Akamai Security Intelligence & Threat Research

An Examination of a Phishing Kit Dubbed Luis

There have been plenty of articles describing the structure of phishing emails and how to spot them. Less explored, however, are phishing websites: what they are, how they are used, and how users can protect themselves. We'll take a deep dive into a particular phishing website and the methods its author used in an attempt to avoid detection.

While reading through my Twitter feed, I noticed a tweet from @WifiRumHam discussing a zip file of phishing kits he discovered hosted on a compromised web server. He pointed me to a 66 MB file named luis-debug.zip. The zip file has five directories, each unique to the target site being phished. I checked the source code in the first directory. It has code that targets a bank popular in the southern and midwestern states. I've blurred the images, as this is an ongoing investigation.

$ ls -l
total 20
drwxr-xr-x 3 www-data www-data 4096 Sep 13 10:39 55450bcff5cf109349f7a22507e8cfed
-rw-r--r-- 1 www-data www-data 2644 Dec  3 2014 blocker.php
drwxr-xr-x 3 www-data www-data 4096 Sep 22  2015 home
-rw-r--r-- 1 www-data www-data  718 Aug 20 16:18 index.php
-rw-r--r-- 1 www-data www-data  234 Sep 13 10:39 vu.txt
Figure 1.  A listing of the bank malware phishing directory.

The code in index.php includes blocker.php, which checks that the client connecting to it is not a bot or a security company that might report the phishing site. To do this, blocker.php uses a blacklist of domains and IP addresses belonging to Internet security companies, like Phishtank and Cyveillance. The antibots.php file in the file listing below implements the same bot-thwarting functionality for the /home and md5sum directories. Both files match the connecting client's hostname or IP address against a blacklist of IP addresses, domains, and user-agent strings associated with popular web crawlers and security companies. The code snippet below is a list of strings that will be matched against the connecting client's domain. A match against any indicator in the blacklist returns a 404 page.

$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);

The code in index.php then generates an md5sum of the current time, which is used as the name of a new, unique directory. The contents of the "home" directory are copied into this new directory, so the unique md5sum directory holds a copy of everything in the home directory. As the last step, index.php logs the victim's IP address in the file vu.txt and then redirects the victim to the new unique directory.

$ ls -l 55450bcff5cf109349f7a22507e8cfed
total 72
-rw-r--r-- 1 www-data www-data  1536 Dec 22 2017 action.php
-rw-r--r-- 1 www-data www-data  9791 Jun 26 2015 anon.js
-rw-r--r-- 1 www-data www-data  2124 Jan 9 2015 antibots.php
-rw-r--r-- 1 www-data www-data 17859 Nov 18  2015 confirm.php
-rw-r--r-- 1 www-data www-data 10013 Nov  5 2015 encriptar.php
-rw-r--r-- 1 www-data www-data   296 Sep 20 2015 Finish.php
drwxr-xr-x 2 www-data www-data  4096 Sep 22 2015 images
-rw-r--r-- 1 www-data www-data  6502 Nov 18 2015 index.php
-rw-r--r-- 1 www-data www-data  2180 Dec 22 2017 mailer.php
Figure 2.  A listing of the bank malware md5sum directory.
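The per-visit directory copy described above leaves a recognizable footprint on the compromised server. The following is an added example, not code from the kit or from the original article: a web-root sweep that flags directories named like an md5 digest whose file layout mirrors a sibling directory. The sample tree is constructed, and the 0.8 overlap threshold is an assumption.

```python
import os
import re
import tempfile

MD5_NAME = re.compile(r"^[0-9a-f]{32}$")  # directory named like an md5 hex digest

def listing(path):
    """Relative paths of all files below path."""
    return {os.path.relpath(os.path.join(r, f), path)
            for r, _d, files in os.walk(path) for f in files}

def find_clone_dirs(webroot, min_overlap=0.8):
    """Return (hashed_dir, template_dir) pairs where an md5-named directory
    mirrors the file layout of a sibling directory."""
    hits = []
    for root, dirs, _files in os.walk(webroot):
        hashed = [d for d in dirs if MD5_NAME.match(d)]
        plain = [d for d in dirs if not MD5_NAME.match(d)]
        for h in hashed:
            h_files = listing(os.path.join(root, h))
            for p in plain:
                p_files = listing(os.path.join(root, p))
                if p_files and len(h_files & p_files) / len(p_files) >= min_overlap:
                    hits.append((os.path.join(root, h), os.path.join(root, p)))
    return hits

def build_constructed_webroot(base):
    """Constructed sample tree: one kit-like layout, one benign cache directory."""
    kit_files = ["index.php", "antibots.php", "confirm.php", "images/logo.png"]
    trees = {
        "kit/home": kit_files,
        "kit/55450bcff5cf109349f7a22507e8cfed": kit_files,
        "site/assets": ["app.css", "app.js"],
        "site/0123456789abcdef0123456789abcdef": ["cache.bin"],  # hash-named, no twin
    }
    for directory, files in trees.items():
        for name in files:
            full = os.path.join(base, directory, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()

def demo():
    """Build the constructed tree in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as base:
        build_constructed_webroot(base)
        return [(os.path.relpath(h, base), os.path.relpath(t, base))
                for h, t in find_clone_dirs(base)]

if __name__ == "__main__":
    print(demo())
```

A hash-named directory on its own is common (caches, build artifacts); the signal here is the duplicated layout next to a template directory, and a vu.txt-style visitor log beside them strengthens it.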

The file listing includes encriptar.php and anon.js. The author, Anonisma, went a step further and incorporated AES encryption into this phishing kit in both of these files. In another step to avoid detection, the phishing page contents are encrypted into a JavaScript string, which the client browser then decrypts into HTML. The decrypted HTML is then rendered inside the browser's Document Object Model (DOM). This avoids transmitting the suspicious web page in clear text over unencrypted connections, thereby avoiding detection by security applications. Viewing the source of the phishing web pages will show the JavaScript decryption routine instead of the real HTML.


Figure 3. JavaScript used to decrypt the web page.
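Because the served source is little more than a decryption routine and a ciphertext string, the response body itself can be triaged without executing it. The following is an added example, not code from the kit or the original article: a static heuristic that flags a page dominated by one long high-entropy string literal that is written into the DOM while the static markup contains no form. It assumes the ciphertext is carried as a base64-like literal and that document.write or innerHTML is the sink; the sample pages, decryptPage, key and the thresholds are constructed or hypothetical.

```python
import base64
import hashlib
import math
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
BLOB_RE = re.compile(r"""["']([A-Za-z0-9+/=]{256,})["']""")  # long base64-like literal
SINK_RE = re.compile(r"document\.write|\.innerHTML\s*=")     # assumed DOM sinks
FORM_RE = re.compile(r"<(?:form|input)\b", re.I)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def assess(html):
    """Score one response body for the 'page shipped as ciphertext' pattern."""
    scripts = SCRIPT_RE.findall(html)
    static_markup = SCRIPT_RE.sub("", html)
    blobs = [b for s in scripts for b in BLOB_RE.findall(s)]
    blob = max(blobs, key=len, default="")
    result = {
        "high_entropy_blob": bool(blob) and entropy(blob) > 5.0,
        "blob_share": round(len(blob) / max(len(html), 1), 2),
        "dom_sink": any(SINK_RE.search(s) for s in scripts),
        "static_form": bool(FORM_RE.search(static_markup)),
    }
    result["suspicious"] = (result["high_entropy_blob"] and result["dom_sink"]
                            and not result["static_form"] and result["blob_share"] > 0.5)
    return result

def constructed_blob(blocks=40):
    """Constructed stand-in for ciphertext: base64 of SHA-256 digests of a counter."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(blocks))
    return base64.b64encode(raw).decode()

# Constructed samples; decryptPage and key are hypothetical names.
OBFUSCATED = ('<html><body><script>var c="' + constructed_blob() +
              '";document.write(decryptPage(c, key));</script></body></html>')
BENIGN = ('<html><body><h1>Sign in</h1><form action="/login" method="post">'
          '<input name="user"><input name="pass" type="password"></form>'
          '<script>document.title = "Sign in";</script></body></html>')

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, assess(page))
```

Legitimate pages also embed base64 (inline images, bundled assets), so treat a hit as a reason to render the page in a sandbox and inspect the resulting DOM, not as a verdict.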

The victim is directed to the phishing site in their browser, shown in figure 4, instead of the legitimate site.


Figure 4.  The webpage decrypted by the browser.

The code used to implement the AES encryption appears to have been copied from these pages:

https://www.movable-type.co.uk/scripts/aes.html
https://www.movable-type.co.uk/scripts/aes-php.html

This kit is also designed to steal more of the victim's information associated with the account, by adding another account information confirmation form.  This confirmation form is also AES encrypted by confirm.php and sent via JavaScript to the browser to decrypt.



Figure 5.  The second form collecting more of the victim's information.

The victim is then redirected to the legitimate banking site, as if no nefarious actions have happened. The victim's credentials and personal information captured by the phishing site are then emailed out by mailer.php to the attacker's gmail.com account.  


I believe that with the continued success of these phishing campaigns, the software being used will become more streamlined and sophisticated. Phishing attacks will be more difficult to detect by enterprise security applications as cybercriminals find new ways to obfuscate their activities. I expect that highly customizable software kits that will allow even the most novice cybercriminals to launch their own campaigns will become more prevalent.  With the combination of homoglyphs, tricking the eye, and the obfuscation methods bypassing network monitoring that I have described above, phishing emails are getting harder and harder to detect by individuals and enterprise security systems alike.