Phisher Tactics: “True Logins” Phishing Kits

By admin 10 years agoNo Comments
Home  /  Blog  /  Phisher Tactics: “True Logins” Phishing Kits

Over on the Symantec Security Response Online Fraud blog, Antonio Forzieri, follows up to his previous post about reactive phishing defenses.

In his post, Antonio discusses the merits and pitfalls of diluting phishing sites with different types of bogus data. The last case, where phishers automatically validate the data from within the phishing site itself is especially interesting because it can be used against the phishers in a variety of ways.

In the underground, the phishers call these phishing kits ‘true-logins’. Typically, they use ‘curl’ to post the data received from a would-be victim to the legitimate site and verify that it actually works. Here’s a snippet of PHP code from an actual phish kit.

phishkit-curl-example

 

How can we use the phishing kit behavior against the phishers? There are a few ways:

  • Check for the User-Agent in web server logs to identify phishing sites

In this example, the User-Agent is set to “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4″. That may be a perfectly legitimate User-Agent that is seen often, but there shouldn’t be multiple users from the same IP address with the same User-Agent attempting to login within a short period of each other.

  • Check for correct progression of web requests

Ok. This is hard, but it does represent an opportunity to spot and find phishing sites as well as bogus transactions. In the particular phishing kit with the above sample, the PHP code progresses through the following list of URLs:

https://www.bank.com/index.jsp
https://sitekey.bank.com/sas/signon.do
https://sitekey.bank.com/sas/signon.do?&detect=0
https://sitekey.bank.com/sas/challengeQandA.do
https://sitekey.bank.com/sas/verifyImage.do

Though the code isn’t shown for space reasons, looking through it, there are some obvious things that are wrong. The phish kit doesn’t fetch images like a browser does, it doesn’t run javascript, in some cases it doesn’t send a Referer: header. These are all big red flags that something is phishy!

The bottom line is that by performing some detailed analysis of your legitimate site’s web server logs, you can leverage the behavior of true-logins kits against the phishers to rapidly find their sites and fraudulent transactions. You can also find out more about phish kit distribution sites here.

If you’re a security researcher or bank and want some ‘true logins’ kits to take a look at, drop me a line and I’ll send some your way.

-John

Category:
  Blog

Leave a Reply

Your email address will not be published.

})(jQuery);