
Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or SOC work? If you're responding to an incident or just investigating phishing pages, you may find that they are inconsistently accessible. Fraudsters deliberately make phishing sites less available to anyone who isn't a target, to reduce the chance of detection. Here's what to know about phishing attacks and how to access them.

What is a fake 404 page?

It's pretty easy to make a fake 404 page to display. Here is one taken from a kit:

<html><head>
<title>404 Not Found</title>
</head><body><h1>Not Found</h1>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80</address>
<!-- the snippet quoted in the post ends here; the style block that follows hides the webshell login -->
<style>

 

This fake 404 page is part of the login page for a webshell. The password's hash and its plaintext mate are found in the file. So when you find a 404 page, do not assume the website is really offline.

 

(Image: a broken fake 404 page)

1. Use a VPN or proxy in a different country, preferably one that matches the suspected target of the attack. There is always an ideal victim for the attacker: they may want to phish customers of a particular store or brand, such as KFC. If an American proxy doesn't work, try Japan, which also has a lot of KFC. I'm sure hackers aren't looking to attack this chicken site, though.

2. Change your user agent

<?php
// Gate taken from a phishing kit: any visitor whose User-Agent contains one of
// these crawler/tool names gets a genuine HTTP 404 and never sees the page.
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl");
    // Case-insensitive substring match against every entry in the list
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

 

There are two main reasons to change your user agent when accessing an attack. The first is to avoid matching any user agent that the site denies. Since fraudsters only want their victims to find the page, they shut off any other, illogical ways of reaching it: the kit snippet above answers with a 404 to anything that looks like a search-engine crawler or a command-line client such as curl.

The other reason is that some attacks are specifically crafted to be delivered by SMS and are therefore expected to be opened with a mobile user agent. It would not make sense to allow desktop access, and likely those who would access them

 

3. Know which files to access

<?php
// Directory-listing helper from a phishing kit. $dirr is the directory to list
// and $index the kit's index file; both are set elsewhere in the kit.
function gass() {
    global $dirr, $index;
    chdir($dirr);
    // Name of this script relative to its own directory
    $me = str_replace(dirname(__FILE__) . '/', '', __FILE__);
    $files = scandir($dirr);
    // Files and folders the kit never wants listed or served
    $notallow = array(".htaccess", "error_log", "_vti_inf.html", "_private", "_vti_bin", "_vti_cnf", "_vti_log", "_vti_pvt", "_vti_txt", "cgi-bin", ".contactemail", ".cpanel", ".fantasticodata", ".htpasswds", ".lastlogin", "access-logs", "cpbackup-exclude-used-by-backup.conf", ".cgi_auth", ".disk_usage", ".statspwd", "..", ".");
    // The rest of the kit's function is not shown in the post; it walks $files
    // and skips every entry found in $notallow, roughly like this:
    $allowed = array();
    foreach ($files as $f) {
        if (!in_array($f, $notallow)) {
            $allowed[] = $f;
        }
    }
    return $allowed;
}


Here we have the list of files the kit restricts from access. While it looks like they have thought of everything, they have not, and this is where fuzzing comes in. If you're familiar with the phishing kit, you'll probably know its folder and file structure by now. If you're not, use a fuzzer or vulnerability scanner to find those extra files. I recommend this one even though it's freemium, or there are plenty of scripts on GitHub that do the same thing.

4. Check for redirections

Phishing attacks frequently use URL shorteners to hide the phishy URL. There are two reasons to do this: (1) if you're trying to stop blue teams from finding you, you require the page to load only when reached through its redirection URL and never share the phishing page's own URL; (2) if the redirection URL gets flagged or taken down, you can always make new ones.

If the attack requires you to arrive through the redirection URL, I would recommend fuzzing the phishing page for insecure object references to load the attack.

If you want to check where a website goes without loading it yourself, or there are just a lot of redirects to keep track of, use Redirect Detective. Browserling is a browser emulator where you can switch user agents and see redirections.
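The following is an added example, not code from this post or from any phishing kit. It stands up a throwaway local HTTP server that mimics the three behaviours covered above (a redirect chain as in step 4, the user-agent gate quoted in step 2, and a fake 404 body served with HTTP 200 as in the webshell example) and a tracing client that follows the chain one hop at a time without a browser, with whatever user agent you choose, and then compares the real status code with what the body claims. Every hostname, path, user-agent string and HTML fragment in it is constructed for the demonstration.

```python
"""Added example: mock phishing-kit front door plus a hop-by-hop tracer.
Everything here (paths, HTML, user agents) is constructed for the demo."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Crawler/tool substrings copied from the kit snippet quoted in the post.
BLOCKED_UA = ("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit",
              "ia_archiver", "crawler", "Yandex", "Rambler", "YahooSeeker",
              "bingbot", "curl")
BLOCKED_RE = re.compile("|".join(map(re.escape, BLOCKED_UA)), re.IGNORECASE)

# Constructed decoy: dressed up as an Apache 404, but it carries a hidden form.
FAKE_404 = (b"<html><head><title>404 Not Found</title></head><body>"
            b"<h1>Not Found</h1><hr><address>Apache/2.2.31 Server at localhost"
            b" Port 80</address><style>form{display:none}</style>"
            b"<form method='post'><input name='pass'></form></body></html>")

REDIRECT_CODES = (301, 302, 303, 307, 308)


class MockKit(BaseHTTPRequestHandler):
    """Constructed redirect chain /go -> /r -> /login.php, then the UA gate."""
    HOPS = {"/go": "/r", "/r": "/login.php"}

    def do_GET(self):
        if self.path in self.HOPS:
            self.send_response(302)
            self.send_header("Location", self.HOPS[self.path])
            self.end_headers()
        elif self.path == "/login.php":
            ua = self.headers.get("User-Agent", "")
            if BLOCKED_RE.search(ua):          # mirrors the kit's preg_match gate
                self.send_response(404)
                self.end_headers()
            else:
                self.send_response(200)        # real status 200, fake 404 body
                self.send_header("Content-Type", "text/html")
                self.end_headers()
                self.wfile.write(FAKE_404)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):              # keep the demo quiet
        pass


def start_mock_kit():
    """Serve the mock kit on an ephemeral localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), MockKit)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def trace(url, user_agent, max_hops=10):
    """Follow redirects manually (no browser, no JS) with the given user agent.
    Returns the hop list as (url, status) pairs plus a verdict on the final
    response: what the server actually answered, and whether the body merely
    *looks* like a 404 page."""
    hops, body, status = [], b"", None
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
        location = resp.getheader("Location")
        conn.close()
        hops.append((url, status))
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)       # Location is often relative
            continue
        break
    lower = body.lower()
    return {
        "hops": hops,
        "final_status": status,
        "claims_404": b"404 not found" in lower or b"<h1>not found</h1>" in lower,
        "has_form": b"<form" in lower,
        # The tell: a body that says 404 while the server actually answered 200.
        "decoy_404": status == 200 and b"404 not found" in lower,
    }


if __name__ == "__main__":
    base = start_mock_kit()
    for ua in ("curl/8.4.0",
               "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148"):
        r = trace(base + "/go", ua)
        print(ua.split()[0], [s for _, s in r["hops"]],
              "decoy_404=%s has_form=%s" % (r["decoy_404"], r["has_form"]))
```

Run it and the curl user agent ends its chain on a genuine 404, while the iPhone user agent reaches a 200 whose body claims to be a 404 and contains a form. That status-versus-body comparison is the quick check for the fake 404 pages described at the top of the post; the per-hop list is what Redirect Detective gives you, but here you control the user agent on every hop.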
