25 Jul, 2022

How Quttera Can Help You Overcome Phishing Attacks

Being a blacklisted website due to a phishing attack is not someplace you want your website to be. Here's how Quttera can help you.
Phishing attacks have the potential to do so much damage to your website. Beyond just compromising your data and possible customer information, they can also impact the way Google interacts with your web pages. For many eCommerce website owners, their ability to reliably rank high in Google searches is the lifeblood of their business.

Phishing attacks that inject malware or other harmful code can disrupt that in ways that can do untold damage to your business.

The answer is to have a plan for when this might happen. By teaming with a partner platform that has experience in these kinds of situations, you can assess, diagnose, and fix the problem while minimizing the impact on your website and bottom line.

At Quttera, we recently encountered a customer who ran into a problem stemming from a phishing attack that affected how Google engaged with their site. Here's the story of what happened and how we helped them overcome the problem.

The Phishing Attack That Sidelined One of Our Customers' Websites
The website owner signed up for the ThreatSign platform because Google was blocking their site. On top of that, GoDaddy was reporting suspicious pages within their site. This left them unsure of how to proceed and unaware of the root cause of the disturbance.
Our researchers quickly identified the source of the problem: a phishing attack that caused an infection. The following link was generated:
This led us to the source of the malicious scripts. The hunt was on.
The Investigation of Our Customer's Website
After we had determined the source of the malicious scripts, we conducted a thorough investigation of their website. Once we did, we uncovered a general phishing kit implemented during an attack.
This phishing kit was collecting login credentials for multiple platforms and services. This compromised site visitor data, which could have led to an erosion of trust between those visitors and the website.
We evaluated the comments of each malicious script found within the directory. Based on the review, we were able to ascertain that the infection was from a phishing kit known as "X-Phisher."
The kit was located at /public_html/amigo /general domains/v2/. Below is a summary of the malicious files:
  • index.php
  • login.php
  • signin.php
  • submit.php
  • success.php
  • verify.php
  • visitors.txt
  • Your_email.php
  • antibots.txt
  • antibots1.php
  • antibots2.php
  • antibots3.php
  • antibots4.php
  • authenticator.php
  • get_browser.php
  • get_ip.php
  • index.php
  • logs.txt
  • newips.php
Within the directory there was also an archive, "general domains.zip," containing the malicious scripts. This indicated that the kit had been uploaded to the website owner's device as an archive file.
Now we had the location and the list. It was time to figure out exactly how the phishing kit was able to operate and do so much damage to the sites it corrupted.
The Phishing Kit Functionality
Once we determined the location and list that pinpointed the root of the attack, we did more digging on the phishing kit itself. We discovered that the phishing kit's goal was to steal a visitor's credentials by requesting their email address.

To add an element of realism, the kit embeds the website of the target email's domain within an iframe. In this particular instance, the URL path of the phishing page was "?user=test@gmail.com", with a target user email of "test@gmail.com".

The kit then loaded the Gmail website in the background iframe. It's an insidious plot that taps into a trusted resource - Google and specifically Gmail - and social engineering tactics to gain the visitor's trust. It looks and feels legitimate, which is where so many phishing attacks are able to capitalize on trusting users. The kit used this design to target multiple companies.

Once the visitor enters their password, they'll receive a message that reads "Session Expired". They are then redirected to the website of the email address's domain. The visitor's login credentials are forwarded to an email address configured in the file Your_email.php.

The kit has a sneaky method for avoiding detection by bot crawlers: it features antibots that will check to see if the page or PHP script is being accessed by popular bot crawlers like Googlebot, Twitterbot, MSNbot, and others. If it is, it will display a 404 error page.
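As an added example (not Quttera's tooling), the following Python scanner walks a web root and flags directories that show the traits described above: the kit's file inventory, user-agent cloaking that returns a 404 to crawlers, and a posted password handed to PHP's mail(). The regexes, the scoring threshold and the sample web root are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# File names that, seen together in one directory, match the kit inventory above.
KIT_FILES = {"visitors.txt", "Your_email.php", "antibots.txt", "logs.txt",
             "get_ip.php", "get_browser.php", "newips.php"}
# Cloaking: reads the User-Agent, names crawlers, and answers with a 404 (assumed patterns).
ANTIBOT_PATTERNS = [r"HTTP_USER_AGENT", r"(?i)googlebot|msnbot|twitterbot", r"404 Not Found"]
# Exfiltration: a posted password passed to PHP's mail() (assumed patterns).
EXFIL_PATTERNS = [r"\bmail\s*\(", r"\$_POST\s*\[\s*['\"](pass|password)"]

def score_directory(path):
    """Return the indicators found in a single directory (hypothetical scoring)."""
    names = set(os.listdir(path))
    hits = {"kit_files": sorted(names & KIT_FILES), "antibot": [], "exfil": []}
    for name in names:
        if not name.endswith(".php"):
            continue
        with open(os.path.join(path, name), errors="replace") as fh:
            src = fh.read()
        if all(re.search(p, src) for p in ANTIBOT_PATTERNS):
            hits["antibot"].append(name)
        if all(re.search(p, src) for p in EXFIL_PATTERNS):
            hits["exfil"].append(name)
    return hits

def scan_webroot(root, min_kit_files=3):
    """Walk a web root and return (directory, hits) for every suspicious directory."""
    findings = []
    for dirpath, _, _ in os.walk(root):
        hits = score_directory(dirpath)
        if len(hits["kit_files"]) >= min_kit_files or hits["antibot"] or hits["exfil"]:
            findings.append((dirpath, hits))
    return findings

def build_sample_webroot():
    """Constructed sample: a clean index page plus a directory laid out like the kit."""
    root = tempfile.mkdtemp()
    kit = os.path.join(root, "amigo", "general domains", "v2")
    os.makedirs(kit)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")  # benign file, must not be flagged
    for name in ["visitors.txt", "logs.txt", "antibots.txt", "Your_email.php"]:
        open(os.path.join(kit, name), "w").close()
    with open(os.path.join(kit, "antibots1.php"), "w") as fh:
        fh.write("<?php if (preg_match('/googlebot|msnbot/i', $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; }")
    with open(os.path.join(kit, "submit.php"), "w") as fh:
        fh.write("<?php mail($to, 'creds', $_POST['password']);")
    return root
```

Run scan_webroot() against a real document root to list candidate directories, then review the flagged files by hand; the score is a triage hint, not a verdict.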
Where Did This Phishing Kit Come From?
We conducted an investigation into where the phishing kit originated, but no concrete evidence turned up during our search. A comment within the kit mentioned a website - xphisher.com - but the site isn't operational at the moment. GitHub has a repository dedicated to an X-Phisher attack, but it is not the same one. Despite not having much data available on the phishing kit's origin, there are still plenty of actions you can take to protect your site. So knowing what we know, what can you do?
How to Help Prevent X-Phisher and Other Attacks Like It From Compromising Your Site
Here's what we know: being blocked by Google is akin to a death sentence for your website. It's the most popular search engine in the world and can lead a steady stream of potential customers or audience members to your website. Being a blacklisted website due to a phishing attack is not someplace you want your website to be. With the right tools, however, you can avoid this.

The first step is to identify a platform that can help you detect and avoid similar types of attacks. Quttera's ThreatSign! platform allows you to prevent and respond to phishing attacks. It can help you maintain optimal situational awareness of your website, regularly monitoring for irregularities that might compromise your code or data.

If you do experience a zero-day attack that you were previously unaware of, ThreatSign can assist you in returning to normal operations. We have the capabilities you need to identify, assess, and ultimately extinguish threats such as X-Phisher.

With ThreatSign you can protect the website from phishing and avoid blacklisting by Google and other authorities. To protect your website from phishing and other malware, sign up for ThreatSign today!