25 Feb, 2019

Protecting Your Website from Phishing Kits

Phishing schemes fool even careful people. Deceptive messages lead their victims to a website that looks like a legitimate login page for a well-known website. The victim thinks it's the real site and enters a username and password. The password goes to a server run by criminals, where they can use it later on. Meanwhile, the fake site redirects the target to the real site. It may display a message such as "Invalid login, try again." The victim shrugs, tries again, and logs in. It works as if there had never been anything wrong beyond a slip of the fingers.

Where do these fake pages live? Sometimes they are on servers belonging to the thieves. However, those servers get blocked if the operation keeps going for long. A more devious approach is to infiltrate a legitimate site and place the page there. The page doesn't do anything obviously harmful by itself. It just accepts some user input and redirects the user to another site.

Making the scam work requires several steps that aren't easy. The first step is to create malware that can get access to a target site. Then it's necessary to create a convincing imitation of a legitimate login page. The URL needs to be disguised so that it seems valid at a quick glance. A server needs to be set up to collect personal information.

Unfortunately, criminals can save steps by buying a phishing kit on Dark Web sites. The kit provides them with convincing fake pages, which they can upload once they've penetrated a site. These pages not only look like the real thing but also collect passwords, credit card numbers, and other confidential information that the victims enter.

The kit doesn't affect the existing pages on the target site, so the site looks normal to regular users. It's only people who follow the link from an email message who will see the bogus page. Unless the site owner scans for files that shouldn't be there or abnormal traffic, the infiltration could go unnoticed. If it isn't removed, eventually the site will be blacklisted for hosting a phishing page.

Some phishing kits do other tasks as well, such as sending out email messages to lure people in. Gaining access to the site is usually a separate operation, done by a backdoor or by acquiring an administrator password.

Targeting Apple Users with 16shop

Our server-side malware scanner service has encountered infections by a phishing kit called 16shop on customer sites. The kit uses PHP on the server, so it's platform-independent, but it's designed to lure Apple users. It tries to get people to log in with their Apple ID. If it successfully tricks them, a criminal gets access to their Apple account. The first reports of 16shop came in over a year ago.

The kit uses the PHP eval function with hex-encoded data to obfuscate its code. This is itself a warning sign. Whenever eval or other code-execution functions are called with data in a hard-to-read form, there's a good chance they're doing something unauthorized. In this case, the kit also uses str_rot13 twice, to make the code just a little harder to decipher. Rot13 is hardly sophisticated encryption, and it would seem to attract suspicion more than it makes the code hard to analyze.
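
A minimal static check for the pattern described above, as an added example (not code from the 16shop kit or from Quttera's scanner): it flags eval-style calls whose argument contains a long run of hex escapes or a decoder such as str_rot13, and decodes the hidden string for the analyst without executing it. The PHP sample is constructed and harmless; the function names, the decoder list and the eight-escape threshold are assumptions.

```python
import codecs
import re

# Functions that run a string as PHP code.
EXEC_CALL = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
# Decoders commonly wrapped around a hidden payload.
DECODER = re.compile(r"\b(str_rot13|base64_decode|gzinflate|hex2bin)\s*\(", re.I)
# Eight or more consecutive \xNN escapes: a string written to be unreadable.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")

# Constructed, harmless sample: one obfuscated eval and one readable eval.
SAMPLE = r'''<?php
$title = "Login";
eval(str_rot13("\x72\x70\x75\x62\x20\x22\x75\x76\x22\x3b"));
echo eval('return 1+1;');
'''


def decode_hex_run(run):
    """Turn a run of \\xNN escapes back into readable text."""
    return bytes.fromhex(run.replace("\\x", "")).decode("latin-1")


def scan_php(source):
    """Return one finding per exec call whose argument is obfuscated."""
    findings = []
    for call in EXEC_CALL.finditer(source):
        # Heuristic: inspect the text from the call to the next semicolon.
        end = source.find(";", call.end())
        arg = source[call.end(): end if end != -1 else len(source)]
        decoders = [d.lower() for d in DECODER.findall(arg)]
        hex_run = HEX_RUN.search(arg)
        if not decoders and not hex_run:
            continue  # eval of a readable literal: not what this check targets
        preview = None
        if hex_run:
            preview = decode_hex_run(hex_run.group(0))
            for _ in range(decoders.count("str_rot13")):
                preview = codecs.decode(preview, "rot13")
        findings.append({
            "line": source.count("\n", 0, call.start()) + 1,
            "call": call.group(1).lower(),
            "decoders": decoders,
            "hex_escaped": bool(hex_run),
            "preview": preview,
        })
    return findings
```

Calling `scan_php(SAMPLE)` reports only the obfuscated call on line 3 and leaves the readable `eval` on line 4 alone.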

The 16shop kit goes to some lengths for plausibility. It tailors the login screen to the device. It gathers information about the IP address and geographic location of the visitor, so it can selectively block access to avoid unwanted attention. It includes code for sending email, though it isn't immediately clear whether it sends phishing mail or something else.

Motherboard reports that phishing kit operators have targeted users of stolen, locked iPhones. By getting the owner's credentials, they can request an "iCloud unlock," making everything on the phone available to them. The thieves can then get at applications for making purchases and accessing bank accounts. The article doesn't say whether they're using 16shop or another phishing kit, but the approach is basically the same.

How Can You Keep Phishing Kits off Your Site?

The best defense against unauthorized code and pages on a site is to make it hard to penetrate the site in the first place. Phishing kits are useful to information thieves on any site, large or small. Careful management of your PHP site will decrease its vulnerability.

  • Use strong passwords and multi-factor authentication for administrative accounts.
  • Don't allow untrusted people to upload files to the site.
  • Use only trustworthy sources for plugins, themes, widgets, and other add-ons.
  • Use HTTPS protection throughout, with a valid certificate.
  • In many cases, designating a data protection officer is required.
  • Certain agencies of the EU and its member states have regulatory authority.
The biggest sources of malware on PHP sites are administrator account hijacking, malicious add-ons, and file uploads. Guard against these, and the chances of trouble are much lower.

How Can You Detect and Remove Phishing Kits?

A phishing kit won't affect the normal operation of a site since it's an independent page. The best way to find it is to run periodic file scans. Our internal and external malware scanners will examine all the files on your site and report any suspicious code.

If you receive a report that your site has been blocked or blacklisted, you should run a malware scan on it immediately. Assuming you aren't doing anything questionable yourself, the chances are high that there is something on your site which you don't know about. You need to find and remove it quickly to minimize the damage to your site's reputation.

You can use our free online PHP decoder to analyze a file which you think is suspicious. You may then be able to remove it by following the directions in our malware removal guide.

For thorough and regular checking for malware and phishing pages on your site, subscribe to our ThreatSign platform. It will scan your site internally for backdoors, phishing kits, and other malware. ThreatSign includes Quttera's cloud-based Web Application Firewall (WAF), which keeps known threats and suspicious requests from reaching your site. Quttera's WordPress Malware Scanner performs both internal and external scans for any signs of illegitimate activity.

With regular protection and scanning, you will be able to keep the large majority of threats from doing any harm to your site.