While speaking with a colleague about recent work by Akamai's Enterprise Threat Protector (ETP) Research Team on phishing detection and mitigation, we discussed a recent phishing campaign targeting Microsoft users that leveraged free HTML hosting services, and how easy it has become to build and deliver a phishing website.
The HTML hosting service in question, HTML Pasta, is a free service that lets anyone host HTML code and share links to it across the web. Once code is saved to HTML Pasta, the service generates a sub-domain made up of a random string of letters and numbers that serves the body of the posted code; content in the HEAD tag is stripped out.
NOTE: To be clear, this service is being abused by criminals, and it isn't responsible for content we discovered in the ERT.
Several phishing tutorials online recommend services such as this one, instructing readers to build phishing kits by copying the target's source code and pasting it into the service. Kits developed this way need only a slight modification: the username and password fields are pointed at a PHP script hosted externally, which collects the credentials.
The image below, with the domain removed, shows a phishing attack leveraging this method. The process used to develop this fast-attack phishing kit mirrored the one outlined in one of the tutorials we discovered.
We call this a fast-attack because phishing domains can be propped up within minutes, with little to no effort on the part of the attacker. The life of the phishing website may be short, as such sites are usually removed quickly once reported, but the barrier to entry is so low that just one or two victims are all an attacker needs to make the attack worth their while.
The random sub-domains generated by this service present a problem for feed-based phishing solutions, since an attacker can create as many of them as they want and each new one is absent from the feed. The trust level of the parent domain poses a further challenge: many reputation filters will not flag HTML Pasta outright, because the service itself isn't malicious.
To be clear, fast-attacks like this sit at the low end of the phishing attack spectrum. However, abusing legitimate services such as this is a tactic criminals favor, because it requires little investment on their end (in both resources and time), and they can take advantage of the service's positive reputation as an evasion technique.
However, the downside to the criminal, and the huge win for enterprise defenders, is that service abuse like this is easily spotted and can quickly be added to awareness training campaigns or internal messaging. Moreover, enterprise defenses can be trained to block such services directly if there is no legitimate business need for them.
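To make the two points above concrete, the following is an added example (not code from the original post or from Akamai) showing why a feed of exact hostnames misses freshly generated sub-domains while a policy that blocks the hosting service's base domain catches them. The base domain `htmlpasta.example`, the feed entry, and the proxy log lines are all constructed placeholders, not the real service's domain or real data. The suffix check is label-aligned so that an unrelated domain that merely ends in the same characters is not blocked.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the free hosting service's base domain.
# Deliberately not the real domain; substitute your own policy list.
BLOCKED_SUFFIXES = ("htmlpasta.example",)

# Constructed stand-in for a feed that lists only sub-domains that were
# already reported. A brand-new random sub-domain will not be in it.
FEED_EXACT = {"a1b2c3d4.htmlpasta.example"}

# Constructed proxy log lines: timestamp, user, method, URL, status.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://a1b2c3d4.htmlpasta.example/ 200
2024-05-01T09:15:44Z bob GET https://q7x9k2m4.htmlpasta.example/login.html 200
2024-05-01T09:20:00Z carol GET https://www.microsoft.com/ 200
2024-05-01T09:21:30Z dave GET https://notthehtmlpasta.example/ 200
"""


def extract_host(line):
    """Return the lowercase hostname from the URL field of one log line, or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host = urlsplit(fields[3]).hostname
    return host.lower().rstrip(".") if host else None


def feed_match(host):
    """Exact-match lookup, the way a hostname blocklist feed is applied."""
    return host in FEED_EXACT


def policy_match(host, suffixes=BLOCKED_SUFFIXES):
    """Block the base domain and any label-aligned sub-domain of it.

    A bare endswith(suffix) would also match "notthehtmlpasta.example",
    so the dot is required before the suffix.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def evaluate(log_text):
    """Run both checks over every parseable log line."""
    results = []
    for line in log_text.splitlines():
        host = extract_host(line)
        if host is None:
            continue
        results.append(
            {"host": host, "feed": feed_match(host), "policy": policy_match(host)}
        )
    return results


def policy_gaps(results):
    """Hosts the base-domain policy blocks but the exact-match feed misses."""
    return [r["host"] for r in results if r["policy"] and not r["feed"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f'{r["host"]:35} feed={r["feed"]!s:5} policy={r["policy"]}')
    print("missed by feed:", policy_gaps(evaluate(SAMPLE_LOG)))
```

Run as written, the previously reported sub-domain is caught by both checks, the new random sub-domain is caught only by the base-domain policy, and neither the legitimate site nor the look-alike domain is blocked. A base-domain policy of this kind is appropriate only where, as the text says, there is no legitimate business need for the service.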
But as long as such services continue to exist, they're a prime target for criminals looking to abuse them and turn something good into something bad.