Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Phishing is still one of the most relentless and quickly evolving online threats facing today’s businesses.
At RiskIQ, we process tons of web-related threat data, including phishing incidents. From various sources, we receive URLs which may be indicative of phishing, examine the pages with our web-crawling infrastructure, which experiences them as a real user would, and feed the data it collects through our machine-learning technology to classify each detected phishing page appropriately.
Phishing pages’ infrastructure usually takes two forms: self-maintained custom infrastructure and abused or compromised infrastructure belonging to someone else. Below is an instance of a phishing page for email involving the latter. It’s somewhat generic, but an excellent example of something commonly leveled against businesses:
Fig-1 Phishing page
Looking through some sources online, I dug up some additional instances of this phishing kit:
As you can see, there seems to be a theme in the names of these phish examples, with each URL containing ‘sendmail.’ Also, each phish appears very similar in their design.
At RiskIQ, when we explore these pages, we first check if the host is compromised (the majority are) and if so, find where the compromise happened. There are some obvious ones, of course, such as when there’s a ‘/wp-admin/‘ path in the URL, which indicates it’s likely a WordPress instance. In the phish above, when removing the trailing filename ‘index2.htm,’ from its URL, some of the hosts reveal the structure of the phishing kit:
Fig-2 Phishing kit structure
There are three files—index2.htm, sub.php, and rop.php—for which we can find a reference to ‘rop.php’ in the crawl linked at the beginning of this report. The source of the phishing page shows that it sends its stolen credentials to this script via a POST request:
Fig-3 Script to which stolen credentials are sent as captured by RiskIQ Crawlers
This leaves us with sub.php from which we have no idea of its functionality. Digging through more instances of this phishing kit, we found another directory index, only this time the live instance of the phishing kit was gone—however, the actor left his install!
Fig-4 Phishing kit install
We can pull down the disruptive.zip file and take a look; it contains all three files we found in the directory listing above. Let’s take a look at rop.php‘s source code:
Fig-5 Source code
We can see the general method of credential exfiltration, used in the majority of phishing kits, send out an email with the credentials. We find the criminal’s exfiltration email address, email@example.com. We can also see the usage of sub.php where a user is redirected after the credentials are emailed out and which contains the following:
This script redirects victims to a specific page on the Microsoft Windows website. Digging through more of instances of this phishing kit we found another case where a zip file was left:
Fig-7 Phish kit structure containing a zip file
In this one, we also saw an email address in rop.php which had some interesting ties to our data. The email address we uncovered was firstname.lastname@example.org, which you can find in PassiveTotal’s WHOIS search linked to one single domain:
Fig-8 WHOIS for email@example.com
The website itself has had quite a few IP resolutions but currently isn’t functional. What is interesting is that the domain name closely matches a Florida based law firm named ‘McClean Law Group’ and their domain, mccleanlawgroup.com. We haven’t found anything linking these two websites other than their name, nor do we have any insight into what the website looked like if it was ever a working site at all—something to keep an eye on.
Knowing your Risk
RiskIQ provides access to our unique phishing detection capabilities with our External Threats product line. Knowing your phishing risk is only half the battle; our product line offers real-time monitoring and web enforcement capabilities. Protect your assets with RiskIQ’s industry-leading security intelligence.
Tomorrow: RiskIQ's @joshuamayfield sits down with @forrester's @josh_zelonis to discuss what goes into a next-gen vulnerability management program, and why discovering unknowns is where it all starts: https://t.co/kCxgPVJ1sD
What are the keys to a Modern Vulnerability Risk Management Program? On Tuesday, @joshuamayfield and @josh_zelonis will examine why defending your organization's digital attack surface starts with being able to discover unknowns and investigate threats: https://t.co/kCxgPW0Ckb
IGNITE is just 10 days away! RSVP now to kick off #RSAC and party with Flashpoint, @elastic, @ThreatQuotient, @Siemplify, and @RiskIQ: https://t.co/hnlh0UhHEo
The largest UK #GDPR fine was £183m in 2018 as B.A. booking website was hit by Magecart ccard skimming code. @RiskIQ worked with https://t.co/E3JRdvCMWA and Shadowserver to take down the malicious domains. https://t.co/iiH69vbKFK