Behind the Scenes of a Phishing Campaign

By Brad Antoniewicz
Posted on November 20, 2017
Updated on March 3, 2020


Even though the phishing campaigns we observe in the wild vary widely in sophistication, there is always something to learn from each of them. We continually come across this one campaign and thought it might be nice to finally dive in and share what we’re seeing. We also came across a few server-side artifacts that give deeper insight into the campaign.

The Boring Phish

To most security professionals, the landing page in the image to your right is the equivalent of a dark alley in a bad neighborhood. The lack of branding, the obscurity of the request, and the conspicuous disregard for subtlety make this a classic phishing attempt.
In some ways, it is hard to believe anyone would fall for a page like this. However, campaigns using similar landing pages have been occurring for over a year, which implies there must be some return on the attacker’s investment that makes these campaigns worthwhile.

URIs and Redirections

There is a very clear structure here: the URIs commonly contain an index.php with an email parameter. Upon submission, a POST request is made to post.php, which in turn redirects the user to a thankyou.php. Note, though, that the redirect is not always present.

The complete paths of these PHP files vary from one infected site to another, and there have been a few cases in which the index.php and post.php are on different systems.

  • /user/index.php?email=email@email.com
  • /smg/mailbox/domain/index.php?email=email@email.com
  • /images/themes/mail/mail/index.php?email=email@email.com
  • /sean/index.php?email=email@email.com
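The URI sequence described above (a GET to index.php with an email parameter, a POST to post.php, and an optional redirect to thankyou.php) is simple enough to hunt for in proxy or web server logs. The following is an added detection example, not code from the original post; the log line layout (time, client, method, URL, status) and the .invalid hostnames are constructed for illustration, and the check also handles the case the post mentions where post.php lives on a different host than index.php.

```python
"""Flag clients whose requests match the index.php?email= -> post.php -> thankyou.php
chain. Log format and all hosts/addresses below are constructed sample data."""
from urllib.parse import urlsplit, parse_qs
from collections import defaultdict

# Constructed sample proxy log: "time client method url status"
SAMPLE_LOG = """\
10:00:01 10.1.1.5 GET http://victim-site.invalid/images/themes/mail/mail/index.php?email=user@example.org 200
10:00:09 10.1.1.5 POST http://victim-site.invalid/images/themes/mail/mail/post.php 302
10:00:10 10.1.1.5 GET http://victim-site.invalid/images/themes/mail/mail/thankyou.php 200
10:01:00 10.1.1.7 GET http://shop.invalid/index.php?page=catalog 200
10:02:00 10.1.1.9 GET http://other-site.invalid/sean/index.php?email=a@b.invalid 200
10:02:05 10.1.1.9 POST http://collector.invalid/post.php 200
"""

def parse(line):
    """Split one log line into its fields plus the URL's host, directory, file and query."""
    ts, client, method, url, status = line.split()
    u = urlsplit(url)
    directory, _, filename = u.path.rpartition("/")
    return {"ts": ts, "client": client, "method": method, "host": u.netloc,
            "dir": directory, "file": filename, "query": parse_qs(u.query),
            "status": int(status)}

def find_phish_sessions(log_text):
    """Return (client, stage, landing host+directory) for each client that hit a
    landing page. stage is 'landing' for index.php?email=... alone, 'harvest' once
    the same client POSTs to any post.php (same host or not), and 'complete' if a
    thankyou.php follows. An index.php without an email parameter is not flagged."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_client[rec["client"]].append(rec)
    hits = []
    for client, reqs in by_client.items():
        landing = [r for r in reqs
                   if r["method"] == "GET" and r["file"] == "index.php" and "email" in r["query"]]
        if not landing:
            continue
        stage = "landing"
        if any(r["method"] == "POST" and r["file"] == "post.php" for r in reqs):
            stage = "harvest"
            if any(r["file"] == "thankyou.php" for r in reqs):
                stage = "complete"
        hits.append((client, stage, landing[0]["host"] + landing[0]["dir"]))
    return hits
```

Running it over the sample log flags 10.1.1.5 as a completed chain and 10.1.1.9 as a harvest that posted to a second host, while the ordinary index.php?page=catalog request is left alone.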

Server Side Code

post.php is responsible for receiving the email address and user-provided password from the HTML form in index.php and passing them to the attacker. A simple email is used here to deliver the harvested credentials to the attacker’s mailbox.
Let’s check out the code:

There are a few interesting lines here, that we’ll dive into in the upcoming sections.

GeoLocation

The first lines retrieve the visitor’s IP address and then use an IP geolocation service to determine its city. This code clearly looks to be under development, as the url variable is redefined: the first definition sets the URL of the country endpoint and its redefinition changes it to the city endpoint. It’s also worthwhile to note that the API key is bound by the provider to a specific email address and server IP, as shown in the screenshot from the service provider’s website to the right. This suggests the attacker is customizing these landing pages per campaign.

Subject Line

This campaign may have targeted Chinese users given the subject of the email which is sent to the attacker. There is also what looks to be a version string containing a date. If it is a date, it is much further in the past than when the attack was active.

Recipients

Three email addresses are listed as recipients of harvested credentials. This could be for redundancy purposes or perhaps there are three individuals involved in the collection of these domains.

Multiple Campaigns

These phishing landing pages often live on servers with an out-of-date CMS like WordPress or Joomla. Since so many people are scanning the internet for vulnerable sites like these, it’s not uncommon to see evidence of multiple campaigns. In this instance, we counted three different campaigns on just one server.
A secondary site mimicked the original with one small change:

In this instance, the attacker is redirecting to another site, bhp[.]pt, instead of the post.php located on the server. These are so common that a quick search for “confirm your account to upgrade your mailbox” will return a handful of instances.

The DHL Phish


On the same server, a slightly more sophisticated campaign was targeting DHL users. The entire page, images and all, was part of a single HTML file that redirected users to a secondary server.

In addition to this redirection, there is also evidence that suggests the two sites may be working together on other campaigns. The same directory structure, leading to the same phishing page, was found on both:

  • original_site/sys/upgrade page/Aldomain/mailbox/domain/index.php
  • skbizcorp[.]com/4/upgrade page/Aldomain/mailbox/domain/index.php

The Collector

Another, much more professionally written form collector was also found, but it was not directly exposed through any of the other pages, indicating that the corresponding form that POSTs to it was hosted on another system. You can see here that the attacker opted against an IP geolocation service that required registration and had a generally neater coding style. The author credited in the collector is ‘Techroins’.

Web Shells and Utilities!

As is common with vulnerable CMSs, you’ll find a few different web shells in various directories. Some are password protected while others are wide open. One of the more basic but not so common ones allows for arbitrary file upload, which surely comes in handy when uploading phishing pages:

A PHP Mailer also helps here, giving the attackers the ability to spam out more attacks.

This one writes its content to a text file before sending out, so it may also be possible to see the last phish the attacker sent:

We’ll continue to watch out for these bad guys so you don’t have to! Enjoy!