Over the last two years I have been fortunate enough (in terms of learning) to be involved in the recovery of more than 1 500 hacked websites. During this time I have learned a lot about cyber crime and the methods used. I have also seen how the strategies used by syndicates and criminals (there are actually quite a few freelancers out there) evolve in order to make their products harder to locate and shut down. One such method is using hashed (randomized) URLs in order to break the ‘pattern’ of phishing URLs and make it harder to locate the phish.

Make no mistake – I am not a security researcher, and this is not a blog post about some new method with a ‘Ta-da!’ moment near the 42-minute mark where I teach you a new exploit (if you have been to any ‘Con you will know what I mean). These are merely my own observations as a techie at a large web hosting company, dealing with hacking/phishing/fraud on a daily basis.


Case Study: KeNiHaCk Phish kit

This specific phishing kit is currently quite popular and is being used for quite a few different phishing attacks. The example we will be looking at is a phishing attack against JPMorgan Chase Bank. The kit is quite simple:

an index.php file
a folder named '1' with the phishing kit in it

Let’s look at the contents of /1/:

[Image: KeniHack]

The kit is deployed by finding a vulnerable site (usually a Joomla or WordPress site) and uploading the kit. The URL is then used in phishing emails sent out – usually from a different domain that gets hacked for this purpose.

How it works

Let’s say our phish kit was uploaded here:

website.co.za/wp-content/plugins/akismet/chase.com/

The victim receives a mail urging him to click on a link (to this URL) and log in to his online banking portal.  The usual tactic is to scare the bank’s client by claiming “irregular activities” on their account, and that they need to log in to verify their bank account and prevent their access to the account being revoked.  Clicking on the link directs the victim to this newly set up phishing site, where the index.php file is immediately loaded.

I have to add here that this happens EVERY time the link is visited. This gives us an idea of how many visits the phish got, simply by counting the hashed directories. The phish usually stops working once it runs out of disk space, as it cannot create further directories – but by the time it has used up all the available space, it has usually already created hundreds of directories.

Now – in an effort to further conceal the fact that this is actually a fake banking site and not the real chase.com site, a ‘hashed’ URL is generated by the index.php file. Let’s look at how that is done:

[Image: index]

As you can see – a random string is generated. It is then MD5 hashed and then Base64 encoded. The script then creates a directory using the output of this randomizer function as the name. It then copies the contents of the /1/ folder to this directory. Lastly, the script redirects the visitor to this newly created URL (and phishing site). This script thus creates a unique URL for each visitor to the phishing site. All of this happens ‘on the fly’, without any input from the visitor and without them even being aware of it.

Why all this effort?

Why go through all the effort of creating the random URL each time? Simple – obfuscation.

The obfuscation happens in two parts:

1. Remember the URL to the phishing site:

www.website.co.za/wp-content/plugins/akismet/chase.com/

It now also gets the ‘hashed’ URL added to the end of this:

www.website.co.za/wp-content/plugins/akismet/chase.com/815eddd29c5de18202c869cf92c0d5a9/

But this is not where the URL manipulation stops.  Let’s look at the Phishing kit again:

[Image: KeniHack]

On getting to the newly generated URL, the index.html loads. This is what’s inside ‘index.html’:

[Image: index]

This is a simple meta-refresh page which redirects to ‘Logon.php’ – BUT it adds the following to the end of the URL:

?LOB=RBGLogon&_pageLabel=page_logonform

So the URL we end up with is:

www.website.co.za/wp-content/plugins/akismet/chase.com/815eddd29c5de18202c869cf92c0d5a9/Logon.php?LOB=RBGLogon&_pageLabel=page_logonform

At first glance that could almost look legit – especially to someone who doesn’t know how to read/dissect a URL. The length of the URL also fools the eye, as we tend to focus on the last part, which is made to look like the real thing.

From there the fake Chase.com banking page loads, where the client will sadly log in and give away their online banking login.
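
On the hosting side, the per-visitor copies described above leave a clear footprint on disk: one folder holding many hash-named subdirectories that all contain the same files. The script below is an added example, not code from the kit or from this post. It assumes the copies are named with 32 hexadecimal characters, like the directory in the example URL, and its function names and sample tree are made up for illustration.

```python
import os
import re
import tempfile

# Assumption: per-visitor directories are named with 32 hex characters,
# like the hashed directory in the example URL in this post.
HASHED_DIR = re.compile(r"^[0-9a-f]{32}$")


def file_listing(path):
    """Relative paths of all files below `path`, as a frozenset."""
    return frozenset(os.path.relpath(os.path.join(r, f), path)
                     for r, _d, fs in os.walk(path) for f in fs)


def find_hashed_clones(webroot, min_clones=3):
    """Return {parent_dir: clone_count} for folders that hold at least
    `min_clones` hash-named subdirectories with identical file names."""
    hits = {}
    for root, dirs, _files in os.walk(webroot):
        hashed = [d for d in dirs if HASHED_DIR.match(d)]
        if len(hashed) < min_clones:
            continue
        listings = [file_listing(os.path.join(root, d)) for d in hashed]
        # Cache folders can also have hash-like names, but they rarely hold
        # the same set of files over and over; copied kit folders do.
        most_common = max(set(listings), key=listings.count)
        clones = listings.count(most_common)
        if most_common and clones >= min_clones:
            hits[root] = clones  # roughly one clone per visit to the link
        dirs[:] = [d for d in dirs if d not in hashed]  # skip the clones
    return hits


def build_sample_tree(base, visits=5):
    """Constructed sample data: a made-up plugin folder with `visits` copies."""
    kit = os.path.join(base, "wp-content", "plugins", "example", "kit")
    for i in range(visits):
        clone = os.path.join(kit, "%032x" % (i + 1))
        os.makedirs(clone)
        for name in ("index.html", "Logon.php"):
            open(os.path.join(clone, name), "w").close()
    return kit


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_hashed_clones(tmp))
```

The comparison uses file names only, so a hit is a lead to inspect by hand rather than proof of a phish.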

 

The Pixel Forge