Yesterday we came across a phishing website under .ch where we were able to download the phishing kit. A phishing kit is an archive file which contains all the relevant files for hosting a phishing website. In this case, the archive contained some static HTML, JS and image files for hosting the phishing form, but also a PHP file for sending the data to the perpetrator, and – most interestingly –an .htaccess file. The .htaccess file is a configuration file used by some popular web servers, which allows the user of a website to override a subset of the server’s global configuration for the directory that the file is located in and all its sub-directories.
A phishing website is frequently only accessible from the targeted country. In our case, this was controlled by the .htaccess file which contained a large list of IP address ranges from where it is allowed to access the site. As an incident handler, we often get reports of malicious websites that we cannot verify with IP addresses from Swiss ISPs. An unwary user might think that the phishing website has already been taken down, but that is not the case. The user is just not allowed to access the phishing website from its IP address.
The phishing kit in our case contains the following files:
.htaccess index.php info_fichiers/ info_fichiers/footer_global_3d_secure.gif info_fichiers/mini_cvv2.gif info_fichiers/scr_emailBottomCorners_580wx13h.gif info_fichiers/scr_emailTopCorners_580wx13h.gif info_fichiers/secure-corrected.jpg info_fichiers/securecorrected.jpg info_fichiers/submit.gif info_fichiers/validator.js info_fichiers/verified_by_visa.gif info_fichiers/visa-vbv.gif Sa3.php Snapshot_2013-10-09_094758.png Snapshot_2013-10-09_095542.png verified_by_visa.html
The phishing campaign was running on the compromised website on 21 October 2014. However, the phishing kit is a lot older as the snapshot PNG image files indicate. The phishing website tried to steal credit card details of users who clicked on the spoof email that appeared to come from VISA.
The phishing campaign was targeting users from Sweden. The e-mail looked like this:
e-mail translated into English:
Subject: Important Message Dear Verified by Visa/MasterCard SecureCode Member, You have a Private Message! >Click here to read the message<
Security-conscious people who detect such fraudulent e-mails often report these to anti-phishing vendors. Eventually, the e-mail and possibly the phishing URL is blocked by spam and web filters.
Of course, attackers try to work around this by using different e-mail addresses and dynamic URLs in their spoof e-mails to get a higher percentage of e-mails to their victims. The URL behind the link from the phishing e-mail looked like this: hxxp://p3qtegr062.<compromised>.ch/verifiedbyvisa/
As it turns out, this domain name does not resolve to the same IP address as the normal website itself. From passive DNS information, I was able to find out other domain names which resolved to the foreign IP address and were used during this spam campaign. Passive DNS collects DNS response data received by DNS resolvers distributed around the Internet. Such information is tremendously useful in anti-abuse research. In this case, it revealed a long list of domain names which resolved to the foreign IP address:
3q2mixfjft.<compromised>.ch 3vhdtj2b55.<compromised>.ch 423y0ecquy.<compromised>.ch 4kru4hpiy9.<compromised>.ch 5snexdraa4.<compromised>.ch 6igbndgxa6.<compromised>.ch 6ptw829whi.<compromised>.ch 70bnfmcocn.<compromised>.ch 7sa3qshotr.<compromised>.ch 7t2jr0hj16.<compromised>.ch 8ufsdaxkwj.<compromised>.ch 9jfpwrc752.<compromised>.ch ...
Of course, this means the attacker was able to compromise the DNS zone of the domain. In fact, the website was not modified at all, but we nevertheless have to assume that if one account is used to manage the website and the DNS zone, the attacker owns both. The DNS manipulation was achieved by a DNS wildcard entry, which looked like this:
* IN A 126.96.36.199
This foreign IP address belongs to FiberHub. It may be that the server of this IP address is compromised as well. Back to the DNS entry. The attacker can now use any random sub-domain for the spam campaign.
To clean up this phishing website, we had to at least inform the DNS zone operator but it’s also a good idea to get in touch with the abuse contact at FiberHub to remove the phishing kit. Another interesting fact about the Swiss domain was that we had already received a phishing report about this domain name a few weeks earlier. At that time it was targeting American Express and the phishing site was hosted on the domain itself. This shows that if you don’t change all your hosting passwords (FTP, Web, DNS), update your website’s software, and remove potentially malicious files from the web server, the attacker may still be able to control your site.
We have been keeping statistics on the Malware Domain process for .ch/.li since 2010. Our data shows that roughly 15% of compromised websites are subsequently re-compromised. However, less than 3% get compromised more than twice.