New Level of Phishing: Cloudflare + Protonmail + Unvalidated Redirects - Young Phisher Pack
Phishing is still the most popular and most successful type of attack. It is simple: what gets attacked is not software, servers or networks, but the most vulnerable component of any information system, the users. I often encounter phishing attacks, both sporadic ones aimed at individual addresses and mass campaigns. In most cases these are ineptly composed letters and clumsy phishing pages. Until recently, most of these attacks were thwarted at the user level: the emails were either ignored immediately (since the signs of phishing were very obvious) or, in the worst case, forwarded to support with the question "is it safe to enter my password on this page?" Of course, some users still fell for them, but as a percentage it was really minimal. But literally last week I faced a phishing attack whose level surprised me. I did a little analysis and found out exactly how it was organized and what tools were used.
I hope this will not look like instructions for preparing phishing attacks; in fact, the purpose of the article is to describe a specific case from practice. I will also share the results of a small analysis of the attackers' actions.
Phishing page
I will not follow the chronological sequence (as already mentioned, this is not a how-to), and I will start with what surprised me the most, namely the fake page to which the victims of the attack were directed. The page was an exact copy of the victim's ADFS page. In addition to the visual similarity, the page was on a domain of the same level, and the URL differed by only one letter: the real address of the ADFS portal was https://login.contoso.ch/, and the address of the phishing page was https://login.contoso.cf/ (hereinafter the company name is replaced by contoso). And yes, the protocol was the same: the phishing page used SSL with a full-fledged certificate from COMODO! Without Extended Validation, of course, but Chrome nevertheless displayed the address in "green".
"Investigation"
How so? Such careless "hackers"! Second-level domains and COMODO certificates are not given to just anyone; they will be easy to track down! Or so it seemed at first glance ...
Domain
A Google search showed that .cf domains are handed out for free. In this case it is not the price that matters, but the ability to obtain a domain without leaving any traces in the form of a credit card (or other payment method). That is, an ordinary throwaway email address is more than enough. One of the registrars, Freenom, in addition to .cf also offers .tk, .ml and .ga. The only inconvenience: when registering, some free email providers (mail.ru, yandex.ru, yahoo.com) cannot be used, but with most other addresses it is possible to register a domain.
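The two observations above (a phishing host one letter away from the real portal, and a registrar that gives away .cf/.tk/.ml/.ga) translate directly into a detection rule. The following is an added example, not code from the original post: it takes a set of protected domains and classifies each observed domain (the kind of list a mail gateway or a Certificate Transparency feed produces) as legitimate, a TLD swap, within one edit of a protected name, or unrelated, and notes when a look-alike sits on one of the free TLDs the post names. The protected domains are the post's contoso placeholders; the OBSERVED list is constructed for the example.

```python
"""Look-alike domain triage (added example, not from the original post)."""
from typing import List, Tuple

PROTECTED = {"login.contoso.ch", "contoso.ch"}     # the post's placeholder domains
FREE_TLDS = {"cf", "tk", "ml", "ga"}               # free TLDs named in the post

# Constructed sample of domains "seen" in mail or CT logs.
OBSERVED = [
    "login.contoso.ch", "login.contoso.cf", "login.contoso.tk",
    "login.c0ntoso.ch", "loginn.contoso.ch", "contoso.ml", "example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain: str) -> Tuple[str, str]:
    """Return (verdict, closest protected domain) for one observed domain."""
    d = domain.lower().rstrip(".")
    if d in PROTECTED:
        return "legitimate", d
    closest = min(sorted(PROTECTED), key=lambda p: levenshtein(d, p))
    d_labels, p_labels = d.split("."), closest.split(".")
    if d_labels[:-1] == p_labels[:-1] and d_labels[-1] != p_labels[-1]:
        return "tld-swap", closest          # same name, different TLD (login.contoso.cf)
    if levenshtein(d, closest) <= 1:
        return "one-edit", closest          # typo-squat or homoglyph-style change
    return "unrelated", closest


def triage(observed: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Rows of (domain, verdict, closest protected domain, on a free TLD?)."""
    rows = []
    for dom in observed:
        verdict, closest = classify(dom)
        on_free_tld = dom.lower().rstrip(".").rsplit(".", 1)[-1] in FREE_TLDS
        rows.append((dom, verdict, closest, on_free_tld))
    return rows


def suspicious(observed: List[str]) -> List[str]:
    """Domains worth blocking or investigating: any look-alike, free TLD or not."""
    return [d for d, v, _, _ in triage(observed) if v in ("tld-swap", "one-edit")]


if __name__ == "__main__":
    for dom, verdict, closest, free in triage(OBSERVED):
        flag = " (free TLD)" if free and verdict != "legitimate" else ""
        print(f"{dom:20} {verdict:11} closest={closest}{flag}")
```

A TLD swap is reported separately from a generic one-edit match because it is exactly the pattern in this incident and is cheap to act on: the legitimate domain's name on any other TLD can simply be blocked at the mail gateway and proxy, while one-edit matches usually need a human look.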
Email
We could not find out which mail address our phisher used to register the domain, because the whois server returned the following message: "Due to restrictions in [] Privacy Statement personal information about the user of the domain name cannot be released". However, it can be assumed that it was protonmail, since the phishing messages themselves were sent via this service. This is not surprising, since protonmail accounts can be registered completely anonymously, and even if the appropriate authorities are brought into an investigation, getting protonmail to cooperate is not so easy, as practice shows.
SSL certificate and hosting
Before this case, we naively believed that it was impossible to set up a web server with a valid SSL certificate from COMODO without leaving any traces. As it turned out, this is not the case. In our case, the attackers used Cloudflare. A brief look at the features of the free Cloudflare plan revealed a treasure trove of phishing opportunities:
- Completely anonymous registration. An email address (from the same protonmail) is more than enough. Theoretically, they can find out from which IP address the registration / login was made, but I am more than sure that our attackers could easily hide their real address.
- Free certificate from COMODO. Not only is it free, but it is also issued in a few minutes without any additional verification.
- Hiding the real IP address of the web server. All traffic goes through Cloudflare (this is primarily a CDN service).
- SSL offloading. The real web server can run over plain HTTP, while with Cloudflare all traffic to the client goes over SSL. This matters because free HTTP hosting is easy to find, whereas hosting with SSL support has to be paid for (leaving traces).
And one more fact: with rare exceptions, CAs do not sign certificates for .ga, .cf and .tk domains. Here (even if you are not a phisher) Cloudflare solves the problem: through them the certificate is issued without any trouble.
Unvalidated Redirects Serving Phishing
Now comes the fun part. The phishing email, which was itself a masterpiece of social engineering, naturally contained a link, but not to the phishing page. The link pointed to the company's own website, to a page with an Unvalidated Redirects vulnerability. This may have been one of the reasons the letter passed all anti-spam filters: the letter to user@contoso.ch contained a single link, http://contoso.ch/vulnerable.php?url=https://login.contoso.cf/
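To make the redirect flaw concrete, here is an added example (not code from the original post or the affected company's site) that mirrors the behaviour described above, a page that redirects to whatever its `url` parameter says, beside a hardened replacement that only follows same-site relative paths or absolute https URLs to an explicit allowlist of hosts. The host names are the post's contoso placeholders; ALLOWED_HOSTS and FALLBACK are assumptions.

```python
"""Open-redirect handling for a ?url= parameter (added example, not from the post)."""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"contoso.ch", "www.contoso.ch", "login.contoso.ch"}  # assumption
FALLBACK = "/"  # where to send the user when the target is rejected (assumption)


def url_param(request_url: str) -> Optional[str]:
    """Extract the raw ``url`` query parameter, or None if it is absent."""
    values = parse_qs(urlsplit(request_url).query).get("url")
    return values[0] if values else None


def redirect_target_vulnerable(request_url: str) -> Optional[str]:
    """What the vulnerable page did: the parameter goes straight into Location."""
    return url_param(request_url)


def is_safe_target(target: str) -> bool:
    """Accept only same-site relative paths or https URLs to allowlisted hosts."""
    if "\\" in target or "\r" in target or "\n" in target:
        return False  # browsers treat '\' like '/'; CR/LF would split the header
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: must start with a single '/' ("//host" is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: exact host match, so login.contoso.cf or user@host tricks fail.
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def redirect_target_safe(request_url: str) -> str:
    """Hardened version: the validated target, or the site root."""
    target = url_param(request_url)
    if target is None or not is_safe_target(target):
        return FALLBACK
    return target


if __name__ == "__main__":
    link = "http://contoso.ch/vulnerable.php?url=https://login.contoso.cf/"
    print("vulnerable ->", redirect_target_vulnerable(link))
    print("hardened   ->", redirect_target_safe(link))
```

The allowlist is deliberately an exact match on the parsed hostname rather than a substring or prefix test: `login.contoso.cf`, `login.contoso.ch.evil.example` and `https://login.contoso.ch@evil.example/` all fail it, while the real portal passes. If the page genuinely needs to send users off-site, the usual alternative is to redirect by an opaque key that maps to a server-side list of destinations, so no URL is ever taken from the request at all.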
Is it realistic to find them?
Without a doubt, we cannot find them ourselves. Will the authorities be able to find them? One can try to request data from the registrar or from Cloudflare, and then go to the same protonmail. If they do cooperate, the most that can be obtained is an IP address. Is it possible to identify the criminal from an IP address? I doubt it.
Outcome
We do not know how many users "bought it"; they will not admit it themselves. Just in case, we advised everyone to change their AD passwords. The company itself was strongly encouraged to enable two-factor authentication on ADFS using Custom Authentication.
P.S. And yet, I'm not sure that I myself would not have fallen for it; the level impressed me.