[Research] Phishermans Friend – Getting control over a phishing backend

Dear Readers, once in a while I enjoy blogging about things unrelated to bug bounties. And so, as it happens, on a quiet Thursday night as I was about to go to bed, I received the following e-mail:

It roughly translates to: Your attention is needed, there has been an unwanted login from a location near Berlin.

Hmmm, an unwanted login from a location near Berlin? My younger brother lives in Berlin, so I wondered if he had logged in to my PayPal account. I doubted it, so I decided to visit the link in the email. Clicking on it brought me to the following site:

[Screenshot taken 2016-06-10 at 11:11:56]

Interesting: http://paypal.de-conflict.ru/ <- as you probably notice, this is definitely not something we should trust; it's a phishing site. So, as you may or may not know, I like to use the awesome tool DirBuster. After firing it up and targeting this address, I quickly found some juicy stuff:

  • info.php <- PHP Info
  • /classes/ <- misconfigured folder
  • /backend/ <- Login Form
  • /backend/install <- ;-)….

I hope this makes you smile too. First, I looked at info.php, and the system description revealed: Linux fox.hidden-server.ru 2.6.32-673.8.1.lve1.4.3.el6.x86_64 #1 SMP Wed Feb 10 08:57:30 EST 2016 x86_64.

So, based on the .ru, it seems to be a Russian service for criminal activities.

The directory /backend/ was just a simple login form asking for a username and password. I didn't feel like wasting my time, so I figured this was a dead end.

Then I found the funniest part, the directory /backend/install:

Translates to: Installation successful. Username, Password

Okay, good to know: apparently super criminals use the username admin and the password 123456. Think it'll work on /backend/? Needing to know, I went back to /backend/ and tried the newly discovered credentials 🙂 Sure enough, I was logged in!

[Screenshot taken 2016-06-10 at 00:59:09]

Tadaaaa, the beautiful back end of a PayPal phishing service. As you can see in the charts at the bottom, there had been three visitors by the time I accessed the dashboard. I browsed through the dashboard and found a link to "data sets", which included the phished PayPal credentials, credit card numbers etc.


[Screenshot taken 2016-06-10 at 01:05:35]


At the time, there were three entries: one from me, one from a victim, and the first one ever submitted, which could be a test :-). On that note, if you're developing a site, what's the first thing you typically do after installing a new service? You test it out. It turns out the owner of this one was stupid enough to enter some credentials on the website to test it, but didn't realize, or didn't care, that his IP address was saved too. I've censored the IP address because I can't be 100% sure it was his, though.

After two hours of monitoring the website, there were a couple of real data sets from German phishing victims.

Phished data including username, password, birth date, credit card number, address and everything else needed for online criminals to potentially ruin someone's life.

Hmm, it seemed as if more and more people were falling for this scam, so I decided to take some action against it... how, you ask?

Well 🙂 I inserted the phrase „Your IP is 85.25.*.*“ in every place I could and went to bed to see what would happen next.

Data sets on the left and the note I left in the middle

Waking up on Friday, the first thing I did was go online to see how many more data sets there were... and it turned out the site was gone 🙂

[Screenshot taken 2016-06-10 at 10:05:29]

That's it 🙂 The site is gone, and the Russian criminal is now (hopefully) scared that someone recorded his actions and kept evidence of his online identity.

Further Work: 

I know several of my e-mail addresses are likely in a database of phishing targets, as I receive similar emails almost daily. Those scam campaigns are mostly based on the same commercially sold phishing CMS, so my plan is to collect as many phishing sites as I can find and test whether they are similarly designed.
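As an added example (not code from the original post), the following script automates the "are they similarly designed?" check by probing exactly the four paths DirBuster turned up earlier in the post: info.php, /classes/, /backend/ and /backend/install. It only sends GET requests and never submits the discovered credentials. The host names, the body markers used to confirm each path, the scoring rule in looks_like_kit and the constructed sample responses are all assumptions for illustration.

```python
"""Fingerprint a suspected phishing host for the paths found in the post.

Added example, not part of the original post. Only GET requests are made and
no credentials are ever submitted. The path list comes from the post; the body
markers, the match rule and the host names below are assumptions.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# path -> marker: a probe is a hit when the path answers 200 and, if a marker
# is given, the marker appears in the body (case-insensitive). Markers assumed.
PROBES: Dict[str, Optional[str]] = {
    "info.php": "phpinfo()",      # PHP Info page
    "classes/": "index of",       # directory listing of a misconfigured folder
    "backend/": "password",       # login form of the backend
    "backend/install": None,      # installer still reachable after setup
}

Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Plain GET returning (status, body); HTTP errors become their status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "kit-fingerprint/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def fingerprint(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, bool]:
    """Return {path: hit} for every probe in PROBES against base_url."""
    base = base_url.rstrip("/") + "/"
    hits: Dict[str, bool] = {}
    for path, marker in PROBES.items():
        status, body = fetch(base + path)
        hits[path] = status == 200 and (marker is None or marker in body.lower())
    return hits


def looks_like_kit(hits: Dict[str, bool]) -> bool:
    """Assumed rule: a reachable installer alone, or any two hits, is a match."""
    return hits.get("backend/install", False) or sum(hits.values()) >= 2


def make_offline_fetch(pages: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Fetcher backed by a constructed dict of responses, for offline runs."""
    def fetch(url: str) -> Tuple[int, str]:
        return pages.get(url, (404, ""))
    return fetch


# Constructed responses imitating the site in the post (host name is made up).
SAMPLE_PAGES: Dict[str, Tuple[int, str]] = {
    "http://paypal.phish.example/info.php": (200, "<title>phpinfo()</title>"),
    "http://paypal.phish.example/classes/": (200, "<h1>Index of /classes</h1>"),
    "http://paypal.phish.example/backend/": (200, '<input type="password" name="pw">'),
    "http://paypal.phish.example/backend/install": (200, "Installation erfolgreich"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live GETs against the host given on the command line.
        result = fingerprint(sys.argv[1])
    else:
        result = fingerprint("http://paypal.phish.example", make_offline_fetch(SAMPLE_PAGES))
    for path, hit in result.items():
        print(f"{'HIT ' if hit else 'miss'} /{path}")
    print("same kit?", looks_like_kit(result))
```

Run it with no arguments to see the constructed sample classified, or with a base URL to probe a live host; the fetcher is injected so the matching logic can be tested without network access.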

Disclaimer: 

This post is intended for educational purposes and is not meant to promote, incentivize or encourage any action which may or may not be considered illegal. None of the described actions are related to my past, current or future employers.

Q/A

Q = What happened to the harvested credentials?

A = I contacted the victims via mail (4 at that time), and each of them took care and followed the steps I suggested (change the password, contact PayPal, contact the credit institution, lock the credit cards). Three out of the four people I contacted had a feeling that something strange was going on on that site but decided not to do anything. By the time I contacted them, they knew something strange was going on, and they were glad I took action and contacted them.

