A fishing buddy of mine describes fishing as, “a jerk on one end of the line, waiting for a jerk on the other end”.
As we have been “beefing-up” our phishing detection, I started thinking about my friend’s comment. Couldn’t phishing be described the same way?
We talk with people every day whose websites have been infected by hackers and quite often we hear, “What do these jerks want with my website?” So there is a jerk on one end of the line, waiting for a jerk (or unsuspecting person) on the other end.
Phishing, as you probably know, is the act of “fooling” someone into providing their Personally Identifiable Information (PII). In the early days of phishing, you would get an email that may have had all the correct graphics to make it look legitimate; however, there would typically be commonly misspelled words and other grammatical errors that would indicate that something was amiss.
Nowadays, the emails look legitimate and so do the websites that the bogus emails link to.
You may see emails with subject lines like, “PayPal security alert”, or “Attempted change to your banking login”, in order to alarm you into action.
In this post, I’m going to educate you on what hackers do to websites to get them ready for phishing.
First, realize that when a website is compromised (hacked) by someone, they have many options:
- They can inject a script that attempts to infect the computer of any of your visitors
- They can store their games and other illegally obtained software on the site
- They can add phishing files and use the compromised site to steal PII
- Or, in worst case scenarios, they delete all the files to cover their tracks
For now, we’re going to focus on using compromised sites for phishing.
When the hackers turn their attention to phishing, they want to hide their “work” from prying eyes, yet make it widely available to their potential victims.
How to determine if your website is being used for phishing?
We typically find the phishing files deep inside a multi-level folder structure. It’s not unusual for us to find phishing files buried 10 sub-folders (directories) deep on a website. It’s so common that you could almost classify it as a characteristic of phishing files.
Hackers are so determined to keep their phishing files hidden that they even protect them. On numerous sites we’ve found that the hackers have used a .htaccess file to help keep their files hidden.
Some of the entries in an .htaccess file are:
setenvifnocase Referer castlecops.com spammer=yes
setenvifnocase Referer internetidentity.com spammer=yes
setenvifnocase Referer phishfighting.com spammer=yes
setenvifnocase Referer phishtank.com spammer=yes
setenvifnocase Referer spamcop.net spammer=yes
setenvifnocase Referer spam spammer=yes
setenvifnocase Referer phish spammer=yes
setenvifnocase Referer bezeqint.net spammer=yes
Order Allow,Deny
Allow from all
Deny from env=spammer
Let me explain.
Castlecops.com, InternetIdentity.com, Phishfighting.com, Phishtank.com and Spamcop.net all scan the Internet looking for phishing pages. This .htaccess says that if the referer is one of these sites, then identify that traffic as spam (spammer=yes). The Order Allow,Deny section says to allow all traffic (Allow from all), but deny any visitors previously identified as being a spammer.
Of course these sites are not spammers, but that’s what the hacker has identified them as for their own protection. Also, the hackers believe that if someone, such as yourself, looks inside this file, you may just think it’s some security measure and leave it alone.
If you get an email from one of the above organizations, you may want to check your website files for phishing folders.
Some strings to search for are:
hsbcMainContent
HSBC Premier
By United 4U
online.lloydstsb.co.uk
Personal Banking Online Verification
Lloyds TSB FullZ By GhostRideR
internetbanking
$annualIncome
OnlineBankingRegistration
Northern Rock Online
Your mother’s maiden name
Your Security Number
Barclays Secure Form
Log in to Digital Banking
RBS Refund Form
There are many, many others but this should get you started.
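To put the checks above together, here is an added example (not part of the original post and not our scanner's code) that walks a web root, flags any .htaccess that sets a variable from the Referer and then denies on it, and searches files for some of the strings listed above. The function names, the depth threshold of 5 and the sample tree built in demo() are assumptions made for illustration.

```python
import os, re, tempfile
# Subset of the search strings listed above; extend with the rest as needed.
KIT_STRINGS = ["hsbcMainContent", "Lloyds TSB FullZ By GhostRideR",
               "Barclays Secure Form", "RBS Refund Form", "$annualIncome"]
SETENV = re.compile(r"^[ \t]*SetEnvIf(?:NoCase)?[ \t]+Referer[ \t]+(\S+)[ \t]+(\w+)", re.I | re.M)
DENY = re.compile(r"^[ \t]*Deny[ \t]+from[ \t]+env=(\w+)", re.I | re.M)

def referer_blocks(htaccess_text):
    """Referer patterns whose env variable is later used in 'Deny from env='."""
    denied = set(DENY.findall(htaccess_text))
    return [pat for pat, var in SETENV.findall(htaccess_text) if var in denied]

def scan(webroot, deep=5):  # 'deep' threshold is an assumption, tune per site
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read(2_000_000)  # cap the amount read per file
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            blocked = referer_blocks(text) if name == ".htaccess" else []
            if blocked:
                findings.append((path, "referer-deny", blocked))
            hits = [s for s in KIT_STRINGS if s in text]
            if hits:
                findings.append((path, "deep-kit" if depth >= deep else "kit", hits))
    return findings

def demo():
    """Build a constructed sample tree (not real data) and scan it."""
    root = tempfile.mkdtemp()
    kit = os.path.join(root, "images", "cache", "a", "b", "c", "d")
    os.makedirs(kit)
    with open(os.path.join(kit, ".htaccess"), "w") as fh:
        fh.write("setenvifnocase Referer phishtank.com spammer=yes\n"
                 "setenvifnocase Referer phish spammer=yes\n"
                 "Order Allow,Deny\nAllow from all\nDeny from env=spammer\n")
    with open(os.path.join(kit, "login.php"), "w") as fh:
        fh.write("<title>Barclays Secure Form</title>")
    return root, scan(root)

if __name__ == "__main__":
    for path, kind, detail in demo()[1]:
        print(kind, path, detail)
```

A hit is a reason to look at the folder by hand, not proof of phishing: a legitimate .htaccess can also deny by Referer, and a page that merely mentions a bank will match a string.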
If you have any questions about phishing, or identifying phishing files on your website, please email me at traef@wewatchyourwebsite.com.
If you have any information about phishing that you’d like to share, please leave a comment.