In one of our previous investigations into attacks on the service centers, FortiGuard Labs ran across a list of domains used by the criminals. During our subsequent monitoring process, we spotted a phishing HTML page on one of those webservers that was posing as a Dropbox login page. When we then analyzed the connections for this page, we discovered that the same page resides in the hundreds other locations across the web. In the course of further investigation, we found the phishing kit that we believe was used in this “industrial scale” phishing case.
In this article we will analyze the phishing pages, the toolset that we believe was used to create these pages, and the traces that the criminal actors left behind in that phishing toolset.
One of the domains discovered in our previous investigation is brtory[.]com. This domain has a subdomain with the name dropboxfile. The first point of our investigation resides inside the directories of this subdomain – the phishing HTML page.
Considering the URL of this page, it came as no surprise that this is the page posing as the Dropbox login page. While the look of the phishing page is not exactly the same as the original Dropbox sign-in page, it is close enough to deceive unguarded users.
Please note the absence of some important features, like “Forgot your password?” or “create an account.” This type of flaw is common to many phishing pages and is a good indicator that the page you are looking at is actually a fake.
Now let us turn our attention to the phishing page’s code. This HTML page uses the Dreamweaver library “SpryAssets.” Upon further investigation, we found a group of phishing sites that all use this library because of the convenience of its input data format verification. The original Dropbox login page does not use the “SpryAssets” library (at least this was true at the time of writing).
Phishing services are usually designed in a way that allows the data entered by a user (usually login and password) to be transmitted to the criminals. This goal can be achieved using several methods. In this particular case, the phishing page uses the method POST for the same URL, the “form action” field is used to specify the location where the form will be submitted, and the value “#” corresponds to the same URL with the added suffix “#”:
We were able to detect a variation of this page used as an attachment to the phishing email. An example of such an email provided is in the figure below. In this case, “form action” doesn’t contain the “#” value but instead the fully qualified URL to send any user-entered data. Of course, all other related paths are also changed to the absolute paths of the servers controlled by the attackers.
When we analyzed the URLs that all led to the same object (initial html page), we spotted some information in the “tail’ of the some URLs. One example is underlined on the figure below. According to the information found on Google, this addition could mean that hootsuite.com short URL service was used, and that the short link was created with help of its dashboard link shortener.
Later, we found another use of the ow.ly link shortener, which is also associated with Hootsuite.
Hootsuite.com is advertised as a “social media management” platform. Therefore, we can expect that the phishing campaign was launched not only using email messages but in the social media messages as well.
During our continued investigation, we found that the initial object (the HTML page) had been copied to hundreds of different network locations. However, this was not the end of the story. When we started to analyze the related domains we discovered that they can also host multiple phishing pages.
For example, in the figure below, we can see the relations graph for the domain earthspiritenergies[.]com.au. One of its “leaves” is our initial HTML page, shown in the yellow rectangle. The URLs shown in the red circle are related to the Dropbox phishing pages. For clarity, there are only seven of them shown here , but there are actually a few dozen more. Besides the “Dropbox” cluster, there is another “branch” (shown in the blue circle) that represents the DocuSign phishing pages.
Another interesting example is the qtymusic[.]com domain. In the picture below we can see the Dropbox phishing pages cluster (shown in blue this time). The green and violet circles are cPanel and Webdisk URLs. Since they were not available during investigation we could not tell for sure if this was another phishing page or if it was a real cPanel used to manage the webserver content.
However, there is something new here: we can see a strange URL related to the POS software. This does not match the domain name, so there is a chance that this link also was inserted by the criminals.
While no content of this URL was available during our research, we can try to trace the link in the opposite direction. Here is the Google response to our search on the specified domain.
The Google search results shows us two things:
It seems unlikely that all of these domains were registered by the criminals. Instead, it seems more likely that this is the result of some hacking campaign used to promote qtymusic[.]com.
Figure 10 shows one of the sites, which now contains the link to qtymusic[.]com. In this particular case, this shows up in a hacked website of a Japanese hospital.
The numbers of hacked webservers and the “mindlessness” of the inserted hyperlinks tells us that some sort of automation was used. Most likely, all these webservers share a common vulnerability that was exploited with some modifying scripts used by the criminals.
At this point, we understood that we are dealing with some sort of phishing-malware network that had “entangled” thousands of vulnerable webservers. That is why we reference it as Bindweed. We started with its “leaf,” then we followed its “branches.” But does this network actually have a “root”?
Well, while we have not found the “logical root” yet (the persons who did it, for instance), we have found the “technological root.” We managed to find the Phishing Kit that we believe was used to create the phishing infrastructure of the servers.
The phishing kit is essentially a ZIP archive with a full set of directories, images, CSS, and PHP scripts needed to imitate the original Dropbox login page. All paths inside the Phishing Kit are relative. Therefore, it can be unpacked to the vulnerable server without any modifications of the kit’s scripts other than the email addresses to which grabbed information will be sent.
Index.php is a PHP-enabled page that has an embedded HTML page - the same page from which our investigation started. The verification.php page is used to lure a victim to submit a phone number. Both pages share the same code for sending a user’s input.
The code shown in figure below tries to send entered information to the specified email addresses. After that, it redirects the user to the normal Dropbox page.
From the figure above we can see that somebody already input two email addresses for sending (shown in the red rectangle). We realize that these are not the same addresses used in the “Bindweed” network. Instead, these are most probably the emails of the initial publisher of this Kit. Another possibility is that these emails were inserted on purpose - to create a false trace to people not liked by the publisher of this archive.
That being said, we decided to see what we could find out about these email addresses anyway.
When we searched for anthonysaffo24[@]gmail.com, we found information that linked this address to fraud crimes back in 2015. The claim is that this email address was used to deceive a person into paying a security deposit for a rental home. It also looks like the person behind this email address is not related to this house anyhow. We found a story about this incident here.
In the quoted email message we found the phone number (336) 291 38XX. According to this scambook thread, this same phone number has been used with different email addresses, but with the same fraud scenario. Therefore, there is reason to believe that the other email addresses are also being used by the same group of actors, namely:
FortiGuard Labs has discovered a phishing network that has exploited thousands vulnerable web servers. On some of the servers there was more than one phishing domain. There is a probability that these webservers were exploited by two different groups independently, since the code underneath the phishing pages was sufficiently different.
In addition, we managed to trace the origins of the Dropbox phishing pages to one of the published phishing kits. Inside this phishing kit we discovered inserted several email addresses, one of which is known to have been used for fraud crimes.
FortiGuard Labs will continue to monitor the webservers and domains found during this investigation.
Fortinet users are protected from phishing threats mentioned in this article with the following solutions:
7257f7be6c9657fad0503096935d268a763e0f6e413c139d85dad2c307b52e5e - HTML/Agent.1D14!Phish
48c13f603da1e1540cc9530b5c1d50497a128243e4952a161e84581554b138b4 - HTML/Phish.58FC!tr
ab851e5b17f382fdea66e5c52aec6cfde70881e492211ea0e4b4551e60d7b409 – PHP/Agent.ECD6!Phish
547 URLs were added to the Web Filtering as phishing.
-= FortiGuard Lion Team =-
Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.
Sign up for our weekly FortiGuard Threat Brief.