Recently, a colleague sent us a link to a paypal phishing site. After we had a look at the website, we started a “counter-attack”.
What is phishing?
So what does ‘phishing’ mean? It’s a kind of social-engineering attack in which the victim is tricked into divulging personal information (often login credentials, credit card data, and so on). Those sites often imitate the websites of big companies like PayPal, Google or eBay. The criminals buy similar-looking domains so that the URL looks similar to the original one. A common way to get victims to those malicious pages is to send a huge amount of spam mail. However, phishing can also be done using XSS attacks (e.g. injecting a new UI element that asks for the credentials, or changing the “action” attribute of a form).
The spam mail
The attackers decided to use the common method to spread their phishing page. We received the following (German) spam mail:
The email states that PayPal checks account activity as part of its security measures and that unusual activity has been noticed in your account. You’re told to log in to PayPal using the given link as soon as possible.
Despite the email’s poor orthography and missing complimentary close, it sounds “convincing” and you’re tempted to log in to your account right now. Inexperienced internet users (like your grandma) might well enter their login credentials on the phishing page…
Let’s continue with the phishing page. The attackers sent the following two URLs in their phishing email:
The first question that should come up in your mind is: why would PayPal use a third-party domain? OK, maybe that’s a new special marketing feature ;)
If you take a quick look at the middle/end of the URL, you’re tempted to read “https://www.paypal.de”. In fact, it says “https.//www.paypal.com” (notice the difference between ‘:’ and ‘.’).
At this point we can assume that the attackers either set up or compromised the domain/website “victorlipkin.com”. We informed the webmaster of this website about the probable compromise, but we haven’t received any response yet.
Using ‘curl’ or ‘wget’ we can safely view/download the website’s source code. Modern browsers like Google Chrome should display a warning that this page may contain malicious content and stop the redirection, but it takes Google some hours or days to add such a site to its database.
Otherwise we’ll be redirected to a new location:
This page was a good-looking clone of the PayPal login/registration page. It came with some slight modifications, like the need to enter your credit card details during the registration process. Usually PayPal asks for that data only after the registration is completed.
Again you should ask yourself:
- Why does PayPal serve a website without a domain (a bare IP address)?
- Why does it ask for credit card data during the registration process?
- Why is there no “green” SSL sign?
Nevertheless there are people who still think that this is a valid PayPal website :(
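To turn the checklist above and the “https.//” trick from the URL section into a mechanical check, here is an added Python example (not code from the original post) that parses a URL and reports the red flags discussed here: a non-HTTPS scheme, a bare IP host, the brand name appearing outside the registrable domain, and a fake “https.//” scheme fragment inside the path. The hosts and URLs used in it (compromised-host.example, 203.0.113.5, evil.example) are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Brand the phishing page imitates and the domains it legitimately lives on.
BRAND = "paypal"
LEGIT_DOMAINS = {"paypal.com", "paypal.de"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (good enough for .com/.de style domains)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url: str) -> list:
    """Return the red flags a URL shows, in a fixed order (empty = none found)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tail = (parts.path + "?" + parts.query).lower()   # everything after the host
    ip_host = is_ip_literal(host)
    legit_host = not ip_host and registrable_domain(host) in LEGIT_DOMAINS
    flags = []
    if parts.scheme != "https":
        flags.append("no_https")                        # no "green" SSL sign
    if ip_host:
        flags.append("ip_host")                         # "website without a domain"
    if not legit_host and (BRAND in host or BRAND in tail):
        flags.append("brand_outside_registrable_domain")  # paypal in path/subdomain only
    if "https.//" in tail or "http.//" in tail:
        flags.append("fake_scheme_in_path")             # the "https.//www.paypal.com" trick
    return flags


if __name__ == "__main__":
    # Constructed sample: third-party host with the lookalike fragment in the path.
    sample = "http://compromised-host.example/files/https.//www.paypal.com/de/login"
    print(phishing_indicators(sample))
```

The function is deliberately conservative about what it calls legitimate: only a name whose registrable domain is on the allow-list and that is served over HTTPS comes back with no flags.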
The attacker’s mistake
In our opinion, this is the funniest part of this story. The attacker forgot to disable directory listing on his server and thus allowed us to have a closer look:
We decided to download the ‘security.tgz’ file and extract it. There were three PHP files which were responsible for the phishing attack. The rest was used to re-create the PayPal design. This web application was designed to steal the victims’ login credentials and/or credit card data, store them in two separate text files, and also send them to a specific Gmail address.
The most interesting part looked like this:
Boom: the logfile was publicly accessible, so we downloaded a copy of it. After a quick look into the two logfiles we were shocked:
- ~ 35 people entered their credit card details
- ~ 337 people entered their login credentials
We thought that phishing would not be that profitable anymore, but this proved us wrong.
The attacker did not use a captcha or any rate limiting. That’s why we wrote a short Python script which submits some fake login details:
That script should flood the logfile and the attacker’s inbox. After some hours the attacker decided to remove his phishing page from the internet. Maybe he had noticed that something went “wrong” ;)
Emailing all victims
We thought it was our responsibility to inform the victims. In the end it took us some hours to notify all 300 victims (we removed duplicate entries first).
During the process, we saw some emails like firstname.lastname@example.org. Some companies need to review their security policies :(
About 10% of the victims replied to our information email and thanked us for the hint. Some of them said that they had noticed the phishing attack after one failed login attempt and had changed their password immediately. Others were quite surprised by the information.