack. Likewise signature based systems are equally incapable of detecting this type of attack.
If you are wondering how our system was able to detect this phishing attack without any prior knowledge please visit our Technology section.