The techniques cybercriminals use are becoming more advanced, and they are going to greater lengths to commit fraud, compromise computers, and steal credentials. Given the time, money, and effort attackers spend crafting their attacks, it matters to them that their work is protected from theft by other criminals and that their operations survive longer by evading technical analysts and investigators.
Recently, PhishLabs has observed several phish kits in the wild that are taking extraordinary precautions to protect stolen data through the use of data encoding and encryption. This deprives others of the ability to access the stolen credentials in plain text. Phishing sites typically make use of a drop email for data exfiltration, which is generally set up by a phisher and hard-coded into a PHP script. Every time a victim submits credentials via a phishing page, the credentials are forwarded to the drop email address for retrieval by the attacker. However, it would appear newer tactics are being used in an attempt to increase the overall success rate of the scam.
Protecting Stolen Information
The phish kit examined in this post utilizes AES (Rijndael) encryption coupled with Base64 encoding to keep the credentials from prying eyes while they are awaiting recovery by the criminals. The information targeted in this phishing attack can be seen in the code below.
Values Used to Identify the Victim
Once a victim has submitted their information to the phishing page, the data then undergoes an encryption process before being posted to a form receiver located on an alternative compromised web server that is also controlled by the scammer.
The value of the data variable (shown in the first screenshot) is passed into the local variable plaintext, and the hard-coded encryption key is passed into the variable textHos. The first line takes the length of the plaintext variable, converts its value to hexadecimal format, and then pads the value by prepending eight zeros. This is done because the MCRYPT_RIJNDAEL_128 cipher requires a 16-byte initialization vector (IV). The key value for the encryption process is the raw output of the MD5 hash of the hard-coded textHos variable. The ciphertext value is generated by the last line, where the mcrypt_encrypt function is called with the following arguments.
Once the encryption process is finished, the ciphertext value is rewritten as the concatenation of the initialization vector, the hash value, the length of the plaintext credentials, and the encrypted credentials. This value is then Base64 encoded to ensure that the new ciphertext value is not corrupted or misinterpreted in transit.
Encrypted / Encoded Information
The final form of the ciphertext value can be seen above. This is how the credential data will appear in the text file when it is recovered.
Decrypting the Data: Recovering the Stolen Credentials
With these particular phish kits, the scammer was using HTTP to POST the data to a form receiver script on another server. The script receiving the encrypted credentials then wrote them to a text file on the server. Once the text file was identified, we were able to retrieve and decrypt the data to start the recovery process on the encrypted credentials.
Heart of the Decrypting Script
The screenshot above depicts a Python script written by PhishLabs that decrypts the text file produced by the attacker's encryption routine. The script reads lines from the encrypted credential file and reverses the process used in the phishers' PHP script. Each line is Base64 decoded, and the individual fields are then separated using regular expressions based on the known length of each field. The ciphertext can then be decrypted using the same key that was used to encrypt it (hex_str), which corresponds to the raw MD5 hash of the textHos value in the attacker's script. The output of the script, as seen below, contains the plaintext credentials that were initially compromised.
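The two screenshots that carried the kit's PHP routine and the PhishLabs recovery script are not reproduced here, so the following is an added example that reconstructs both halves of the process described above; it is not the kit's code and not PhishLabs' script. It is written in Go because the standard library provides AES, MD5 and Base64 without external dependencies. Everything the page leaves unstated is an assumption made for this example: CBC mode with mcrypt-style zero padding, the exact field widths of the record (IV 16 bytes, hash 32 hex characters, length 16 hex characters), that the hash field is the MD5 hex digest of the plaintext, and the value of textHos, which is a placeholder for the kit's hard-coded secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Fixed field widths of one record before Base64 encoding (assumed for this example).
const (
	ivLen   = 16 // hex plaintext length, zero-padded to 16 ASCII bytes (the IV)
	hashLen = 32 // MD5 hex digest, assumed here to be over the plaintext
	lenLen  = 16 // plaintext length again, 16 hex chars, used to strip zero padding
)

// keyFromTextHos mirrors the kit: the AES-128 key is the raw 16-byte MD5 of the secret.
func keyFromTextHos(textHos string) []byte {
	sum := md5.Sum([]byte(textHos))
	return sum[:]
}

// lenField mirrors the kit's IV construction: hex of a length, left-padded to 16 chars.
func lenField(n int) string { return fmt.Sprintf("%016x", n) }

// EncryptRecord reproduces the kit's record format so recovery can be tested offline.
func EncryptRecord(plaintext, textHos string) (string, error) {
	blk, err := aes.NewCipher(keyFromTextHos(textHos))
	if err != nil {
		return "", err
	}
	iv := lenField(len(plaintext))
	// mcrypt zero-pads to the block size; the stored length lets the reader strip it.
	pad := (aes.BlockSize - len(plaintext)%aes.BlockSize) % aes.BlockSize
	padded := append([]byte(plaintext), make([]byte, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, []byte(iv)).CryptBlocks(ct, padded)
	digest := md5.Sum([]byte(plaintext))
	rec := iv + hex.EncodeToString(digest[:]) + lenField(len(plaintext)) + string(ct)
	return base64.StdEncoding.EncodeToString([]byte(rec)), nil
}

// DecryptRecord reverses one line of the drop file: Base64-decode, split the
// fixed-width fields, AES-128-CBC decrypt, strip the zero padding, check the hash.
func DecryptRecord(line, textHos string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line))
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	if len(raw) < ivLen+hashLen+lenLen {
		return "", errors.New("record too short")
	}
	iv, wantHash := raw[:ivLen], string(raw[ivLen:ivLen+hashLen])
	n, err := strconv.ParseInt(string(raw[ivLen+hashLen:ivLen+hashLen+lenLen]), 16, 64)
	ct := raw[ivLen+hashLen+lenLen:]
	if err != nil || n < 0 || int(n) > len(ct) || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("length field inconsistent with ciphertext")
	}
	blk, err := aes.NewCipher(keyFromTextHos(textHos))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	pt = pt[:n] // drop mcrypt's zero padding using the stored length
	if sum := md5.Sum(pt); hex.EncodeToString(sum[:]) != wantHash {
		return "", errors.New("hash mismatch: wrong key or corrupted record")
	}
	return string(pt), nil
}

// RecoverAll walks a drop file one record per line, collecting plaintexts and per-line errors.
func RecoverAll(dropFile, textHos string) ([]string, []error) {
	var creds []string
	var errs []error
	for i, line := range strings.Split(dropFile, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		pt, err := DecryptRecord(line, textHos)
		if err != nil {
			errs = append(errs, fmt.Errorf("line %d: %w", i+1, err))
			continue
		}
		creds = append(creds, pt)
	}
	return creds, errs
}

func main() {
	// Constructed sample drop file: two victim records and one truncated line.
	const textHos = "example-kit-secret" // placeholder for the kit's hard-coded value
	r1, _ := EncryptRecord("email=victim1@example.com&pass=hunter2&ip=192.0.2.10", textHos)
	r2, _ := EncryptRecord("email=victim2@example.com&pass=correcthorse", textHos)
	creds, errs := RecoverAll(r1+"\n"+r2+"\n"+r1[:20]+"\n", textHos)
	fmt.Println(strings.Join(creds, "\n"))
	for _, e := range errs {
		fmt.Println("skipped:", e)
	}
}
```

Two points for anyone doing this kind of recovery. First, the scheme offers no secrecy against an investigator who has the kit: the IV is derived from the plaintext length and the key from a string hard-coded in the PHP, so possession of the kit source is all that is needed to read the drop file. Second, a fixed-width parser should validate the length field against the ciphertext and verify the hash before trusting the output, as done above; a hash mismatch on every line is the quickest signal that the textHos value taken from the kit is not the one that produced this particular file.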
Example of Script Output
As you can see from our analysis above, phishers are going to greater lengths to protect the data they steal. Once a web server is compromised, it is compromised for everyone: if a PHP backdoor is present, other cybercriminals could modify the phishing page to send credentials to an email address of their choosing, or simply steal any plaintext credentials stored on the server. Encrypting the stored credentials renders these concerns moot for the original attacker.
Another reason scammers may choose to encrypt compromised information is that it removes the need to utilize a drop email account. By eliminating the drop email from the equation, the attacker removes a potential point of failure from their scheme, as email providers will often disable email accounts that are known to be used in phishing attacks. Encrypted text files also draw less attention than plain text credentials. If a typical user comes across an encrypted text file in the wild, there is a lower probability that they will recognize the file as a malicious artifact, thereby reducing the chance that they will notify a responsible organization regarding its removal. Overall, encrypting credentials adds only minimal overhead to the criminal's operation while providing necessary protection for their stolen bounty.