Yesterday we came across a phishing website under .ch where we were able to download the phishing kit. A phishing kit is an archive file which contains all the relevant files for hosting a phishing website. In this case, the archive contained some static HTML, JS and image files for hosting the phishing form, but also a PHP file for sending the data to the perpetrator, and – most interestingly –an .htaccess file. The .htaccess file is a configuration file used by some popular web servers, which allows the user of a website to override a subset of the server’s global configuration for the directory that the file is located in and all its sub-directories.
A phishing website is frequently only accessible from the targeted country. In our case, this was controlled by the .htaccess file which contained a large list of IP address ranges from where it is allowed to access the site. As an incident handler, we often get reports of malicious websites that we cannot verify with IP addresses from Swiss ISPs. An unwary user might think that the phishing website has already been taken down, but that is not the case. The user is just not allowed to access the phishing website from its IP address.