The Latest in IT Security

Form-based Phishing

23
Sep
2011

In addition to an interesting malware attack, last week’s spam honeypots prompted this post on something new I’ve been seeing in some phishing attacks: rather than just drop a phishing page onto a hacked site, the Bad Guys drop a self-contained form-generating kit, and use that to generate the page.

Here’s what the phishy e-mail looked like:

screenshot of phishing e-mail

BTW, for anyone who’s wondering, that is NOT my IP address in the e-mail, nor that of the honeypot account’s server, so I assume it’s a random one. I don’t run anything in the “.500” range… 😉

Here is where the bogus PayPal link actually takes you: a hacked German adult-content site, now hosting a nice-looking form (notice that I didn’t say “official-looking”, because it doesn’t really look much like a PayPal page, does it?):

screenshot of phishing site

Out of curiosity, I checked to see if the actual Form Generator interface was publicly available. It was:

screenshot of formgen page

(I thought briefly about designing my own custom phishing form, but decided that would probably be breaking some sort of law in Germany if I saved a page to someone else’s Web server without permission. Not that the phisherman cared.)

The obvious attraction of a kit like this for the Bad Guy is that it lets him easily set up a form; the downside is that the generated forms aren’t as realistic as a hand-built phishing page would be. (It couldn’t just be that is is a phisherman who doesn’t know enough HTML to do his own forms, could it?)

Also of note is that I wasn’t able to find any immediate evidence that this phishing operation is part of one of our known malware networks. But that’s why we still have humans involved in WebPulse; we can’t automate everything, and not all of the Bad Guys run large operations… (Although even for small-scale attacks, we can usually leverage the WebPulse logs and database to scan for “sibling sites” in the attack, and I did find one other hacked site — a Dutch one this time — that appeared to be part of this attack.)

–C.L.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments