Monday, April 21, 2008

Phishing Tactics Evolving

Malware authors, phishers and spammers have been actively consolidating for the past couple of years, and until they figure out to to vertically integrate and limit the participation of other parties in their activities, this development will continue to remain so. Malware infected hosts are not getting used as stepping stones these days, for OSINT or cyber espionage purposes, but also, for sending and hosting phishing pages, a tactic in which I'm seeing an increased interest as of recently. Here are some example of recently spammed phishing campaigns hosting the phishing pages on end user's PCs :

- pool-71-116-244-232.lsanca.dsl-w.verizon.net
- user-142o3ds.cable.mindspring.com/online.lloydstsb.co.uk/customer.ibc/logon.html
- user-142o3ds.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-142o3ds.cable.mindspring.com/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk
- stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/halifax-online.co.uk/_mem_bin
- zux006-052-125.adsl.green.ch/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- rrcs-74-218-5-6.central.biz.rr.com/webview/files//onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-0c93qog.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller

The second tactic that I've been researching for a while is that of remotely SQL injecting or remotely file including phishing pages on vulnerable sites, as for instance, someone's actively abusing vulnerable sites, which are apparently noticing this malicious activities and taking care of their web application vulnerabilities. Some recent examples include :

- kclmc.org/components/www.halifax.co.uk/_mem_bin/FormsLogin.aspsource=halifaxcouk/Index.PHP
- citrusfsc.org/templates_c/www.halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/index.html
- agentur-schneckenreither.com/administrator/components/com_joomfish/help/www.halifax.co.uk/_mem_bin/formslogin.asp/index.php
- dziswesele.pl/media/www.halifax.co.uk/_mem_bin/formslogin.asp/

In November, 2007, I started making the connecting between a Turkish defacement group that wasn't just defacing the web sites it was coming across, but was also hosting malware on the vulnerable sites :

"It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks."

As of recently, I'm starting to see more such activity, with various defacing groups realizing that monetizing their defacements can indeed improve their revenue streams. For instance, findaswap.co.uk/administrator/components/com_extplorer/www.Halifax.co.uk/_mem_bin/formslogin.asp/was serving a phishing page, and was also recently hacked by a Turkish defacement group. Moreover, equidi.com which is currently defaced is also hosting the following phishing pages within its directory structure, namely, equidi.com/New2008/Orange; equidi.com/New2008/www.bankofamerica.com; equidi.com/New2008/www.halifax.co.uk

Why are all of these tactics so smart? Mainly because they forward the responsibility to the infected party, and I can reasonably argue that a phishing page hosted at a .biz or .info tld will get shut down faster than the one hosted at a home user's PC. As for the SQL injections, the RFI, and the consolidation between defacers and phishers if it's not defacers actually phishing for themselves, what we might witness anytime now is a vulnerable financial institutions web sites' hosting phishing page, or its web application vulnerabilities used against itself in a social engineering attempt.