Phishing in a Nutshell: January – March 2018

Tao Yan


Category: Unit 42

Summary

Phishing remains one of the most dangerous threat vectors of cyberattacks. Even though Exploit Kits are on the decline overall, as we outlined in our posting Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers, phishing itself is not on the decline. Unit 42 recently has done research on phishing attacks and phishing URLs. In this blog, we will show some statistical phishing results from the first quarter of 2018, January through March, especially for HTTPS phishing URLs.


Phishing URLs Statistics

In the first quarter of 2018, we found 4,213 URLs from 262 unique domains used in phishing attacks. On average, we found one domain serving 16 different phishing URLs. The heat map below shows the geographic distribution of these 262 domains.

Nutshell_1

Figure 1 Phishing domains geographic heat map

Over half of these phishing domains were hosted in the United States. There was then sharp drop to the two next highest countries: Germany with 28 domains and Poland with 13, as shown below in Figure 2.

Nutshell_2

Figure 2 Phishing domains countries/zones and numbers

 

We also found several phishing domains hosted in Africa and South America.

Among the 4,213 phishing URLs, there are 2,066 using a generic phishing template which can target multiple different companies or organizations; for example, attackers used “next1.php” with the name and id “chalbhai” in a form to target Bank of America customers as shown in Figure 2. We also observed that this similar template targeted DropBox customers and was used for IRS tax fraud schemes.

 

Nutshell_3

Figure 3. chalbhai phishing page source code example

 

In addition to the generic phishing templates, there were 1404 URLs with phishing spoof pages targeting Adobe customers, 155 URLs targeting DropBox customers, 18 URLs targeting Facebook users, 442 URLs targeting Google Doc users, 108 URLs targeting Google Drive users and 20 URLs targeting Office 365 customers. There is a histogram below in Figure 4 showing the phishing URL distribution by targets. From the histogram, we can see the generic phishing URLs account for almost 50% of the total 4213 URLs, followed by the URLs targeting Adobe and Google accounts, accounting for 33% and 13% respectively. In addition to the top 3, there are also a few URLs targeting Office 365 and Facebook accounts..

Nutshell_4

Figure 4. Phishing spoof page distribution


HTTPS Phishing URLs

HTTPS phishing URLs are more difficult to identify. Therefore, we put additional effort into identifying and analyzing them. Of the 4,213 phishing URLs, 1,010 are for HTTPS URLs from 46 unique domains. On average, one domain served 21 different phishing URLs. Figure 5 shows the comparison between HTTP and HTTPS phishing URLs and domains.

Nutshell_5

Figure 5. HTTP and HTTPS comparison

We also investigated the certificate issuers of the 46 domains. We found “cPanel” issued certs for 31 phishing domains, “COMODO” and “Let’s Encrypt” each respectively issued certs for 6 different phishing domains, “Go Daddy Secure” issued one, and also there are 2 domains no longer in use as shown in Figure 6.

Nutshell_6

Figure 6. Cert Issuer Distribution

Unit 42 has contacted all hosters and issuers. The “Comodo” certs have been distrusted by Google and there is only one from “Go Daddy Secure”. A complete list of domains and certs are included below. We highly recommend they be added into suspicious certificate lists.

Nutshell_7

Figure 7. Phishing domains’ cert issuers


Phishing Kits

To make phishing attacks more effective, attackers usually clone and pack the modified files of one website (intended to be used in a phishing campaign) into a zip file and upload it to multiple hacked websites. This zip file can be considered a part of phishing kit. After unpacking the zip files and deploying the phishing site, some attackers fail to remove the zip file leaving it openly accessible to researchers to analyze its contents. During our research, we collected phishing zip file samples. Below is a phishing example meant to target Outlook/Office365 accounts as shown in Figure 8 and Figure 9.

Nutshell_8

Figure 8. Directories of a phishing kit

Nutshell_9

Figure 9. Contents of CSS directory in a phishing kit


Summary

In this blog we showed some phishing statistics from the first quarter of 2018 that demonstrates phishing targets distribution, general phishing templates and phishing kits. In particular, we showed HTTPS phishing URLs and the distribution of certificate issuers with certs being used maliciously. HTTPS phishing URLs are worth noting, because HTTPS is thought by many to be more trustworthy and malicious links are harder to detect.  Palo Alto Networks has the ability to deal with HTTPS phishing URLs and will continue to ensure that our customers can be protected from HTTPS phishing attacks. We also have IPS signatures to detect phishing kits. All Palo Alto Networks customers with a valid threat prevention subscription are protected from all phishing attacks mentioned in this blog.

 

IOCs

Carrentalahmedabad[.]info (dead) (dead)
Sdlfkjttq[.]tk (dead) (dead)
ana-ero[.]bid COMODO ECC Domain Validation Secure Server CA 2  sni50732.cloudflaressl[.]com
www.discoverdiva[.]com COMODO ECC Domain Validation Secure Server CA 2  sni222615.cloudflaressl[.]com
biomedics.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
clements.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
offiicceeeedrop.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
re-fb.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
Allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu
Allamericantrade[.]pl cPanel, Inc. Certification Authority  Allamericantrade[.]pl
Azadtehsil[.]ml cPanel, Inc. Certification Authority  Azadtehsil[.]ml
Bectronix[.]tech cPanel, Inc. Certification Authority  Bectronix[.]tech
Clearwaterfiles[.]ml cPanel, Inc. Certification Authority  Clearwaterfiles[.]ml
Clearwaterfiles[.]tk cPanel, Inc. Certification Authority  Clearwaterfiles[.]tk
Cloudhsh[.]com cPanel, Inc. Certification Authority  Cloudhsh[.]com
Cristaleriags[.]es cPanel, Inc. Certification Authority  Cristaleriags[.]es
cristelito.com[.]pl cPanel, Inc. Certification Authority  cristelito.com[.]pl
cuh-dubai[.]com cPanel, Inc. Certification Authority  cuh-dubai[.]comcom
diabeticosaudavel.com[.]br cPanel, Inc. Certification Authority  diabeticosaudavel.com[.]br
Dunkelbergerz[.]ga cPanel, Inc. Certification Authority  Dunkelbergerz[.]ga
ea23travel[.]com cPanel, Inc. Certification Authority  ea23travel[.]com
Filtrao[.]org cPanel, Inc. Certification Authority  Filtrao[.]org
Footworkapp[.]ga cPanel, Inc. Certification Authority  Footworkapp[.]ga
Hentoshphotography[.]com cPanel, Inc. Certification Authority  Hentoshphotography[.]com
mail.allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu
mail.cristelito.com[.]pl cPanel, Inc. Certification Authority  cristelito.com[.]pl
mecanicoadomicilio.com[.]ve cPanel, Inc. Certification Authority  mecanicoadomicilio.com[.]ve
mic-office[.]cf cPanel, Inc. Certification Authority  mic-office[.]cf
mic-office[.]ga cPanel, Inc. Certification Authority  mic-office[.]ga
richbtc4u[.]com cPanel, Inc. Certification Authority  richbtc4u[.]com
Servicenterelectronic[.]com cPanel, Inc. Certification Authority  Servicenterelectronic[.]com
Theaafiz[.]com cPanel, Inc. Certification Authority  Theaafiz[.]com
vweds.usa[.]cc cPanel, Inc. Certification Authority  vweds.usa[.]cccc
www.allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu
www.cristelito.com[.]pl cPanel, Inc. Certification Authority  cristelito.com[.]pl
www.manglammilk[.]com cPanel, Inc. Certification Authority  Manglammilk[.]com
www.servicenterelectronic[.]com cPanel, Inc. Certification Authority  Servicenterelectronic[.]com
www.upperdelawarescenicbyway[.]org cPanel, Inc. Certification Authority  Upperdelawarescenicbyway[.]org
Zyaviv[.]com cPanel, Inc. Certification Authority  Zyaviv[.]com
Getwealthi[.]com Go Daddy Secure Certificate Authority – G2  Chasethepaper[.]com
Farmking[.]in Let’s Encrypt Authority X3  Farmking[.]in
Cabinetdetectivi[.]ro Let’s Encrypt Authority X3  Cabinetdetectivi[.]ro
Stiesdal[.]com Let’s Encrypt Authority X3  Stiesdal[.]com
Stingereincendiu[.]ro Let’s Encrypt Authority X3  Stingereincendiu[.]ro
usps.com.runningwild.co[.]ke Let’s Encrypt Authority X3  usps.com.runningwild.co[.]ke
www.duannhatrangpearl.com[.]vn Let’s Encrypt Authority X3  duannhatrangpearl.com[.]vn

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.


© 2018 Palo Alto Networks, Inc. All rights reserved.