The first part of analyzing phishing pages was more technical in nature. This part will be more diverse, with screenshots taken during the research and comments explaining some of the findings.
The first screenshots show how basic some phish scripts are, with no proper validation of input: you can type anything into the form, step through to the next page and get an idea of the file structure.
Not all scripts are like this; some are better coded and actually connect to the real website to check whether the submitted login is valid. Some phishers are lazy, I guess.
The screenshot below shows a phisher using a single script to accept any email provider or site for which he could find a logo on Google Image search, hoping that the logo of a well-known site would lend enough authority to pull off the phish.
I found a similar setup on another server; this one had no index file and directory listing enabled, so we can find evidence of some of his activities.
Leaving directory listing enabled is a big mistake and a security risk: anyone who runs a website or uploads any kind of files to a web server should think about privacy, security and information disclosure. On Apache it is turned off with Options -Indexes in the vhost or .htaccess.
In these screenshots we can see that the phisher uploaded the same phish page into each folder on the hacked server, probably to have more link variations for the spam emails and to prolong the life of the campaign (if one link is reported and blocked, a similar link continues to work).
Here we can see a basic mailer script uploaded to the hacked server.
Very often you can find the phisher's scripts and phish pages packed in .zip files, sitting on the server waiting for security researchers to take them and analyze the content: extract the phisher's drop emails, the logged details of phished victims, etc. Here is a fake Gmail login page.
This Remax phish page is actually modified from another phish script; they just swapped in the Remax logo.
Removing the last part of the link ( …/job/Ramex/ ) gives me a directory listing from which to collect their uploaded file.
Simply removing a folder or two from the end of the link (or removing the file name from the end) can reveal the directories. A few more examples:
A listing of randomly generated folders, each containing a copy of the phish page; each visit to the page generates a new folder:
With simple guessing of file names a researcher can find phish packs even when directory listing is disabled. A few examples:
In the Wells Fargo and USAA examples you can see a “404 – Page not found” error because I was guessing file names and the previous guesses were wrong, but in general it never took more than three or four guesses to get the file. Sometimes the file name is the name of the first added folder, and simply adding the .zip extension does the trick. Sometimes the phished company is the name of the file, like apple.zip, wellsfargo.zip, etc.
A quick check of the default log file name used by the phishing page can give me insight into the phished victims:
If the .zip file is not on the server, we can still find some evidence. With simple file name guessing we can discover the phishing logs. In harder cases, DirBuster and similar tools are useful: with them you can test many more file names and brute-force your way to the log files. For example:
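The same two habits, trimming the link back to its parent folders and guessing archive and log names, put into a small Python script. This is an added example written for this post, not code from the original article or from any phish kit. The host hacked.example, the brand and the short wordlists are constructed for illustration; the real archive and log names vary from kit to kit, which is exactly where DirBuster's larger lists come in.

```python
"""Guess phish-kit archives and logs from a phish-page URL (added example, not from the post)."""
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit
import urllib.error
import urllib.request

# Assumed short wordlists for illustration only; a real run would use DirBuster-style lists.
ARCHIVE_EXTS = (".zip", ".rar", ".tar.gz")
LOG_NAMES = ("log.txt", "logs.txt", "result.txt", "rezult.txt", "passes.txt")


def parent_dirs(url: str) -> List[str]:
    """Directories reached by trimming the link: the page's own folder first, web root last."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if segs and "." in segs[-1]:       # last segment looks like a file name: drop it
        segs = segs[:-1]
    dirs: List[str] = []
    while segs:
        dirs.append(urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segs) + "/", "", "")))
        segs = segs[:-1]
    dirs.append(urlunsplit((parts.scheme, parts.netloc, "/", "", "")))
    return dirs


def candidates(url: str, brand: str) -> List[str]:
    """Ordered, de-duplicated guesses: each directory itself (a listing if indexes are on),
    the kit zipped under its own folder name next to that folder, the kit zipped under
    the brand name inside it, and the default log file names inside it."""
    dirs = parent_dirs(url)
    out: List[str] = []
    for i, d in enumerate(dirs):
        out.append(d)
        if i + 1 < len(dirs):
            folder = d.rstrip("/").rsplit("/", 1)[1]
            out.extend(dirs[i + 1] + folder + ext for ext in ARCHIVE_EXTS)
        out.extend(d + brand.lower() + ext for ext in ARCHIVE_EXTS)
        out.extend(d + name for name in LOG_NAMES)
    return list(dict.fromkeys(out))


def http_status(url: str) -> int:
    """HEAD request returning the HTTP status code, or 0 when no HTTP answer came back."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


def probe(urls: Iterable[str], fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int]]:
    """Return (url, status) for every guess that answered with something other than 404.
    `fetch` is injectable so the logic can be dry-run without touching any host."""
    hits: List[Tuple[str, int]] = []
    for u in urls:
        status = fetch(u)
        if status not in (0, 404):
            hits.append((u, status))
    return hits


if __name__ == "__main__":
    # Constructed link in the shape of the post's .../job/Ramex/ example; the stand-in
    # server below answers 200 only for the kit zipped next to its folder.
    link = "http://hacked.example/job/remax/index.php"
    fake = lambda u: 200 if u.endswith("/job/remax.zip") else 404
    for u in candidates(link, "Remax"):
        print(u)
    print("hits:", probe(candidates(link, "Remax"), fake))
```

Only probe hosts you are authorized to touch; the injectable fetcher is there so the guessing logic can be exercised against a stand-in rather than a live server.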
Sometimes the server is seriously misconfigured (usually after a hacker attack); most of these “hackers” are just script kiddies, not capable of figuring out how to do anything stealthy, and they leave a mess all around. A favorite lazy “security kill-switch” is a dropped php.ini,
often combined with an .htaccess modification that makes the server serve .php files as plain text ( AddType text/plain .php ). That exposes the kit's source code, including whatever drop addresses and credentials it contains, to anyone who loads the page, and gives us pages like this:
or even the configuration of botnet panels, password stealers (like Pony here) and similar junk:
Sometimes the hacker's backdoors and PHP shells are still there, with their default passwords…
Other typical misconfigurations, and signs that the script kiddie has no clue how to do anything except upload files (and even that fails sometimes):
and my “favorite” moments are when I find scripts written 12+ years ago, with tips for visitors to use Internet Explorer 6 or above, or “best viewed at 1024 x 768”, etc.
Not all phishers are ignorant and careless about the security of their scripts. This guy redirects visitors through a few websites, hoping to hide the trail to the real location (or to serve some exploit-kit magic to the visitors along the way, who knows).
Some of them try to trick scanners by making the phish page one big image and positioning the form fields over it with a .css file, so there is almost no text for a scanner to match. Sometimes the images are heavily compressed and of poor quality, a big sign that something is wrong:
sometimes the page looks almost real (this one I had to compress because of its size)
and sometimes the page is set to load many smaller image slices that together form one big image and look very real and legitimate. Here is an example where I managed to take the screenshot before the page had fully loaded:
I am not sure how much this image trick helps them avoid Google's bots and scanners, though.
Many people recognize phish pages and type random insults and swear words aimed at the phisher into the form. The next image shows one attempt to filter those junk entries out of the phish logs; this code is rarely seen in regular phish pages. The code checks the submitted fields against an array of specific words and redirects matching users to a useless Google search.
The next example of obfuscation and hiding is not common, but it exists. The phisher loads the phish page through a looong URL: the full source code of the phish page is packed into base64 in the link itself (a data: URL), and the phished data is sent to some obscure website. So, basically, the phisher does not even need a website to host the phish page; he can simply send an email with this long link and the page is rendered directly from it. Size is probably a problem in this scheme. It is too big to post here; you can check it on my pastebin >> http://pastebin.com/56aFqupZ
A more practical and “lighter” implementation of the same trick is to use an iframed page. The URL with the source code is just an iframe tag, whose src contains another base64 blob.
The decoded base64 string gives us a redirect to the iframed phish page:
<meta http-equiv="refresh" content="0; http://www.focusinsuranceatlanta.com/mail45435345345g00giedrivesess45353534534/index.html">
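Both variants above, the whole page packed into the link and the iframe-in-a-link that decodes to a meta refresh, can be unwrapped offline without ever rendering the page. The following Python is an added example written for this post, not code from the original article or from any phish kit. The sample link is constructed here and reuses the redirect target quoted above; the drop.example host in the single-layer case is made up.

```python
"""Unwrap base64 data: URL phishing links layer by layer (added example, not from the post)."""
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# data:<mediatype>[;charset=...][;base64],<body>
DATA_URL = re.compile(r"^data:(?P<type>[^;,]*)(?P<params>(?:;[^,]*)?),(?P<body>.*)$", re.S)

# Places one layer can hand the browser off to the next layer: an iframe/frame src,
# a form action (where the phished data is posted), or a meta refresh target.
NEXT_HOP = re.compile(
    r"""<(?:iframe|frame)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)"""
    r"""|<form\b[^>]*?\baction\s*=\s*["']?([^"'\s>]+)"""
    r"""|content\s*=\s*["']\s*\d+\s*;\s*(?:url\s*=\s*)?([^"']+?)\s*["']""",
    re.I | re.S,
)


def decode_data_url(url: str) -> Tuple[str, str]:
    """Return (mediatype, decoded body) for a data: URL, base64 or percent-encoded."""
    m = DATA_URL.match(url.strip())
    if not m:
        raise ValueError("not a data: URL")
    body = m.group("body")
    if "base64" in m.group("params").lower():
        # Hand-built phishing links often drop the '=' padding; restore it before decoding.
        body = base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
    else:
        body = unquote(body)
    return m.group("type") or "text/plain", body


def unwrap(link: str, max_depth: int = 5) -> Dict[str, object]:
    """Follow nested data: URLs and return every decoded HTML layer plus the first
    non-data: URL the chain hands off to (the hosted phish page, or the drop script
    a form posts to). final_url is None when a layer has no onward hop, and is still
    a data: URL if max_depth was reached, which flags a deliberately deep nest."""
    layers: List[str] = []
    current: Optional[str] = link
    for _ in range(max_depth):
        if current is None or not current.lower().startswith("data:"):
            break
        _, html = decode_data_url(current)
        layers.append(html)
        hops = [h for groups in NEXT_HOP.findall(html) for h in groups if h]
        current = hops[0].strip() if hops else None
    return {"layers": layers, "final_url": current}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample mirroring the two-layer trick: the innermost layer is the meta
# refresh quoted in the post, the middle layer is the iframe that loads it, and the
# outer link is what the victim would receive by email.
INNER = ('<meta http-equiv="refresh" content="0; http://www.focusinsuranceatlanta.com'
         '/mail45435345345g00giedrivesess45353534534/index.html">')
MIDDLE = f'<iframe src="data:text/html;base64,{_b64(INNER)}" width="100%" height="100%"></iframe>'
SAMPLE_LINK = "data:text/html;base64," + _b64(MIDDLE)

if __name__ == "__main__":
    result = unwrap(SAMPLE_LINK)
    for i, layer in enumerate(result["layers"], 1):
        print(f"layer {i}: {layer[:70]}...")
    print("final URL:", result["final_url"])
```

The final URL is the piece worth reporting: for the iframe variant it is the hosted phish page, for the all-in-the-link variant it is the form action, i.e. the drop script that receives the stolen credentials.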
Some of them use URL shortener services to mask the real URL. That gives us some insight into their activities: number of visits and potential victims, targeted countries, etc.
In this example the phisher uses the bit.ly service. As you may already know, any bit.ly shortened link reveals its statistics if you add a plus sign (+) at the end of the link. You need to create a free account to see the daily stats.
Sometimes the phisher uses the same account for many phish campaigns, so it is easy to correlate activities. Sometimes the phisher is focused on one company only.
This guy is using the same domain for multiple campaigns, just repacking the phish page into another folder. Apparently he is struggling to get enough visits to the page.
The domain sup-auth-orange.net is registered to a probably fake name, but the email address has to be functional for registration purposes:
Registrant Name: Stefphanie TOUCOUR
Registrant Organization: WSALNI
Registrant Street: 765 avenue de la montpelier
Registrant City: PARIS
Registrant State/Province: ILE DE FRANCE
Registrant Postal Code: 75019
Registrant Country: France
Registrant Phone: +33.665390211
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: email@example.com
Searching for firstname.lastname@example.org does not yield any results (yet), but people often reuse the same handle with another domain; a Google search for sendnewhot2 turns up another email, email@example.com, used to register the domain name email-online-ameli.com on 08/12/2015, most probably for scamming Outlook/Hotmail users.
Apparently that domain is already dormant.
Here is the last screenshot for today: another phisher, with a better organized campaign, tracked through the bit.ly URL shortener.