
Common techniques for accessing phishing attacks

Can't load the phishing site that you know is there? Here to do some incident response or some SOC tasks? If you're attempting to respond to an incident or just investigate some phishing pages, you may find that they are inconsistently accessible. Fraudsters deliberately make phishing sites less available to anyone who isn't a target, because every non-victim visit (a crawler, a scanner, an analyst) risks detection and takedown. Here's what to know about how phishing attacks hide and how to access them.

What is a fake 404 page?

It's pretty easy to make a fake 404 page to display. This one copies the wording of Apache's default error document, right down to the server signature:

```html
<html><head>
<title>404 Not Found</title>
</head><body><h1>Not Found</h1>
                <p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
                  <hr>
                  <address>Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at localhost Port 80
                              <style>
```

 

This fake 404 page is the front of a webshell login; the snippet above is cut off where the shell's own markup begins. The password's hash and its plaintext mate are both found in the same file. So when you find a 404 page, do not assume the website is really offline.

 

[Image: a broken fake 404 page]

1. Use a VPN or proxy in a different country, preferably one that matches the suspected target of the attack. There's always an ideal victim for the attacker: it could be that they want to phish customers of a particular store or brand, such as KFC. If an American proxy didn't work, try Japan, which also has a lot of KFC. I'm sure hackers aren't looking to attack this chicken site though.

2. Change your user agent

```php
if(!empty($_SERVER['HTTP_USER_AGENT'])) {
    // Crawlers, scanners and command-line clients the kit does not want to serve.
    $userAgents = array("Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit", "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp", "YahooSeeker", "bingbot", "curl");

    // Case-insensitive substring match against the visitor's User-Agent header.
    if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        // Matching visitors get a bare 404 instead of the phishing page.
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
```

 

There are two main reasons to change your user agent when accessing an attack. The first is to avoid matching any user agent the site denies. Since fraudsters only want their victims to find the page, they block the ways of reaching it that a victim wouldn't use, such as search-engine crawlers and command-line clients.

The other reason is that some attacks are specifically crafted to be delivered by SMS and therefore opened with mobile user agents. It would not make sense to have desktop access, and likely those who would access them

 

3. Know which files to access

```php
function gass(){
    global $dirr , $index ;
    chdir($dirr);
    // Name of this script, relative to its own directory.
    $me = str_replace(dirname(__FILE__).'/','',__FILE__);
    $files = scandir($dirr) ;
    // Entries the kit's file browser refuses to show.
    $notallow = array(".htaccess","error_log","_vti_inf.html","_private","_vti_bin","_vti_cnf","_vti_log","_vti_pvt","_vti_txt","cgi-bin",".contactemail",".cpanel",".fantasticodata",".htpasswds",".lastlogin","access-logs","cpbackup-exclude-used-by-backup.conf",".cgi_auth",".disk_usage",".statspwd","..",".");
    // ... (the rest of the function is not reproduced in this post)
}
```


Here we have the list of files the kit restricts access to. While it looks like they have thought of everything, they have not, and this is where fuzzing comes in. If you're familiar with the phishing kit you'll probably know its folders and file structure by now. If you're not, use a fuzzer or vulnerability scanner to find those extra files. I recommend this one even though it's freemium, or there are plenty of scripts on GitHub that'll do the same thing.
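The two checks from steps 2 and 3 share one small HTTP helper, so here is a single added example that does both: it asks the same URL with several user agents and flags the site as cloaked when a browser is served but a crawler gets a 404, then checks a handful of candidate file names with a browser user agent. This is example code written for this post, not from the post itself or from any kit. The host name `phish.example.test`, the candidate file list and `fake_fetch` (a constructed stand-in that behaves like the PHP user-agent check quoted in step 2) are all assumptions, so the script runs offline; pass `fetch=http_fetch` to query a real host through the VPN or proxy from step 1.

```python
"""Added example (not the post's code or any kit's): compare how a suspected
phishing URL answers different User-Agent strings, then check a few candidate
kit files. fetch is injectable: fake_fetch below is a constructed stand-in that
behaves like the kit's PHP check, so everything runs offline; http_fetch talks
to a real host."""
import re
import urllib.error
import urllib.request

# Agents to compare: two the kit's deny list matches, one desktop browser and
# one mobile browser (the mobile one matters for lures delivered by SMS).
USER_AGENTS = {
    "curl": "curl/8.4.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1",
}

# Candidate files to look for; constructed for this example, not a kit signature.
CANDIDATE_PATHS = ["index.php", "login.php", "admin/", "result.txt", "config.php", "kit.zip"]


def http_fetch(url, user_agent, method="GET"):
    """Return the HTTP status code a real host gives for url with this User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# --- constructed stand-in for a kit host (mirrors the PHP snippet in step 2) ---
KIT_BLOCKED_AGENTS = ["Googlebot", "Slurp", "MSNBot", "PycURL", "facebookexternalhit",
                      "ia_archiver", "crawler", "Yandex", "Rambler", "Yahoo! Slurp",
                      "YahooSeeker", "bingbot", "curl"]
_KIT_BLOCK_RE = re.compile("|".join(re.escape(a) for a in KIT_BLOCKED_AGENTS), re.I)
FAKE_SITE_FILES = {"index.php", "login.php", "result.txt"}  # files the fake host has


def fake_fetch(url, user_agent, method="GET"):
    """Like the kit: matching agents get 404 everywhere; others get 200 for real files."""
    if _KIT_BLOCK_RE.search(user_agent):
        return 404
    return 200 if url.rsplit("/", 1)[-1] in FAKE_SITE_FILES else 404


def compare_user_agents(url, fetch=http_fetch, agents=USER_AGENTS):
    """Status code per agent label, e.g. {'curl': 404, 'mobile': 200}."""
    return {label: fetch(url, ua) for label, ua in agents.items()}


def looks_cloaked(results):
    """True when one agent was served a page and another was refused with a 4xx."""
    codes = set(results.values())
    return any(200 <= c < 300 for c in codes) and any(400 <= c < 500 for c in codes)


def find_reachable_paths(base_url, paths=CANDIDATE_PATHS, fetch=http_fetch,
                         user_agent=USER_AGENTS["mobile"]):
    """Candidate paths that answer anything other than 404 with a browser agent."""
    base = base_url.rstrip("/") + "/"
    return [p for p in paths if fetch(base + p, user_agent, method="HEAD") != 404]


if __name__ == "__main__":
    target = "http://phish.example.test"  # placeholder host, not a real site
    results = compare_user_agents(target + "/index.php", fetch=fake_fetch)
    print(results, "-> cloaked" if looks_cloaked(results) else "-> uniform")
    print("reachable:", find_reachable_paths(target, fetch=fake_fetch))
```

Against the fake host the curl and Googlebot agents get 404 while both browsers get 200, which is exactly the "inconsistently accessible" symptom from the intro; run the same comparison from two proxy countries to catch the geo-blocking from step 1 as well. `find_reachable_paths` defaults to the mobile agent so that an SMS-only kit is not mistaken for an offline one.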

4. Check for redirections

Phishing attacks frequently use URL shorteners to hide the phishy URL. There are two reasons to do this: 1) if you're trying to stop blue teams from finding you, you make the page load only when it is reached through its redirection URL and never share the phishing page's own URL; 2) if the redirection URL gets flagged or taken down, you can always just make new ones.

If the attack requires you to arrive through the redirection URL, I would recommend fuzzing the phishing page for insecure object references to load the attack.

If you want to check where a website goes without loading it yourself, or there are just a lot of redirects to keep track of, use Redirect Detective. Browserling is a browser emulator where you can switch user agents and see redirections.
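If you would rather trace a chain yourself than hand the URL to a third-party service, here is an added example (written for this post, not taken from it or from any tool it mentions) that follows HTTP redirects one hop at a time with a mobile user agent and records every hop without rendering the final page. The hop function is injectable: `FAKE_CHAIN` and `fake_hop` are a constructed shortener-to-tracker-to-kit chain so the script runs offline, and `http_hop` does a real HEAD request. All host names are placeholders.

```python
"""Added example (not the post's code): walk a redirect chain hop by hop,
recording (url, status, Location) for each step, without following anything
automatically and without loading the final page in a browser."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Mobile browser agent, since SMS-delivered lures may only redirect for phones.
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1")

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so each hop is reported to the caller."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_hop(url, user_agent):
    """One real request; returns (status, Location header or None).
    HEAD keeps the body off the wire; switch to GET if a host rejects HEAD."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent}, method="HEAD")
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


# Constructed chain for offline use: shortener -> tracker (relative Location) -> kit.
FAKE_CHAIN = {
    "https://short.example.test/abc": (301, "https://tracker.example.test/go?id=1"),
    "https://tracker.example.test/go?id=1": (302, "/landing"),
    "https://tracker.example.test/landing": (302, "https://phish.example.test/login.php"),
    "https://phish.example.test/login.php": (200, None),
}


def fake_hop(url, user_agent):
    """Stand-in for http_hop that answers from FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


def trace_redirects(url, user_agent=MOBILE_UA, hop=http_hop, max_hops=10):
    """Return [(url, status, location), ...] until a non-redirect answer.
    Stops early on a loop or after max_hops; if the last status is still a
    3xx the chain was cut off rather than finished."""
    chain, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:  # redirect loop
            break
        seen.add(current)
        status, location = hop(current, user_agent)
        chain.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # resolves relative Location headers
    return chain


def final_destination(chain):
    """URL of the last hop that was actually requested."""
    return chain[-1][0]


if __name__ == "__main__":
    for url, status, location in trace_redirects("https://short.example.test/abc", hop=fake_hop):
        print(f"{status}  {url}  -> {location or '(end)'}")
```

Only server-side redirects show up this way; a hop that redirects with a `<meta refresh>` tag or JavaScript looks like a plain 200 here, which is where a browser emulator such as Browserling still earns its keep. Each hostname in the chain (shortener, tracker, kit) is a separate blocking and takedown candidate, which is the reason to keep the whole list rather than just the final URL.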

 

 

 

 

