Skip to main content

Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or some SOC tasks? If you’re attempting to respond to an incident or just investigate some phishing pages, you may find that they are inconsistently accessible. Fraudsters will make phishing sites less available to their non-targets to curb their detection. Here’s what to know about phishing attacks and how to access them.

What is a fake 404 page?

It’s pretty easy to make a fake 404 page to display.

<html><head>

<title>404 Not Found</title>

</head><body><h1>Not Found</h1>

                <p>Additionally, a 404 Not Found

error was encountered while trying to use an ErrorDocument to handle the request.</p>

                  <hr>

                  <address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80

                              <style>

 

This fake 404 page is part of a login for a webshell. The password’s hash and its plaintext mate are found in the file. So when you find a 404 page, do not assume the website is correctly offine.

 

a broken fake 404 page

1. Use a VPN or Proxy in a different country preferably one that matches the suspected target of the attack. There's always an ideal victim for the attacker. It could be that they want to phish customers of a particular store or brand, such as KFC. If an American proxy did work, try Japan who also has a lot of KFC. I'm sure hackers aren't looking to attack this chicken site though. 

2. Change your user agent

if(!empty($_SERVER['HTTP_USER_AGENT'])) {

    $userAgents = array("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl");

    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {

        header('HTTP/1.0 404 Not Found');

        exit;

 

There are two main reasons to change your user agent when accessing an attack. First is to not match any user agents that the site may deny. Since fraudsters only when their victims to find them, they remove other illogical ways of accessing the site.

The other reason is that some attacks are specifically crafted to be delivered by SMS and therefore opened with mobile user agents. It would not make sense to have desktop access, and likely those who would access them

 

3. Know which files to access

 function gass(){

        global $dirr , $index ;

        chdir($dirr);

        $me = str_replace(dirname(__FILE__).'/','',__FILE__);

        $files = scandir($dirr) ;

        $notallow = array(".htaccess","error_log","_vti_inf.html","_private","_vti_bin","_vti_cnf","_vti_log","_vti_pvt","_vti_txt","cgi-bin",".contactemail",".cpanel",".fantasticodata",".htpasswds",".lastlogin","access-logs","cpbackup-exclude-used-by-backup.conf",".cgi_auth",".disk_usage",".statspwd","..",".");


Here we have the list of files that should be restricted from access. While it looks like they have thought of everything, they have not... and this is where fuzzing comes in. If you're familiar with the phishing kit you'll probably be aware of the folders and file structure by now. If you're not, use a fuzzer or vulnerability scanner to find those extra files. I recommend this one even though it's freemium. Or there are plenty of scripts on github you can find that'll do the same thing. 

4. Check for redirections

Phishing attacks frequently utilize URL shorteners to hide the phishy URL. There's two reasons to do this; 1 if you're trying to stop blue teams from finding you, you'll require the webpage only to load from it's redirection URL and not share the URL the phishing page. 2 if the redirection URL get flagged or taken down, you can always just make new ones. 

If the attack requires you to have the redirection URL, I would recommend fuzzing the phishing page for insecure object references to load the attack. 

If you want to check where a website goes to without loading it yourself, or there's just a lot of redirects to keep track of, use Redirect DetectiveBrowserling is a browser emulator where you can switch user agents and see redirections.  

 

 

 

 


Comments

Popular posts from this blog

Wardriving OSINT & SE

 Disclaimer: do NOT use this information to be a jerk. Don’t try to get the location of my examples, or you’re a big meanie. There's already a post out there about tracking people with wifi. It's helpful for those who use a hotspot or maybe a vehicle hotspot. I believe a personal device that broadcasts Bluetooth is more likely than a hotspot.  Tracking What wardriving can’t do = track people via Bluetooth devices Or shouldn’t be able to work. Most modern Bluetooth devices use MAC randomization, which changes the MAC address of the Bluetooth device at random. Even if you can track a device it may only be short-term, as it’ll change again.  But sometimes they don't turn over to a randomized MAC. Do what you will with that. If you want to see how easy it is to make a random MAC go here . But what if you only need a short-term answer? Better start stumblin’. Let’s forget the purpose of needing that MAC address long-term. With all MAC addresses, OUI can tell you what the

How to Wardrive: Know where to go

Inspired by others, and my goal of getting a golden WiGLE badge, I went wardriving for my birthday. I was hoping for 50k, and I ended up with just over 61k. I'm less than 80k away from my goal! But how do you pick a place to wardrive, and how do you actually do  it? The easiest way is to download WiGLE on an android phone, get some transportation, and be set on your way. But if you want more detail or some tips, keep reading.  Avon Lady Method : Find a city within reasonable distance of travel Examine the results for the past few years of the area; do not use the overall coverage of all time.  Verify if the city is desirable for wardriving Little coverage in the past few years Most residential areas are not covered Use maps to search and define high density residential areas (i.e. apartments, town homes).  Create an order that allows for little overlapping and in a convenient driving pattern. Use landmarks around the city to define the internal roads Wardrive Profit ("internet