Are single-file phishing kits different than “standard” ones? 

Jul 26, 2007 03:00 AM

In the June 2007 edition of the RSA Security Phishing News, released on July 5th, RSA's Anti-Fraud Command Center uncovered a new type of phishing kit, which is "actually a single file which creates an entire phishing site on a compromised server when double-clicked on, similar to .exe installation files." According to the report, traditional phishing kits include all of the relevant files, which must be installed one by one in the appropriate directories on the server that is controlled by the phisher. The new kit instead "saves the phishers time and effort, by automating the site installation process."

This news received quite a bit of press coverage, but does it really change the rules of the game? Our feeling is that it doesn't: most phishing sites are currently hosted on compromised Web servers, where phishers have been able to upload files using one of the (many) unpatched vulnerabilities lying in the Web application code. Phishing kit configuration is usually done on the phisher's local machine, and the files are then uploaded by exploiting the vulnerability. In other cases, when phishers have obtained some sort of shell access to the server, a tar.gz or zip file containing the already-configured kit is uploaded and then unpacked on the compromised server, creating the needed directory structure in a "single click". Actually, a single-file phishing kit does not have much to do to configure itself: kits are rather simple scripts that are mostly not sensitive to where they are installed; their configuration usually consists of deciding where the stolen credentials should be sent (e.g., a remote email address or a local text file).

On the forensic side, having a single file to upload doesn't help either. When files are uploaded using Web application vulnerabilities, phishers already have simple solutions, like Tor, to hide their IP address, whereas when shell access is needed and they want to hide themselves, they usually keep jumping between different compromised machines, mostly trojanized PCs, in order to obtain the needed anonymity.

Actually, in the past, when we had the chance to analyze the HTTP log files of some compromised servers hosting a phishing attack, it was quite easy to recognize a small number of IPs, located in Romania or Russia, that were common to a number of attacks and could possibly be tracked directly back to the real fraudster. This was done using simple statistical analysis. Connections coming from, say, the AOL network were easily recognized as "middle" machines instead, using the same methodology. This led us to conclude that phishers still feel quite safe and don't bother much about hiding themselves.

With the help of ISPs, free email and Web hosting providers, many things can be done to mitigate single-file phishing kits. Log file analysis and cross-attack correlation can provide valuable data to law enforcement agencies, and egress filtering on the backbone can be used to protect consumers, etc. But these ideas are worth a full blog post of their own. :)
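The cross-attack correlation mentioned above and in the paragraph on HTTP log analysis can be shown in a few lines. The following is an added example, not code from the original post: it parses access logs from several compromised hosts and reports the client addresses that touched the kit directory on more than one host, the pattern that singled out the recurring fraudster IPs. The host names, the kit path `/images/.bank/`, the drop-file name and all log lines are constructed (addresses are RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict

# Common/combined log format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed excerpts from three hypothetical compromised hosts. Victims hit the landing
# page and post to login.php; whoever runs the kit comes back for the harvested-credential file.
KIT_PATH = "/images/.bank/"
LOGS = {
    "host-a": [
        '203.0.113.7 - - [20/Jul/2007:10:01:02 +0000] "GET /images/.bank/index.php HTTP/1.1" 200 4123',
        '192.0.2.44 - - [20/Jul/2007:10:05:40 +0000] "POST /images/.bank/login.php HTTP/1.1" 302 0',
        '198.51.100.9 - - [20/Jul/2007:11:03:11 +0000] "GET /images/.bank/passwords.txt HTTP/1.1" 200 812',
    ],
    "host-b": [
        '192.0.2.91 - - [22/Jul/2007:09:12:00 +0000] "GET /images/.bank/index.php HTTP/1.1" 200 4123',
        '198.51.100.9 - - [22/Jul/2007:09:40:27 +0000] "GET /images/.bank/passwords.txt HTTP/1.1" 200 2210',
        '198.51.100.9 - - [22/Jul/2007:09:41:02 +0000] "GET /robots.txt HTTP/1.1" 404 210',
    ],
    "host-c": [
        '192.0.2.180 - - [24/Jul/2007:15:00:05 +0000] "GET /images/.bank/index.php HTTP/1.1" 200 4123',
        '198.51.100.9 - - [24/Jul/2007:16:20:19 +0000] "GET /images/.bank/passwords.txt HTTP/1.1" 200 3390',
    ],
}

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def kit_visitors(lines, kit_path=KIT_PATH):
    """Map each client IP to the set of kit resources it requested on one host."""
    visitors = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith(kit_path):
            visitors[rec["ip"]].add(rec["path"][len(kit_path):])
    return visitors

def correlate(logs, kit_path=KIT_PATH, min_hosts=2):
    """Return {ip: {host: resources}} for IPs seen on at least min_hosts compromised hosts.
    A victim normally appears on one host only; an address recurring across independent
    compromises, especially one reading the drop file, is a lead for law enforcement."""
    seen = defaultdict(dict)
    for host, lines in logs.items():
        for ip, resources in kit_visitors(lines, kit_path).items():
            seen[ip][host] = resources
    return {ip: hosts for ip, hosts in seen.items() if len(hosts) >= min_hosts}
```

On real data the same two-step split (filter to the kit path, then count distinct hosts per address) is what separates an operator address from the "middle" machines the post describes, which appear on one host only.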
