Cisco Umbrella

Enterprise network security

Research

Behind the Scenes of a Phishing Campaign

By Brad Antoniewicz

Even though the Phishing campaigns we observe in the wild vary widely in sophistication, there is always something to learn from each of them.  We continually come across this one campaign and thought it might be nice to finally dive in and share what we’re seeing. We also came across a few server side artifacts that give deeper insight into the campaign.

The Boring Phish

To most security professionals, the landing page in the image to your right is the equivalent to a dark alley in a bad neighborhood. The lack of branding, obscurity of the request, and conspicuous disregard for subtlely makes this a classic phishing attempt.
In some ways, it is hard to believe anyone would fall for a page like this. However, campaigns using similar landing pages have been occurring for over a year, which implies there must be some return on the attacker’s investment that makes these campaigns worthwhile.

URIs and Redirections

There is a very clear structure here: the URIs commonly contain an index.php with an email parameter. Upon submission, a POST request is made to post.php which in turn will redirect the user to a thankyou.php. Note though, that the redirect is not always present.
 

The complete path of these PHP files vary from infected site and there have been a few cases in which the index.php and post.php are on different systems.

  • /user/index.php?email=email@email.com
  • /smg/mailbox/domain/index.php?email=email@email.com
  • /images/themes/mail/mail/index.php?email=email@email.com
  • /sean/index.php?email=email@email.com

Server Side Code

post.php is responsible for receiving the email address and user-provided password from the HTML form with index.php and passing it to the attacker. A simple email is used here to deliver the harvested credentials to the attacker’s email box.
Let’s check out the code:

There are a few interesting lines here, that we’ll dive into in the upcoming sections.

GeoLocation

The first lines retrieve the visitor’s IP address then use an IP GeoLocation service to determine its city. This code clearly looks under development as the url variable is redefined, with the first definition setting the URL of country endpoint and its redefinition changing to the city endpoint. It’s also worthwhile to note that API key is bound by the provider to a specific email address and server IP, as shown in the screenshot from the service provider’s website to the right. This suggests the attacker is customizing these landing pages per campaign.

Subject Line

This campaign may have targeted Chinese users given the subject of the email which is sent to the attacker. There is also what looks to be a version string containing a date. If it is a date, it is much further in the past than when the attack was active.

Recipients

Three email addresses are listed as recipients of harvested credentials. This could be for redundancy purposes or perhaps there are three individuals involved in the collection of these domains.

Multiple Campaigns

These phishing landing pages often live on servers with an out of date CRM like WordPress or Joomla. Since so many people are scanning the internet for vulnerable sites like these, it’s not uncommon to see evidence of multiple campaigns. In this instance, we counted three different campaigns on just one server.
A secondary site mimicked the original with one small change:

In this instance, the attacker is redirecting to another site, bhp[.]pt, instead of the post.php located on the server. These are so common that a quick search for “confirm your account to upgrade your mailbox” will return in a handful of instances.

The DHL Phish


On the same server, a slightly more sophisticated campaign was targeting DHL users. The entire page, images and all, were part of a single HTML file that redirected users to a secondary server.

In addition to this redirection, there is also evidence that suggests the two sites may be working together on other campaigns. The same directory structure, leading to the same phishing page were found:

  • original_site/sys/upgrade page/Aldomain/mailbox/domain/index.php
  • skbizcorp[.]com/4/upgrade page/Aldomain/mailbox/domain/index.php

The Collector

Another, much more professionally written form collector was also found but not directly exposed through any of the other pages, indicating that the corresponding form that POSTs to it was hosted on another system. You can see here that the attacker opted against an IP Geolocation service that required registration, and had generally neater coding style. The author credited in the collector is ‘Techroins’.

Web Shells and Utilities!

As common with vulnerable CRMs, you’ll find a few different web shells in various directories. Some are password protected while others wide open. One of the more basic but not so common ones allows for arbitrary file upload, which surely comes in handy when uploading phishing pages:

A PHP Mailer also helps here, giving the attackers the ability to spam out more attacks.

This one writes its content to a text file before sending out, so it may also be possible to see the last phish the attacker sent:

 
We’ll continue to watch out for these bad guys so you don’t have to! Enjoy!