The market for pre-made phishing kits is thriving. Think of a financial institution, email provider, or e-commerce site and someone somewhere has undoubtedly created a pre-packaged collection of the files necessary to create a fictitious site designed to obtain personal and financial information from unsuspecting victims. These kits are often sold in Dark Web marketplaces or underground hacking forums, but they are also commonly distributed for free on various social media sites.
Because the ultimate motive for the creators of these kits is financial gain, many of these phishers insert hidden backdoors in their kits which, in addition to sending information to the kit’s users, will forward the compromised data to other email accounts controlled by them. This is how they make their money. By freely distributing their kits with hidden backdoors, they are able to greatly increase the amount of compromised information they are able to collect by essentially getting others to do the work for them.
The idea of backdoors in phishing kits is not a new one. Many times, kit creators will obfuscate their backdoors to keep them from being removed by phishers that use their kits. Phish kit creators are always looking for innovative ways to disguise their backdoors and protect their financial gain.
Recently, while analyzing a collection of kits, I discovered two new ways phishers are hiding their backdoors. I call these techniques the Dufresne Backdoor and the Vizzini Backdoor.
The Dufresne Backdoor
If you’ve ever watched The Shawshank Redemption, you probably remember how wrongly-convicted prisoner Andy Dufresne slowly dug his way to freedom using a small geologist’s tool called a rock hammer. He concealed this rock hammer in a bible, which was a gift from the sanctimonious (and hypocritical) warden. In the wake of his escape from Shawshank State Prison, Andy leaves the bible for the warden. A hammer-shaped cut-out was in the bible along with a note that said, “Dear Warden, you were right. Salvation lay within.”
When you look at the PHP file more closely, though, you can see that things are not what they appear to be.
At this point, we can see that what actually executes is an obfuscated PHP script. After deobfuscating the script, the kit’s backdoor becomes readable:
As you can see, the kit’s backdoor sends all of the information submitted to phishing sites that use the kit to a webmail account controlled by the kit creator. This includes:
- IP addresses and geolocation
- Card data (numbers, expiration dates, CVV)
- PII (Social Security numbers, addresses, birthdays)
The Vizzini Backdoor
In another classic movie, The Princess Bride, Princess Buttercup is kidnapped by a trio of outlaws being led by a Sicilian named Vizzini. Shortly after kidnapping the princess, they are pursued by a man who turns out to be Westley, Buttercup’s long lost love. As Westley overcomes numerous obstacles during the pursuit, Vizzini repeatedly exclaims, “INCONCEIVABLE!” which leads a confused Inigo Montoya to eventually respond, in one of the most memorable quotes in the movie, “You keep using that word. I do not think it means what you think it means.”
In the Vizzini backdoor technique, the phishing kit author attempts to cause the same type of confusion by disguising the backdoor code in a file that isn’t what it seems. Instead of inserting the obfuscated backdoor within the contents of a misleading jQuery library, the author adds an additional layer of deception and inserts the backdoor into what would look like a PNG image file to a passive observer.
This technique of embedding PHP scripts within PNG files was previously seen in the CryptoPHP malware, which compromised webservers beginning in 2013 using a malicious PHP script hidden in a file named “social.png.”
Upon opening the PNG file, you can see that its contents have been obfuscated with FOPO (a free PHP obfuscation tool).
After decoding the contents, you find that the script has been obfuscated yet again.
Evolving Phish Kits
From a researcher’s perspective, being able to observe this evolution in kits allows us to analyze the lineage of a kit to determine its ultimate source and original creator. Using this type of genealogical analysis, researchers can identify the primary and most reputable distributors in the phishing kit industry.