
Firstly I must apologise for what may seem like a double post (especially if you’ve read this) but I wanted to detail yet another phishing page take-down, which began with one of my clients being spearphished.
Now “phishing” in general is simply a term used to describe using a “lure” to trick end users into handing over sensitive data such as passwords, usernames, email addresses and more. Traditionally this is done by using fake login pages which are often sent en masse in spam campaigns worldwide.
“Spearphishing” is the same as phishing but with an increased level of targeting or specific use of social engineering. This might be targeting an individual or attempting to phish them through even more intricate means that would make them more likely to fall for it (such as sending a fake invoice from a real supplier’s email address or sending a fake login page for a system they use frequently).
The Target
As with many recent spam campaigns, the target yet again was Office 365. This tends to be a popular target as many services are tied to a single login, which makes taking over one account very attractive to a malicious hacker. Often access to a 365 account means more than just access to email; it can mean access to SharePoint/files, access to internal documentation, administrative access to an entire domain, access to flows/internal data or, even worse, access to Azure.
Just above was the page sent within the spam email, which posed as a shared OneDrive file to my client. The URL used a valid SSL certificate and was a subpage of a blog that had been compromised:
Doing a little digging just before reporting the page I found more and more phishing pages hosted on the index of this blog including a school login page:
As described in my last post, there are free online tools to help discover which registrar a particular website’s domain is registered with; that registrar in effect has the ability to take the website down (as it is hosted with them).
This information is typically known as “WHOIS” and, though details about the exact individual behind a website can be made private, the registrar, i.e. the company that the domain was purchased from, has to be published. In some countries this can be an ISP rather than just a domain reseller, and take-down requests/abuse reports are treated differently from border to border.
Some registrars are well aware that their services may easily be abused, and almost all will offer some form of reporting method to make them aware of malicious domains/pages being hosted within their domain ecosystem.
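To show the lookup step in code, here is an added example (not from the original post) that pulls the registrar, its abuse contact and the name servers out of raw WHOIS text, so a take-down request can be addressed to the right party; the WHOIS record below is constructed, and the domain and registrar names in it are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample WHOIS output (not from a real lookup) in the
# "Key: value" layout most gTLD registrars return.
SAMPLE_WHOIS = """\
Domain Name: COMPROMISED-BLOG.EXAMPLE
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Registrar: Example Registrar, LLC
Registrar IANA ID: 0000
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
Registrant Organization: REDACTED FOR PRIVACY
"""


@dataclass
class AbuseContact:
    domain: Optional[str]
    registrar: Optional[str]
    abuse_email: Optional[str]
    abuse_phone: Optional[str]
    name_servers: List[str] = field(default_factory=list)

    def has_report_channel(self) -> bool:
        """True when the record gives us an address to send the take-down request to."""
        return self.abuse_email is not None


def _field(text: str, key: str) -> Optional[str]:
    """Return the value of the first 'Key: value' line, ignoring case and padding."""
    pattern = rf"^\s*{re.escape(key)}:[ \t]*(.+?)[ \t]*$"
    match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def parse_whois(text: str) -> AbuseContact:
    """Pull the registrar and its abuse contact out of raw WHOIS text."""
    domain = _field(text, "Domain Name")
    return AbuseContact(
        domain=domain.lower() if domain else None,
        registrar=_field(text, "Registrar"),
        abuse_email=_field(text, "Registrar Abuse Contact Email"),
        abuse_phone=_field(text, "Registrar Abuse Contact Phone"),
        # Name servers point at the hosting provider: a second party to report to
        # when the registrar is slow or the record carries no abuse address.
        name_servers=re.findall(r"^\s*Name Server:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE),
    )
```

Privacy-redacted records still expose the registrar fields, which is exactly what the reporting step needs; when `has_report_channel()` is false, the registrar URL or the hosting provider behind the name servers is the next place to look.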

Using the above report page and simply firing off an email to abuse@godaddy.com got me a response later that day to say they’ve acted on it.
Now, though this might seem like a cat-and-mouse game, the potential damage prevented by reporting the main source is massive.
Let’s say this one phishing page is sent in a spam campaign from a few addresses to circa 10,000 end users. In spam terms that’s still a pretty small target, but if it only takes one web page to trick even a fraction of those users it could result in a lot of compromised or taken-over accounts (which can then be used, resold or abused for far more malicious intentions).
When a phishing page is taken down it effectively disarms every email sent out in that campaign, regardless of how much spam was sent. This also means emails already received by potential victims (which haven’t been opened straight away) no longer carry the credential-harvesting danger they would have had the page not been reported.
In my own experience I’ve seen phishing pages still being hosted for months at a time, but popular platforms (or domain registrars in highly regulated nations) quite often act quickly on abuse reports, and in the example in this article my take-down happened the same day.
A great resource into this whole topic and for those wanting to fight back against this type of attack: www.gotphish.com.
Thanks for reading and hope to be back soon with more interesting topics and in-depth guides 🙂