Skip to main content

Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or some SOC tasks? If you’re attempting to respond to an incident or just investigate some phishing pages, you may find that they are inconsistently accessible. Fraudsters will make phishing sites less available to their non-targets to curb their detection. Here’s what to know about phishing attacks and how to access them.

What is a fake 404 page?

It’s pretty easy to make a fake 404 page to display.

<html><head>

<title>404 Not Found</title>

</head><body><h1>Not Found</h1>

                <p>Additionally, a 404 Not Found

error was encountered while trying to use an ErrorDocument to handle the request.</p>

                  <hr>

                  <address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80

                              <style>

 

This fake 404 page is part of a login for a webshell. The password’s hash and its plaintext mate are found in the file. So when you find a 404 page, do not assume the website is correctly offine.

 

a broken fake 404 page

1. Use a VPN or Proxy in a different country preferably one that matches the suspected target of the attack. There's always an ideal victim for the attacker. It could be that they want to phish customers of a particular store or brand, such as KFC. If an American proxy did work, try Japan who also has a lot of KFC. I'm sure hackers aren't looking to attack this chicken site though. 

2. Change your user agent

if(!empty($_SERVER['HTTP_USER_AGENT'])) {

    $userAgents = array("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl");

    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {

        header('HTTP/1.0 404 Not Found');

        exit;

 

There are two main reasons to change your user agent when accessing an attack. First is to not match any user agents that the site may deny. Since fraudsters only when their victims to find them, they remove other illogical ways of accessing the site.

The other reason is that some attacks are specifically crafted to be delivered by SMS and therefore opened with mobile user agents. It would not make sense to have desktop access, and likely those who would access them

 

3. Know which files to access

 function gass(){

        global $dirr , $index ;

        chdir($dirr);

        $me = str_replace(dirname(__FILE__).'/','',__FILE__);

        $files = scandir($dirr) ;

        $notallow = array(".htaccess","error_log","_vti_inf.html","_private","_vti_bin","_vti_cnf","_vti_log","_vti_pvt","_vti_txt","cgi-bin",".contactemail",".cpanel",".fantasticodata",".htpasswds",".lastlogin","access-logs","cpbackup-exclude-used-by-backup.conf",".cgi_auth",".disk_usage",".statspwd","..",".");


Here we have the list of files that should be restricted from access. While it looks like they have thought of everything, they have not... and this is where fuzzing comes in. If you're familiar with the phishing kit you'll probably be aware of the folders and file structure by now. If you're not, use a fuzzer or vulnerability scanner to find those extra files. I recommend this one even though it's freemium. Or there are plenty of scripts on github you can find that'll do the same thing. 

4. Check for redirections

Phishing attacks frequently utilize URL shorteners to hide the phishy URL. There's two reasons to do this; 1 if you're trying to stop blue teams from finding you, you'll require the webpage only to load from it's redirection URL and not share the URL the phishing page. 2 if the redirection URL get flagged or taken down, you can always just make new ones. 

If the attack requires you to have the redirection URL, I would recommend fuzzing the phishing page for insecure object references to load the attack. 

If you want to check where a website goes to without loading it yourself, or there's just a lot of redirects to keep track of, use Redirect DetectiveBrowserling is a browser emulator where you can switch user agents and see redirections.  

 

 

 

 


Labels:

Comments

Post a Comment

Popular posts from this blog

How to program a NTAG215 NFC Tag

Hi! Did you just acquire a NTAG215 NFC tag? Very cool. Maybe you scanned it and it brought you here. Here's how to edit the content on the tag to make it do what you want.  Easy Steps Download an NFC writing app on a smartphone like this one for Android or this one for iPhone. I assume you might have this app already if you're reading this tag. Done Decide what type of data you want to save. If you picked up more than one of the NFC tags, you may have a variety of data saved to them like the ones below: Plain text URL/URI Link to a search Social networks Video File Application Mail Contact Phone number SMS Location Address Proximity search Street View Emergency info Bitcoin address Bluetooth connection WiFi network settings other custom fields Make sure if you select the correct format to make it easier to scan, save the write data, and re-scan the tag. Switch back to the read function and test your tag! Next Method The above method doesn't cover making everything, such a...
Post a Comment
Read more

Phishing Kits

Let's make a phishing attack (just kidding). The easiest way to do so is obtaining a pre-made phishing kit. Phishing kits represent a significant and growing danger. These tools, readily available in the darker corners of the internet, empower even technically unsophisticated criminals to launch effective phishing campaigns. This post aims to demystify phishing kits, explore their dangers, and provide practical advice on safeguarding against these insidious threats.  Phishing kits are pre-packaged sets of tools and resources designed to facilitate phishing attacks. The parts of a phishing kit can be broken down into the following components: Email templates Webpage clones (usually scraped from the legit site) Scripts and code repositories  Hosting Platforms Delivery Systems Readme & docs Premium services Real-time data analysis tools Customer service* Social engineering tools These kits are designed for ease of use, allowing attackers to launch phishing campaigns with mini...
Post a Comment
Read more

Anti-Phishing Working Group Report from Q2 2023

 The Anti-Phishing Working Group (APWG) is an international coalition focused on unifying the global response to cybercrime, particularly phishing and e-mail fraud. Established in 2003, APWG brings together businesses, government entities, law enforcement, and non-governmental organizations to combat phishing, crimeware, and e-mail spoofing.They create regular reports on the nature of phishing "in the wild" and share trends in this report. You can download the report here .  I wanted to report on a more recent trend report, but at the time of writing I haven't seen a newer one. It being in the middle of 2023, I believe the report is recent enough.  I found a few areas of interest, and questioned a few pieces. There was a reported downward trend in phishing. Despite the high numbers, there was a notable downward trend in phishing by the end of the quarter, indicating a possible shift in tactics or improved countermeasures. I have doubt that phishing is occurring less,...
Post a Comment
Read more