Analysis of a Paypal phishing kit (Wed, Aug 16th)

There are plenty of phishing kits in the wild that try to lure victims into providing their credentials. Services like Paypal are nice targets and we can find new fake pages almost daily. Sometimes the web server isn't properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archive

The next steps ask

Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages. Let's have a look at the code now.

First, the timezone is set to Tokyo with the date_default_timezone_set() PHP function. Some comments in the code reveal that the attacker speaks Indonesian (for example, "masuk" means "sign in"). The victim
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR]
RewriteCond %{HTTP_USER_AGENT} ^TweetmemeBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]

order allow,deny
deny from x.123.119.163
deny from x.163.233.200
deny from x.169.29.56
deny from x.65.136.19
deny from x.2o7.com
deny from x.56.163.46
deny from x.56.163.64
deny from x.20.57.227
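To see how such an .htaccess decides who gets the phishing page and who gets the 404, here is an added Python example (not code from the kit or the diary) that parses RewriteCond User-Agent conditions and "deny from" entries and evaluates a visitor against them. The .htaccess text, the IP addresses and the domain in it are constructed for the example; the kit's real values are redacted above.

```python
import re

# Constructed sample in the shape of the kit's .htaccess shown above
# (documentation addresses, not the kit's real values).
SAMPLE_HTACCESS = r"""
RewriteCond %{HTTP_USER_AGENT} ^googlebot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber
order allow,deny
deny from 203.0.113
deny from 198.51.100.17
deny from .example-scanner.net
"""

UA_COND = re.compile(
    r'^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+(?:\\ \S+)*)(?:\s+\[([^\]]*)\])?\s*$')
DENY = re.compile(r'^deny\s+from\s+(\S+)\s*$', re.IGNORECASE)

def parse_htaccess(text):
    """Return (compiled User-Agent patterns, 'deny from' entries)."""
    ua_rules, deny = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        m = UA_COND.match(line)
        if m:
            pattern = m.group(1).replace('\\ ', ' ')   # unescape "\ "
            flags = (m.group(2) or '').upper().split(',')
            # mod_rewrite matches case-sensitively unless [NC] is given, so an
            # anchored ^googlebot never matches a UA that starts "Mozilla/5.0".
            ua_rules.append(re.compile(pattern, re.IGNORECASE if 'NC' in flags else 0))
        elif (m := DENY.match(line)):
            deny.append(m.group(1))
    return ua_rules, deny

def ip_denied(ip, hostname, deny):
    """Apache 'deny from' semantics: full IPv4, dotted prefix, or domain suffix."""
    for entry in deny:
        if re.fullmatch(r'[0-9.]+', entry):            # full or partial IPv4
            if ip == entry or ip.startswith(entry.rstrip('.') + '.'):
                return True
        elif hostname:                                  # Apache resolves this via reverse DNS
            dom, h = entry.lstrip('.').lower(), hostname.lower()
            if h == dom or h.endswith('.' + dom):
                return True
    return False

def is_cloaked(user_agent, ip, hostname=None, htaccess=SAMPLE_HTACCESS):
    """True if the kit would answer 404 instead of serving the phishing page."""
    ua_rules, deny = parse_htaccess(htaccess)
    if any(r.match(user_agent) for r in ua_rules):
        return True
    return ip_denied(ip, hostname, deny)
```

Running is_cloaked() with an analyst's crawler User-Agent or scanner address explains why automated checks often see only a 404 while a browser from a residential address gets the fake login page.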

There is also a second check of the IP address in the PHP code. If a listed IP address or User-Agent is detected, an HTTP 404 error (page not found) is returned. Geolocation of the victim is performed via www.geoplugin.net.
else if ($negara == "US") { echo '
<p class="field">Bank Name :
<select id="bank" name="bnknameus" style="">
<option value="Select Bank">Select Bank</option>
<option value="Ally Financial">Ally Financial</option>
<option value="American Express Company">American Express Company</option>
<option value="BBT">BBT</option>
<option value="Bank of America">Bank of America</option>
<option value="Bank of New York Mellon">Bank of New York Mellon</option>
<option value="Charles Schwab Corporation">Charles Schwab Corporation</option>
<option value="Capital One">Capital One</option>
<option value="Citizens Financial Group">Citizens Financial Group</option>
<option value="Citigroup">Citigroup</option>
<option value="Fifth Third Bank">Fifth Third Bank</option>
<option value="Goldman Sachs">Goldman Sachs</option>
<option value="HSBC Bank USA">HSBC Bank USA</option>
<option value="JPMorgan Chase">JPMorgan Chase</option>
<option value="Morgan Stanley">Morgan Stanley</option>
<option value="PNC Financial Services">PNC Financial Services</option>
<option value="SunTrust Banks">SunTrust Banks</option>
<option value="State Street Corporation">State Street Corporation</option>
<option value="TD Bank">TD Bank, N.A.</option>
<option value="US Bancorp">U.S. Bancorp</option>
<option value="Wells Fargo">Wells Fargo</option>
<option value="otherus">Other</option>
</select>

At the end of the verification process, an email is sent to the attacker with all the victim
++—–[ $$ [-]Cikampek-T34m[-] $$ ]—–++

.++=====[ Tukang Credit ]=====++.
Cardholder Name : Test Test
Card Number : 4111 1111 1111 1111
Expiration Date : 05 / 2019
Cvv2 : 111
BIN/IIN Info : – – –
Sort Code : – –
Account number :
BSB – OSID : –
Credit Limit :
Mother Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
.++=========[ End ]=========++.

++—–[ $$ [N]e[V]e[R] [GIVE UP] $$ ]—–++

While most phishing kits remain simple and can easily be spotted by victims, some of them are really well developed and harder to catch, especially when the URL is nicely chosen and the page is served over HTTPS. This kit was huge: more than 300 files in a 1.8MB ZIP file. Take care!

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.