Mr-Brain: Stealing Phish from Fraudsters

A recurrent group of Moroccan fraudsters calling themselves Mr-Brain has launched a website dedicated to offering easy-to-use phishing site code, email templates and other hacking tools. The website offers phishing kits for many of the most common targets, such as Bank of America, eBay, PayPal and HSBC.

The tools and code provided by Mr-Brain are designed to make it extremely easy for other fraudsters to deploy realistic phishing sites. Only a very basic knowledge of programming is required to configure the PHP scripts to send victims' details to the fraudsters' chosen electronic mail address. Deploying one of these fully working kits can be done in as little as one minute – another factor that adds to their appeal.

Tricking the Fraudsters

Mr-Brain's intentions are to encourage as many people as possible to use their phishing kits, for all is not what it seems at first glance. Careful inspection of the configuration script reveals deceptive code that hides the true set of electronic mail addresses that are contacted by the kit – every fraudster who uses these kits will unwittingly send a copy of each victim's details back to the Mr-Brain group.

[Image: scam-pages.png]

The configuration script exploits the case-sensitivity in PHP variable names to disguise Mr-Brain’s electronic mail address as an unrelated but seemingly essential part of the script, encouraging fraudsters not to alter it. The injected electronic mail address is actually contained in a completely separate PHP file, where it is encrypted in a hidden input field named "niarB", or "Brain" backwards. Yet another PHP script reads the value from this input field and decrypts it before supplying it to the configuration script. Most fraudsters are unlikely to notice this level of obfuscation and will assume the script is working normally, as they will also receive a copy of any emails produced by the script.

When Netcraft decrypted the contents, the hidden input field revealed one of Mr-Brain's Gmail addresses, which is used to covertly capture details from all of the phishing kits that have been deployed on their behalf by other fraudsters. A comment at the top of one of the scripts aims to deter these fraudsters from examining the script that decrypts the hidden field:

[Image: scam-pages3.png]

Earlier this month, Netcraft also exposed a similar phishing scam targeting Bank of America. This, too, was authored by Mr-Brain and was configured to covertly send harvested credentials to a different Gmail address.

[Image: scam-pages2.png]

Each phishing kit listed on their website is accompanied by a description, showing what kind of information it steals from victims. One page on their website lists a selection of Social Security numbers, credit card numbers and PINs under the heading "Free and Freash [sic] Credit Card".

Mr-Brain claims that all of the scam pages offered on its site are undetected by Mozilla, Opera and Internet Explorer. Netcraft blocks these sites when they are detected by the Netcraft Toolbar community, and propagates the block to all companies which licence the Netcraft Phishing Site Feed.

Italian Bank’s XSS Opportunity Seized by Fraudsters

An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page.

The vulnerable page is served over SSL with a bona fide SSL certificate issued to Banca Fideuram S.p.A. in Italy. Nonetheless, the fraudsters have been able to inject an IFRAME onto the login page which loads a modified login form from a web server hosted in Taiwan.

[Image: fideura.png]
The fraudsters' login form presented inside the bank's SSL page.

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - including Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.

This particular attack is made all the more convincing by the vector used by the fraudsters: the URL employed by the attack injects a series of numbers directly into a JavaScript function call that already exists on the bank's LoginServlet page. This makes it difficult even for an experienced user to identify this as a cross-site scripting attack, as the URL does not look readily suspicious, with the injected content consisting only of numbers and commas.

[Image: fideura2.png]
The vulnerable page, decoding arbitrary GET parameters.

In a possible attempt to bypass automated security filters, the injected content from Taiwan also contains encoded JavaScript which is used to display the text "Inserisci i tuoi codici personali" ("Insert your personal codes") and "per accedere alle aree riservate" ("To access all reserved areas"). When the modified form is submitted, the contents are transmitted to the Taiwanese server before the user is redirected to the bank's genuine, unaltered homepage.
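To make the vector concrete, the following is an added Python model of the vulnerable pattern beside a hardened version. It is illustrative code written for this write-up, not the bank's servlet: it assumes the page's own JavaScript decodes the numeric list with String.fromCharCode and writes the result into the document, and the names showMessage, render_vulnerable and render_hardened are invented for the example.

```python
import html
import re

# Constructed model of the pattern described above, not the bank's own code: the page
# hands a comma-separated list of numbers from the query string to an existing JavaScript
# call, and the browser decodes the numbers into text and writes it into the document.

CODES_RE = re.compile(r"\d+(?:,\d+)*")


def render_vulnerable(param: str) -> str:
    """Reflect the raw GET parameter into a JavaScript call (assumed page structure)."""
    return (
        "<script>function showMessage(s){document.write(s)}</script>\n"
        "<script>showMessage(String.fromCharCode(" + param + "))</script>"
    )


def browser_decodes(param: str) -> str:
    """Reproduce what String.fromCharCode would yield for a numeric-only payload."""
    return "".join(chr(int(code)) for code in param.split(","))


def contains_markup(text: str) -> bool:
    """True if decoded text would be parsed as HTML when written with document.write."""
    return re.search(r"<\s*/?[A-Za-z!]", text) is not None


def looks_innocent(param: str) -> bool:
    """The check a human (or a naive filter) applies to the URL: only digits and commas."""
    return CODES_RE.fullmatch(param) is not None


def render_hardened(param: str) -> str:
    """Validate the parameter, decode it on the server, and HTML-escape the result.

    The decoded text never passes through a JavaScript string or document.write, so a
    numeric list that decodes to markup is rendered as inert text.
    """
    if not looks_innocent(param):
        raise ValueError("message parameter must be a comma-separated list of integers")
    text = browser_decodes(param)
    return f'<p id="msg">{html.escape(text)}</p>'


def encode_as_codes(text: str) -> str:
    """Helper for the demonstration: express a string as the numeric form the page accepts."""
    return ",".join(str(ord(ch)) for ch in text)


if __name__ == "__main__":
    # Constructed, harmless payload: numbers and commas only, yet it decodes to markup.
    payload = encode_as_codes("<b>demo</b>")
    print("URL looks innocent:", looks_innocent(payload))
    print("Browser would render markup:", contains_markup(browser_decodes(payload)))
    print("Hardened output:", render_hardened(payload))
```

The point the model makes is that input validation on the URL alone is not a fix here: the parameter passes a digits-and-commas check and still becomes markup once decoded, so the decoded text has to be escaped at the point where it is placed into HTML.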

Netcraft has contacted the bank affected by this attack and blocked the phishing site for all users of the Netcraft Toolbar, and propagated the block to the companies which licence the Netcraft PhishFeed.

Swishmail and iWeb are the Most Reliable Hosting Companies in December 2007

Ranking by Failed Requests and Connection time, December 1st - 31st 2007

[Image: performance_december2007.png]

Swishmail and iWeb are the most reliable hosting company sites for December 2007, closely followed by DataPipe, 3FN and Go Daddy.

Swishmail's US-hosted website is powered by FreeBSD, Apache and PHP and they offer a variety of professional and enterprise web hosting plans in addition to email hosting. iWeb's site is hosted in Canada, offering dedicated, shared and colocation hosting as well as domain registration services.

DataPipe appears in third place in December, marking its 11th appearance in the top ten during 2007 - an impressive feat. November was the only month where DataPipe did not reach the top ten. 3FN makes a fourth place appearance in December, falling from third place in November, while Go Daddy appears in fifth place.

Only two of December's top ten hosters run Linux, including iWeb, while four run FreeBSD. Two of the hosters run Windows Server 2003, while another uses Windows 2000.


Phishing kits take advantage of novice fraudsters

A phishing kit targeting the Bank of America contains an interesting insight into the intellectual hierarchy involved in Internet fraud. At first glance, the phishing kit looks attractive to any fraudster – it is straightforward to deploy on any web server that supports PHP, and a single configuration file makes it easy to specify an electronic mail address to receive captured financial details. In addition to requesting the credit card numbers and bank account details, a second form on the phishing site asks for the victim's SiteKey challenge questions and answers, which can help a fraudster gain access to the victim's Internet banking facilities.

[Image: bofa-config.png]
The email address configured in the phishing kit.

However, while the phishing kit is easy to use, an encrypted component within the kit is used to send a copy of the captured details to an additional Gmail address, which belongs to the author. This will not be obvious to most fraudsters using the kit, as the relevant code is detached from the configuration file and is heavily obfuscated, requiring some effort to decode.

[Image: bofa-obfuscated.png]
The obfuscated code which sends a copy of the financial details to the author.

Such deception is a useful tactic for any fraudster who wishes to maximize the number of successful attacks, as the work of deploying the phishing sites and sending the mails is then carried out free of charge by novice fraudsters on behalf of the author. This relieves the author of the burden of having to carry out the more time consuming aspects of phishing – finding bulletproof web hosting, hacking into host web sites, and sending millions of phishing mails – whilst benefiting by receiving mails from each and every deployment of their own phishing kit.

[Image: bofa-screenshot.png]
The phishing kit in action.
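The Mr-Brain write-up above and this Bank of America kit describe the same trick: a second recipient hidden behind a case-variant PHP variable name and an encoded hidden form field. The following added Python script, written for this post rather than taken from any kit, is the kind of audit a takedown analyst runs over a recovered kit to list every address that would receive stolen data. The kit files are constructed fixtures with placeholder addresses, the reversed-then-base64 encoding is an assumed scheme standing in for whatever the real kits use, and the regular expressions assume the attribute order used in the fixture.

```python
import base64
import binascii
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
MAIL_RE = re.compile(r"\bmail\s*\(\s*([^,]+),")
# Assumes the attribute order type/name/value used in the fixture below.
HIDDEN_RE = re.compile(
    r"<input[^>]*type=[\"']hidden[\"'][^>]*name=[\"']([^\"']+)[\"'][^>]*value=[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)

# Constructed fixtures, not code from any real kit. Both addresses are placeholders; the
# hidden one is reversed and base64-encoded, an assumed scheme for illustration only.
HIDDEN_ADDRESS = "brain-placeholder@example.com"
HIDDEN_VALUE = base64.b64encode(HIDDEN_ADDRESS[::-1].encode()).decode()

SAMPLE_KIT = {
    "config.php": (
        "<?php\n"
        '$email = "deployer-placeholder@example.net"; // the address a deployer expects to edit\n'
        '$Email = ""; // same name, different case: filled in by another file\n'
        'mail($email, "Account Update", $msg);\n'
        'mail($Email, "Account Update", $msg);\n'
    ),
    "index.html": (
        '<form method="post" action="login.php">\n'
        f'<input type="hidden" name="niarB" value="{HIDDEN_VALUE}">\n'
        '<input type="text" name="user"><input type="password" name="pass">\n'
        "</form>\n"
    ),
}


def case_colliding_variables(php_src):
    """PHP variable names are case-sensitive, so $email and $Email are different variables."""
    groups = defaultdict(set)
    for name in VAR_RE.findall(php_src):
        groups[name.lower()].add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def mail_recipients(php_src):
    """First argument of every mail() call, i.e. every expression that names a recipient."""
    return [expr.strip() for expr in MAIL_RE.findall(php_src)]


def candidate_plaintexts(value):
    """Plausible decodings of a field value: as-is, reversed, base64, base64 then reversed."""
    texts = [value, value[::-1]]
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        texts += [decoded, decoded[::-1]]
    except (binascii.Error, ValueError):
        pass
    return texts


def hidden_field_addresses(html_src):
    """Addresses recoverable from hidden inputs, whatever light encoding hides them."""
    found = defaultdict(set)
    for name, value in HIDDEN_RE.findall(html_src):
        for text in candidate_plaintexts(value):
            found[name].update(EMAIL_RE.findall(text))
    return {name: addrs for name, addrs in found.items() if addrs}


def audit_kit(files):
    """Collect every address that would receive captured data, visible or hidden."""
    report = {"literal": set(), "hidden": {}, "case_collisions": {}, "mail_targets": []}
    for path, src in files.items():
        report["literal"].update(EMAIL_RE.findall(src))
        if path.endswith(".php"):
            report["case_collisions"].update(case_colliding_variables(src))
            report["mail_targets"].extend(mail_recipients(src))
        report["hidden"].update(hidden_field_addresses(src))
    report["all_recipients"] = report["literal"].union(*report["hidden"].values())
    return report


if __name__ == "__main__":
    for key, value in audit_kit(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```

Run against the fixture, the audit flags the $email/$Email pair, lists both mail() targets, and recovers the placeholder address from the "niarB" field that a plain grep for "@" would miss; the real value of the approach is that a deployer reading only the configuration file sees one address while the audit sees two.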