Please note that some of the links listed below are, or have historically been, hosting phishing and/or other suspicious behaviour. Treat them with caution and, if you are uncertain, just look at the pictures.
Have you ever wondered what goes on behind the scenes of a phishing attack? What does the infrastructure look like and what does the economy of the market look like?
Here, I will scratch the surface of the answers to some of these questions.
The story of today begins a few weeks ago when a client of NTT Security reached out asking for assistance to analyse an ongoing email phishing campaign towards the company. In the initial conversation, the customer supplied example emails, the files that were attached to the emails and a web link to what they believed was most relevant to the case.
The emails turned out to be quite uninteresting – they followed a technique that has recently become common: referencing an invoice and encouraging the user to open an attached .zip archive.
The .zip archive that was sent to our client contained a .pdf file named similarly to the .zip archive. When opened, it displayed a notice that the file was secured. To view its contents, the user would have to click on a button called "open" and "verify" their email.
In reality, the button led the user to a fake Office365 login page the attacker had created on the domain stylewithandy[.]com. On this fake login page, the attacker had substituted the normal Office365 pictures with pictures from our client's webpage to make the phishing attempt more trustworthy. At the time the client contacted us, the specific webpage targeting our client was offline.
However, when we started looking more closely into this domain, we noticed that directory listing was enabled for the directory "http://stylewithandy[.]com/wp-admin/user/important/", and it contained two items: a folder named "docusign" and a .zip file.
Inside the docusign folder were multiple generic, still ongoing phishing pages targeting, among others, users of Facebook, LinkedIn and Google.
While it was an interesting turn of events that there were other still ongoing phishing attacks on the same domain, it did not tell us much about the attacker. Instead, we turned our attention towards the .zip file located in the parent directory that we previously identified. In this file, we found the source code used to create the webpages in the docusign folder.
Among other things, the source code identifies what is done with the information a victim enters into the login box.
In the Outlook365 and LinkedIn source code, the instructions were to forward the captured information to the email address "firstname.lastname@example.org" and, in the Yahoo version, to "email@example.com". It is important to note that it is unclear whether this is the case for the active websites or whether the data in the zip archive is a template that was edited before being deployed to the live environment.
During our analysis of the .zip file, we also found references to the following email addresses: firstname.lastname@example.org and email@example.com, as well as a webpage: fudpage[.]com.
Visiting the domain fudpage[.]com, it appears to be a webpage that offers different types of tailored/bulk phishing attacks, malware hosting etc. We found fake login pages for most large banks and online retailers.
Fudpages also has a YouTube channel with instructional videos on how to use its services: https://www.youtube.com/channel/UCt6OM5-Tzsh_83guFgTNuWw
Now, to tie our new findings to the possible organisers behind this domain and the phishing campaign against our client, we need to go back to the PDF. Fudpage[.]com is a domain registered in Karachi, Pakistan. Karachi is in the UTC+05:00 time zone.
The metadata in the PDF tells us the file was created on a machine set to time zone UTC+05:30.
<xmp:CreateDate>2017-10-05T12:33:43+05:30</xmp:CreateDate>
<xmp:CreatorTool>Microsoft® Word 2016</xmp:CreatorTool>
<xmp:ModifyDate>2017-10-05T12:40:59+05:30</xmp:ModifyDate>
<xmp:MetadataDate>2017-10-05T12:40:59+05:30</xmp:MetadataDate>
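The time-zone pivot above can be automated for any PDF attachment: the script below is an added example (not part of the original investigation) that pulls the XMP date fields out of raw PDF bytes, checks that they all carry the same UTC offset, and normalises them to UTC so they can be compared with mail headers and web server logs. The embedded PDF fragment is constructed from the fields quoted above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the XMP fields quoted in the post, wrapped as they would
# appear inside the raw bytes of a PDF (a real file carries much more around them).
SAMPLE_PDF_BYTES = b"""%PDF-1.7
<?xpacket begin="" ?>
<xmp:CreateDate>2017-10-05T12:33:43+05:30</xmp:CreateDate>
<xmp:CreatorTool>Microsoft\xc2\xae Word 2016</xmp:CreatorTool>
<xmp:ModifyDate>2017-10-05T12:40:59+05:30</xmp:ModifyDate>
<xmp:MetadataDate>2017-10-05T12:40:59+05:30</xmp:MetadataDate>
<?xpacket end="w"?>
"""

XMP_DATE_FIELDS = ("xmp:CreateDate", "xmp:ModifyDate", "xmp:MetadataDate")


def extract_xmp_dates(pdf_bytes: bytes) -> dict:
    """Return {field: aware datetime} for the XMP date fields found in the bytes.
    Values without a UTC offset are skipped: they give nothing to pivot on."""
    text = pdf_bytes.decode("utf-8", errors="replace")
    found = {}
    for field in XMP_DATE_FIELDS:
        m = re.search(rf"<{field}>([^<]+)</{field}>", text)
        if not m:
            continue
        try:
            dt = datetime.fromisoformat(m.group(1).strip())  # handles "+05:30"
        except ValueError:
            continue  # malformed or non-ISO date string; ignore it
        if dt.tzinfo is not None:
            found[field] = dt
    return found


def fmt_offset(minutes: int) -> str:
    sign = "+" if minutes >= 0 else "-"
    return f"UTC{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


def timezone_summary(dates: dict) -> dict:
    """Summarise the author's machine offset and the UTC-normalised timestamps.
    One consistent offset is the useful pivot; mixed offsets suggest the file
    was touched on differently configured machines or had its metadata edited."""
    offsets = {n: int(dt.utcoffset().total_seconds() // 60) for n, dt in dates.items()}
    distinct = sorted(set(offsets.values()))
    return {
        "offsets_minutes": offsets,
        "consistent": len(distinct) == 1,
        "utc_offset": fmt_offset(distinct[0]) if len(distinct) == 1 else None,
        "utc_times": {n: dt.astimezone(timezone.utc).isoformat() for n, dt in dates.items()},
    }
```

Running `timezone_summary(extract_xmp_dates(open(path, "rb").read()))` on the actual attachment gives the same report for any suspicious PDF.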
Now, if we look further into the whois data and Google "firstname.lastname@example.org", we pretty soon find that this email address has been used to register a number of domains under the name "Madih-ullah Riaz", all with the location Karachi, Pakistan. Madih-ullah Riaz is also named by investigative journalist Brian Krebs as a member of the "Manipulators Team", a phishing gang that has been active since at least 2015: https://krebsonsecurity.com/2015/05/phishing-gang-is-audacious-manipulator/#more-31017
In the end, we concluded that someone, most likely using the phishing service at fudpage[.]com, launched a phishing attack against our client. The files were hosted on a separate domain that likely had nothing to do with our client or the attackers, and we added both external domains plus all the domains registered by the "Manipulators Team" to our watchlist.