Wednesday, September 20, 2006

Watching a phishing attack live

Yesterday a phishing mail for a community bank in a US east coast state (throughout this blog post I have obscured many details including names, domains and IP addresses) slipped through GMail's spam/phish filter and then right through POPFile. Only Thunderbird bothered to warn me that it might be a scam.

The message itself was sent from an ADSL connected machine in China.

Of course, since I don't have an account with this bank it was an obvious phish, but I was curious about it so I followed the link in the message.

The link appeared to go to https://*****bank.com/Common/SignOn/Start.asp but actually went to http://***.***.164.158:82/*****bank.com/Common/SignOn/Start.html. Clearly a phish running on a compromised host.

A reverse DNS lookup on the IP address of the host revealed that the phish was being handled by a web server installed in a school in a small central Californian town. The machine appeared to be running IIS, but the phishing server identified itself (on port 82) as Apache/2.0.55 (Win32) Server.

The Start.html page was identical to the actual sign on page used by the bank. Taking a screen shot of the real page and a screen shot of the phishing page revealed that they were identical. Even the MD5 checksums of the images were the same. Naturally, not everything was the same in the HTML.

Although almost all the HTML was identical (with the phishing site even pulling its images off the real bank's site), the name of the script that handled validation of the user name and password had been changed from SignOn.asp (the actual bank uses ASP) to verify.php (the phisher used PHP).

The only significant diff between the phisher site and the real site is:

272c272
< <form action="verify.php" method="post" id="form1" name="form1">
---
> <form action="SignOn.asp" method="post" id="form1" name="form1">

Once a username and password were entered, the phishee was taken to a page asking for name, email address, credit card number, CVV2 number and PIN (with the PIN asked for a second time for validation). After that the user was thanked for verifying their details.

The user name, password, credit card number, CVV2 number and PINs were saved to a file called red.txt in the same directory as the HTML and PHP files that made up the phishing site. How do I know that? Simple: going up one level in the phishing URL to http://***.***.164.158:82/*****bank.com/Common/SignOn/ gave me a directory listing (the phisher had left directory listings enabled). In the directory there were three HTML files, two PHP scripts and red.txt. Clicking on that file gave me access to the phished details as they came in.

I quickly informed the bank and US CERT of the phishing site. I tried to figure out how to contact the school, but it was 0500 in California.

Here's a sample entry from the actual log file.

###################################
Tue Sep 19, 2006 5:33 am
Username: youare
Password: stuipd
***.***.118.70
###################################
Tue Sep 19, 2006 5:34 am
cc: 4111111111111111
expm: 10
expy: 2006
cvv: 321
pin: 1122
pin2: 1122
***.***.118.70
###################################

The time is local to California and you can see the details that the person entered. Here a vigilante has clearly decided to mess with the phisher by entering bogus details. In fact, the last time I was able to access the site (before it was pulled down) there were 33 entries in the log file. Of these, 32 contained nothing, or offensive user names and passwords.

But one seemed to contain legitimate information.

The log file had a first entry at 0454 California time from a machine owned by MessageLabs (I assume that they are doing some automated testing of phishing sites); the last entry was at 1226 California time.

The one legitimate entry contained a valid Visa card number (valid in the sense that the number validated against the standard Luhn check digit algorithm). Also the user name and password looked legitimate and a quick Google search revealed that the username was also used as part of the email address of a small business in the same town as one of this small bank's branches. It looked very likely that this entry was legitimate and the person had given away their real card number and PIN.
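
As an added illustration (this is not code from the post), here is a Python script that does the kind of triage described above: it parses a drop file in the red.txt layout shown earlier, pairs each credential submission with the card submission that followed from the same IP, and runs the standard Luhn check on the card number. It also flags numbers that pass Luhn but are commonly published test numbers, which is exactly the case with the 4111111111111111 in the vigilante's entry, so Luhn alone is not enough to separate real victims from pranksters. The log entries in SAMPLE_LOG are constructed for the example, with documentation-range IP addresses; the one "possibly real" card number is a made-up Luhn-valid value, and the list of test numbers is an assumption to be extended from the card brands' own documentation.

```python
"""Triage of a phishing kit's drop file, in the red.txt layout shown above.

Added example, not code from the post. SAMPLE_LOG is constructed in that layout
with documentation-range IPs and test or made-up card numbers.
"""
import re

SEPARATOR = "###################################"
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Published test card numbers pass Luhn but are never live accounts (assumed list).
KNOWN_TEST_NUMBERS = {"4111111111111111", "5555555555554444", "378282246310005"}

SAMPLE_LOG = """###################################
Tue Sep 19, 2006 5:33 am
Username: youare
Password: stuipd
203.0.113.70
###################################
Tue Sep 19, 2006 5:34 am
cc: 4111111111111111
expm: 10
expy: 2006
cvv: 321
pin: 1122
pin2: 1122
203.0.113.70
###################################
Tue Sep 19, 2006 7:02 am
Username: jsmith
Password: hunter2
203.0.113.5
###################################
Tue Sep 19, 2006 7:03 am
cc: 4539578763621486
expm: 03
expy: 2008
cvv: 814
pin: 4471
pin2: 4471
203.0.113.5
###################################
Tue Sep 19, 2006 7:21 am
cc: 1234567812345678
cvv: 000
pin: 0000
203.0.113.9
###################################
"""


def luhn_valid(number: str) -> bool:
    """Standard Luhn check-digit test; rejects non-digits and short strings."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_drop(text: str) -> list:
    """One dict per submission: timestamp line, 'key: value' lines, then client IP."""
    records = []
    for block in text.split(SEPARATOR):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"time": lines[0], "ip": "unknown"}
        for ln in lines[1:]:
            if IP_RE.match(ln):
                rec["ip"] = ln
            elif ":" in ln:
                key, _, value = ln.partition(":")
                rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def triage(text: str) -> list:
    """Merge the submissions from each IP (in order of first appearance) and classify."""
    merged: dict = {}
    for rec in parse_drop(text):
        entry = merged.setdefault(rec["ip"], {"ip": rec["ip"], "first_seen": rec["time"]})
        entry.update((k, v) for k, v in rec.items() if k not in ("time", "ip"))
    for entry in merged.values():
        cc = entry.get("cc", "")
        if cc and not luhn_valid(cc):
            entry["verdict"] = "bogus: card number fails Luhn"
        elif cc in KNOWN_TEST_NUMBERS:
            entry["verdict"] = "bogus: passes Luhn but is a published test number"
        elif not entry.get("username") and not entry.get("password"):
            entry["verdict"] = "no credentials submitted"
        elif not cc:
            entry["verdict"] = "credentials only, no card submitted"
        else:
            entry["verdict"] = "possibly real: have the bank verify with the issuer"
    return list(merged.values())
```

Running triage(SAMPLE_LOG) marks the vigilante's 4111111111111111 entry as a published test number rather than a live card, the jsmith entry as the one worth passing to the bank, and the third entry as failing Luhn outright. The pairing is by source IP only, which is what the drop file gives you; two victims behind one NAT would be merged, so the verdict is a triage hint for the bank, not proof.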

US CERT quickly responded with an auto-response assigning me an incident number and I received an email from the bank's IT Ops Manager Jack. Jack told me that he was already aware of the site and that this was the third time this little bank had been phished from machines in California and Germany. I gave Jack the name of the school in California, and he said he'd get in contact with them (he'd already called the FBI). I also told Jack about the one card number that looked totally legitimate; he told me he was in charge of all card operations at the bank and had the power to deal with it.

Some hours after that the site went offline.

12 Comments:

Blogger chphilli said...

Did you try to get ahold of the person that used the valid credit card? It seems like it would be prudent to warn them of what you saw.

4:54 PM  
Blogger TheWriteJerry said...

Excellent work!

It's great to see somebody with the tech know-how taking it to these thieves.

5:40 PM  
Blogger Jason said...

And with a nice little Python script they had already figured out which of the 33 were good and were off and running.

It's just too sad that people are willing to enter their information blindly like that. Education is the answer.

6:24 PM  
Blogger Democles said...

That's the thing... did the thief even get a slapped wrist? Probably not.

6:51 PM  
Blogger Michael Cameron Delaney said...

Kudos on the phish-net!

6:54 PM  
Blogger Rowdy Racoon said...

How were you able to access the site log though? Did the school let you in, and if they did, why would they let a third person access their machines?

It's an interesting article in any case, good work. :)

7:15 PM  
Blogger Loren Bluebear said...

>> How were you able to access the site log though? Did the school let you in, and if they did, why would they let a third person access their machines?

It's a Windows box, silly.

10:06 PM  
Blogger PlanetUber said...

@jason...
"It's just too sad that people are willing to enter their information blindly like that. education is the answer."

Your reply is kind of funny considering it was being hosted at a school.

;p

5:10 AM  
Blogger Gerald Oskoboiny said...

What amazed me when I checked a couple similar phishing attempts is that the bank web sites happily serve their corporate logos to be embedded in these phishing pages.

All they need to do is check the referring URI and if it isn't one of theirs, return a "hey! you are being phished!" image instead of their usual icons. They could also log the IP address of the referring site and arrange to have it shut down.

It wouldn't take long for the phishers to start copying the graphics onto their own sites when this happens, but still... you'd think banks would be doing everything in their power to combat these attacks.

9:07 AM  
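
An added worked example of the Referer check proposed in the comment above (this is not code from the post or from any bank; the host names, image path and log list are assumptions). It decides, for a request to one of the bank's image files, whether to serve the real image or a warning image, and records the foreign referring host for follow-up. The host comparison is done on the parsed hostname rather than a string suffix, so a lookalike such as examplebank.com.attacker.example is not mistaken for the bank's own domain.

```python
"""Referer-based hotlink check for a bank's logo images.

Added example for the idea in the comment above; not code from the post or from
any bank. Host names, the image path and the log list are assumptions.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts allowed to embed the images (assumed for the example).
OWN_HOSTS = {"examplebank.com", "www.examplebank.com"}
WARNING_IMAGE = "/static/you-are-being-phished.gif"  # assumed path

# (referring host, requested image) pairs seen from foreign sites, for follow-up.
HOTLINK_LOG: List[Tuple[str, str]] = []


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Host named by a Referer header, lower-cased; None if absent or unparseable."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname  # .hostname is already lower-cased
    except ValueError:
        return None


def is_own_host(host: str) -> bool:
    """Exact match or a proper subdomain of an allowed host.

    A plain suffix test would wrongly accept 'examplebank.com.attacker.example'.
    """
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def select_image(requested_path: str, referer: Optional[str]) -> Tuple[str, Optional[str]]:
    """Decide what to serve for an image request.

    Returns (path_to_serve, foreign_host_or_None). A missing Referer is allowed,
    since browsers and proxies commonly strip it; only a Referer that names a
    host other than ours gets the warning image, and that host is logged.
    """
    host = referer_host(referer)
    if host is None or is_own_host(host):
        return requested_path, None
    HOTLINK_LOG.append((host, requested_path))
    return WARNING_IMAGE, host
```

Two caveats apply, the first of which the comment itself raises: a phisher can simply copy the graphics onto the compromised host, and a Referer header can be absent or forged, so this is a cheap early-warning signal and a source of leads for the abuse desk rather than a defence. Treating a missing Referer as allowed is a deliberate choice here; blocking it would break the bank's own pages for the many clients that strip the header.
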
Blogger PSPFreak said...

Spam those URLs with 1000000000000000's of mails... let them screw their inbox without space...

That's what I do.

11:46 AM  
Blogger Vijay said...

Huh? Another naive phishing attempt? BTW, it was a nice analysis.

4:56 PM  
Blogger Sriram Gellu said...

Hi... please help me... I have a blog; whenever I open it in IE7, Kaspersky antivirus on my PC pops up a message that this blog is used for phishing attacks for stealing passwords etc. I can't understand this; is my blog in any danger? Please help me, I will be grateful to you. My blog is http://a2zstuffbytes.blogspot.com ... waiting eagerly for your reply... My mail id is marsri_527@yahoo.com

10:57 PM  
