In addition to an interesting malware attack, last week’s spam honeypots prompted this post on something new I’ve been seeing in some phishing attacks: rather than just drop a phishing page onto a hacked site, the Bad Guys drop a self-contained form-generating kit, and use that to generate the page.
Here’s what the phishy e-mail looked like:
BTW, for anyone who’s wondering, that is NOT my IP address in the e-mail, nor that of the honeypot account’s server, so I assume it’s a random one. I don’t run anything in the “.500” range… 😉
Here is where the bogus PayPal link actually takes you: a hacked German adult-content site, now hosting a nice-looking form (notice that I didn’t say “official-looking”, because it doesn’t really look much like a PayPal page, does it?):
Out of curiosity, I checked to see if the actual Form Generator interface was publicly available. It was:
(I thought briefly about designing my own custom phishing form, but decided that would probably be breaking some sort of law in Germany if I saved a page to someone else’s Web server without permission. Not that the phisherman cared.)
The obvious attraction of a kit like this for the Bad Guy is that it lets him easily set up a form; the downside is that the generated forms aren’t as realistic as a hand-built phishing page would be. (It couldn’t just be that this is a phisherman who doesn’t know enough HTML to do his own forms, could it?)
Also of note is that I wasn’t able to find any immediate evidence that this phishing operation is part of one of our known malware networks. But that’s why we still have humans involved in WebPulse; we can’t automate everything, and not all of the Bad Guys run large operations… (Although even for small-scale attacks, we can usually leverage the WebPulse logs and database to scan for “sibling sites” in the attack, and I did find one other hacked site — a Dutch one this time — that appeared to be part of this attack.)
–C.L.