
Phishing authors can be lazy or inexperienced too

The other day I received a blatantly obvious phishing email and I decided to analyze it and look through the website. There were a few things that really surprised me.

The phishing email

It was Saturday afternoon and I was a little bit bored, so I decided to check the trends on phishing in my email inbox. I came across this “masterpiece” of a phishing email:

Phishing email

So I had my first laugh with that, as it seems that the author did not invest ANY time in the making of this “masterpiece”. For those not versed in spotting phishing emails, there are numerous signs in this email that can tip you off; some of them are:

  • There does not seem to be any text, just a button.
  • There are mistakes in the few words that are present (“Accounte” in the Subject, or the poorly written Czech text on the button).
  • The sender is named Root User (what? why?).
  • The sender’s email is from a Russian domain that does not even remotely look like PayPal’s domain (Really? This is just lazy…).
Dr. Evil Meme - Masterpiece

Okay, so now we know this is a phishing email. What can we do with it? Normally I would just delete it and move on, but as I was bored, I decided to look at it some more.

Firstly, I noticed there was some text after all:

Phishing Email with the text highlighted

Great, so it seems that the author used some sort of bad translator for the text. Next I hovered over the link to see which website I would be taken to after clicking (this is also a good way to spot phishing emails).

The link would take me to “hxxps://www[.]counterfeitmoneyuk[.]com/Update/sign-in” (the protocol was https, but I defanged it here for obvious reasons), and at first glance you can see that this is not a PayPal domain. Shocker!


Website

After that I clicked the link and visited the website (in a safe environment of course!) and was greeted with … a 404 Page Not Found error. Well, great… So the phishing would not work even if someone fell for it.

Well, I navigated to the root of the website and found out that directory indexing was turned on:

Index of /

As the link in the email was pointing to something in the Update directory, I navigated to it.

Index of /Update

And here we can see a Login directory, which should contain the actual phishing webpage, and indeed it contains a login page that looks like PayPal’s. As on most phishing web pages you will come across, none of the buttons and links actually work except for the Next (or Login) button, so most of the time you can spot a phishing page that way too.

Phishing login page for PayPal

So we now know this is a phishing page and that it was poorly made, so we could end here and call it a day. But in the previous images you can see some files which could be interesting. So… let’s have a look.

/Update/uni.php

First I started with the file uni.php in the Update directory and after visiting it, this message was shown:

uni.php - first glance

So this PHP script is used for unzipping a local archive file, which at first glance does not seem that interesting or useful. Nonetheless, I tried to supply the script with a parameter “file” set to the name of this script, and this happened:

uni.php - file parameter passed

Alright, so we can seemingly unzip any file on the system. But what can we do with that? Probably nothing; let’s move on to another file.

/mrben.php

So this file is another PHP script and it must be interesting, right? Right? Well, as it turns out, there was not much to it other than an input box for a password and a submit button…

mrben.php - Login form

Well… I thought it would be interesting to look at those files, but it was not… There was one more file which, judging by its name, was not interesting, but for the sake of completeness I took a look at it anyway.

/404.php

As I (and probably you too) expected this script, judging by its name, to be a “404 Not Found” page, I was surprised to be greeted with the following:

404.php - Anonymous Shell Login form

Wow, okay, this is getting interesting. But first let’s recap. The phishing author does not seem that sophisticated, as he/she/they did not put much effort into crafting the phishing email. So I assumed that this would be a publicly available PHP web-shell. Probably on GitHub?

After hours and hours of searching through hundreds of pages of search results on Google, DuckDuckGo and Bing and going through shady forums on the Dark Web… Okay, after a few seconds of “searching” on Google (the search term “anonymous shell github” worked), I found that the web-shell is available at https://github.com/iamhex/Anonymous-Shell-v2. And if you read through the Readme, you can find:

Password: hacker0882

Now you might be thinking: “No, this is not the real password. Surely the phishing author has changed the password!” Well, as it turns out, the opposite is true. The password was left at the default value and I was greeted with shell access to the server!

404.php - Web Shell successfully accessed!

So now we have access to the server. We have now entered a legal gray zone, and there have been many discussions about the actions you can and cannot take. But as I don’t want to break the law (even in the slightest), I did not modify or delete anything, nor did I do anything other than read the source code of the files we analyzed previously (which might still be a gray zone?).


Source code

Phishing page

So first I looked at the phishing page files, which were basic copies of the PayPal login page, but also a few PHP scripts, which I call “firewall” scripts, because they do not allow anyone from predefined IP addresses (hardcoded in the scripts) to access the phishing login page and just show them a blank page instead.

The login page itself is divided into 4 steps.

  1. In the first step it harvested the login credentials (email and password) and the IP address of the victim.
  2. The second step harvested the victim’s payment card information and billing address.
  3. The third step asked the victim for an ID card.
  4. And the fourth step asked the user to upload a selfie of themselves.

The harvested information was saved to a file and emailed to the attacker’s email address at the end of each step. So even if the user stopped at the second step, the attacker already had the login credentials, and even if I were to delete the harvested info from the server, the attacker would already have it.

/mrben.php

After that I looked at the file mrben.php, which asked us for a password. It turns out that it is a PHP mailer, more specifically TeamCC NinjaMailer. The password needed to log in and send an email was hardcoded in the script, and this time it had been changed from the default value.

/Update/uni.php

And the last file I investigated was uni.php. As I found out, it unzips an archive on the local disk into the current directory. If the files were already present, they would be overwritten.

The interesting thing about this script is this line:

system('unzip -o ' . $_GET['file']);

If you know a little PHP (even if you don’t) you may see the problem with this line.

If you are familiar with the basic concepts of web application vulnerabilities, you can see that the author of this script did not invest much time in hardening it.

If you are not familiar with those concepts: the code introduces a vulnerability to the web application called Command Injection. Because the author passes whatever we submit in the parameter “file” straight to the PHP function “system()” (which executes it as an OS command), we can submit our own commands.

Thus if we send a request with “uni.php; id” in the file parameter, the command “id” will be executed and, in this case, its output will even be shown on the web page.

uni.php - Command Injection

The commands run as the user under which the web server service is running, and thus we could execute commands only with the privileges of that user.
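To make the fix concrete, here is an added example (my own code, not the phishing kit’s) that puts the vulnerable pattern from uni.php next to a hardened replacement. The function names, the base directory and the sample inputs are assumptions made for this illustration; the vulnerable version only builds the command string and never executes it, so the file is safe to run from the command line.

```php
<?php
// Added example, not code from the phishing kit: the vulnerable pattern from
// uni.php next to a hardened replacement. Function names, the base directory
// and the sample inputs below are assumptions made for this illustration.

// Vulnerable form: user input is concatenated straight into a shell command
// line. Here the command is only returned, never executed, so this file is
// safe to run; in uni.php the same string went to system().
function unzip_vulnerable(string $file): string
{
    return 'unzip -o ' . $file;
}

// Hardened form, step 1: accept only a bare file name of a known shape.
// No directory separators, no shell metacharacters, fixed ".zip" suffix.
function validate_zip_name(string $file): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.zip\z/', $file) === 1 ? $file : null;
}

// Hardened form, step 2: resolve the name inside a fixed base directory and
// confirm the resolved path did not escape it (this covers symlinks, too).
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hardened form, step 3: never hand the path to a shell at all; extract with
// PHP's ZipArchive, so there is no command line for the input to break out of.
function unzip_hardened(string $file, string $baseDir, string $destDir): bool
{
    $name = validate_zip_name($file);
    if ($name === null) {
        return false;
    }
    $path = resolve_inside($baseDir, $name);
    if ($path === null) {
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return false;
    }
    $ok = $zip->extractTo($destDir);
    $zip->close();
    return $ok;
}

// Constructed inputs: a legitimate name, the post's payload, a path-traversal
// attempt and a pipe variant, shown as each version would treat them.
$samples = ['archive.zip', 'uni.php; id', '../../etc/passwd', 'x.zip|cat /etc/passwd'];
foreach ($samples as $input) {
    printf("input %-24s vulnerable builds: %s\n", var_export($input, true), unzip_vulnerable($input));
    printf("      %-24s hardened accepts:  %s\n", '', validate_zip_name($input) === null ? 'no' : 'yes');
}
```

Run it with the PHP CLI to see that only “archive.zip” passes the allowlist. If you genuinely must shell out, the minimum is wrapping the argument in PHP’s escapeshellarg(), but that only quotes the value; it does not stop unzip from being pointed at any readable archive on the disk, which is why the name allowlist and the base-directory check are the parts that actually matter here.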

Disclosure

After I found the phishing webpage I immediately reported the website to Google Safe Browsing (https://safebrowsing.google.com/safebrowsing/report_phish/). It did not take even a day for it to be blocked in all major browsers.

Google Safe Browsing stops a visit to the phishing website.

I also reported it to the owner of the IP address (email found through the whois database). Only after that did I begin to look for the further information from which this article came. After I found more information (through the web-shell) I also reported it to the cloud provider, just in case.

Conclusion

So this basic phishing led us to discover a publicly accessible web-shell with default credentials (see, even attackers forget to change them!) and we saw the whole process of gathering the victim’s credentials.

As you can see, phishing emails can sometimes be a source of fun, but only if you are careful!

Another great source of fun can sometimes be replying to phishing and spam emails. For a fun story, I recommend reading this old but gold article about a scammer who got scammed by his victim, a.k.a. the story of the Church of The Order of The Red Breast. There are many more stories to be found on the internet (even on YouTube), so you can look for those if you want to.

If you decide to try any of this, I must warn you that you must always be very careful when doing so. I also recommend replying to spam/phishing from a dummy email address (i.e. not your main or even secondary email address), as the attackers (usually) don’t care if the reply is from an email address they did not send the phishing/spam email to.