This story happened some time ago, but it could have happened yesterday as well, for this is a highly common attack.
My friend and former colleague realized that all email messages and contacts in her Gmail account had suddenly been removed. Since she relied heavily on this Gmail account for both work and private matters, this posed a serious problem for her.
So she asked for help, being sure she had been hacked. Luckily it was possible to restore most of the data, as she had offline MS Outlook copies. The next step was to investigate the incident.
Here is how it happened.
Structure of the attack:
A phishing email was found, with an embedded URL leading to a website hosted on a 000webhost account and running a malicious PHP script.
This site claimed that the user had important documents pending, and it prompted the user to log in with one of the available email accounts.
In scope of the attack were Gmail, Yahoo, Hotmail, AOL, etc.
Inside the source code, it looked like this:
Once the victim enters the credentials, the information is forwarded to a database administered by the hacker, and then the legitimate login web page appears.
The victim usually thinks the password was entered incorrectly, so [s]he enters the credentials again and logs in.
Contrary to the reason for logging in, namely to see the documents mentioned in the phishing email, the victim sees only the regular content of his/her mailbox.
This should immediately raise suspicion, but it appears most people just dismiss it as yet another broken link in an email.
What was next:
Once the structure of the attack was determined, the next step was to analyze the URL from the kit to see where all the data was going.
The script body was not obfuscated at all.
The URL was simple, hard coded, and hosted by https://www.000webhost.com/.
Since access was password-protected, the very same phishing kit was used against its own creators, with success!
As soon as the hacker fell for the same scam he had created, it was possible to investigate further.
The whole system had poor security settings which allowed anyone to view the log files. Now it was clear the website was still being visited by both the victims and the hackers!
In order to analyze the scope of this phishing attack, the data found in this publicly accessible storage was used to produce the so-called Graph.
Findings were analyzed and victims informed. The malicious website itself was reported and blocked.
During the analysis, it was found that the hackers seemed to be mining specific information from the victims' emails.
They also seemed to assign a score to each victim to determine whether the victim's account would be used for further spreading of the phishing campaign or for some other purpose.
These “score classes” were found:
- Cheater: wife/husband cheater, to be blackmailed.
- Nude pictures: usually young ladies who had stored nude pictures in their mailbox. For blackmailing or impersonation elsewhere on the internet.
- Administrator: a person having credentials to an administrative account in his/her email.
- Strong: a person who seemed to hold a strong position of any kind, either on social networks or in business. To be impersonated, blackmailed or (cyber) attacked in further ways.
- By mailbox content: if there were service messages from Facebook, LinkedIn, PayPal or e-shop accounts, the attackers attempted to log in to those services using the credentials stolen from the user. If this succeeded, it was used to propagate the attack on other platforms.
Regarding the latter, attackers tended to move laterally from email to the victim's LinkedIn in most cases. Once they succeeded, they tried to use the victim's LinkedIn to mine the contact lists and spread the attack further.
Due to LinkedIn's anti-spam features, it seems this second stage of the attack was not that successful, but a large number of stolen LinkedIn connection lists was found on the hacker's server, too.
Description of findings: what victims could have done better to minimize the impact of the attack.
1] Misuse of a private mail account for business-related communication:
Attackers identified a victim who was using her private email account for managing a company's operations.
So they tried to issue a payment order to the finance department, masquerading as "office supplies providers".
Due to lack of data, it is not clear whether the attackers succeeded.
2] Storing of credentials in the mailbox:
Attackers identified a victim's stored credentials in his/her mailbox and used them to log in to the accounts. This was a very common finding. According to the notes found in the data, attackers hijacked the following types of accounts:
– Other email accounts used by a victim, PayPal, Facebook, LinkedIn [very often], file sharing services, shopping accounts, server and web administration, shared document services.
Both men and women. Should the attacker find a remark of such behavior in the victims' correspondence, it was noted down, and in several cases they attempted to blackmail the victims.
4] The Criminal: human trafficking.
Using stolen nude pictures of a model for impersonation, attackers appeared to capture the credentials of a person who turned out to be involved in human trafficking.
This is where they actually helped to solve a crime. As they managed to impersonate a young girl, they lured more information from this criminal and then started to blackmail him.
With the information they had stolen from this person, they revealed he was guilty of forcing young girls into prostitution in several countries in Europe. He lured girls from countries like Bulgaria, Romania, the Czech Republic and Slovakia with the promise of a modelling job in Switzerland.
Instead, they were forced to let anonymous men take pictures of them and to serve them further.
This particular story has a conclusion: using the information gathered by the attackers, it was possible to start an investigation of this criminal, which led to his apprehension.
Real life test
Later on, I used the same phishing kit and methods as the original hackers in one of my legitimate projects, requested by a client. It was a company providing IT services to a provider of bets and lottery.
They wanted to know what the scope of a phishing attack would be and to evaluate the possible impact and remediation plans.
How is it possible, that this attack is so simple, yet so successful?
[ 1- 224 – 54k – 159k]
1 hacked account let the attack spread to all contacts of the victim. 224 people fell for the bait and got hacked. Additionally, the attack was amplified by targeting all of the 224 people's contacts, which was roughly 54k other people. Some of them overlapped. [As seen on the picture below.]
As LinkedIn was used in stage two of the attack, in total 159k individuals were affected by this attack. The number is lower due to the fact that LinkedIn was fairly efficient at blocking the spam.
All this was possible thanks to 1 successful attack at the beginning.
The picture below shows the final "loot" captured by the attackers.
The graph contains all stolen email accounts, email addresses which could also have been affected but for which there was no proof at the time of the analysis, and related contacts from the stolen LinkedIn contact lists [54k->159k: information obtained by attacking 54k accounts, which led to exposing a total of 159k accounts]:
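The stage-by-stage amplification described above (1 account, then the people who fell for the bait, then their overlapping contact lists) can be reproduced from harvested contact data by a simple breadth-first walk. The example below is added here and is not the author's analysis script; the contact lists and the set of compromised accounts are constructed sample data, not the incident's figures.

```python
# Constructed sample data: each compromised account's contact list, and which
# targets actually fell for the bait. Addresses are invented for illustration.
CONTACTS = {
    "patient0@example.com": ["a@example.com", "b@example.com", "c@example.com"],
    "a@example.com": ["d@example.com", "e@example.com", "b@example.com"],
    "b@example.com": ["e@example.com", "f@example.com"],
    "c@example.com": ["g@example.com"],
    "d@example.com": ["h@example.com"],
}
COMPROMISED = {"patient0@example.com", "a@example.com",
               "b@example.com", "d@example.com"}


def spread_stages(seed, contacts, compromised):
    """Walk the phishing spread from one seed account, stage by stage.

    For each stage, report who got hacked and how many distinct new addresses
    were targeted (the union of the hacked accounts' contact lists, with
    overlaps and already-owned accounts removed). This is the
    1 -> 224 -> 54k style amplification figure from the write-up.
    """
    stages = []
    seen_targets = set()          # every address that received a lure so far
    hacked_so_far = {seed}
    frontier = [seed]             # accounts whose contacts get lured next
    while frontier:
        targets = set()
        for acct in frontier:
            targets.update(contacts.get(acct, []))
        targets -= hacked_so_far              # owned accounts are not new targets
        new_targets = targets - seen_targets  # overlap between contact lists
        seen_targets |= new_targets
        newly_hacked = sorted(t for t in new_targets if t in compromised)
        stages.append({"hacked": newly_hacked, "targeted": len(new_targets)})
        hacked_so_far |= set(newly_hacked)
        frontier = newly_hacked
    return stages


def total_affected(seed, contacts, compromised):
    """Seed plus every distinct address that was lured at any stage."""
    return 1 + sum(s["targeted"] for s in spread_stages(seed, contacts, compromised))


if __name__ == "__main__":
    for i, stage in enumerate(spread_stages("patient0@example.com", CONTACTS, COMPROMISED), 1):
        print(f"stage {i}: targeted {stage['targeted']}, hacked {stage['hacked']}")
    print("total affected:", total_affected("patient0@example.com", CONTACTS, COMPROMISED))
```

Feeding the kit's real logs in as `contacts` and `compromised` would give the per-stage counts directly, with overlapping contacts counted once.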
What has happened:
Because of the hacker's lack of skill, it was possible to reveal almost the full scope of the phishing campaign.
How it was possible to conduct such attack:
The attacker exploited human curiosity, by sending the note about an important document to the victim, and also the trust between people, as the attackers impersonated various people using the victims' contact lists.
How it could have been prevented:
Victims should be aware in general of possible phishing attacks and their most common forms. This is valid not only for the enterprise environment but also for private life.
Triggers which should raise attention:
- An unusual request to read a document.
- A certificate warning while browsing to the malicious website.
- A request to log in on a non-standard website.
- The fact that nothing actually happened after entering the credentials.
- Some of the emails were actually caught by spam filters, but people clicked on them anyway.
- The antivirus/antispam issued a warning about spam or a malicious PHP phishing page.
At this time of year, the danger of phishing is imminent, as attackers take advantage of people being stressed and doing online shopping from both business and private email accounts; people are more likely to open a strange attachment or click on a malicious link at this time of year.
It is easier to impersonate a delivery company or a shopping mall, to spread attacks masked as special promotions, etc.