
Ph'ing Phishers

Slide deck that was used for Ph'ing Phishers talk given at Thotcon 2017 and CircleCityCon 2017.

  1. PH’ING PHISHERS JAE CIRCLECITYCON2017
  2. THIS GUY IS LAME ONLY A LITTLE BIT
     ▸ Sig writer / Malware Researcher for Emerging Threats
     ▸ Suricata signature development for OISF
     ▸ Strong focus on credphish
     ▸ Not much ET coverage of credphish a year ago
     ▸ Significantly better now
     ▸ Credphish still garbage, still a challenge
  3. OR STAY HERE FOR MORE GOONIES & PHISH TL;DW
     ▸ I automated some credphish analysis
     ▸ https://github.com/hadojae/DATA
     ▸ BUCKLEGRIPPER
     ▸ SLICKSHOES
     ▸ BULLYBLINDER
  4. 1 HR IS BETTER THAN 2 HRS AGENDA
     ▸ Source Acquisition
     ▸ Timestamps
     ▸ Credphish Analysis
     ▸ Automation
     ▸ Obfuscations
     ▸ SIGS
  5. FREE ON SCAM SITES AKA BACKDOORED
  6. UPLOAD MY KIT FOLLOW THE README PLEAZE
     ▸ unzip it locally
     ▸ edit the email
     ▸ zip it up
     ▸ upload to server
     ▸ unzip
     ▸ ready
  7. PLZ NEVER DELETE THE ZIP FILES GUISE TKS BUCKLEGRIPPER - INTRO
     ▸ There is a ~5% chance that someone has left an archive lying around on a live phishing URL.
     ▸ This isn’t a small number, let’s automate retrieval
     ▸ 2 main methods that I use looking for phishing source
     ▸ Opendirs
     ▸ Append .zip to every folder and request (dumb, yes)
     ▸ For http://www.ophidianaspects.com/warlock/void/nova.php
     ▸ http://www.ophidianaspects.com/warlock/void.zip
     ▸ http://www.ophidianaspects.com/warlock.zip
  8. FIRST SCRIPT BUCKLEGRIPPER - EXTRAS
     ▸ Also let’s search for rar/txt in the opendirs
     ▸ Log observed php files, sometimes shells/mailers/etc
     ▸ Also let’s make sure we get screenshots
     ▸ Also let’s do some fuzzy hashing on the screencaps to try and determine known phishing domains
     ▸ convert image to black and white
     ▸ shrink it down
     ▸ ssdeep and compare
     ▸ This isn’t a great way to do TP/FP - but it’s something
  9. DEMO, BUCKLEGRIPPER
  10. [+] Processing http://ammanchamber.com.ng/acc14/adbb/ad/index.html
      [+] Screencapped http://ammanchamber.com.ng/acc14/adbb/ad/index.html as 20170427-155006-bucklegripper-ammanchamber.com.ng.png
      [+] Found Opendir at http://ammanchamber.com.ng/acc14/
      [+] Saved http://ammanchamber.com.ng/acc14/adbb123..zip as 20170427-155007-bucklegripper-ammanchamber.com.ng-adbb123..zip
      [+] Found Opendir at http://ammanchamber.com.ng/
      [+] Saved http://ammanchamber.com.ng/68BD8AC1A32B3F118EBC0FD0EDBE535F.txt as 20170427-155007-bucklegripper-ammanchamber.com.ng-68BD8AC1A32B3F118EBC0FD0EDBE535F.txt
  11. [+] Processing http://www.asociacioncar.com/uploads/banqpop/
      [+] Screencapped http://www.asociacioncar.com/uploads/banqpop/ as 20170427-155317-bucklegripper-www.asociacioncar.com.png
      [+] Found Zip file at http://www.asociacioncar.com/uploads/banqpop.zip
      [+] Saved http://www.asociacioncar.com/uploads/banqpop.zip as 20170427-155319-bucklegripper-www.asociacioncar.com-banqpop.zip
  12. OH SNAP IMA MAKE A BUCKLEGRIPPER TWITTER BOT AND GET INTERNET FAMOUZ
      ▸ Don’t be that guy/girl
      ▸ There are far more fun things to do
      ▸ There are plenty of free sites that we fight to shut down for these jerks already
      ▸ They don’t need another source
      ▸ Happy to provide my feed of acquired phish kit archives for non-commercial purposes - hit me up
      ▸ Usually about 150-300 unique kits per day
  13. SOME KITS JUST A USUAL DAY
  14. WELL IF YOU’RE NOT GETTING INTERNET FAMOUZ WHAT ARE YOU DOING WITH ALL THESE
      ▸ Writing Sigs
      ▸ Encodings / Backend PHP
      ▸ Metadata and Timestamps
      ▸ Reporting
      ▸ Archiving metadata for trending
  15. THIS BETTER NOT BE A FING VENDOR PITCH WRITING SIGS FROM PHISH KIT SOURCE
  16. OK COOL WRITING SIGS FROM PHISH KIT SOURCE Terrible UA/IP blocklist
  17. WRITING SIGS FROM PHISH KIT SOURCE Get a random num Terrible UA/IP blocklist
  18. WRITING SIGS FROM PHISH KIT SOURCE Get a random num MD5 Terrible UA/IP blocklist
  19. WRITING SIGS FROM PHISH KIT SOURCE Get a random num MD5 Copy the contents of a folder to the new folder Terrible UA/IP blocklist
  20. WRITING SIGS FROM PHISH KIT SOURCE Get a random num MD5 Copy the contents of a folder to the new folder Redir the browser to the newly created folder Terrible UA/IP blocklist
  21. WRITING SIGS FROM PHISH KIT SOURCE
  22. WRITING SIGS FROM PHISH KIT SOURCE This is weird bruh
  23. WRITING SIGS FROM PHISH KIT SOURCE
      ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 9"; flow:to_client,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|location|3a 20|"; fast_pattern; http_header; content:"|0d 0a|location|3a 20|"; pcre:"/^[a-f0-9]{32}\x0d\x0a/Rmi"; classtype:trojan-activity; sid:1000000; rev:2;)
  24. WRITING SIGS FROM PHISH KIT SOURCE Seems legit
  25. WRITING SIGS FROM PHISH KIT SOURCE Seems legit Where’s $to set? hum.
  26. WRITING SIGS FROM PHISH KIT SOURCE Seems legit Where’s $to set? hum. Backups are important
  27. WRITING SIGS FROM PHISH KIT SOURCE Seems legit Where’s $to set? hum. Backups are important Redir the browser
  28. WRITING SIGS FROM PHISH KIT SOURCE POST Body
  29. WRITING SIGS FROM PHISH KIT SOURCE 302 POST Body
  30. WRITING SIGS FROM PHISH KIT SOURCE Legitimate Page 302 POST Body
  31. YEA WRITING SIGS FROM PHISH KIT SOURCE
      ▸ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish (set) Feb 26"; flow:to_server,established; content:"POST"; http_method; content:"email"; nocase; http_client_body; content:"pass"; nocase; http_client_body; distance:0; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:trojan-activity; sid:1000001; rev:6;)
  32. HOLY CRAP MY EYES IT BURNS WTF WRITING SIGS FROM PHISH KIT SOURCE
      ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Location|3a 20|http"; nocase; fast_pattern; http_header; content:"Location|3a 20|http"; nocase; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|[bp]s)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.(?:be|nl))|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; classtype:trojan-activity; sid:1000002; rev:9;)
  33. THATS BETTER WRITING SIGS FROM PHISH KIT SOURCE
      ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Location|3a 20|http"; nocase; fast_pattern; http_header; content:"Location|3a 20|http"; nocase; pcre:"/[LOTS OF WEBSITES]/Ri"; classtype:trojan-activity; sid:1000002; rev:9;)
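The two-stage logic behind the flowbit pair on slides 31-33, plus the md5-folder redirect check from slide 23, re-implemented over a constructed HTTP exchange so the set/isset pairing is visible. This is an added Python example, not Suricata or ET code; the brand list is a short constructed subset of the deck's alternation.

```python
import re
from urllib.parse import urlsplit

# Added example, not ET or Suricata code: the ET.genericphish flowbit pair and
# the 32-hex-folder redirect check, run over raw HTTP messages. BRANDS is a
# constructed subset of the domain alternation in the deck's pcre.
BRANDS = ("paypal.com", "dropbox.com", "outlook.com", "amazon.com")
HEX32_RE = re.compile(r"^[a-f0-9]{32}$", re.I)   # slide 23: "Location: <md5 folder>\r\n"


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def redirects_to_brand(location):
    """True when the Location host is one of the brand domains or a subdomain of one."""
    host = (urlsplit(location).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in BRANDS)


def inspect_flow(messages):
    """messages: [(direction, raw_http), ...] in wire order. Returns alert strings."""
    alerts = []
    genericphish = False   # stands in for flowbits:set / flowbits:isset ET.genericphish
    for direction, raw in messages:
        start, hdrs, body = parse_http(raw)
        parts = start.split(" ", 2)
        if direction == "to_server" and parts[0] == "POST":
            # sid 1000001: "email" then "pass" in the client body (distance:0 = ordered); noalert
            low = body.lower()
            at = low.find("email")
            if at != -1 and low.find("pass", at) != -1:
                genericphish = True
        elif direction == "to_client" and len(parts) > 1 and parts[1] == "302" \
                and hdrs.get("content-type", "").startswith("text/html"):
            loc = hdrs.get("location", "")
            if HEX32_RE.match(loc):                         # sid 1000000
                alerts.append("Possible Phishing Redirect: " + loc)
            if genericphish and redirects_to_brand(loc):    # sid 1000002
                alerts.append("Possible Successful Generic Phish: " + loc)
    return alerts


# Constructed exchange: kit redirects into its md5-named folder, victim posts
# credentials, kit bounces the browser to the real brand site.
SAMPLE_FLOW = [
    ("to_client", "HTTP/1.1 302 Found\r\nContent-Type: text/html\r\n"
                  "Location: 0123456789abcdef0123456789abcdef\r\n\r\n"),
    ("to_server", "POST /0123456789abcdef0123456789abcdef/login.php HTTP/1.1\r\n"
                  "Host: phish.example.invalid\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "email=victim%40example.invalid&pass=hunter2&submit=Log+In"),
    ("to_client", "HTTP/1.1 302 Found\r\nContent-Type: text/html\r\n"
                  "Location: https://www.paypal.com/signin\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in inspect_flow(SAMPLE_FLOW):
        print(alert)
```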
  34. WATCH HIM MENTION THE WHITEPAPER THAT NO ONE HAS EVER READ FINDING ENCODINGS
      ▸ Page encodings - Bypassing mechanisms for avoiding detection by encoding / obscuring the page content.
      ▸ AES (implemented in Javascript) <- Most Common (also dumb)
      ▸ Stupid Data URI <- Common
      ▸ Javascript Unescape Encodings <- Also Common
      ▸ Base64 (variations) <- Also Common
      ▸ XOR
      ▸ Custom Stuff
      ▸ https://www.proofpoint.com/sites/default/files/proofpoint-obfuscation-techniques-phishing-attacks-threat-insight-en-v1.pdf
  35. WE SHOULD TWEET ABOUT THIS! NESTED BASE64 DATA URI
  36. THIS IS NOT A NEW TACTIC. YOU DON’T NEED TO TWEET ABOUT IT. NESTED BASE64 DATA URI
  37. NESTED BASE64 DATA URI
  38. JUST BECAUSE YOU HAVEN’T SEEN IT BEFORE NESTED BASE64 DATA URI + EDWARDS PACKER
  39. NESTED BASE64 DATA URI + EDWARDS PACKER + IFRAME DOESN’T MEAN IT’S NEW
  40. NESTED BASE64 DATA URI + EDWARDS PACKER + IFRAME K
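An added Python example (not code from the DATA repo) that peels the nested wrappers slides 34-40 describe, base64 data URIs and JavaScript unescape() strings, until the plain credential form underneath is exposed; the sample page is constructed and the wrapper-detection regexes are assumptions.

```python
import base64
import re
from urllib.parse import quote, unquote

# Added example, not the deck's code: unwrap the nested obfuscation layers the
# deck lists (base64 text/html data URIs, JS unescape() wrappers) one at a time.
DATA_URI_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)", re.I)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)


def peel_layer(text):
    """Return the content hidden by the outermost decodable wrapper, or None if there is none."""
    m = DATA_URI_RE.search(text)
    if m:
        b64 = m.group(1)
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
    m = UNESCAPE_RE.search(text)
    if m:
        return unquote(m.group(2))   # JS unescape() is %xx decoding
    return None


def unwrap(page, max_layers=10):
    """Peel wrappers until plain HTML remains. Returns (html, layers_peeled)."""
    current = page
    for layers in range(max_layers):
        inner = peel_layer(current)
        if inner is None:
            return current, layers
        current = inner
    return current, max_layers


def has_cred_form(page):
    """Crude check for the email/password POST form a credphish landing carries."""
    low = page.lower()
    return 'method="post"' in low and "email" in low and "pass" in low


# Constructed sample: a login form wrapped three times (innermost listed first).
INNER_FORM = ('<form method="POST" action="login.php">'
              '<input name="email"><input name="pass"></form>')
LAYER1 = '<iframe src="data:text/html;base64,%s"></iframe>' % base64.b64encode(INNER_FORM.encode()).decode()
LAYER2 = '<script>document.write(unescape("%s"))</script>' % quote(LAYER1, safe="")
SAMPLE_PAGE = ('<html><body><script>location="data:text/html;base64,%s"</script></body></html>'
               % base64.b64encode(LAYER2.encode()).decode())

if __name__ == "__main__":
    final_html, n = unwrap(SAMPLE_PAGE)
    print("peeled %d layers; credential form present: %s" % (n, has_cred_form(final_html)))
```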
  41. NICE LITTLE SCARY ALERT
  42. THAT’S A BEGINNER/INTERMEDIATE CREDPHISH OBFUSCATION JQUERY EMAIL / PASSWORD FORM
  43. CUSTOM AKA INTERESTING - SECTION 1
  44. CUSTOM AKA INTERESTING - SECTION 1 DECODED
  45. CUSTOM AKA SEMI-INTERESTING - SECTION 2
  46. CUSTOM AKA SEMI-INTERESTING - SECTION 3
  47. CUSTOM AKA SEMI-INTERESTING - SECTION 3
  48. CUSTOM AKA SEMI-INTERESTING
  49. CUSTOM AKA SEMI-INTERESTING
  50. ZIP FILE TIMESTAMPS
      ▸ Timestamps of individual files and folders are preserved within zip files
      ▸ In standard operation :)
      ▸ We can use this to determine two things:
      ▸ Deployment Age
      ▸ Subtract newest .html/.htm/.php from current date
      ▸ Relative Age
      ▸ Subtract newest .html/.htm/.php from oldest .html/.htm/.php
  51. ZIP FILE TIMESTAMPS
      ▸ Archives with HIGH Relative Age and LOW Deployment Age
      ▸ This is probably an old kit that someone is redeploying
  52. ZIP FILE TIMESTAMPS
      ▸ Archives with HIGH Relative Age and LOW Deployment Age
      ▸ This is probably an old kit that someone is redeploying
      ▸ Archives with LOW Relative Age and HIGH Deployment Age
      ▸ Looks like this is old and all the files were modified around the same time
  53. ZIP FILE TIMESTAMPS
      ▸ Archives with HIGH Relative Age and LOW Deployment Age
      ▸ This is probably an old kit that someone is redeploying
      ▸ Archives with LOW Relative Age and HIGH Deployment Age
      ▸ Looks like this is old and all the files were modified around the same time
      ▸ Archives with HIGH Relative Age and HIGH Deployment Age
      ▸ The least interesting…this is old all around
  54. ZIP FILE TIMESTAMPS
      ▸ Archives with HIGH Relative Age and LOW Deployment Age
      ▸ This is probably an old kit that someone is redeploying
      ▸ Archives with LOW Relative Age and HIGH Deployment Age
      ▸ Looks like this is old and all the files were modified around the same time
      ▸ Archives with HIGH Relative Age and HIGH Deployment Age
      ▸ The least interesting…this is old all around
      ▸ Archives with LOW Relative Age and LOW Deployment Age
      ▸ INTERESTING!
  55. OLD TEMPLATE CITY HIGH RELATIVE / LOW DEPLOYMENT
  56. THIS COULD BE WORTH A GLANCE, SEE IF IT’S ANYTHING NEW LOW RELATIVE / LOW DEPLOYMENT
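The two ages slide 50 defines and the four buckets of slide 54, as an added Python example (not the DATA repo's code): it reads the per-entry timestamps a zip preserves, computes deployment and relative age, and classifies the archive. The 30-day HIGH/LOW threshold, the "current date" and the sample file names and dates are assumptions.

```python
import io
import zipfile
from datetime import datetime

# Added example, not the DATA repo's code: derive slide 50's two ages from the
# per-file timestamps a kit archive preserves and sort archives into slide 54's
# four buckets. Threshold, NOW and the sample entries are constructed assumptions.
PAGE_EXTS = (".html", ".htm", ".php")
NOW = datetime(2017, 4, 27)   # constructed "current date" for the sample run


def page_mtimes(zip_bytes):
    """Modification times of the .html/.htm/.php entries (the kit's actual pages)."""
    times = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(PAGE_EXTS):
                times.append(datetime(*info.date_time))
    return times


def kit_ages(zip_bytes, now=NOW):
    """(deployment_days, relative_days): now - newest page, newest page - oldest page."""
    times = page_mtimes(zip_bytes)
    if not times:
        return None   # no pages at all: nothing to date
    newest, oldest = max(times), min(times)
    return (now - newest).days, (newest - oldest).days


def classify(deployment_days, relative_days, threshold_days=30):
    """Slide 54's buckets; HIGH/LOW is relative to the assumed threshold."""
    high_dep = deployment_days > threshold_days
    high_rel = relative_days > threshold_days
    if high_rel and not high_dep:
        return "old kit being redeployed"
    if high_dep and not high_rel:
        return "old, all files modified around the same time"
    if high_dep and high_rel:
        return "old all around"
    return "INTERESTING: fresh kit"


def make_sample_zip(entries):
    """Build an in-memory zip with explicit per-file timestamps (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, when in entries:
            info = zipfile.ZipInfo(name, date_time=when.timetuple()[:6])
            zf.writestr(info, b"<?php /* kit file */ ?>")
    return buf.getvalue()


SAMPLE_ZIP = make_sample_zip([
    ("kit/index.php", datetime(2015, 3, 2, 10, 0, 0)),
    ("kit/login.html", datetime(2017, 4, 20, 9, 30, 0)),
    ("kit/logo.png", datetime(2010, 1, 1, 0, 0, 0)),   # not a page, ignored
])

if __name__ == "__main__":
    dep, rel = kit_ages(SAMPLE_ZIP)
    print("deployment age %d days, relative age %d days -> %s" % (dep, rel, classify(dep, rel)))
```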
  57. PDF ANALYSIS
      ▸ Feel like I come across these most often
      ▸ VT / Hybrid Analysis
      ▸ Super common submissions
      ▸ Can be annoying to have to open them and find the URL
      ▸ /URL or /Javascript (in the clear)
      ▸ Streams (not in the clear)
      ▸ Dumb little script to dump out all the urls
  58. DEMO, SLICKSHOES
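An added Python example of the URL-dumping idea from slide 57 (not the deck's SLICKSHOES script): it pulls URLs both from in-the-clear /URI and /JavaScript objects and from FlateDecode streams after inflating them. The minimal PDF it runs against is constructed inline.

```python
import re
import zlib

# Added example, not the deck's SLICKSHOES script: dump URLs from a PDF, in the
# clear and inside inflated FlateDecode streams. The sample PDF is constructed.
URL_RE = re.compile(rb"https?://[^\s)>\"'<]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf):
    """Yield each stream body, decompressed when it is valid zlib data, raw otherwise."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body   # not FlateDecode (or damaged): scan it as-is


def extract_urls(pdf):
    """Unique URLs in first-seen order: clear text first, then inflated stream contents."""
    found = []
    for blob in [pdf] + list(inflate_streams(pdf)):
        for url in URL_RE.findall(blob):
            text = url.decode("latin-1")
            if text not in found:
                found.append(text)
    return found


def build_sample_pdf():
    """Constructed minimal PDF: a clear /URI action plus JavaScript hidden in a deflated stream."""
    js = b"app.launchURL('http://phish.example.invalid/doc/view.php', true);"
    packed = zlib.compress(js)
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Action /S /URI /URI (http://phish.example.invalid/clear/) >> endobj\n")
    obj2 = (b"2 0 obj << /S /JavaScript /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n")
    return head + obj2 + packed + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for url in extract_urls(build_sample_pdf()):
        print(url)
```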
  59. TKS MICROSOFT DON’T YOU, FORGET ABOUT DOCS
  60. TKS MICROSOFT DON’T YOU, FORGET ABOUT DOCS
  61. TKS MICROSOFT DON’T YOU, FORGET ABOUT DOCS
  62. CREDPHISH ANALYSIS
  63. HOW YOU KNOW WHAT YOU DON’T KNOW THE RESEARCHER / SOC ANALYST PERSPECTIVE
      ▸ How do you analyze cred phish?
      ▸ 1. Find phish url
      ▸ 2. Start up wireshark
      ▸ 3. Visit landing
      ▸ 4. Enter in fake information (I hope this kit isn’t checking for a valid account...) - paypal
      ▸ 5. Click
      ▸ 6. Enter in fake information (I hope you are using a luhn validated CC number...) - js validation
  64. HOW YOU KNOW WHAT YOU DON’T KNOW THE RESEARCHER / SOC ANALYST PERSPECTIVE
      ▸ 7. Click
      ▸ 8. Enter in fake information (I hope you know what UK zipcodes are formatted in...) - js validation
      ▸ 9. Click
      ▸ 10. Stop wireshark
      ▸ 11. Review pcap
      ▸ 12. Check for any ZIPs or opendirs
      ▸ 13. Look for any similarities on your network
      ▸ 14. GOTO 1
  65. YEA THAT’S LAME GETS OLD REAL FAST
      ▸ Did this probably 50x a day when starting out
      ▸ Not sustainable
      ▸ Wrote a lot of signatures
      ▸ Wrote a LOT of signatures
      ▸ Once I started hitting duplicates, it became unbearable
  66. 'AUTOMATING' COMES FROM THE ROOTS 'AUTO-' MEANING 'SELF-', AND 'MATING', MEANING 'SCREWING'. XKCD.COM/1319
  67. GETTING TO THE GOOD STUFF BULLYBLINDER
      ▸ Automate that whole 14 step process
      ▸ Semi-Intelligent Form Filling
      ▸ Handle Cookies / Redirects / Refreshes / JS
      ▸ Mechanize/Selenium/Python
      ▸ Works best on HTTP POST credphish
      ▸ Firefox
      ▸ If it makes life harder for scammers, then cool
  68. GETTING TO THE GOOD STUFF BULLYBLINDER - FAKER
      ▸ https://github.com/joke2k/faker
      ▸ Awesome lib for generating fake data
      ▸ Based on the content of the form data observed by mechanize, we can somewhat guess at what they are expecting
      ▸ We can use faker to gen fake data
      ▸ name, email, phone number, CC, address, etc…
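The "semi-intelligent form filling" of slides 63-68 as an added Python example: guess what each observed field expects from its name and generate a plausible value, including Luhn-valid card numbers since slide 63 notes kits validate them client-side. This is not the deck's BULLYBLINDER code and uses a small stand-in instead of the faker library; the field-name heuristics and the sample field list are assumptions.

```python
import random
import re

# Added example, not BULLYBLINDER and not the faker library: map observed form
# field names to generated values. Heuristics and sample fields are assumptions.
FIRST = ["Alex", "Sam", "Jordan", "Casey"]
LAST = ["Rivera", "Okafor", "Nguyen", "Schmidt"]
DIGITS = "0123456789"


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)   # rightmost digit of partial is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Standard Luhn validation of a digit string (what kit-side JS checks)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def fake_card_number(rng, prefix="4", length=16):
    body = prefix + "".join(rng.choice(DIGITS) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


# (field-name pattern, generator); checked in order, first match wins.
FIELD_RULES = [
    (re.compile(r"mail|user|login", re.I),
     lambda r: ("%s.%s@example.invalid" % (r.choice(FIRST), r.choice(LAST))).lower()),
    (re.compile(r"pass|pwd", re.I),
     lambda r: "".join(r.choice("abcdefghjkmnpqrstuvwxyz23456789") for _ in range(10))),
    (re.compile(r"cvv|cvc|csc", re.I), lambda r: "%03d" % r.randrange(1000)),
    (re.compile(r"exp", re.I), lambda r: "%02d/%d" % (r.randrange(1, 13), r.randrange(2018, 2023))),
    (re.compile(r"phone|tel|mobile", re.I), lambda r: "555-%04d" % r.randrange(10000)),
    (re.compile(r"zip|post", re.I), lambda r: "%05d" % r.randrange(100000)),
    (re.compile(r"name", re.I), lambda r: "%s %s" % (r.choice(FIRST), r.choice(LAST))),
    (re.compile(r"card|ccnum|cc_?number", re.I), fake_card_number),
]


def fill_form(field_names, seed=0):
    """Map each form field name to a generated value; unrecognised fields get 'n/a'."""
    rng = random.Random(seed)   # seeded so a run is reproducible
    values = {}
    for name in field_names:
        for pattern, gen in FIELD_RULES:
            if pattern.search(name):
                values[name] = gen(rng)
                break
        else:
            values[name] = "n/a"
    return values


if __name__ == "__main__":
    # Constructed field list of the kind mechanize would report for a card-phish form
    print(fill_form(["email", "password", "cardholder_name", "ccnum", "exp_date", "cvv", "zip"]))
```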
  69. DEMO, BULLYBLINDER
  70. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  71. EX1 - COMMON MULTI-EMAIL PROVIDER GDOC PHISH
  72. EX1 - COMMON MULTI-EMAIL PROVIDER GDOC PHISH
  73. EX1 - COMMON MULTI-EMAIL PROVIDER GDOC PHISH
  74. EX1 - BULLYBLINDER OUTPUT
  75. EX1 - WIRESHARK - LANDING GET REQUEST
  76. EX1 - WIRESHARK - HTTP POST CREDENTIAL LOSS
  77. EX2 - COMMON DROPBOX MULTI-EMAIL PHISH
  78. EX2 - COMMON DROPBOX MULTI-EMAIL PHISH
  79. EX2 - COMMON DROPBOX MULTI-EMAIL PHISH
  80. EX2 - BULLYBLINDER OUTPUT
  81. EX2 - WIRESHARK PHISH REDIR
  82. EX2 - WIRESHARK REDIR AND PHISH LANDING
  83. EX2 - WIRESHARK YAHOO POPUP
  84. EX2 - WIRESHARK HTTP POST
  85. EX3 - APPLE PHISHING LANDING
  86. EX3 - APPLE PHISHING FORM
  87. EX3 - APPLE PHISHING SECONDARY LANDING
  88. EX3 - APPLE PHISHING JS AES ENCRYPTION
  89. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  90. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  91. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  92. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  93. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  94. IT’S JUST FORM FILLING HOW HARD COULD IT BE?
  95. IT’S JUST FORM FILLING HOW HARD COULD IT BE? BULLYBLINDER - CHALLENGES (REDIR/REFRESH/OBFUSCATION)
      ▸ popupwnd
      ▸ ameli.fr refresh (and similar)
      ▸ JS timeout redir
      ▸ JS top.location redir
      ▸ JS window.location.href redir
      ▸ byethost AES redir
      ▸ base64 data uri refresh
      ▸ example.com redir
      ▸ javascript unescape
      ▸ JS AES encoding
      ▸ b64 frame source refresh
      ▸ select your email provider
      ▸ generic iframe
      ▸ bit.ly / twitter / cloudflare
  96. BULLYBLINDER - CHALLENGES (JQUERY / AJAX / GET)
      ▸ Script basically expects there to be a POST form
      ▸ This is ~98% of the Credphish that I process
      ▸ Sometimes more than one POST
      ▸ Blacklist form elements (control/id)
      ▸ There are a lot of reasons that we may not find a form
      ▸ Currently not a great way to throw more CPU at it at the scale I’m processing - though I have ideas
  97. BULLYBLINDER - CHALLENGES (PHISHER COUNTERMEASURES)
      ▸ UA Blocklist
      ▸ Sometimes this helps, easy to get around
      ▸ IP Blocklist
      ▸ Just don’t be on the blocklist, be creative :)
      ▸ Mobile UA
      ▸ I don’t have anything in place for this other than manual runs w/ fake UA
      ▸ GeoLoc
      ▸ Have lots of exit points, if known, we can assign templates to particular exits
  98. BULLYBLINDER - CHALLENGES (PHISHER ERROR)
      ▸ Broken forms
      ▸ Might confuse selenium/mechanize
      ▸ Dead pages
      ▸ Misconfigs
      ▸ Bad redirects
      ▸ Pages that don’t exist
      ▸ Infinite loops
  99. BULLYBLINDER - PRECAUTIONS
      ▸ No reason a smart scammer can’t put an EK/exploit on the phish landing
      ▸ Use a VM
      ▸ Don’t use your work/home/personal IP space
      ▸ Don’t be a doofus.
  100. DO ACTUAL THINGS WITH THIS DATA WRITING ET IDS CREDPHISH SIGS
       ▸ I write three main categories of signatures for credphish
       ▸ Redirectors / Obfuscation (Low Priority) - COVERED
       ▸ Landing (Low Priority)
       ▸ Successful Credential Theft (High Priority)
       ▸ Generics - COVERED
       ▸ Domains
       ▸ HTTP POST Contents
       ▸ Subsequent Landings
       ▸ Flowbit Sigs - COVERED
  101. WRITING ET IDS CREDPHISH SIGS - LANDING
  102. WRITING ET IDS CREDPHISH SIGS - LANDING
  103. WRITING ET IDS CREDPHISH SIGS - LANDING
       ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern:33,20; classtype:trojan-activity; sid:1000004; rev:2;)
  104. WRITING ET IDS CREDPHISH SIGS - LANDING
  105. WRITING ET IDS CREDPHISH SIGS - LANDING
  106. WRITING ET IDS CREDPHISH SIGS - LANDING
       ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern:7,20; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:trojan-activity; sid:1000005; rev:2;)
  107. WRITING ET IDS CREDPHISH SIGS - SUCCESSFUL THEFT VIA POST
  108. WRITING ET IDS CREDPHISH SIGS - SUCCESSFUL THEFT VIA POST
  109. WRITING ET IDS CREDPHISH SIGS - SUCCESSFUL THEFT VIA POST
       ▸ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful TeamIPwned Phish Aug 30 2016"; flow:to_server,established; content:"POST"; http_method; content:"hellion.php"; nocase; http_uri; fast_pattern; content:"pass"; nocase; http_client_body; classtype:trojan-activity; sid:1000006; rev:2;)
  110. WRITING ET IDS CREDPHISH SIGS - SUCCESSFUL THEFT VIA POST
       ▸ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"&email="; nocase; http_uri; distance:0; content:"curl="; depth:5; nocase; http_client_body; content:"&flags="; nocase; distance:0; http_client_body; content:"&forcedownlevel="; nocase; distance:0; http_client_body; content:"&formdir="; nocase; distance:0; http_client_body; content:"&trusted="; nocase; distance:0; http_client_body; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&SubmitCreds="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:1000007; rev:2;)
  111. WRITING ET IDS CREDPHISH SIGS - FREE HOSTER DOMAINS
  112. WRITING ET IDS CREDPHISH SIGS - FREE HOSTER DOMAINS
  113. WRITING ET IDS CREDPHISH SIGS - FREE HOSTER DOMAINS
       ▸ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; content:"POST"; http_method; content:"username"; nocase; http_client_body; fast_pattern; content:"pass"; nocase; http_client_body; distance:0; pcre:"/Host\x3a\x20[^\r\n]+\.(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)\r\n/Hmi"; classtype:trojan-activity; sid:1000008; rev:2;)
  114. WRITING ET IDS CREDPHISH SIGS - SUBSEQUENT LANDINGS
  115. WRITING ET IDS CREDPHISH SIGS - SUBSEQUENT LANDINGS
  116. WRITING ET IDS CREDPHISH SIGS - SUBSEQUENT LANDINGS
  117. WRITING ET IDS CREDPHISH SIGS - SUBSEQUENT LANDINGS
       ▸ alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful OWA Phish Apr 25 2017"; flow:from_server,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; distance:0; classtype:trojan-activity; sid:1000009; rev:1;)
  118. JAE@EMERGINGTHREATS.NET QA / TKS
