The Phishing Adventures of Huck Phinn, Another School of Phish
Cyrus Robinson : Dec 9, 2021 12:00:00 AM
In the previous chapter, all seemed well with Huckleberry “Huck” Phinn and the St. Petersburg Wildlife Foundation. Huck and the gang at St. Petersburg partnered up with Mark Ingalls, a trusty companion, to help them with their cybersecurity needs. Still, nefarious Phishermen do not rest - laying bait all over the internet and casting their nets far and wide. It was only a matter of time before Huck found himself faced with another opportunity to test his cybersecurity survival skills in the online wilderness.
One afternoon, Huck received an email from “spwf Support”. By now he had learned to check the sender, so he hovered over the sender's name; the address shown was “noreply@spwf.org”. At this point, Huck saw no reason to be suspicious: the email appeared to be a Zoom meeting invitation sent from an SPWF email address. The message looked like Figure 1.
Figure 1 - This is a screenshot of the phishing email that Huck Phinn received.
Right away, Huck was suspicious about this email. Can you spot the red flags that he noticed? The email sender is shown as an internal source. However, there are signs that this email actually originated from outside the organization. Huck spotted these flags and sent the email to the Ingalls Information Security Phishing Email Helpdesk for review.
The Ingalls Phishing Email Helpdesk first reviewed the email headers. Although the message presented itself as sent from “spwf.org”, it actually originated from a computer named “myrdp” (likely a free, open-source Linux Remote Desktop Protocol (RDP) client used by the attacker) in a domain named “agaton[.]ni”, and was then relayed through another domain, “managua.gob[.]ni”. RDP is a proprietary protocol developed by Microsoft that gives a user a graphical interface to another computer over a network connection. (Figure 2)
Why was the attacker able to send an email claiming to be from “noreply@spwf.org”? The Ingalls Phishing Email Helpdesk used MXToolbox.com to check SPWF's email configuration and found that “spwf.org” had no Domain-based Message Authentication, Reporting & Conformance (DMARC) record published, and therefore no DMARC Quarantine or Reject policy in effect.
DMARC is an email authentication, policy, and reporting protocol. It checks that the domain in the message's visible “friendly from” header (spwf.org) aligns with the domain that actually passed SPF or DKIM authentication for that message, and it tells the receiving mail server what to do with the message when they don't align. If SPWF had published a DMARC record with a correctly configured policy, the SPWF mail server would have quarantined or rejected this message. This configuration gap is what allowed the attacker to spoof an SPWF email address.
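To make that check concrete, here is an added Python example (my code, not Ingalls' tooling or any mail server's implementation) that models the decision a receiving mail server makes under DMARC: parse the published record, test whether the From: domain aligns with the SPF- or DKIM-authenticated domain, and apply the published policy when it does not. It shows the weak configurations (no record, or p=none) beside the fixed one (p=reject). Apart from spwf.org, every domain, record and mailbox below is constructed for illustration, and organizational-domain handling is simplified (a real implementation uses the Public Suffix List and also looks the record up at the organizational domain).

```python
"""Minimal model of the DMARC disposition logic a receiving mail server applies.
Added example; not Ingalls' code. All records and domains except spwf.org are constructed."""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a dict of tags.
    Returns None when the record is absent or is not a DMARC record."""
    if not txt or not txt.strip().startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organizational-domain reduction (last two labels).
    Simplification: real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False  # that authentication method did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record_txt, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'none', 'quarantine' or 'reject' for one message.
    spf_pass_domain:  the envelope MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a passing DKIM signature, else None."""
    tags = parse_dmarc_record(record_txt)
    if tags is None:
        return "none"  # no DMARC record published: the receiver applies no policy
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: deliver normally
    return tags.get("p", "none")  # DMARC fail: apply the domain owner's policy


# Constructed scenario mirroring the post: the From: header claims spwf.org,
# but the message was relayed by an unrelated server, so only that relay's
# domain can pass SPF and nothing signs for spwf.org.
SPOOFED_FROM = "spwf.org"
RELAY_SPF_DOMAIN = "relay.example.net"          # constructed stand-in for the real relay
NO_RECORD = None                                 # what MXToolbox found for spwf.org
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@spwf.org"            # constructed
FIXED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@spwf.org"  # constructed


def demo():
    """Disposition of the spoofed message under each configuration, plus a
    legitimate message that passes SPF for spwf.org itself."""
    return {
        "no_record": dmarc_disposition(NO_RECORD, SPOOFED_FROM, RELAY_SPF_DOMAIN),
        "p_none": dmarc_disposition(WEAK_RECORD, SPOOFED_FROM, RELAY_SPF_DOMAIN),
        "p_reject": dmarc_disposition(FIXED_RECORD, SPOOFED_FROM, RELAY_SPF_DOMAIN),
        "legit": dmarc_disposition(FIXED_RECORD, SPOOFED_FROM, "spwf.org"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The first two scenarios return "none", which is exactly the situation in the post: without a record, or with p=none, the spoofed message is delivered as if nothing were wrong. Only the p=reject record turns the alignment failure into a rejection, while the legitimate message from spwf.org still passes.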
The Ingalls Phishing Email Helpdesk then examined the contents of the email. The "VIEW INVITATION" link didn’t lead to a Zoom website or meeting at all. Instead, it led to “https://hgcdoeatkwmico1-dot-tidy-cortex-321712.nw.r.appspot[.]com/#aHVjay5waGlubkBzcHdmLm9yZw==”, which was a fake Outlook login page. The Helpdesk replied to Huck that the email was malicious and advised him to delete the message immediately. Ingalls also notified the SPWF IT team that DMARC needed to be configured for their email domain to protect against spoofing. (Figure 3)
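One detail of that link is useful when triaging reports like Huck's: the part after the “#” is base64, and it decodes to huck.phinn@spwf.org, the recipient's own address. Phishing kits commonly carry the target's address this way so the fake login form can be pre-filled and look personalised, and it also tells an analyst who the link was aimed at. The following added Python snippet (my example, not Ingalls' tooling) extracts and decodes such a value from the fragment or query string of a URL; it parses the defanged link quoted above without fetching anything, and all function names are my own.

```python
"""Extract a base64-encoded e-mail address smuggled in a phishing link's
fragment or query string. Added example; not Ingalls' tooling."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(url):
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a
    parseable URL. Used only for parsing here; nothing is ever fetched."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def decode_base64_lenient(value):
    """Decode standard or URL-safe base64, tolerating missing '=' padding.
    Returns the decoded text, or None if it is not base64 or not printable."""
    value = value.strip()
    if not value or not re.fullmatch(r"[A-Za-z0-9+/_=-]+", value):
        return None
    value = value.replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)  # restore any stripped padding
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def prefilled_email(url):
    """Return the e-mail address a phishing link carries (base64) in its
    fragment or in any query-string value, or None if there is none."""
    parts = urlsplit(refang(url))
    candidates = [parts.fragment] + [v for _, v in parse_qsl(parts.query)]
    for candidate in candidates:
        text = decode_base64_lenient(candidate)
        if text and EMAIL_RE.match(text):
            return text
    return None


# The link quoted in the post, kept defanged.
PHISH_URL = ("https://hgcdoeatkwmico1-dot-tidy-cortex-321712.nw.r.appspot[.]com/"
             "#aHVjay5waGlubkBzcHdmLm9yZw==")

if __name__ == "__main__":
    print(prefilled_email(PHISH_URL))  # huck.phinn@spwf.org
```

Because the address sits in the fragment, it never reaches the hosting server's logs, which is one more reason the kit authors like this placement; it also means a proxy or mail gateway cannot see it, so the decode has to happen on the analyst's side from the reported link.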
Notice that the browser's URL bar also labels this site as “Dangerous”. You can’t rely on this warning to appear on every phishing website, but when it does it is an important red flag to look out for when protecting yourself and your organization from cybercriminals. If Huck had entered his password, his email credentials would have been compromised. Thankfully, Huck spotted this phish before getting caught in the phisherman’s nets, but the story does not end here.
The Ingalls Security Operations Center decided to inspect this phishing page further. Upon investigation, the team noticed that the “right-click” and “F12” features (shortcuts to see the code behind a website) were disabled for this website. Apparently, the phishermen did not want anyone to be able to see the code behind their fake login page, so they used a simple script to disable these features. (Figure 4)
There are still other ways to see this information, and the Ingalls SOC used one of them to dive deeper: it entered fake credentials (fakeemail@fakedomain.xyz) into the page and checked the network traffic and activity logs in the browser's developer console to find the actual website where the Phishermen stored their victims’ captured usernames and passwords. (Figure 5)
The website storing the stolen credentials, “luxurycolection[.]com”, and the fake credentials that Ingalls entered are clearly visible in this network console (which is likely why the phishermen tried to stop potential victims from inspecting the code behind the phishing page). Ingalls used Pulsedive threat intelligence to look up the “luxurycolection[.]com” domain: Pulsedive categorized it as medium risk, it was registered to a random Gmail account, and 3 VirusTotal engines categorized the site as malicious. (Figure 7)
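The same analysis can be done from a saved capture rather than by eye: most browsers export the developer console's network tab as a HAR file, and the drop site is the host that receives a POST containing the form's credential fields and is not the phishing page's own origin. Here is an added Python example (my code, not the Ingalls SOC's tooling) that runs that rule over a HAR capture. The capture embedded below is constructed, with made-up hosts standing in for the fake login page and for the real drop site (luxurycolection[.]com in the post).

```python
"""Find where a phishing page posts captured credentials, from a HAR capture
of the developer console's network tab. Added example; not Ingalls' tooling."""
import json
from urllib.parse import parse_qs, urlsplit

# Field names that typically carry credentials in a login form.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "login", "username", "user", "email"}


def form_fields(request):
    """Return the submitted field names from a HAR request's postData,
    handling pre-parsed params, form-urlencoded bodies and JSON bodies."""
    post = request.get("postData") or {}
    if "params" in post:  # HAR exporters may already have split the form fields
        return {p["name"] for p in post["params"]}
    body = post.get("text", "")
    if body.lstrip().startswith("{"):
        try:
            return set(json.loads(body).keys())
        except ValueError:
            return set()
    return set(parse_qs(body, keep_blank_values=True).keys())


def find_credential_drops(har_text, page_url):
    """Return [(host, [credential fields])] for every POST that sends
    credential-like fields to a host other than the phishing page's own."""
    page_host = urlsplit(page_url).hostname
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        request = entry["request"]
        if request.get("method", "").upper() != "POST":
            continue
        host = urlsplit(request["url"]).hostname
        creds = sorted(f for f in form_fields(request) if f.lower() in CREDENTIAL_KEYS)
        if creds and host != page_host:
            hits.append((host, creds))
    return hits


# Constructed HAR capture (not a real one): the page load, a static asset,
# and the POST the fake login form makes with the analyst's fake credentials.
PAGE_URL = "https://fake-login.example/"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": PAGE_URL}},
    {"request": {"method": "GET", "url": "https://cdn.example/bootstrap.min.css"}},
    {"request": {"method": "POST", "url": "https://drop-site.example/sort.php",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "email=fakeemail%40fakedomain.xyz&password=notreal&submit=Sign+in"}}},
]}})

if __name__ == "__main__":
    for host, fields in find_credential_drops(SAMPLE_HAR, PAGE_URL):
        print(f"credential fields {fields} posted to {host}")
```

Using obviously fake credentials, as the SOC did, is what makes this safe to run against a live kit: the post is real, so the drop site shows up in the capture, but nothing of value is disclosed. Note that a kit which posts back to its own origin and forwards server-side would not be caught by the host comparison alone; in that case the credential-field check still identifies the request worth reporting.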
Ingalls then discovered that visiting the “luxurycolection[.]com” website with “sort.php” removed from the URL exposed an open directory listing. (Figure 8)
And there was the Phishermen’s net and all of the phish they had caught so far: a file named results.txt containing every credential that victims had entered on the phishing page. Unfortunately, unlike Huck, many employees of various other companies did get caught in the Phishermen’s nets, and their compromised credentials were listed there for the Phishermen, and anyone else who came across this page (which is no longer active), to see. (Figure 9)
Sadly, there were many more victims on this list than are shown in the image above. Ingalls Information Security followed up with a responsible disclosure notification, emailing all of the victims to inform them that their credentials had been harvested in a phishing campaign and were accessible to anyone on the Internet. Ingalls also reported both the fake login page domain and the domain where the harvested credentials were stored to their web hosting providers. The fake login page has since been removed.
Thankfully, Huck Phinn has learned a lesson or two from his previous Phishing Adventures. Instead of getting caught in the Phishermen’s nets, he recognized the red flags and reported the email as suspicious, keeping his account safe and protecting the “St. Petersburg Wildlife Foundation” with the assistance of Ingalls Information Security.
Would you have spotted all of the red flags? Do you know someone who might have taken the bait? Download and share our “How to Spot a Phish” checklist to elevate security awareness and keep more people safe online.
Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.