
Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or some SOC tasks? If you’re attempting to respond to an incident or just investigate some phishing pages, you may find that they are inconsistently accessible. Fraudsters will make phishing sites less available to their non-targets to curb their detection. Here’s what to know about phishing attacks and how to access them.

What is a fake 404 page?

It’s pretty easy to make a fake 404 page to display.

```html
<html><head>
<title>404 Not Found</title>
</head><body><h1>Not Found</h1>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80</address>
<style>
<!-- the rest of the file (the webshell login) is not reproduced here -->
```

This fake 404 page is part of the login for a webshell. The password's hash and its plaintext mate are found in the same file. So when you find a 404 page, do not assume the website is really offline.

[Image: a broken fake 404 page]
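A decoy 404 is only convincing if you look at the body alone; checked against the rest of the response it usually gives itself away. The following is an added example (not code from the original post) that scores one response against three signals: the HTTP status, the server signature in the `<address>` line versus the real `Server` header and requested host, and markup a stock Apache error page never contains. The sample bodies and the `phish.example` host are constructed for the demonstration.

```python
import re

# Heuristics for telling a phishing kit's decoy "404 Not Found" page from a genuine
# Apache error page. Added example, not code from the original post. The inputs are
# what an analyst already has from one HTTP response: status code, response headers,
# body, and the Host name that was requested.

DECOY_MARKUP = re.compile(r"<(style|script|form|input)\b", re.IGNORECASE)
ADDRESS_LINE = re.compile(
    r"<address>\s*(?P<product>\S+).*?Server at\s+(?P<host>\S+)\s+Port",
    re.IGNORECASE | re.DOTALL)

def fake_404_indicators(status, headers, body, request_host):
    """Return the reasons a response looks like a fake 404; an empty list means consistent."""
    reasons = []
    if not re.search(r"404\s+Not\s+Found", body, re.IGNORECASE):
        return reasons                       # the body does not even claim to be a 404
    if status != 404:
        reasons.append(f"body says 404 but the HTTP status is {status}")
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    sig = ADDRESS_LINE.search(body)
    if sig:
        if server and sig.group("product") not in server:
            reasons.append(f"signature {sig.group('product')!r} does not match Server header {server!r}")
        if sig.group("host").lower() != request_host.lower():
            reasons.append(f"signature names host {sig.group('host')!r} but the request was for {request_host!r}")
    tag = DECOY_MARKUP.search(body)
    if tag:
        reasons.append(f"a stock Apache error page has no <{tag.group(1).lower()}> element")
    return reasons

# Constructed sample: the decoy quoted above with a login form appended (hypothetical),
# served with status 200 from an nginx front end to a visitor who asked for phish.example.
DECOY_BODY = """<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr><address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80</address>
<style>form{display:none}</style><form method="post"><input type="password" name="pass"></form></body></html>"""

# Constructed sample: what a genuine Apache 404 for www.example.org looks like.
GENUINE_BODY = """<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>
<p>The requested URL was not found on this server.</p><hr>
<address>Apache/2.4.57 (Debian) Server at www.example.org Port 443</address></body></html>"""

if __name__ == "__main__":
    for reason in fake_404_indicators(200, {"Server": "nginx/1.18.0"}, DECOY_BODY, "phish.example"):
        print("suspicious:", reason)
```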

1. Use a VPN or proxy in a different country, preferably one that matches the suspected target of the attack. There's always an ideal victim for the attacker. It could be that they want to phish customers of a particular store or brand, such as KFC. If an American proxy didn't work, try Japan, which also has a lot of KFC. I'm sure hackers aren't looking to attack this chicken site though.

2. Change your user agent

```php
<?php
// Bot filter from the phishing kit: any visitor whose User-Agent contains one of these
// substrings is answered with a 404 and never sees the phishing page.
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl");
    // The whole list is joined into one alternation and matched case-insensitively
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
```

There are two main reasons to change your user agent when accessing an attack. The first is to avoid matching any user agents that the site may deny. Since fraudsters only want their victims to find them, they block ways of accessing the site that a real victim would not use.

The other reason is that some attacks are specifically crafted to be delivered by SMS and therefore opened with mobile user agents. It would not make sense to have desktop access, and likely those who would access them
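To see which of your own tools the kit's filter above would turn away, here is an added example (not from the original post) that re-implements that PHP check in Python and runs it over a constructed set of user agents an analyst typically sends. It reproduces the kit's two quirks: the match is case-insensitive, and an empty User-Agent skips the check entirely.

```python
import re

# The bot/tool substrings from the kit's PHP filter quoted above, joined the same way
# (one alternation, case-insensitive). None of them contain regex metacharacters, so
# no escaping is needed, which is also why the kit gets away without preg_quote().
KIT_BLOCKLIST = ["Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver",
                 "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl"]
KIT_PATTERN = re.compile("|".join(KIT_BLOCKLIST), re.IGNORECASE)

def kit_serves_404(user_agent):
    """Mirror the kit's logic: an empty UA skips the check; any substring hit gets the fake 404."""
    if not user_agent:
        return False                     # PHP's !empty() guard: no header, no check
    return KIT_PATTERN.search(user_agent) is not None

def blocked_user_agents(user_agents):
    """Return the subset of user_agents the kit would refuse with its fake 404."""
    return [ua for ua in user_agents if kit_serves_404(ua)]

# Constructed sample: user agents common analyst tooling sends by default.
ANALYST_UAS = [
    "curl/8.4.0",
    "python-requests/2.31.0",
    "Wget/1.21.4",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1",
]

if __name__ == "__main__":
    for ua in ANALYST_UAS:
        print("404" if kit_serves_404(ua) else "page", "<-", ua)
```

Stock curl is refused while python-requests and Wget are not, so a 404 from one tool and a login page from another is itself a sign of a filtered kit.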

 

3. Know which files to access

```php
<?php
// Directory-listing helper from the webshell: lists the current directory while hiding
// the entries in $notallow (cPanel and FrontPage housekeeping files, logs and dotfiles).
function gass() {
    global $dirr, $index;
    chdir($dirr);
    $me = str_replace(dirname(__FILE__) . '/', '', __FILE__);   // this script's own file name
    $files = scandir($dirr);
    $notallow = array(".htaccess", "error_log", "_vti_inf.html", "_private", "_vti_bin", "_vti_cnf", "_vti_log", "_vti_pvt", "_vti_txt", "cgi-bin", ".contactemail", ".cpanel", ".fantasticodata", ".htpasswds", ".lastlogin", "access-logs", "cpbackup-exclude-used-by-backup.conf", ".cgi_auth", ".disk_usage", ".statspwd", "..", ".");
    // the remainder of the function is not reproduced on the page
}
```


Here we have the list of files that the webshell hides from its own listing. While it looks like they have thought of everything, they have not... and this is where fuzzing comes in. If you're familiar with the phishing kit, you'll probably be aware of the folder and file structure by now. If you're not, use a fuzzer or vulnerability scanner to find those extra files. I recommend this one even though it's freemium. Or there are plenty of scripts on GitHub that'll do the same thing.

4. Check for redirections

Phishing attacks frequently use URL shorteners to hide the phishy URL. There are two reasons to do this. First, if you're trying to stop blue teams from finding you, you can require the page to load only when reached through its redirection URL and never share the phishing page's own URL. Second, if the redirection URL gets flagged or taken down, you can always just make new ones.

If the attack requires you to have the redirection URL, I would recommend fuzzing the phishing page for insecure object references to load the attack. 

If you want to check where a website goes without loading it yourself, or there are just a lot of redirects to keep track of, use Redirect Detective. Browserling is a browser emulator where you can switch user agents and see redirections.

 

 

 

 

