Phishing scam focuses on the basics to harvest business credentials

Criminals are using basic CSS and HTML to scam victims out of their credentials, and in some cases, their phone numbers too. The Phishing campaign is driven by an easily customized kit that uses blurred images as a lure.

The scam starts with an email prompting the victim to follow a link to view an invoice or purchase order. The emails themselves are cleanly coded, and use logos from legitimate organizations, such as HSBC.

If the link is clicked, the victim is directed to a landing page that uses basic images to make it appear as if the documents are real, but require authentication to view. The kit uses low-resolution images to give the appearance of a blurring, with just enough detail to make it look legitimate.

If a victim enters their email address and password, those credentials are collected and forwarded to the person running the campaign, along with their IP address and location (using geoplugin.net) details.

Afterwards, the victim is forwarded to a fake Google authentication portal, where a phone number is requested. If entered, their phone number is logged as well, and the victim is forwarded to a legit PDF file hosted by HSBC.

Word of this scam first came from a SANS ISC blog, which prompted Salted Hash to do some digging.

We discovered five different domains hosting the kit. The domains were legitimate websites, but running outdated versions of WordPress or Joomla. Of the five, four were still active with no warnings, but one domain was being flagged as harmful. Three additional domains in this campaign were reported to services such as VirusTotal, but they are all offline.

The criminals are likely using a shell script to download and unpack the Phishing kit, as each website had the original .zip file in an open directory. The kit uses basic JavaScript, CSS, PHP, and HTML; no fancy scripting or functions.

The campaign created by this Phishing kit is one that awareness training should resolve rather quickly. It uses easily observed markers that indicate a scam. For administrators, the good news is that the kit’s can be easily detected on a web server.

Some IOCs are included below.

Collection emails:

dedbad02 at gmail.com

paulm.petromin at gmail.com

frank.louis2017 at yandex.com

jamesdavid2016 at mail.ru

File paths:

/pdf-file/

/pdf/

/file/pdf-file/

Exploited directories:

/image/

/images/

/wp-includes/

/wp-content/

/sites/modules/

/themes/

Script names:

mailer.php

phone.html

phone.php

Use Method.txt (instruction document)

The images used will depend on the person running the Phishing scam. However, the active domains are all using the same basic invoice image with the name: xxx.png

The kit itself also includes BG2.png, which serves as the background image for the login form, and BG2333.png, which is a fake invoice.

There is an interesting script that’s been added to each of the compromised domains in the directory where the kit has been installed: imp.php

This script clones the kit and all related files, placing them into a new directory under a name generated by taking a random number, converting it into Base64, and hashing it. The script is triggered on access, but isn’t called by the Phishing kit itself. Between two websites, there were over 500 cloned directories created by this file.