From time to time, my friends will send me phishing attacks that they receive. Typically, it starts the same, an email or instant message asking them to go to some site and validate their credentials. If you are anything like myself, then you become curious to how sophisticated the attacker(s) is.
This attack started the same way, except instead of social media or email, it was a SMS asking a peer to validate their credentials to help “protect their account”.
Anyone with common sense will instantly notice that this is a crap shot by this attacker, that being said, later you will see that people still fall for it. Being asked to investigate, due to my friend thinking they submitted their information to it, I dug in.
First thing you notice when you check the domain registrar is that this domain name was just created (high probability it was created just for this attack). You will also note that it traces back to .ru.
Domain name: EBAISECURITI.COM Domain idn name: EBAISECURITI.COM Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registry Domain ID: Registrar WHOIS Server: whois.reg.com Registrar URL: https://www.reg.com/ Registrar URL: https://www.reg.ru/ Registrar URL: https://www.reg.ua/ Updated Date: 2018-02-01 Creation Date: 2018-02-01T04:32:23Z <--Red Flag Registrar Registration Expiration Date: 2019-02-01 Registrar: Registrar of domain names REG.RU LLC Registrar IANA ID: 1606 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +7.4955801111 Registry Registrant ID: Registrant ID: Registrant Name: Protection of Private Person Registrant Street: PO box 87, REG.RU Protection Service Registrant City: Moscow <-- Why would ebay be registered here Registrant State/Province: Registrant Postal Code: 123007 Registrant Country: RU Registrant Phone: +7.4955801111 Registrant Phone Ext: Registrant Fax: +7.4955801111 Registrant Fax Ext: Registrant Email: EBAISECURITI.COM@regprivate.ru Admin ID: Admin Name: Protection of Private Person Admin Street: PO box 87, REG.RU Protection Service Admin City: Moscow Admin State/Province: Admin Postal Code: 123007 Admin Country: RU Admin Phone: +7.4955801111 Admin Phone Ext: Admin Fax: +7.4955801111 Admin Fax Ext: Admin Email: EBAISECURITI.COM@regprivate.ru Tech ID: Tech Name: Protection of Private Person Tech Street: PO box 87, REG.RU Protection Service Tech City: Moscow Tech State/Province: Tech Postal Code: 123007 Tech Country: RU Tech Phone: +7.4955801111 Tech Phone Ext: Tech Fax: +7.4955801111 Tech Fax Ext: Tech Email: EBAISECURITI.COM@regprivate.ru Name Server: a.dnspod.com Name Server: b.dnspod.com DNSSEC: Unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2018.02.02T17:27:08Z <<<
Even though everyone reading this already knows at this point that it is malicious, I still kept investigating. After setting up my VPN connection and firing up my dummy box, I decided to check out the page myself.
Many red flags appear here:
- form POST unencrypted (that by itself should always be flagged)
- asked for credit card information
- at the end, it redirected me to ebay site (wasn’t even smart enough to pass my creds along so that it looked liked I logged in)
So what is next?
This is the sucky part, watching a robbery happen and not being able to stop it or call someone to stop it. You just get to watch them wave to you. Only thing you can do is try to understand how this happened and what the scope is.
NMAP results will show that this machine has two services running, WWW and SSH. Interesting enough, banner from SSH shows SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6 and HTTP comes back with nginx, but based on the input, they are virtually hosting more than a single site (reverse dns lookup did not yield much).
This appears to be actor procured environment as it does not have any other client related services or applications exposed.
Interesting enough, a simple nikto/dirb will yield many files in the root
dirb http://www.ebaisecuriti.com -X .txt,.html ----------------- DIRB v2.22 By The Dark Raver ----------------- URL_BASE: http://www.ebaisecuriti.com/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt EXTENSIONS_LIST: (.txt,.html) | (.txt)(.html) [NUM = 2] ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://www.ebaisecuriti.com/ ---- + http://www.ebaisecuriti.com/.hta.txt (CODE:403|SIZE:210) + http://www.ebaisecuriti.com/.hta.html (CODE:403|SIZE:211) + http://www.ebaisecuriti.com/.htaccess.txt (CODE:403|SIZE:215) + http://www.ebaisecuriti.com/.htaccess.html (CODE:403|SIZE:216) + http://www.ebaisecuriti.com/.htpasswd.txt (CODE:403|SIZE:215) + http://www.ebaisecuriti.com/.htpasswd.html (CODE:403|SIZE:216) + http://www.ebaisecuriti.com/cgi-bin/.html (CODE:403|SIZE:215) + http://www.ebaisecuriti.com/db.txt (CODE:200|SIZE:21410) + http://www.ebaisecuriti.com/index.html (CODE:200|SIZE:7443) + http://www.ebaisecuriti.com/robots.txt (CODE:200|SIZE:65)
Interesting enough, this attacker decided that no one would find their dump. Analyzing the attacker, they log on semi frequently to flush this file. Checking this file, there appears to be a collective ~2000 lines, looking mostly legit. Below is a sample only showing the non legit entries.
18.104.22.168:test:test:name:name :kkk:8979897:987897:98/79:877:ihiuh 22.214.171.124:Df:df:Dd:Xd:Xx:Xx:Xxx:22/12:Dd:Dd
We legally cannot stop them, so now what?
Yup, I guess this is where the hat you wear determines your next course of action. A simple python script can be used to pull email addresses out of the db.txt file and email the impacted users. Hopefully, they will immediately change their credentials.
Also uploading bogus data at a high frequency will cause the attackers disk to fill up quickly and render the next writes from happening, or so they say.
Finally, putting this information out there can entice other more aggressive good people to take the next steps.
There were many signs that could have been used to prevent this attack. Web browsers should alert on newly registered domains. Browsers should also alert anytime a form POST is happening through an unencrypted protocol (HTTP). Finally, you have the “User” piece, which should have seen that ebay was incorrectly spelled, legit companies will never ask you to verify yourself by specifying your credentials and credit card information. So the onus is on the user, but the browsers need to do a better job vetting out the low sophisticated attacks.