Investigation: Chasing the Office 365 Phishing Scammers
What is Phishing?
Phishing is an online scam where criminals send alluring emails to the users and trick them into clicking malicious links to compromise their data or put their digital life at risk by infecting their devices with virus and malware.
Phishing is a scam and a cyber crime.In case anyone from affected parties or law enforcement needs more information, please reach out to me.
It all started on a Friday night when a new email popped up in my inbox. I usually get a few in my inbox (not in junk folder) every other month. Usually I mark them junk or just delete them. But since it was a weekend I got excited to dig deeper. Also got some encouraging suggestions from my friends who also work in the cyber security field.
What is a Phishkit?
Phishkit is a software which includes easy to use web site template which can be deployed with very low technical knowledge and can be used by anyone to setup phishing attacks. This type of kit typically comes complete with different email templates, graphics and sample scripts that can be used to create convincing imitations of legitimate email correspondence.
Analyzing the Phishkit
Let’s take a look at the phishing email first.
Here is the screenshot of the email I received. Keep in mind some templates are really professional looking too.
The button/link “Keep your Password now” takes you to a website link. Now here is the main issue. These phishkits are hosted on random compromised servers. The link looks like below.
The domain in this case was an international telecom company website which was compromised. Once the website is compromised, threat actors upload a zip file and then get it extracted. So from the URL you can guess the zip file name is ‘TO.zip’. Last part of the URL is a Base64 encoded email address which reads ‘email@example.com‘.
Attribution – Who developed this Phishkit?
Looking further into the config.php file, I found an API key URL mentioned. The URL gave me the link to the developers Facebook page and also ICQ Id (People still use ICQ? 😮).
- Main configuration for the phishkit
- Rewrite rules to block a long list of IP address
- IP blocked with reasons mentioned
- Where your passwords entered in the web forms should be sent to
Following the Facebook page lead got more insight into the latest features in the phishkit. Thus confirmed the identity of the developer of this phishkit.
Where do you get the Phishkit from?
Lets see where these phishkits and compromised services are sold. Below screenshot is from their portal advertising the different domain names they use. I checked some of these domains using Netcraft and its running on US based hosting company called “Namecheap”. Will report to them and hope they take action as per this report.
What I found on sale other than Phishkit!
Other than phishkits, the portal also sells several different things like compromised servers, webmail, cpanel rdp, SMTP etc. Some of them in the screenshots below. Keep in mind all these available on the Open Web and not on Dark Web.
How to avoid getting scammed?
In todays world everyone who uses any device to access internet should be aware of what “Cyber Hygiene” is. Specifically on phishing, never click links asking for password change or otherwise. The email mentioned above is just an example but some of the other email templates look very realistic.
Cyber Security and scams are only going to increase when more and more people get online and depend on internet for all our daily activity. The boundary of what to do and what not is upto us as individuals. In general make sure to use Two-Factor Authentication for all your important logins and don’t click links which comes in emails, specially from unknown senders. I prefer Microsoft Authenticator for 2FA but several other options exist in the market.