Exposing Phishers via Bad OpSec

I got a phishing email at work forwarded to me and was surprised it got through our filter. Looking at it, it was an email with the subject line “Confirm your identity” with an .HTML attachment.

1

Opening the .html attachment up shows a pretty legit looking PayPal page.

2

I put in some bogus info and hit continue

3

Really? My SSN? If you say so

4

Hitting “Continue” then presumably submits the phished data and then redirects you to the actual paypal.com page, so the entire thing seems legit.

Let’s dissect this a bit further.

I’ll use Burp Suite to see where this .html file is actually sending stuff to.

Immediately upon opening the .HTML file, it sends a connection request to what is presumably a compromised website. (Actual URL and names will be blacked out)

5

After filling out the .HTML form and clicking continue, I see it sends the data as a POST request to a PHP file

6

But going to that .PHP file redirects to paypal.com, so I decided to look at the directory it was sitting in, /lm/

7

Oh boy.

So the attacker failed to practice good OpSec and indexing is allowed. I download the “Jokapo Team VBV Scam” .Zip file

Inside I find a few files

8

Including kapos.php, which is the .php file that takes the POST request data.

9

And now your .php code is exposed…

Looking further I see that it opens a .txt file and writes to it

10

But I swear I’ve seen that .txt file before

11

Oh no….

12

YEP

So he is storing the harvested, phished, data in a plain .txt file that is accessible to anyone. But wait, there’s more!

So, to test out their scam, the scammer used their real gmail account

13

So what do we do with any scammers email?

We sign them up for farmersonly.com and Christianmingle.com

23483267_816558521848641_830199883_o

23469157_816559298515230_1904941439_o

As well as signing up for free spam email

Untitled

And then of course reporting him to Google.

Capture1

 

Moral of the story: If you’re going to phish people, at least be good at it…

The owner of the compromised website was also contacted but the site looks like it was last updated in 2014, so I doubt anything will happen there.

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: