Criminals are using basic CSS and HTML to scam victims out of their credentials and, in some cases, their phone numbers too. The phishing campaign is driven by an easily customized kit that uses blurred images as a lure.
The scam starts with an email prompting the victim to follow a link to view an invoice or purchase order. The emails themselves are cleanly coded, and use logos from legitimate organizations, such as HSBC.
If the link is clicked, the victim is directed to a landing page that uses basic images to make it appear as if the documents are real but require authentication to view. The kit uses low-resolution images to give the appearance of blurring, with just enough detail to make it look legitimate.
If a victim enters their email address and password, those credentials are collected and forwarded to the person running the campaign, along with the victim's IP address and location details (obtained using geoplugin.net).
Afterwards, the victim is forwarded to a fake Google authentication portal, where a phone number is requested. If entered, their phone number is logged as well, and the victim is forwarded to a legit PDF file hosted by HSBC.
Word of this scam first came from a SANS ISC blog, which prompted Salted Hash to do some digging.
We discovered five different domains hosting the kit. The domains were legitimate websites, but running outdated versions of WordPress or Joomla. Of the five, four were still active with no warnings, but one domain was being flagged as harmful. Three additional domains in this campaign were reported to services such as VirusTotal, but they are all offline.
The campaign created by this phishing kit is one that awareness training should resolve rather quickly. It uses easily observed markers that indicate a scam. For administrators, the good news is that the kit can be easily detected on a web server.
Some IOCs are included below.
dedbad02 at gmail.com
paulm.petromin at gmail.com
frank.louis2017 at yandex.com
jamesdavid2016 at mail.ru
Use Method.txt (instruction document)
The images used will depend on the person running the phishing scam. However, the active domains are all using the same basic invoice image with the name: xxx.png
The kit itself also includes BG2.png, which serves as the background image for the login form, and BG2333.png, which is a fake invoice.
There is an interesting script that's been added to each of the compromised domains in the directory where the kit has been installed:
This script clones the kit and all related files, placing them into a new directory under a name generated by taking a random number, converting it into Base64, and hashing it. The script is triggered on access, but isn't called by the phishing kit itself. Between two websites, there were over 500 cloned directories created by this file.
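One way an administrator could sweep a web root for the markers described above, the kit's file names and the hash-named clone directories. This is an added example, not code from the kit or from the original article; the hex-digest pattern for clone directory names, the thresholds and the demo tree are assumptions.

```python
import hashlib
import os
import re
import sys
import tempfile

# File names the article lists as shipped with the kit (compared case-insensitively).
KIT_FILES = {"use method.txt", "bg2.png", "bg2333.png", "xxx.png"}
# Assumption: clone directory names are hex digests (MD5, SHA-1 or SHA-256 length).
HASH_DIR = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def scan_webroot(root, min_files=2, min_clones=3):
    """Return (kit_dirs, clone_parents): dirs with kit files, dirs full of hash-named clones."""
    kit_dirs, clone_parents = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        hits = KIT_FILES & {name.lower() for name in filenames}
        if len(hits) >= min_files:  # one matching name alone is too weak a signal
            kit_dirs.append((dirpath, sorted(hits)))
        clones = sum(1 for d in dirnames if HASH_DIR.match(d))
        if clones >= min_clones:
            clone_parents[dirpath] = clones
    return sorted(kit_dirs), clone_parents


def build_demo_tree(base):
    """Constructed sample tree: one kit directory, three clones, one benign directory."""
    kit = os.path.join(base, "site", "invoice")
    clones = [os.path.join(kit, hashlib.sha256(str(i).encode()).hexdigest())
              for i in range(3)]
    layout = {kit: ["Use Method.txt", "BG2.png", "BG2333.png"],
              os.path.join(base, "site", "images"): ["BG2.png"]}
    layout.update({c: ["BG2.png", "BG2333.png"] for c in clones})
    for directory, names in layout.items():
        os.makedirs(directory, exist_ok=True)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree(tempfile.mkdtemp())
    kit_dirs, clone_parents = scan_webroot(root)
    for path, hits in kit_dirs:
        print("kit files:", path, hits)
    for path, count in clone_parents.items():
        print("hash-named clone directories:", path, count)
```

Run it with the web root as the only argument; with no argument it scans the constructed demo tree.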