Popular global brands like Yahoo, Gmail, Microsoft, and DropBox are commonly used for Credential Phishing attacks. Typically the attacker creates a replica of the brand’s Sign-in or Password recovery page and attempts to lure victims into entering their confidential information into the fake page.
Today, at a large customer site, we witnessed a new twist to this old scheme. The Slashnext cloud intercepted a Phishing attack where, as usual, attackers created a fake web page, but this time targeting multiple brands simultaneously.
The multi-stage attack involves two different command & control (C&C) domains.
recoverfloridahomelisting [.] com and thirdfloridahomelisting [.] com
As of this writing both domains are un-detected by all vendors listed on VirusTotal.
The most up-to-date VT reports can be found here:
Likewise both Safari and Chrome Phishing filters fail to identify these sites as malicious.
Step by Step Attack Analysis
The initial phishing URL is recoverfloridahomelisting [.] com/Drive.php. Drive.php is a redirector for the main Phishing page hosted at: thirdfloridahomelisting [.] com
<meta http-equiv=”refresh” content=”0; URL=hxxp://thirdfloridahomelisting [.] com/8hfKmgl/8hfKmgl/12hjdUldk.html”>
Browsing to the first url lands the user on a custom Phishing page that masquerades as a dropbox sign-in page asking the user to login using one of the listed email providers.
hxxp://thirdfloridahomelisting [.] com/8hfKmgl/8hfKmgl/12hjdUldk.htm
Clicking on any of the icons opens a pop-up asking the user to enter his email ID and password.
If the user enters his credentials, the web form will submit the stolen information to a php file named ‘results.php’ hosted on the same server.
where ’email’ is a variable that contains the user’s email and ‘addresszip’ holds the password string.
One would think that the attacker has achieved his objective of stealing the user’s email credentials, but there’s more.
Once the username and password are posted, the user is immediately re-directed to another Phishing page asking for his telephone number and recovery email address.
After entering either his phone or recovery email, the user is redirected to a flashy popup asking him to wait while his documents are being prepared.
This flashy popup lasts only a few seconds while the user’s phone and recovery email are posted to another php page named ‘verification.php’
Finally, at the end of ‘verification.php’ the user is redirected to a realtor.com page displaying home listings in Miami Florida.
These types of Phishing attacks exploit a key characteristic of the human brain that naturally gives a higher weight to visuals and the familiar language on a web page than to the page’s identification and origin (URLs, Certificate information etc).
Visual and text queues allow humans instantly understand the purpose of a particular web page – especially if they have seen it before, but this natural human characteristic plays to an attacker’s advantage when the attacker creates a phishing web page that is visually similar to a familiar page. The brain’s long term positive memory kicks in and humans (naturally) assume that the attacker’s page is authentic. They are easily duped into giving away their confidential information.
In addition to deploying advanced Phishing detection, such as the SlashNext Internet Access Protection System™, it’s important to educate users and hold regular refresher courses to overcome the brain’s natural tendencies and keep this kind of attack profile in the forefront of their thoughts.