Attacking the Phishers: An Autopsy on Compromised Phishing Websites

February 10, 2012 by Azim Poonawala

In this article we will cover the results of an informal investigation I performed into phishing websites.

Rather than simply reviewing them externally as a potential phishing victim would, I performed an autopsy on the tools, techniques and methods used by these cybercriminals. I will review how to find phishing sites to target and some general strategies for compromising their often vulnerable phishing applications.

Phishing as a Service (Ph-a-a-S) ?

This document is not a step-by-step guide on how to setup a phishing page. It’s a practical autopsy on live phishing pages which I “stumbled” upon. This document will not only point out the mistakes and trails left by phishers, but will demonstrate how as a potential, or a past victim of, a phishing scam you can help stop further damage. If you are a phisher, then you can rate yourself based on whether you committed any of the blunders discussed.

A lot of times cybercriminals break into a large number of websites using just one common vulnerability. A recent WordPress or Joomla! plugin SQL Injection exploit, or a recently discovered admin backdoor in another commonly used CMS, or a buffer overflow in a web service which applies to more than one version can all prove to be a good opportunity for people with malicious cyber-intentions to make money.

By leveraging just one particular vulnerability these people can break into thousands of systems in one go!

Uses for compromised systems

A vulnerable, exploitable system can be compromised in more than one way. The system could be:

1] Transmogrified into a bot, or part of a large botnet.

2] Converted into a command and control server for other bots.

3] Misused as a drop point for confidential files extracted from other infected computers and corporate systems. These files could be documents, banking details, passwords, etc.

4] Turned into a host for serving phishing pages.

5] Misused as a drive-by download page which serves other client-side (browser) exploits. It could carry malicious PDFs, malicious eval() JavaScripts, Java class files, exploit potent media files, etc. etc.

6] Used to crunch bitcoins.

7] Configured to gather the passwords of banking accounts, social networking websites, email accounts, etc.

The list of ways to compromise a system is not endless, but it is quickly growing as malevolent people are finding newer uses for compromised systems. The screenshot of a phishing setup below clearly shows cc99.php (a variant or a renamed form of C99 PHP Web Shell Script that is often used by attackers to maintain access to a compromised server supporting PHP scripts).

Quite recently I had been keeping an eye on a lot of phishing websites and pages which pop up all over the Internet. Out of the thousands of phishing pages which pop up daily, only a few of these get reported to PhishTank and other phish-tracking systems. These services are used by many browsers, ISPs and companies with assets to protect. PhishTank itself can be a really good place for cybercrooks, or anybody, to earn some extra money. It is quite simple.

For example, you visit and rip-off a recently discovered phishing page which has been hosted on someone else’s website, and not as a stand-alone website, made especially to phish. The reason being that phishing pages hosted on hacked websites are generally uploaded after hacking into the website. Which means, a weak password, a weak configuration file giving away a password or hash, or a direct exploitable vulnerability could get you in.

Most phishers are only interested in planting phishing pages on as many websites as they can, so that even if one of them gets shut down or deleted they can change the dynamic DNS or their domain to point to some other place. If they are using a direct link in the emails then they just craft one more with a new URL containing the same page content. Very few phishers go out of their way to patch the hacked website to disallow others from gaining access. But sometimes even breaking in is not required (as the screenshot below demonstrates).

Crackers who attack and break into massive numbers of IP addresses/websites often run automated or batch scripts. These scripts include resolving IPs rights, carrying out SQL injections, database dumping, and uploading the phishing page. These pages are often zipped and uploaded many times and the offending cracker forgets to delete the original zip file.

If you are lucky, the directory listing will be enabled and you can directly view and download the original zip file with the phishing website pages in it, along with the PHP source which contains the email addresses.

Retrieving the data

So if you come across a phishing page then there is a high probability that breaking into it would not require much effort. But what do you do after you break in?

Every phishing page aims to retrieve usernames, account numbers, transactions and login passwords. Hence they either save the gathered data on a local or remote disk or they email the data back to themselves.

Two scenarios:

1] Saves the data to a local or remote location.

2] Emails the data back to the attacker’s email address.

Saving to a local disk is too risky and requires the attacker to revisit the website again and again. This leaves more traces and hence more time is needed to remove evidence of the attacker’s activity. Saving on a remote disk requires passing credentials.

Email on the other end is more convenient, but equally risky. A network sniffer on the website’s end and the risk of having that system hacked or taken down must be taken into consideration by the would-be attacker.

It is worth noting that live monitoring at a security operations center will instantly give away the malicious intents of the phisher, as phishers generally do not encrypt the information they are emailing back to themselves.

Another constraint to emailing is that the server should have a mailer-daemon, i.e., sendmail, qmail, running if it’s a *nix system. For a compromised windows with PHP, running a host mailing agent has to be installed, hence they either push the details to a MySQL database or a preferred website with ASP running to make emailing easier. Very few phishers use FTP as a method to upload the information from a remote server.

Despite all of this, phishers prefer to use the emailing method.

Screenshots shown below contain the source code for two separate phishing pages for NEDBANK Online banking:

The pictures clearly show that the recipient’s addresses are stored on the compromised systems in plain-text.

A funny incident happened once where the host server didn’t have PHP enabled. On hitting “Login” after entering the credentials on the phishing page, instead of the PHP file getting processed, its source code got echoed out onto the screen – clearly displaying the email addresses to which the credentials were meant to be sent.

Types of phishing attacks

The follow are four kinds of phishing attacks that crackers can take advantage of:

1] Fruit Sucker: When another attacker breaks into a hacked, vulnerable website with an existing phishing page and changes the email address. Often since the attacker can see where the data is being emailed to he/she will keep the original email addresses intact and merely add his/her own email address in the BCC field. This is a very easy way for an attacker to make extra money. All passwords and account numbers keyed in reach his inbox directly without tipping off the original phishers. If the phishers are rookies and lack automated money transferring scripts, are too lazy to keep a watchful eye on their victims or are situated in a different time zone, then these advantages can help the fruit sucker withdraw a large amount of data (or other assets) from the compromised accounts before they do.

2] Spear Sucker: An attack against the original crackers. For example, a good guy who breaks into the phishing websites and changes the email address to the NEDBANK’s CSO’s or CEO’s email address. After this he contacts the bank to make them aware of the security breach.

3] Haxtortionist: When an attacker patches the system, pulls down the phishing page and emails the attackers threatening them that he/she will report the crime and inform NEDBANK of their malicious activity. Reporting such abuse to email servers hosted by Google, Yahoo and similarly large companies in the United States is easy. In this way the attacker may extort a small share of money from the original crackers in return for keeping silent.

4] Robin-HAT: Here the attacker, after collecting a lot of passwords, changes the recipient’s email address for the purpose of redistributing wealth. He/She withdraws money from the accounts and donates a significant portion to charity. Such individuals cannot be called grey hats because they are criminals robbing from other criminals. They are Robin-HATS, those who steal from rich victims and their attackers and redistribute the wealth to the poor and needy.

Another version on this above type of attack: the Robin-HATs uniformly redistributed the assets from the richer compromised accounts to the compromised accounts which had lower funds; especially if particular attention was paid to those accounts with low balances for a prolonged period of time.

A fifth term might be – a good guy robbing from a Robin-HAT – that could be called a Bat-HAT.

Ghosts in the phishplex

One strange thing I noticed was located at the end of a index.php file from one of the phishing pages I found.

The content is shown below:

The content of .htaccess, or maybe the php.ini file, was found in the index.php.

[sourcecode] anonymizer2.blutmagie.de. fe22.hc.ru. tor-exit-router45-readme.formlessnetworking.net


The presence of the IPs may be the result of a clipboard action malfunction. On the other hand, it could be a deliberate ploy by a counter-attacker. Another logical reason could be that they intended to block visitors who know the page is a phishing trap. This would also deny access to the few individuals who are on their own blacklist.

I also randomly stumbled across a website hosting a VISA credit card phishing page. The directory listing shows ‘visa.zip’. No obscure naming convention was used.

On opening this file I found another innocent looking JPEG file called ‘visa.jpg’. As seen in the screenshot, it’s actually a compressed archive and not just a JPEG image file.

The PHP file is using fopen() and fwrite() to save the contents to a file locally, as opposed to emailing it (another option we discussed earlier).

The phishing website with the visa.zip file performed both actions; it saved the contents locally and then emailed them.

Another dual-action scenario was evident in a phishing setup for Halifax Online Banking.

The screenshot below demonstrates how the phishers are emailing themselves the hijacked data and aren’t very creative when it comes to writing PHP and Perl scripts.

As a backup, another PHP file emails the stolen data and deletes the log file so as to disallow it from being read by others. On every POST the PHP file extracts the requested data, emails it to the phishers and then deletes the log file.

Phishers and page tracking

Workarounds for phishers to avoid having their pages detected by potential victims:

Just like a malicious packet hitting an IDS or a computer virus, unless there is a presence of the signature in the blacklist, it doesn’t get detected. The same logic applies to phishing pages. Unless a phishing page has been reported as a scam page, it won’t get detected by your browser – which relies on blacklists. Regular and automated checks can help the phisher to keep tabs on the anti-phishing services. He/She can be alerted when the real cause of how the page was exposed becomes publicly known. Thus, a phisher can track when their page gets blacklisted.

Staying safe from phishers

The following information applies to functions available in browsers such as Opera, Internet Explorer, Chrome and Microsoft Firefox.

Opera relies on blacklists from Netcraft and calls the feature a ‘Fraud and Malware Protection.’

Every URL you visit first goes to sitecheck2.opera.com (one of the noted IP is

Microsoft Internet Explorer calls its feature to detect and report malicious websites a ‘SmartScreen Filter.’

It can be enabled as shown in the screenshot above or go to Tools / Internet Options/ <Navigate to the ‘Security level for this zone’ area> / Click on Custom level… / Miscellaneous/ Use SmartScreen Filter / Enabled.

Similar checks are done by Microsoft Internet Explorer, Chrome and Firefox.

Alternatively you can use OpenDNS as your DNS on your Ethernet and wireless cards IP configuration.

Although from personal observations, using OpenDNS takes you to a search engine (possibly powered by Google) on every website which fails to get resolved – and it might miss resolving a website hosting a phishing page.

Still it is quite good at maintaining uncorrupted, un-poisoned DNS records. It’s reliable when you suspect your ISP of injecting iframes, redirecting you and tracking your visits.

OpenDNS can be set by filing the DNS as and (as an alternative or vice-versa)

Such features greatly reduce the chances of a person falling prey to phishing websites if it has been reported. On an average it takes no more than 8 hours of hosting a phishing page before somebody reports it. This is a very long gap when you consider that in Asia banks are provided phishing alerts by third-parties who sign an SLA stating that they have to inform the bank within 5 minutes of a phishing page popping up on the Internet. The third-party will report the page to the banks and maybe even inform PhishTank, Netcraft, Haute Security, etc.

Searching for phishers

Phishers host banking and other phishing pages, then write socially engineered emails and send them to users across the globe. Most often they have a massive list of email addresses and names. They also regularly buy and sell such information, including full names, birthdates, email addresses, age, gender, phone numbers, etc. This type of information can also be used for identity theft.

What’s important here is that during this filtration process, the phishers try to leave out suspicious emails which could belong to people in the Internet security domain. Most of the emails are sent to addresses which do not end with a corporate or company domain name. So only expect your Yahoo! spam folder, or other public email hosting services, to be filled with phishing emails.

If you are interested in starting your own research into phishing or building a company similar to PhishTank, you can begin by signing up a dummy email address onto a lot of questionable websites – especially porn and warez websites. Just give out your email address freely and the URIs for recently hosted phishing pages and scam emails will start pouring in.

Despite all of the efforts by phishers to avoid sending emails to antivirus/anti-phishing companies and other information security domains, a dummy email (similar to the type previously mentioned whose sole intention is to infiltrate would-be phishers) may be included on their massive email list. That’s all it takes. Once he/she reports the page, the browsers become aware of the malicious nature of the page. And once that happens the scale of users that will be affected by the scam goes down drastically.

Advantage Phisher

How do phishers avoid being exposed? What’s the workaround for phishers so that the websites they compromised can continue to steal data?

For this we have to go back a few lines above where we pointed out settings for browsers to detect phishing pages.

Before taking you to the page where they ask for your credentials, phishers can point you to a page which contains a shellcode to disable anti-phishing checks, change your DNS to their custom DNS Server and then redirect you (the victim) to the actual phishing page. The chances that a victim would report the page they were redirected from are slim.

To prevent being a victim in this type of attack a heuristic scan to compare the contents of pages with lists of well-known websites like PayPal, American Express Bank, CitiBank, etc. should be done. That way the browser can detect rogue pages as per the DNS and other matching checks and does not have to rely solely on the blacklists.

Defending against potential phishing attacks

How to make a phisher’s life difficult:

  • In situations where the phisher relies on gathering credentials from a file where all the data gets saved, it is easy to fill the log file with garbled text or XSS and CSRF capable code. It is not always the case, but the phisher might be capable of viewing the logs in a browser or using some client-side software. A multi-attack vector covering all possible vulnerabilities and client software might be used to view the logs and can help the victim attack the would-be attacker and possibly gain access to their command and control center too. It is definitely a long shot, but well worth the attempt.
  • Banks can deliberately visit the known phishing pages and key in a custom username and password. These credentials are called honeypots. They are not real accounts, but have been created specifically for phishers to use. When the honeypot credentials are entered into the banks actual website, a form opens up which sends browser exploits aimed at gaining a shell of the phisher’s system. This would send the bank information such as the IP address and other important system details.

There is a good chance that an attacker is behind a Privoxy, TOR, etc. Under such scenarios this specially-crafted page will have to do a name resolution of the IP, and on detection of its TOR or Privoxy would send a reply back that says “browsing using TOR is not supported.”

A desperate phisher might just switch over to his real IP and try to logon to the banking terminal, hence giving away more than just his identity and location easily.

The best bet is to redirect the attacker to a browser pwning page silently after he keys in the fake credentials.


While it is true that setting up phishing pages is a fairly easy process, it doesn’t require any huge investments. Although it is one of the simplest cybercrimes to pull off it is still one of those crimes wherein the thief himself/herself might get mugged by likeminded criminals.

Phishing is a double-edged sword and I’ll leave it at that.

Posted: February 10, 2012
Azim Poonawala
View Profile

Azim Poonawala is a security researcher for InfoSec Institute. He is the Founder of Closed Circuit Corporate Clandestine [C4] (http://www.c-4.in) and holds a Masters in Information Technology. He has has worked for companies like Hewlett Packard, Mahindra and Mahindra, the Bombay Stock Exchange, Perimeter USA and clients from the U.S. financial industry to the U.S. Government and has extensive experience in strengthening and breaking systems. Poonawala is the source craftsman of the winAUTOPWN exploit framework and the FBController. He specializes in covert red team network penetration, cyber-attacks and development of custom code aimed at special objectives. In addition, he crafts tools contributing to the industry via his blog Moving Towards Normality (http://my.opera.com/quakerdoomer) and his website (http://solidmecca.co.nr).