Hidden Email Addresses in Phishing Kits
16th January, 2023
Ready-to-go phishing kits make it quick and easy for novice criminals to deploy new phishing sites and receive stolen credentials.
Phishing kits are typically ZIP files containing web pages, PHP scripts and images that convincingly impersonate genuine websites. Coupled with simple configuration files that make it easy to choose where stolen credentials are sent, criminals can upload and install a phishing site with relatively little technical knowledge. In most cases, the credentials stolen by these phishing sites are automatically emailed directly to the criminals who deploy the kits.
However, the criminals who originally authored these kits often include extra code that surreptitiously emails a copy of the stolen credentials to them. This allows a kit’s author to receive huge amounts of stolen credentials while other criminals are effectively deploying the kit on their behalf. This undesirable functionality is often hidden by obfuscating the kit’s source code, or by cleverly disguising the nefarious code to look benign. Some kits even hide code inside image files, where it is very unlikely to be noticed by any of the criminals who deploy the kits.
Netcraft has analysed thousands of phishing kits in detail and identified the most common techniques phishing kit authors use to ensure that they also receive a copy of any stolen credentials via email.
The Motivation Behind Creating Deceptive Phishing Kits
When a phishing kit is deployed, the resultant phishing site will convincingly impersonate a financial institution or other target in order to coax victims into submitting passwords, credit card numbers, addresses, or other credentials. These details will occasionally be logged on the server, but more often than not, are emailed directly to the criminals who install these phishing kits.
Directory structure of an Amazon phishing kit contained in a ZIP file archive.
Funny and malicious server banners
31st January, 2022
Netcraft’s most recent Web Server Survey includes nearly 1.2 billion websites. Most of these sites return a server banner that shows which web server software they use, thus allowing us to determine the market shares of each server vendor since 1995.
Many of these server banners are simply short strings like “Apache”, while others may include additional details that reveal which other software – and which versions – are installed on the server. One such example is “Apache/2.2.32 (Unix) mod_ssl/2.2.32 OpenSSL/1.0.2k-fips DAV/2 PHP/5.5.38”.
Chrome’s Network Inspector showing the HTTP response headers for wordpress.com, which uses the nginx web server. It does not reveal a version number.
A web server reveals its server banner via the Server HTTP response header. This string is not ordinarily exposed to users, but most browsers allow it to be viewed in the Network Inspector panel.
Custom banners
Web server software usually allows its server banner to be modified. A common reason for changing the default value is to reduce the amount of information that would be revealed to an attacker.
For example, if a web server advertises itself as running a vulnerable version of Apache, such as “Apache/2.4.49” it could be more likely to come under attack than a server that reveals only “Apache”.
Our Web Server Survey includes a few websites that return the following Server header, which takes a deliberate swipe at the effectiveness of hiding this sort of information:
Server: REMOVED FOR PCI SCAN COMPLIANCE - SECURITY THROUGH OBSCURITY WORKS, RIGHT? - https://bit.ly/2nzfRrt
Of course, with this amount of flexibility, a cheeky or malicious administrator can configure a web server to pretend to be anything they want. Sometimes this is done in a deliberate attempt to cloak the truth or to mislead, while in others it may simply be done as a joke waiting to be found by anyone curious enough to look for the banner.
Unlikely server banners
Amongst the 1.2 billion websites, there are plenty of examples of unlikely server banners.
Increasing Number of Bank-Themed Survey Scams
12th January, 2022
Examples of bank-themed survey scams seen by Netcraft
Netcraft has seen a large increase in survey scams impersonating well-known banks as a lure. These are often run under the guise of a prize in celebration of the bank’s anniversary, though in some cases a reward is promised just for participating.
These scams first came to Netcraft’s attention around 16 months ago, when businesses that were particularly useful during lockdown such as supermarkets, mobile phone networks, and delivery companies were targeted. The expansion of these attacks to use banks as a lure started in October 2021. To date we have seen over 75 distinct banks used as lures for these survey scams, with a global spread including banks from US, UK, Asia, and the Middle East.
Bangladesh, South African and Iraqi Government sites have been found to be hosting web shells
3rd December, 2021
Netcraft recently confirmed that a Bangladesh Army site was hosting an Outlook Web Access (OWA) web shell. Additionally, an OWA web shell was found on the Department of Arts and Culture site for the South-African Kwazulu-Natal province and an Iraqi government site was found to be hosting a PHP shell. Web shells are a common tool used by attackers to maintain control of a compromised web server, providing a web interface from which arbitrary commands can be executed on the server hosting the shell. OWA provides remote access to Microsoft Exchange mailboxes; since the disclosure of the ProxyLogon vulnerabilities in March, Microsoft Exchange has become a popular target for cyberattacks.
The other victims of FluBot: How cybercriminals exploit WordPress to distribute malware
29th November, 2021
Netcraft has to date identified nearly 10,000 websites used in the distribution of the FluBot family of Android malware. As detailed in our previous articles on FluBot, these sites are unwittingly hosting a PHP script that acts as a proxy to a further backend server, allowing otherwise legitimate sites to deliver Android malware to victims. When visited by the intended victim, a “lure” is displayed that implores them to download and install the FluBot malware.
The most common lure themes are parcel delivery and voicemail messages, where the user is told to install the malicious app to track a parcel or listen to a voicemail message. One particularly interesting lure took advantage of FluBot’s infamy, by offering a fake “Android security update” that claimed to protect against the malware family. Users installing this “security update” would instead be infected with FluBot.
Most sites distributing FluBot malware also host legitimate content, suggesting they were compromised by the operators of this malware distribution network, without the knowledge of the site operator. While the use of unrelated domains makes the lures less convincing, as compared to domains specifically registered for fraud, it allows the malware distribution network to operate at a much larger scale.
These affected sites all have one factor in common: they run self-hosted WordPress instances. Netcraft believes the operators of this malware distribution network are actively exploiting well-known vulnerabilities in WordPress plugins and themes to upload malicious content onto insecure sites, joining a growing list of threat actors doing the same.
A collection of lures used by the FluBot distribution network
Eswatini Government's gov.sz website is running a cryptojacker
22nd October, 2021
The Government of Eswatini’s website, www.gov.sz, is running a
cryptojacker. Cryptojackers
use website visitors' CPU power to mine cryptocurrency, most often without their knowledge or permission.
Data from archive.org suggests the JavaScript snippet was added to the site’s HTML source between
28th September and
6th October.
WebMinePool cryptojacker injection on www.gov[.]sz.
While sites that are kept open for long periods of time are often the most lucrative – the longer the victim’s browser tab is open, the more cryptocurrency can be mined — criminals are typically not fussy when deploying cryptojackers. Criminals can target large swathes of sites at once, including those using vulnerable or out-of-date software, compromised third-party JavaScript, or with easily guessable administrator credentials.