Threat Research

Bindweed: Digging Down to a Root of a Hidden Phishing Network

By Yueh-Ting Chen and Artem Semenchenko | October 08, 2018

In one of our previous investigations into attacks on the service centers, FortiGuard Labs ran across a list of domains used by the criminals. During our subsequent monitoring process, we spotted a phishing HTML page on one of those webservers that was posing as a Dropbox login page. When we then analyzed the connections for this page, we discovered that the same page resides in the hundreds other locations across the web. In the course of further investigation, we found the phishing kit that we believe was used in this “industrial scale” phishing case.

In this article we will analyze the phishing pages, the toolset that we believe was used to create these pages, and the traces that the criminal actors left behind in that phishing toolset.

Bindweed’s Leaf - a Phishing Page

One of the domains discovered in our previous investigation is brtory[.]com. This domain has a subdomain with the name dropboxfile. The first point of our investigation resides inside the directories of this subdomain – the phishing HTML page.

hxxp://dropboxfile.brtory[.]com/dropbox/filebox/dropboxx/index.php

48c13f603da1e1540cc9530b5c1d50497a128243e4952a161e84581554b138b4

Considering the URL of this page, it came as no surprise that this is the page posing as the Dropbox login page. While the look of the phishing page is not exactly the same as the original Dropbox sign-in page, it is close enough to deceive unguarded users.

Figure 1: The phishing page on the left and the original Dropbox login page on the right

Please note the absence of some important features, like “Forgot your password?” or “create an account.” This type of flaw is common to many phishing pages and is a good indicator that the page you are looking at is actually a fake.

Now let us turn our attention to the phishing page’s code. This HTML page uses the Dreamweaver library “SpryAssets.” Upon further investigation, we found a group of phishing sites that all use this library because of the convenience of its input data format verification. The original Dropbox login page does not use the “SpryAssets” library (at least this was true at the time of writing).

Figure 2: A portion of the phishing page code

Phishing services are usually designed in a way that allows the data entered by a user (usually login and password) to be transmitted to the criminals. This goal can be achieved using several methods. In this particular case, the phishing page uses the method POST for the same URL, the “form action” field is used to specify the location where the form will be submitted, and the value “#” corresponds to the same URL with the added suffix “#”:

Figure 3: A portion of the code of the phishing HTML page

We were able to detect a variation of this page used as an attachment to the phishing email. An example of such an email provided is in the figure below. In this case, “form action” doesn’t contain the “#” value but instead the fully qualified URL to send any user-entered data. Of course, all other related paths are also changed to the absolute paths of the servers controlled by the attackers.

Figure 4: A phishing email example
Figure 5: A portion of the phishing HTML page used in email campaign

A Short URL Telltale Sign

When we analyzed the URLs that all led to the same object (initial html page), we spotted some information in the “tail’ of the some URLs. One example is underlined on the figure below. According to the information found on Google, this addition could mean that hootsuite.com short URL service was used, and that the short link was created with help of its dashboard link shortener.

Figure 6: The "tail sign" of the short URL service

Later, we found another use of the ow.ly link shortener, which is also associated with Hootsuite.

Hootsuite.com is advertised as a “social media management” platform. Therefore, we can expect that the phishing campaign was launched not only using email messages but in the social media messages as well. 

Following the Bindweed’s Branches – a Phishing Network

During our continued investigation, we found that the initial object (the HTML page) had been copied to hundreds of different network locations. However, this was not the end of the story. When we started to analyze the related domains we discovered that they can also host multiple phishing pages.

For example, in the figure below, we can see the relations graph for the domain earthspiritenergies[.]com.au. One of its “leaves” is our initial HTML page, shown in the yellow rectangle. The URLs shown in the red circle are related to the Dropbox phishing pages. For clarity, there are only  seven of them shown here , but there are actually a few dozen more. Besides the “Dropbox” cluster, there is another “branch” (shown in the blue circle) that represents the DocuSign phishing pages.

Figure 7: Different phishing URL clusters for the domain earthspiritenergies[.]com.au. Graph was created with VirusTotal Graph.

Another interesting example is the qtymusic[.]com domain. In the picture below we can see the Dropbox phishing pages cluster (shown in blue this time). The green and violet circles are cPanel and Webdisk URLs. Since they were not available during investigation we could not tell for sure if this was another phishing page or if it was a real cPanel used to manage the webserver content.

Figure 8: Connections graph for the domain qtymusic[.]com. Graph was created with VirusTotal Graph.

However, there is something new here: we can see a strange URL related to the POS software. This does not match the domain name, so there is a chance that this link also was inserted by the criminals.

While no content of this URL was available during our research, we can try to trace the link in the opposite direction. Here is the Google response to our search on the specified domain.

Figure 9: Google search result for the qtymusic[.]com

The Google search results shows us two things:

  • There are several hundred different websites that contain a link to qtymusic[.]com.
  • The link was randomly inserted in the middle of sentences.

It seems unlikely that all of these domains were registered by the criminals. Instead, it seems more likely that this is the result of some hacking campaign used to promote qtymusic[.]com.

Figure 10 shows one of the sites, which now contains the link to qtymusic[.]com. In this particular case, this shows up in a hacked website of a Japanese hospital.

Figure 10: The modified web site with a randomly inserted link to “qtymusic[.]com”

The numbers of hacked webservers and the “mindlessness” of the inserted hyperlinks tells us that some sort of automation was used. Most likely, all these webservers share a common vulnerability that was exploited with some modifying scripts used by the criminals.

Digging to Bindweed’s “Root”

At this point, we understood that we are dealing with some sort of phishing-malware network that had “entangled” thousands of vulnerable webservers. That is why we reference it as Bindweed. We started with its “leaf,” then we followed its “branches.” But does this network actually have a “root”?

Well, while we have not found the “logical root” yet (the persons who did it, for instance), we have found the “technological root.” We managed to find the Phishing Kit that we believe was used to create the phishing infrastructure of the servers.

The Phishing Kit

ab851e5b17f382fdea66e5c52aec6cfde70881e492211ea0e4b4551e60d7b409

The phishing kit is essentially a ZIP archive with a full set of directories, images, CSS, and PHP scripts needed to imitate the original Dropbox login page. All paths inside the Phishing Kit are relative. Therefore, it can be unpacked to the vulnerable server without any modifications of the kit’s scripts other than the email addresses to which grabbed information will be sent. 

Figure 11: The phishing kit image files directory

Index.php is a PHP-enabled page that has an embedded HTML page - the same page from which our investigation started. The verification.php page is used to lure a victim to submit a phone number. Both pages share the same code for sending a user’s input.

The code shown in figure below tries to send entered information to the specified email addresses. After that, it redirects the user to the normal Dropbox page.

Figure 12: The code used for sending user information to a specified email addresses

From the figure above we can see that somebody already input two email addresses for sending (shown in the red rectangle). We realize that these are not the same addresses used in the “Bindweed” network. Instead, these are most probably the emails of the initial publisher of this Kit. Another possibility is that these emails were inserted on purpose - to create a false trace to people not liked by the publisher of this archive.

That being said, we decided to see what we could find out about these email addresses anyway.

Email Addresses Found

When we searched for anthonysaffo24[@]gmail.com, we found information that linked this address to fraud crimes back in 2015. The claim is that this email address was used to deceive a person into paying a security deposit for a rental home. It also looks like the person behind this email address is not related to this house anyhow. We found a story about this incident here.

In the quoted email message we found the phone number (336) 291 38XX. According to this scambook thread, this same phone number has been used with different email addresses, but with the same fraud scenario. Therefore, there is reason to believe that the other email addresses are also being used by the same group of actors, namely:

anthonysaffo24[@]gmail.com

ashleydenton67[@]yahoo.com

truss.jason[@]yahoo.com

davidsewell197[@]outlook.com

Conclusion

FortiGuard Labs has discovered a phishing network that has exploited thousands vulnerable web servers. On some of the servers there was more than one phishing domain. There is a probability that these webservers were exploited by two different groups independently, since the code underneath the phishing pages was sufficiently different.

In addition, we managed to trace the origins of the Dropbox phishing pages to one of the published phishing kits. Inside this phishing kit we discovered inserted several email addresses, one of which is known to have been used for fraud crimes.

FortiGuard Labs will continue to monitor the webservers and domains found during this investigation.

Solution

Fortinet users are protected from phishing threats mentioned in this article with the following solutions:

  • Files are detected by FortiGuard Antivirus
  • Malicious and Phishing URLs are blocked by our FortiGuard Web Filtering Service

IOCs

7257f7be6c9657fad0503096935d268a763e0f6e413c139d85dad2c307b52e5e - HTML/Agent.1D14!Phish

48c13f603da1e1540cc9530b5c1d50497a128243e4952a161e84581554b138b4 - HTML/Phish.58FC!tr

ab851e5b17f382fdea66e5c52aec6cfde70881e492211ea0e4b4551e60d7b409 – PHP/Agent.ECD6!Phish

 

547 URLs were added to the Web Filtering as phishing.

-= FortiGuard Lion Team =-

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.