Research

Behind the Scenes of a Phishing Campaign

Brad Antoniewicz
Updated — May 2, 2022 • 4 minute read

Even though the phishing campaigns we observe in the wild vary widely in sophistication, there is always something to learn from each of them. We continually come across this one campaign and thought it might be nice to finally dive in and share what we’re seeing. We also came across a few server-side artifacts that give deeper insight into the campaign.

The Boring Phish

Example of a "Confirm your account" phishing attempt

To most security professionals, the landing page in the image above is the equivalent of a dark alley in a bad neighborhood. The lack of branding, the obscurity of the request, and the conspicuous disregard for subtlety make this a classic phishing attempt.
In some ways, it is hard to believe anyone would fall for a page like this. However, campaigns using similar landing pages have been occurring for over a year, which implies there must be some return on the attacker’s investment that makes these campaigns worthwhile.

URIs and Redirections

There is a very clear structure here: the URIs commonly contain an index.php with an email parameter. Upon submission, a POST request is made to post.php, which in turn redirects the user to a thankyou.php. Note, though, that the redirect is not always present.

URIs and Redirections involved in a Phish
The complete path of these PHP files varies from one infected site to the next, and there have been a few cases in which index.php and post.php are on different systems.

  • /user/index.php?email=email@email.com
  • /smg/mailbox/domain/index.php?email=email@email.com
  • /images/themes/mail/mail/index.php?email=email@email.com
  • /sean/index.php?email=email@email.com
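One way to hunt for this request chain in your own web server access logs, as an added example that is not part of the original post. The log lines are constructed for the example and assumed to be in Apache combined format; the redirect to thankyou.php is treated as optional, as the post notes.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access log lines (Apache combined format), not taken from the post.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2022:10:01:02 +0000] "GET /smg/mailbox/domain/index.php?email=victim@example.com HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2022:10:01:40 +0000] "POST /smg/mailbox/domain/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [02/May/2022:10:01:41 +0000] "GET /smg/mailbox/domain/thankyou.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2022:10:05:00 +0000] "GET /user/index.php?email=bob@example.org HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2022:10:05:31 +0000] "POST /user/post.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.55 - - [02/May/2022:10:07:12 +0000] "GET /blog/index.php?page=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, method, path, status) for every parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def find_phish_sessions(text):
    """Return {ip: {"email", "dir", "posted", "thankyou"}} for clients that
    requested index.php?email=... and then POSTed to post.php.
    thankyou.php is recorded when seen but is not required, since the
    redirect is not always present. post.php is not required to sit in the
    same directory because index.php and post.php may live on different hosts."""
    sessions = {}
    for ip, method, path, status in parse_log(text):
        base, _, query = path.partition("?")
        directory, _, filename = base.rpartition("/")
        if method == "GET" and filename == "index.php" and "email=" in query:
            email = parse_qs(query).get("email", [""])[0]
            sessions[ip] = {"email": email, "dir": directory, "posted": False, "thankyou": False}
        elif ip in sessions and method == "POST" and filename == "post.php":
            sessions[ip]["posted"] = True
        elif ip in sessions and method == "GET" and filename == "thankyou.php":
            sessions[ip]["thankyou"] = True
    return {ip: s for ip, s in sessions.items() if s["posted"]}
```

Run over real logs, a hit tells you which victim address was pre-filled in the form and which directory on the host is serving the kit, which is where to start cleanup.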

Server Side Code

post.php is responsible for receiving the email address and the user-provided password from the HTML form in index.php and passing them to the attacker. A simple email is used here to deliver the harvested credentials to the attacker’s mailbox.
Let’s check out the code:

There are a few interesting lines here, that we’ll dive into in the upcoming sections.

GeoLocation

Using GeoLocation as a clue to a phishing campaign

The first lines retrieve the visitor’s IP address and then use an IP GeoLocation service to determine its city. This code clearly looks under development, as the url variable is redefined: the first definition sets the URL of the country endpoint and the redefinition changes it to the city endpoint. It’s also worthwhile to note that the API key is bound by the provider to a specific email address and server IP, as shown in the screenshot from the service provider’s website. This suggests the attacker is customizing these landing pages per campaign.

Subject Line

This campaign may have targeted Chinese users, given the subject of the email that is sent to the attacker. There is also what looks to be a version string containing a date. If it is a date, it is much further in the past than when the attack was active.


Phishing - subject line example

Recipients

Three email addresses are listed as recipients of harvested credentials. This could be for redundancy purposes or perhaps there are three individuals involved in the collection of these domains.


Phishing - recipients example


Multiple Campaigns

These phishing landing pages often live on servers with an out-of-date CMS like WordPress or Joomla. Since so many people are scanning the internet for vulnerable sites like these, it’s not uncommon to see evidence of multiple campaigns. In this instance, we counted three different campaigns on just one server.
A secondary site mimicked the original with one small change:

Multiple Phishing campaigns using one site
In this instance, the attacker is redirecting to another site, bhp[.]pt, instead of the post.php located on the server. These are so common that a quick search for “confirm your account to upgrade your mailbox” will return a handful of instances.

The DHL Phish

Screen capture of the DHL Phish
On the same server, a slightly more sophisticated campaign was targeting DHL users. The entire page, images and all, was contained in a single HTML file that redirected users to a secondary server.

redirected users to a secondary server
In addition to this redirection, there is also evidence that suggests the two sites may be working together on other campaigns. The same directory structure, leading to the same phishing page, was found on both:

  • original_site/sys/upgrade page/Aldomain/mailbox/domain/index.php
  • skbizcorp[.]com/4/upgrade page/Aldomain/mailbox/domain/index.php

The Collector

Another, much more professionally written form collector was also found, but it was not directly exposed through any of the other pages, indicating that the corresponding form that POSTs to it was hosted on another system. You can see here that the attacker opted against an IP Geolocation service that required registration and had a generally neater coding style. The author credited in the collector is ‘Techroins’.

Web Shells and Utilities

As is common with vulnerable CMSs, you’ll find a few different web shells in various directories. Some are password protected while others are wide open. One of the more basic but not so common ones allows for arbitrary file upload, which surely comes in handy when uploading phishing pages:

Webshell example
A PHP Mailer also helps here, giving the attackers the ability to spam out more attacks.

PHP mailer example
This one writes its content to a text file before sending, so it may also be possible to see the last phish the attacker sent:

Text file example
We’ll continue to watch out for these bad guys so you don’t have to!
