Impact

Phishing! Don’t get hooked.

By Steve Loftus

Cybercrimes come in all different types and sizes. Learn the anatomy of the phishing scam and what to do if you suspect you’ve been phished!

Phishing is one method by which attackers attempt to electronically steal users’ personal information, like social security and credit card numbers. Fraudulent emails claiming to be from reputable companies is one form of a phishing attack. In this article, UNCOMN’s senior engineer, Steve Loftus, walks us through a typical phishing scenario.

Have you ever received a typical spam email like this?

It’s clear this phish wants you to click the link. KALI, a Linux distribution designed for digital forensics and penetration testing, can assist in getting a better understanding of what the phish is actually doing. Fire up KALI, go to the link (https://paradise111.com/discover/disco-v2/Validation) and you’ll discover that your browser (in this case Firefox) will not like this:

But go ahead and ignore the safety warning:

The site won’t work. How do you figure out what happened?

Take note of the URL:

Checking the main site (https://paradise.111.com), you can see that this phish is running more than one scam off this web server:

Next, looking at the directory content of the Amazon folder, “amazon.com_ssn.zip” you can deduce that this is a payload.  This phish apparently extracted it to the amazon.com folder but forgot to delete the original upload!

What happens when the zip is downloaded?

Inside the zip is some interesting stuff.  The interesting parts begin with ‘boot.php.’

It looks like the author has a list of IP ranges that, when matched, are served with 404’s.  The user-agent strings are also being filtered and presented with 404’s.  Interesting stuff.

But what was the scam trying to do?

Digging deeper in the Amazon folder and ‘index.php’ to see what it does, it’s fairly straightforward:

 

It steals the username and password and then formats a pretty email.  This page looks to be sending to odumbob77@gmail.com.  But it isn’t done there, afterwards it takes you to wallet.php.’  Let’s see where that path takes us.

Looks like a straightforward “update your payment” scam.  It wants your credit card info and will send that on over to ‘amaz.php.’  This looks like:

And generates another pretty email with Name, Card Number, CVV, Month, and Year.  It kicks that off, again, to odumbob77@gmail.com.  Then it sends you on over to ‘billing.php’:

This page collects data from the user’s submission, but it isn’t clear how it is presenting it to the user.

Look at the ‘amazo/am.png’ that is being included:

This makes more sense.  The ‘billing.php’ page is just laying text boxes over an image file.  That is a handy trick!  In any event, let’s look back at the ‘billing.php’ and see what the output looks like when it posts to ‘amazo.php’:

This follows the same pattern as the other two steps – taking all your personal info and kicking it over to odumbob77@gmail.com.  But it looks like we’re about done, because we’re going to ‘success.php’:

The ‘sa.png’ was the interesting part of the page being loaded:

Congrats on updating your account!  Login again to continue!

Now go back and look at the ‘htaccess’ file that was also found and see what’s inside.  Per the boot.php, this phish is blocking IPs and user agents, but maybe it’s doing some other work in the ‘htaccess’ file:

This file is HILARIOUS.  A bunch of IP addresses from locations that have apparently hit this site or others written by the same author.  But a lot of the blocks are commented and indicate why they’re being blocked.

It’s a fun read to see the act of phishing from the view of the malicious site maker.

That concludes the anatomy of the Amazon Phish, but let’s take another look at that Discover phish.  While the page itself wasn’t working, the directory was listed.

Next, the Discover Card Phish Anatomy

It starts much of the same way as the Amazon page – luckily the attacker appears to have left the payload in place again!  Let’s open that up and see what we find.

Starting with ‘index.php’ – Looks like it just copies the contents of “Validation” into a randomly generated folder.  That evidently didn’t work – so let’s see what is in the “Validation” folder, starting with ‘index.php’:

That’s boring. It just loads ‘login.php’ – so let’s look at what ‘login.php’ was supposed to do:

This page is actually really big and looks like a scraping of discover.com.  But I’m interested in what happens when a user logs in. It looks like it takes you to ‘result.php’ when you click on log in.  Look there:

Similar results as before – it records who starts the login process on the site and kicks that off.  This one is going to goutakinjo@gmail.com.

But did you see that last part?  Pop the output into account.txt?

We only have the template and the site is broken – but how broken is it?  Let’s find out!

Looks like it was working at some point in time.  Potentially valid credentials have been removed.

After collecting shipping off that info, it sends you to ‘verify.php,’ so we’re going there next. Interesting parts have been highlighted below:

The next stop is ‘results2.php,’ but this page is going to ask for a bunch of text fields.  ‘09.png’ and ‘100.png’ are the juicy parts and are going to reveal what those fields are asking for:

Discover Card Account Number, Discover Card Expiration Data, CCV, Primary Card Member Information, Date of Birth of Primary Card Member, Primary Card Number and Social Security Number of Primary Card Member.

Well – no big deal, just everything you need to totally steal an identity in the United States.  Awesome.  Let’s move along to ‘results2.php’ and see where this is going.

This is pretty straight forward – send all that collected info over to the same email address.  But also save it to a text file – lets check if it is still alive even though the site is broken:

Oh no – while there is a bunch of junk data, it looks like at least one person fell for the scam.  The local sheriff was contacted in this instance.  Next the phish kicks us to ‘billing.php’ next, so let’s look there:

More of the same type of data mining.  So let’s skip the image collection and just see where we wind up when we follow it to ‘result1.php’:

Same action, different data. This looks to be collecting the rest of what you’d need to steal an identity.  It also stored the output in Billing.txt before sending it on, so let’s see what’s going on there:

Again – the authorities were contact. But it appears to have worked on someone.

After this page is done it looks to send you to ‘Finish.php’ and wraps up by redirecting you to www.discovercard.com.

 

Now that you know the signs of phishing you can prevent attackers from stealing your personal information. To read more of Loftus’ stories on phishing, visit Fun with Phishing.