Hexbyte – Tech News – Ars Technica |
It’s Friday, August 3, and I have hooked a live one. Using StreamingPhish, a tool that identifies potential phishing sites by mining data on newly registered certificates, I’ve spotted an Apple phishing site before it’s even ready for victims. Conveniently, the operator has even left a Web shell wide open for me to watch him at work.
The site’s fully qualified domain name is appleld.apple.0a2.com, and there’s another registered at the same domain—appleld.applle.0a2.com. As I download the phishing kit, I take a look at the site access logs from within the shell. Evidently, I’ve caught the site just a few hours after the certificate was registered.
As I poke around, I find other phishing sites on the same server in other directories. One targets French users of the telecommunications company Orange; others have more generic names intended to disguise them as part of a seemingly legitimate URL, such as Secrty-ID.com-Logine-1.0a2.com. Others still are spam blogs filled with affiliate links to e-commerce sites.
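The naming tricks above (a brand name in a subdomain of an unrelated registered domain, a doubled-letter lookalike such as "applle", and ".com-" embedded mid-name so the hostname reads like a legitimate URL) are exactly what a certificate-stream tool can score on. The following is an added example, not code from the article or from StreamingPhish itself: a small heuristic scorer over a constructed feed of newly issued names; the brand list, lure words, weights and threshold are assumptions chosen for illustration.

```python
"""Heuristic triage of newly issued certificate names for brand impersonation.
Added example, not StreamingPhish's own code: brands, lure words, weights and the
threshold are assumptions chosen to illustrate the idea; the sample feed below is
constructed from names in the article plus benign ones."""
import re
BRANDS = {"apple", "paypal", "netflix", "instagram", "orange"}
# Registered domains that legitimately carry a brand name (assumed allow list).
BRAND_DOMAINS = {"apple.com", "paypal.com", "netflix.com", "instagram.com", "orange.fr"}
LURE_WORDS = {"login", "logine", "secure", "secrty", "id", "account", "verify", "update"}
THRESHOLD = 3  # assumed: scores at or above this go to an analyst

def squash(token: str) -> str:
    """Collapse repeated letters so 'applle' and 'apple' compare equal."""
    return re.sub(r"(.)\1+", r"\1", token)

def registered_domain(fqdn: str) -> str:
    """Last two labels; adequate for the .com/.fr names used here (no PSL lookup)."""
    return ".".join(fqdn.split(".")[-2:])

def score(fqdn: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one certificate subject or SAN name."""
    fqdn = fqdn.lower().strip(".")
    if registered_domain(fqdn) in BRAND_DOMAINS:
        return 0, []  # the brand's own domain is not impersonation
    labels = fqdn.split(".")[:-1]  # every label left of the TLD
    total, reasons = 0, []
    for label in labels:
        for tok in filter(None, re.split(r"[-_]", label)):
            brand = next((b for b in BRANDS if b in tok or squash(tok) == squash(b)), None)
            if brand:  # brand keyword or doubled-letter lookalike on a foreign domain
                total, reasons = total + 3, reasons + [f"token '{tok}' matches brand '{brand}'"]
            if tok in LURE_WORDS:
                total, reasons = total + 1, reasons + [f"lure word '{tok}'"]
            if tok == "com":  # a TLD embedded mid-name to fake a legitimate URL
                total, reasons = total + 2, reasons + ["'com' embedded inside a label"]
    if sum(label.count("-") for label in labels) >= 2:
        total, reasons = total + 1, reasons + ["two or more hyphens"]
    return total, reasons

def triage(feed: list[str]) -> dict[str, tuple[int, list[str]]]:
    """Score every name in a feed, keeping only those at or above THRESHOLD."""
    return {n: r for n in feed if (r := score(n))[0] >= THRESHOLD}
# Constructed sample feed: three names from the article plus benign traffic.
SAMPLE_FEED = ["appleld.apple.0a2.com", "appleld.applle.0a2.com",
               "Secrty-ID.com-Logine-1.0a2.com", "www.apple.com",
               "login.microsoftonline.com", "shop.example.org"]

if __name__ == "__main__":
    for name, (s, why) in triage(SAMPLE_FEED).items():
        print(f"{s:2d}  {name}  <- {'; '.join(why)}")
```

Running it flags only the three article names; the real brand domain scores zero and a single lure word such as "login" stays below the threshold, which is the trade-off any such scorer has to tune against its own false-positive budget.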
I check the access log again. The phisher has come back, logged in from an IP address in Morocco. He’s unzipped the phishing kit. I send a heads up to the hosting company, SingleHop, with screenshots of the phishing page. I report the site to Google Safe Browsing and check one more time to see if I’ve missed anything.
The phisher notices something suspicious in his access logs. His site now up and running, he’s deleted his shell—but not one on another subdomain. I consider going back in, but my work here is done anyway.
During the two hours I spent investigating this Apple phish, another 1,678 suspicious sites have popped up—spoofing brands including Apple, PayPal, Netflix, Instagram, and Bank of America. It will be nearly two days before SingleHop responds about the initial Apple one: “We were in touch with the management of the allegedly abused server, and after discussion the reported problem is claimed to be resolved.”
That sort of interaction can’t scale very well, but phishing seems to only be growing in its popularity. So if I learned anything from my StreamingPhish-time on the frontlines of this new digital war, it’s this: if we’re going to make a dent in these phishes, we’re going to need a bigger boat—one with a whole lot more machine learning-based automation.
Anatomy of a modern phish
The modern phishing economy is like that of a gold rush. There are lots of small players streaming in with little or no prior skill after word spread about big heists. These minnows enrich larger predatory outfitters selling kits and infrastructure. Elsewhere, there are bottom-feeders that steal other people’s kits or create cut-and-pasted kits full of sloppy code, and many of those barely work—though it can be just enough to fool the most credulous among us. But at the top of the food chain, there are a few professional operations that either produce increasingly sophisticated kits for sale or use them for their own more targeted purposes.
Unskilled phishers either just drop kits on hacked WordPress sites or—if they’re more ambitious—on low-rent virtual private servers configured with cPanel, which makes managing phishing domains a totally point-and-click affair. Many kits that have already been tried and are now “burned” (essentially ones that endpoint protection companies have catalogued as threats) are available by the truckload in packs costing as little as $10.