Credential phishing kits target victims differently depending on location

There is a new attack vector in town – the customization of phishing kits. In a recent case uncovered by PhishMe Intelligence, a phishing kit was crafted to target residents of specific regions using either TrickBot or Locky.

Instead of determining what malware to deploy, this kit determined what personal information to collect from its victims. Because the United States was the first in online banking, phishers originally began targeting United States residents. As online banking becomes more prevalent around the world, targeting victims on a global landscape requires more customization of phishing scams and techniques to match local expectations.

Phishing in the wild: A deeper look

In October 2017, PhishMe Intelligence observed a phishing campaign that spoofed a PayPal login page. The email falsely informed the recipient of an account limitation and instructed the recipient to follow “3 easy steps” to remove the limitation. The kit also used AES encryption to encrypt the source code of the phishing page, which prevents crawlers and static scanners from viewing the source code. This presents a stealthy technique in evading detection by browsers and poses a major security risk for phishing victims.

Breaking down the details

When victims click the “Review Your Information” button, they are first required to enter the email address associated with the PayPal account, followed by the password. This information is submitted to the threat actors via email.

Because the source code of the landing page is encrypted, it becomes difficult to investigate how the kit functions and where stolen information goes once it is entered. This helps the phish to evade detection by traffic-inspecting boundary devices, such as next-generation firewalls and anti-virus solutions.

Each of the three PHP scripts referenced in Figure 1 plays a role in the source code encryption and credential exfiltration. The “checkbots.php” script is designed to determine the victim’s user agent and IP address. This allows the phish to identify and prevent access from certain IP addresses and servers, and instead, redirect those visitors to a 404-error page.

Location, location, location

Geolocation is also used in this phishing scam as threat actors determine the countries from which victims visit the page by retrieving each victim’s IP address. Figure 2 displays a snippet of source code used to accomplish this goal.

The script “mail.php” is used to send the victim’s information to the threat actors at the email address getright3533[@]gmail[.]com, shown in Figure 3. The misspelled comment, “Your Eamil Here” indicates this kit was intended for use by either numerous threat actors or in conjunction with various email addresses serving as exfiltration points for the stolen credentials.

The phish verifies the victim’s browser and location and compares it against a blacklist to determine whether the victim will progress to the next step in the scam or will be directed to a 404-error page. As some victims progress through the process, they are asked to enter billing and credit card information.

A further verification performed by this phish was a check for whether the card number entered by the victim is available on lookup.binlist.net. This is a public website that allows anyone to search for information about a valid Bank Identification Number (BIN), also known as an Issuer Identification Number (IIN)-the first six digits of a credit card that identifies the card issuer. When that number is entered, the site will return information such as brand, card number length, country, type of card (bank or debit), and bank-premium account information.

If the BIN value is not listed on BINlist, the threat actors collect the victim’s bank name, bank homepage, bank country, card type, card brand, and card scheme-an attempt to recreate the information that would have been retrieved from the BINlist website.

Oh wait, there is more

This phish took the scam one step further by spoofing the “Verified by Visa” fraud prevention measure. In Figure 4, PhishMe analysts were able to simulate a visit to this phish from a United States IP address. A victim from the United States is asked to submit the cardholder’s name, date of birth, card number, CVV/CVC number (a security element known as “3D secure value”), as well as what is likely meant to be the victim’s Social Security Number (mislabeled as “SNN”), and his or her mother’s maiden name, before proceeding to the next page. This indicates that threat actors were trying to collect as much Personally Identifiable Information (PII) as possible, which could enable those actors to compromise other personal accounts and sensitive private data.

The kit contained a list of regions located in North America, Australia, the United Kingdom, and parts of Europe. Each of these regions had a set of values that were to be exfiltrated by the threat actors based on the victim’s credit card information. Figure 5 displays the credentials needed from residents of the United Kingdom, United States, and Canada–although only the United States required a Social Security Number.

By identifying the country of origin for the IP address of the visitor, the threat actors can gain pointed insight into the country-specific information required by those actors. For example, victims in Cyprus are solicited for their tax number-a value that would be meaningless to victims elsewhere.

While each of the techniques presented by this credential phishing kit are not new, the kit does showcase the advantage threat actors have in customizing their own phishing kits by incorporating:

• Encryption in the browser
• Geolocation techniques
• Collection of various PII that supports narrower targeting.

This won’t be the last of credential phishing

Credential phishing poses a serious risk to enterprises and individuals. Not only can credential phishing scams easily impersonate another entity, but they can also lead to access to, and subsequent theft of, an organization’s private data.

As the threat landscape continues to evolve, so do the tactics, techniques, and procedures used by attackers. However, by empowering computer users to recognize and detect suspicious emails, they can avoid falling for a phishing scam. Actionable threat intelligence can help security professionals both understand the common methods used by threat actors and anticipate their attacks.