The PhishLabs Blog

Examining a New Cybercrime OPSEC Technique (And How to Break It)

Posted by Jason Davison, Threat Analyst on May 17, '16

The techniques that cybercriminals use are becoming more advanced. They are going to greater lengths to commit fraud, compromise computers, and steal credentials. The time, money, and effort attackers spend crafting attacks makes it important for them to protect their work from being stolen by others and to extend the life of their operations by evading technical analysts and investigators.

Recently, PhishLabs has observed several phish kits in the wild that are taking extraordinary precautions to protect stolen data through the use of data encoding and encryption. This deprives others of the ability to access the stolen credentials in plain text. Phishing sites typically make use of a drop email for data exfiltration, which is generally set up by a phisher and hard-coded into a PHP script. Every time a victim submits credentials via a phishing page, the credentials are forwarded to the drop email address for retrieval by the attacker. However, it would appear newer tactics are being used in an attempt to increase the overall success rate of the scam.

Protecting Stolen Information

The phish kit examined in this post utilizes AES (Rijndael) encryption coupled with Base64-encoding to keep the credentials from prying eyes while they are awaiting recovery by the criminals. The information targeted in this phishing attack can be seen in the code below.

[Screenshot: Values Used to Identify the Victim]

Once a victim has submitted their information to the phishing page, the data then undergoes an encryption process before being posted to a form receiver located on an alternative compromised web server that is also controlled by the scammer.

[Screenshot: Encryption Process]

The value of the data variable (shown in the first screenshot) is passed into the local variable plaintext, and the hard-coded encryption key is passed into the variable textHos. The first line takes the length of the plaintext variable, converts its value to hexadecimal format, and then pads the value by prepending eight zeros. The reason for this is that the MCRYPT_RIJNDAEL_128 cipher requires a 16-byte initialization vector (IV). The key value for the encryption process is the raw (binary) output of the MD5 hash of the hard-coded textHos variable. The ciphertext value is generated by the last line, where the mcrypt_encrypt function is called with the following arguments.

[Screenshot: attacker ciphertext (mcrypt_encrypt arguments)]

Once the encryption process is finished, the ciphertext value is rewritten to include the concatenation of the initialization vector, hash value, length of the plain text credentials, and the encrypted credentials. This value is then Base64 encoded to ensure that the new ciphertext value does not become corrupt or misinterpreted in transit.

[Screenshot: Base64 Encoding]

[Screenshot: Encrypted / Encoded Information]

The final form of the ciphertext value can be seen above. This is how the credential data will appear in the text file when it is recovered.

Decrypting the Data: Recovering the Stolen Credentials

With these particular phish kits, the scammer was using HTTP to POST the data to a form receiver script on another server. The script receiving the encrypted credentials then wrote them to a text file on the server. Once the text file was identified, we were able to retrieve and decrypt the data to start the recovery process on the encrypted credentials.

[Screenshot: Heart of the Decrypting Script]

The screenshot above depicts a Python script written by PhishLabs that decrypts the text file produced by the attacker's encryption routine. The script reads in lines from the encrypted credential file and reverses the process used in the PHP script created by the phishers. Each line is Base64 decoded, and then the individual variables are separated using regular expressions with the known length of each variable. The ciphertext can then be decrypted using the same key that was used to encrypt it (hex_str). This corresponds to the raw output of the MD5 hash of the value textHos in the attacker's script. The output of the script, as seen below, contains the plaintext credentials that had initially been compromised.

[Screenshot: Example of Script Output]
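To make the encryption and decryption steps described above concrete, the following is an added example (not PhishLabs' Python script and not the kit's PHP) that re-implements the routine in Go and then reverses it the way the post describes: Base64 decode, slice the fields by their known widths, rebuild the key as the raw MD5 of the hard-coded string, decrypt with AES-128, strip mcrypt's NUL padding using the length field, and check the embedded hash before accepting the result. The kit string textHos, the field widths (16-byte IV, 32-character MD5 hex, 8-digit decimal length), CBC mode, and the sample credential line are all assumptions constructed for this example; the page does not give them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Hypothetical stand-in for the kit's hard-coded textHos; the real value is not on the page.
const textHos = "EXAMPLE-KIT-KEY"

// Assumed record layout (the post names the fields, not their widths):
// iv(16) || MD5 hex of plaintext(32) || length as 8-digit decimal || AES-CBC ciphertext, then Base64.
const ivLen, hashLen, lenLen = 16, 32, 8

// kitIV follows the post: plaintext length in hex, zero-padded to the 16 bytes RIJNDAEL_128 needs.
func kitIV(plaintextLen int) []byte {
	return []byte(fmt.Sprintf("%016x", plaintextLen))
}

// kitKey is the raw MD5 digest of the hard-coded string, i.e. PHP's md5($textHos, true).
func kitKey(secret string) []byte {
	sum := md5.Sum([]byte(secret))
	return sum[:]
}

// encryptRecord re-implements the kit's routine only to produce constructed input.
// mcrypt pads with NUL bytes up to a block boundary; CBC mode is an assumption.
func encryptRecord(secret, plaintext string) (string, error) {
	block, err := aes.NewCipher(kitKey(secret))
	if err != nil {
		return "", err
	}
	iv := kitIV(len(plaintext))
	padLen := (aes.BlockSize - len(plaintext)%aes.BlockSize) % aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{0}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	sum := md5.Sum([]byte(plaintext))
	var rec bytes.Buffer
	rec.Write(iv)
	rec.WriteString(hex.EncodeToString(sum[:]))
	rec.WriteString(fmt.Sprintf("%08d", len(plaintext)))
	rec.Write(ct)
	return base64.StdEncoding.EncodeToString(rec.Bytes()), nil
}

// decryptRecord reverses one line of the drop file. A wrong key, a truncated
// record or a tampered length field is reported as an error, never returned as data.
func decryptRecord(secret, line string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(line)
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	hdr := ivLen + hashLen + lenLen
	if len(raw) < hdr {
		return "", errors.New("record too short")
	}
	iv := raw[:ivLen]
	wantHash := string(raw[ivLen : ivLen+hashLen])
	n, err := strconv.Atoi(string(raw[ivLen+hashLen : hdr]))
	if err != nil {
		return "", fmt.Errorf("length field: %w", err)
	}
	ct := raw[hdr:]
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext not block-aligned")
	}
	// The IV is derived from the same length, so the two fields must agree.
	if !bytes.Equal(iv, kitIV(n)) || n > len(ct) {
		return "", errors.New("length field inconsistent with IV or ciphertext")
	}
	block, err := aes.NewCipher(kitKey(secret))
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt = pt[:n] // drop mcrypt's NUL padding
	sum := md5.Sum(pt)
	if hex.EncodeToString(sum[:]) != wantHash {
		return "", errors.New("hash mismatch: wrong key or corrupted record")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample line, not a record recovered from a real kit.
	line, _ := encryptRecord(textHos, "email=victim@example.com&pass=hunter2")
	creds, err := decryptRecord(textHos, line)
	fmt.Println(line)
	fmt.Println(creds, err)
}
```

The hash check is what turns this from a blind decrypt into a recovery tool: because the kit stores an MD5 of the plaintext next to the ciphertext, a wrong key or a damaged line is detected immediately instead of yielding garbage that looks like credentials.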


As you can see from our analysis above, phishers are going to greater lengths to protect the data they are stealing. Once a web server is compromised, it is compromised for everyone. If there is a PHP backdoor present, other cybercriminals could potentially modify the phishing page to send credentials to an email of their choosing or simply steal any plain text credentials stored on the server. These potential issues are rendered moot through the use of encryption.

Another reason scammers may choose to encrypt compromised information is that it removes the need to utilize a drop email account. By eliminating the drop email from the equation, the attacker removes a potential point of failure from their scheme, as email providers will often disable email accounts that are known to be used in phishing attacks. Encrypted text files also draw less attention than plain text credentials. If a typical user comes across an encrypted text file in the wild, there is a lower probability that they will recognize the file as a malicious artifact, thereby reducing the chance that they will notify a responsible organization regarding its removal. Overall, encrypting credentials adds only minimal overhead to the criminal's operation while providing necessary protection for their stolen bounty.

Topics: Phishing, Threat Analysis, Strategy