Security Response

Reactive Phishing Defenses – Part 1

Created: 30 Sep 2008 17:49:01 GMT • Updated: 23 Jan 2014 18:39:47 GMT
Antonio Forzieri

A "phishing kit" is a small piece of software, usually written in PHP, HTML, and JavaScript, that mimics legitimate portals (for example, financial institution websites) in order to acquire sensitive information such as usernames, passwords, and credit card details. The phishing kits of the first generation were quite simple: the fraudster would build a login page that collected the stolen information in local files saved on the compromised web server. As shown in the picture below, after the credentials have been saved, users are redirected to the legitimate website.

[Figure: first-generation phishing kit saving stolen credentials to a local file on the compromised web server, then redirecting the victim to the legitimate website]

This approach has an obvious drawback: if the directory-listing feature is enabled on the web server, other Internet users (including the impersonated financial institutions) are able to read those files. The countermeasure adopted by the fraudsters was the use of "drop-boxes," as shown below:

[Figure: phishing kit sending stolen credentials to a remote drop-box instead of a local file]

As highlighted by Andrea Del Miglio in this blog article, this way of collecting credentials is much more effective. The second generation of phishing kits, which I want to focus on here, introduced new and interesting features in order to prolong the life of the attacks. Some of these features prevent security companies from accessing the websites, which makes analysis of the deployed code much more difficult.

Because online fraud service providers usually adopt automated techniques to validate phishing attacks, a fake HTTP 404 "Page Not Found" is often returned when the connection comes from one of these security companies, as shown in the example below. The fraudster is then notified via email when such an event occurs, allowing him or her to immediately collect all of the credentials and move the attack to a newly compromised web server.

[Figure: phishing kit code returning a fake HTTP 404 "Page Not Found" response to connections from known security companies and notifying the fraudster by email]

Slowing down phishing kit analysis is another objective the fraudsters are trying to achieve. The sample shown in the picture below applies several nested rounds of the following functions in order to obfuscate the PHP source code:

[Figure: obfuscated PHP source of the phishing kit sample]

// Each layer undoes base64, then (optionally) rot13, then raw DEFLATE, and executes the result
eval(gzinflate(str_rot13(base64_decode('[CODE_HERE]'))));
eval(gzinflate(base64_decode('[CODE_HERE]')));
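The two wrappers above are simple to reverse once you know the order of operations: base64-decode, undo rot13 if present, then inflate the raw DEFLATE stream, and repeat on the result until no eval() wrapper remains. The following Python script is an added example of such an analysis-side unwrapper; it is not code from the original post or from any phishing kit. It builds its own two-layer sample from a harmless PHP snippet (constructed inline, not taken from a real kit), and its regex assumes the single-quoted, whitespace-free form shown above; real samples often vary in quoting and spacing, so the pattern would need loosening in practice.

```python
import base64
import re
import zlib

# One wrapping layer of the form eval(f1(f2(...base64_decode('...')...)));
# Group 1 captures the chain of wrapper calls (outermost first), group 2 the base64 payload.
LAYER_RE = re.compile(r"eval\(((?:\w+\()+)base64_decode\('([A-Za-z0-9+/=]+)'\)\)+;?")


def rot13_bytes(data: bytes) -> bytes:
    """PHP str_rot13 on raw bytes: rotate only ASCII letters, leave everything else alone."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:          # 'A'-'Z'
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:       # 'a'-'z'
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Inverse of each PHP wrapper function seen in the post. gzinflate() consumes a
# raw DEFLATE stream (no zlib/gzip header), which is wbits=-15 in Python's zlib.
INVERSE = {
    "gzinflate": lambda d: zlib.decompress(d, -15),
    "str_rot13": rot13_bytes,      # rot13 is its own inverse
}


def unwrap_layer(php: str):
    """Strip one eval(...) layer; return the decoded inner source, or None if no layer matches."""
    m = LAYER_RE.search(php)
    if not m:
        return None
    chain = re.findall(r"\w+", m.group(1))      # e.g. ['gzinflate', 'str_rot13']
    data = base64.b64decode(m.group(2))
    for fn in reversed(chain):                  # innermost wrapper is applied first when decoding
        if fn not in INVERSE:
            raise ValueError(f"unsupported wrapper function: {fn}")
        data = INVERSE[fn](data)
    return data.decode("utf-8", errors="replace")


def deobfuscate(php: str, max_layers: int = 20):
    """Repeatedly unwrap until no eval() layer is left. Returns (plain_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_layer(php)
        if inner is None:
            break
        php = inner
        layers += 1
    return php, layers


# --- Constructed sample (hypothetical, harmless payload) so the script runs offline ---

def _wrap(payload: bytes, use_rot13: bool) -> str:
    """Build one obfuscation layer the same way the kit's decoder expects to undo it."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)       # raw DEFLATE, like PHP gzdeflate()
    data = co.compress(payload) + co.flush()
    if use_rot13:
        data = rot13_bytes(data)
        return "eval(gzinflate(str_rot13(base64_decode('%s'))));" % base64.b64encode(data).decode()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(data).decode()


INNER_SOURCE = "<?php echo 'decoded payload'; ?>"                # benign stand-in for kit code
SAMPLE = _wrap(_wrap(INNER_SOURCE.encode(), False).encode(), True)  # two nested layers

if __name__ == "__main__":
    plain, n = deobfuscate(SAMPLE)
    print(f"removed {n} layer(s):")
    print(plain)
```

Run as a script, it prints the recovered inner PHP and the number of layers removed. Because each layer is unwrapped by matching the decoder chain rather than executing it, the code never runs any part of the sample, which is the property you want when handling material pulled from a compromised server.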


This is similar to a technique we have already observed in web-based attacks such as Neosploit, Mpack, and the recent Mebroot, where the JavaScript code is obfuscated or, in some cases, even encrypted. Phishing kit evolution does not end here. New features are constantly being developed, tested, and deployed on newly compromised web servers. Attackers are proving to be fairly smart, and this next generation of phishing kits is expected to spread in the wild very soon. End users who want to take extra care to protect themselves from such attacks should not trust messages coming from unknown sources and should avoid visiting advertised websites unless their origin is certain and legitimate.

Message Edited by SR Blog Moderator on 11-20-2008 02:37 PM