PhishLabs is studying a wave of phishing attacks that utilize spam to distribute links to phishing sites installed and hosted on the personal computers of residential broadband customers.
The attackers start by scanning residential service IP address space for open RDP (Remote Desktop) ports and brute-force default, common, or otherwise weak passwords. Once access is gained, the attackers install web server software and upload a number of different phishing pages, the links to which are sent out via spam email messages.
This is a significant trend because phishing sites hosted on compromised home PCs typically have longer lifespans that those located in hosting environments (which are far more prevalent). Hosting providers can quickly take action to shut down malicious sites in their environments because they have direct control over the servers and terms of service that explicitly prohibit such activity (even unknowingly). This is not the case with phishing sites hosted on home PCs, where ISPs have little control over the customer-owned home computers connected to their residential broadband networks. The support efforts and costs associated with blocking services (like RDP and HTTP) or attempting remediation make it more difficult for ISPs to effectively shut down phishing sites in a timely fashion.
The Remote Desktop Vector
The attackers appear to exploit the home computers of residential ISP customers who have enabled the Remote Desktop service on Microsoft Windows and use easily-guessed passwords.
The RDP (Remote Desktop Protocol) server listens on port 3389/tcp by default, and all of the major residential broadband ISPs surveyed by PhishLabs enable connections to RDP servers on residential networks, making it trivial for attackers to scan for an locate computers with Remote Desktop enabled.
RDP is turned off by default on desktops/clients with all modern versions of Windows desktop; however, one should not underestimate the number of cases where users have enabled RDP. It's a bundled, Microsoft-supported, free, no-third-party way to remotely access systems at home or elsewhere and it delivers a good user experience even at residential upstream speeds. In regards to the most recent wave of these phishing attacks, note that there has been no evidence uncovered for any of the following:
- Social engineering to get the user to enable RDP or create Remote Assistance invitations
- Exploits with shellcode or malware that enables RDP
- Attacks that target other possible weaknesses in RDP configurations such as Restricted Admin mode in RDP 8.1
In these attacks, the RDP connections are already enabled and protected only by weak passwords.
In a limited study by PhishLabs, a typical ratio of RDP-enabled desktop systems to those with the service disabled (the default) and the frequency of the use of certain weak passwords gives a number that is large enough to explain the success rate in the compromise of the residential ISP customers.
Webserver Software Installed
Once the attackers gain access via Remote Desktop, PHP Triad is downloaded and installed to the home computer. PHP Triad is a free, open source webserver software stack for Windows that allows phishing web pages to be hosted and served on the default port 80/tcp (HTTP), or some other port if port 80/tcp is blocked by the ISP. PhishLabs has also seen some phishing pages hosted on port 114/tcp in this wave of attacks.
The latest version of PHP Triad (available from SourceForge) is 2.2.1 and was last updated more than a decade ago (February 16, 2002). The setup executable installs old versions of Apache (web server), MySQL (backend database system), and PHP (scripting) components. Each of them is unpatched and contain various vulnerabilities. PHP Triad also installs an old version of an administrative tool, phpMyAdmin, and all of the services are controllable using default user IDs and default or blank passwords as credentials. PHP Triad, also written as "PHPTriad" (without the space), runs a control panel page on port 1005 by default, and the configurations for all of the default components can be found linked on the main page.
Figure 1: The PHP Triad Control Panel page running on port 1005/tcp
Phishing Pages Hosted on Home Computers
After PHP Triad is set up and running on the default port, the attackers install a number of phishing pages, anywhere from a handful to several dozen, targeting various financial institutions and payment services.
PhishLabs was able to obtain many of the PHP scripts used and the phishing pages containing forms fields to be filled in with sensitive information by the targets. Obfuscation has been done to hide, even on the server side, the email address or dropzone URL to which the stolen information is posted.
Phishing Links in Spam
Once the phish are installed and ready to dupe unsuspecting visitors, the attackers send out email messages with hyperlinks to the phishing pages on the various compromised home computers. The email content observed by PhishLabs is a single image that, when clicked on, takes the user to the matching phishing page.
Figure 2: A sanitized version of the spam's markup rendered in a sample mail client
In the spam, the "From" fields list sender names like "Bank-Name" or "Bank-Name Alert". In all of the spam samples captured by PhishLabs, the bogus email addresses for the sender are in the form of:
In some incidents, the bogus sender addresses are in all uppercase letters (including the domain name), but in most, they are all lowercase:
From: Bank-Name [mailto:firstname.lastname@example.org]
From: Bank-Name <FHONDS@ACCOUNTS.NET>
Often, the bogus sender email address appears after the sender name, and occasionally, the optional but typical space between the two is missing and the email address has a space between the address and the mailto link instead:
From: Bank-Name<email@example.com <mailto:firstname.lastname@example.org> >
PhishLabs has obtained samples of the spam that have been sent to users with email accounts on the Verizon network. Verizon maintains their own email infrastructure (i.e., Verizon email services are not hosted or operated by a partner such as Yahoo! or Google). It might be that the spambots assigned to the email campaigns are grouping campaigns by the domain names in recipients' email addresses, but there are a number of plausible theories as to why this might be observed.
The body of the spam email messages contain only a single image, a JPG file that is hosted alongside the phishing page hosted on the compromised home computer. It's included in the HTML markup in the message body using an HTML tag with an attribute value containing the URL pointing to the image on the compromised home computer:
- <img src="http://24-183-157-56.dhcp.oxfr.ma.charter.com/ath9.jpg" ...
- <img src="http://ool-182fb2af.dyn.optonline.net:114/ssl17.jpg" ...
The phishing links that are followed when the user clicks on the image take the user to the phishing page hosted on the compromised home computer. All of the links observed by PhishLabs specify the host by the DNS hostname and domain, followed by an HTML file that contains the phishing form to be filled out by the target. Some examples:
- <a href="http://24-183-157-56.dhcp.oxfr.ma.charter.com/ath9.html">
- <a href="http://24-183-157-56.dhcp.oxfr.ma.charter.com/ath37.html">
- <a href="http://ool-182fb2af.dyn.optonline.net:114/ssl17.html">
- <a href="http://ool-182fb2af.dyn.optonline.net:114/ssl42.html">
PhishLabs is continuing to monitor and track these phishing incidents. The phish are being tracked individually for incident management and reporting purposes, but PhishLabs also groups them by hostname/IP of the web server, in this case, the compromised home computer of the residential broadband customer. PhishLabs is providing samples and other intelligence items, including remediation information, to affected clients.