In his post, Antonio discusses the merits and pitfalls of diluting phishing sites with different types of bogus data. The last case, where phishers automatically validate the data from within the phishing site itself is especially interesting because it can be used against the phishers in a variety of ways.
In the underground, the phishers call these phishing kits ‘true-logins’. Typically, they use ‘curl’ to post the data received from a would-be victim to the legitimate site and verify that it actually works. Here’s a snippet of PHP code from an actual phish kit.
How can we use the phishing kit behavior against the phishers? There are a few ways:
- Check for the User-Agent in web server logs to identify phishing sites
In this example, the User-Agent is set to “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:184.108.40.206) Gecko/20070515 Firefox/220.127.116.11″. That may be a perfectly legitimate User-Agent that is seen often, but there shouldn’t be multiple users from the same IP address with the same User-Agent attempting to login within a short period of each other.
- Check for correct progression of web requests
Ok. This is hard, but it does represent an opportunity to spot and find phishing sites as well as bogus transactions. In the particular phishing kit with the above sample, the PHP code progresses through the following list of URLs:
The bottom line is that by performing some detailed analysis of your legitimate site’s web server logs, you can leverage the behavior of true-logins kits against the phishers to rapidly find their sites and fraudulent transactions. You can also find out more about phish kit distribution sites here.
If you’re a security researcher or bank and want some ‘true logins’ kits to take a look at, drop me a line and I’ll send some your way.