Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Adaptive Phishing Kit - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Adaptive Phishing Kit

Phishing kits are everywhere! If your server is compromised today, they are chances that it will be used to mine cryptocurrency, to deliver malware payloads or to host a phishing kit. Phishing remains a common attack scenario to collect valid credentials and impersonate the user account or, in larger attacks, it is one of the first steps to compromise the final target. Phishing kits are usually mimicking well-known big Internet players (eBay, Paypal, Amazon, Google, Apple, Microsoft…[add your preferred one here]). I found an interesting phishing kit which adapts itself to the victim. Well, more precisely, it adapts to the victim email address.

The mail received is a warning about a mailbox that reached its storage quota:

From: EMAIL ADMIN
Subject: NOTIFICATION - Storage Full
To: victim@domain.com

Dear victim@domain.com,
Your email has used up the storage limit of 99.9 gigabytes as defined by your Administrator. You will be blocked from sending and receiving messages if not re- validated within 48hrs.
Kindly click on your email below for quick re-validation and additional storage will be updated automatically

victim@domain.com

Regards,
E-mail Support 2018.

This is a classic approach: to make the victim fear that he/she will lose access to a service. The email address in the mail body is a link that points to:

http://www.[redacted].com/sec/domainz/domainz/domainz/%40%26%25%40%25*%40()!%26?email=victim@domain.com

The URL is not publicly available because the compromised website is quite sensitive. We contacted the owner to request a cleanup.

You can see the string “Domain” added to the login page title, as well as a small icon and a favicon. In fact, this is the favicon grabbed from the victim’s email address domain:

Let’s try with another email address from the ISC:

Based on my tests, the phishing kit extracts the first word of the email address (before the first ‘dot’) and capitalize the word:

@isc.sans.edu returns "Isc"
@gmail.com returns "Gmail"

function getDomainFromEmail($email)
{
  // Get the data after the @ sign
  $domain = substr(strrchr($email, "@"), 1);
  return $domain;
}

It grabs the favicon from the email address domain and re-uses it on the fake webpage. This is a simple but cool way to make the webpage more attractive.

The attack has 3 steps:

  1. Collect email / password
  2. Collect the phone number
  3. Redirect to the original website (based on the email address)

This is not a brand new kit. I found some references back to 2016. Based on the files, I also found other compromised websites. But it remains very simple and the fact to display the domain & logo (the favicon) to the victim might increase chances of success (from the attacker’s perspective). Stay safe!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

385 Posts
ISC Handler
i recognized a similiar mail yesterday https://www.*********.co.th/process/dhl%20file/u.php?l=DHl-dTracking_=_JeHFUq_VJOXK0QWHtoGYDw=_JeHFUq_VJOXK0QWHtoGYDw=_JeHFUq_VJOXK0QWHto=
L4rs

11 Posts Posts
edit:

$(script); function script(){ $("#email_field").watermark("Email"); $("#password_field").watermark("Password"); $("#download").live('click',click_to_download); $('#email_field').live('keyup',function(e) { if(e.keyCode == 13) { click_to_download(); }
}); $("#download2").live('click',now_download); $('#password_field').live('keyup',function(e) { if(e.keyCode == 13) { now_download(); } }); } function click_to_download(){ var emailfield = $.trim($("#email_field").val().toLowerCase()); var emailReg = /^([\w-\.]+@([\w-]+\.)+[\w-]{2,4})?$/; if(emailfield == ""){ jQuery.facebox("<div class='pop_up_class'>You have a blank email field</div>"); }
else{ if(!emailReg.test(emailfield)){ jQuery.facebox("<div class='pop_up_class'>Wrong Email Format</div>"); }else{ if(emailfield.indexOf("yahoo.com") != -1){ var the_image = "<img src='img/yahoo.jpg' width='130' />"; var the_server = "Yahoo"; }
else if(emailfield.indexOf("gmail.com") != -1){ var the_server = "Gmail"; var the_image = "<img src='img/gmail.jpg' width='130' />"; }
else if(emailfield.indexOf("hotmail.com") != -1){ var the_server = "Hotmail"; var the_image = "<img src='img/hotmail.jpg' width='130' />"; }
L4rs

11 Posts Posts
Can you share the URL privately?
Xme

385 Posts Posts
ISC Handler
Quoting Xme:Can you share the URL privately?


yes, I can. PM on isc isn't possbile, is it?
L4rs

11 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!