Even though the Phishing campaigns we observe in the wild vary widely in sophistication, there is always something to learn from each of them. We continually come across this one campaign and thought it might be nice to finally dive in and share what we’re seeing. We also came across a few server side artifacts that give deeper insight into the campaign.
The Boring Phish
To most security professionals, the landing page in the image to your right is the equivalent to a dark alley in a bad neighborhood. The lack of branding, obscurity of the request, and conspicuous disregard for subtlely makes this a classic phishing attempt.
In some ways, it is hard to believe anyone would fall for a page like this. However, campaigns using similar landing pages have been occurring for over a year, which implies there must be some return on the attacker’s investment that makes these campaigns worthwhile.
URIs and Redirections
There is a very clear structure here: the URIs commonly contain an index.php with an email parameter. Upon submission, a POST request is made to post.php which in turn will redirect the user to a thankyou.php. Note though, that the redirect is not always present.
The complete path of these PHP files vary from infected site and there have been a few cases in which the index.php and post.php are on different systems.
- /user/index.php?email=email@email.com
- /smg/mailbox/domain/index.php?email=email@email.com
- /images/themes/mail/mail/index.php?email=email@email.com
- /sean/index.php?email=email@email.com
Server Side Code
post.php is responsible for receiving the email address and user-provided password from the HTML form with index.php and passing it to the attacker. A simple email is used here to deliver the harvested credentials to the attacker’s email box.
Let’s check out the code:
There are a few interesting lines here, that we’ll dive into in the upcoming sections.
GeoLocation
The first lines retrieve the visitor’s IP address then use an IP GeoLocation service to determine its city. This code clearly looks under development as the url variable is redefined, with the first definition setting the URL of country endpoint and its redefinition changing to the city endpoint. It’s also worthwhile to note that API key is bound by the provider to a specific email address and server IP, as shown in the screenshot from the service provider’s website to the right. This suggests the attacker is customizing these landing pages per campaign.
Subject Line
This campaign may have targeted Chinese users given the subject of the email which is sent to the attacker. There is also what looks to be a version string containing a date. If it is a date, it is much further in the past than when the attack was active.
Recipients
Three email addresses are listed as recipients of harvested credentials. This could be for redundancy purposes or perhaps there are three individuals involved in the collection of these domains.
Multiple Campaigns
These phishing landing pages often live on servers with an out-of-date CRM like WordPress or Joomla. Since so many people are scanning the internet for vulnerable sites like these, it’s not uncommon to see evidence of multiple campaigns. In this instance, we counted three different campaigns on just one server.
A secondary site mimicked the original with one small change:
In this instance, the attacker is redirecting to another site, bhp[.]pt, instead of the post.php located on the server. These are so common that a quick search for “confirm your account to upgrade your mailbox” will return in a handful of instances.
The DHL Phish
On the same server, a slightly more sophisticated campaign was targeting DHL users. The entire page, images and all, were part of a single HTML file that redirected users to a secondary server.
redirected users to a secondary server
In addition to this redirection, there is also evidence that suggests the two sites may be working together on other campaigns. The same directory structure, leading to the same phishing page were found:
- original_site/sys/upgrade page/Aldomain/mailbox/domain/index.php
- skbizcorp[.]com/4/upgrade page/Aldomain/mailbox/domain/index.php
The Collector
Another, much more professionally written form collector was also found but not directly exposed through any of the other pages, indicating that the corresponding form that POSTs to it was hosted on another system. You can see here that the attacker opted against an IP Geolocation service that required registration, and had generally neater coding style. The author credited in the collector is ‘Techroins’.
Web Shells and Utilities
As common with vulnerable CRMs, you’ll find a few different web shells in various directories. Some are password protected while others wide open. One of the more basic but not so common ones allows for arbitrary file upload, which surely comes in handy when uploading phishing pages:
A PHP Mailer also helps here, giving the attackers the ability to spam out more attacks.
This one writes its content to a text file before sending out, so it may also be possible to see the last phish the attacker sent:
We’ll continue to watch out for these bad guys so you don’t have to!
Get simple, streamlined cloud security with an SWG
Cisco Umbrella’s integrated secure web gateway (SWG) is a full proxy that logs and inspects your organization’s web traffic to deliver full visibility, URL and application-level controls, and advanced threat protection.
