Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Adaptive Phishing Kit InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adaptive Phishing Kit

Published: 2018-02-01
Last Updated: 2018-02-01 07:26:51 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Phishing kits are everywhere! If your server is compromised today, they are chances that it will be used to mine cryptocurrency, to deliver malware payloads or to host a phishing kit. Phishing remains a common attack scenario to collect valid credentials and impersonate the user account or, in larger attacks, it is one of the first steps to compromise the final target. Phishing kits are usually mimicking well-known big Internet players (eBay, Paypal, Amazon, Google, Apple, Microsoft…[add your preferred one here]). I found an interesting phishing kit which adapts itself to the victim. Well, more precisely, it adapts to the victim email address.

The mail received is a warning about a mailbox that reached its storage quota:

From: EMAIL ADMIN
Subject: NOTIFICATION - Storage Full
To: victim@domain.com

Dear victim@domain.com,
Your email has used up the storage limit of 99.9 gigabytes as defined by your Administrator. You will be blocked from sending and receiving messages if not re- validated within 48hrs.
Kindly click on your email below for quick re-validation and additional storage will be updated automatically

victim@domain.com

Regards,
E-mail Support 2018.

This is a classic approach: to make the victim fear that he/she will lose access to a service. The email address in the mail body is a link that points to:

http://www.[redacted].com/sec/domainz/domainz/domainz/%40%26%25%40%25*%40()!%26?email=victim@domain.com

The URL is not publicly available because the compromised website is quite sensitive. We contacted the owner to request a cleanup.

You can see the string “Domain” added to the login page title, as well as a small icon and a favicon. In fact, this is the favicon grabbed from the victim’s email address domain:

Let’s try with another email address from the ISC:

Based on my tests, the phishing kit extracts the first word of the email address (before the first ‘dot’) and capitalize the word:

@isc.sans.edu returns "Isc"
@gmail.com returns "Gmail"

function getDomainFromEmail($email)
{
  // Get the data after the @ sign
  $domain = substr(strrchr($email, "@"), 1);
  return $domain;
}

It grabs the favicon from the email address domain and re-uses it on the fake webpage. This is a simple but cool way to make the webpage more attractive.

The attack has 3 steps:

  1. Collect email / password
  2. Collect the phone number
  3. Redirect to the original website (based on the email address)

This is not a brand new kit. I found some references back to 2016. Based on the files, I also found other compromised websites. But it remains very simple and the fact to display the domain & logo (the favicon) to the victim might increase chances of success (from the attacker’s perspective). Stay safe!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Keywords: phishing spam
0 comment(s)
Diary Archives