Common Themes

A number of common themes were observed during our research into phishing attacks, and it is clear that attackers are employing a blend of tools and techniques to improve their chances of success. We will now briefly review two such techniques - mass scanning and combination attacks.

Mass Scanning

Analysis of a number of compromised honeypots suggests that the systems were being attacked using automated attack scripts or exploits, often known as autorooters. In both of the incidents described in phishing technique one above, once the attackers had compromised the honeypots, autorooter toolkits were uploaded to the server. The attackers then attempted to scan large ranges of IP addresses for similarly vulnerable servers (using scanners called "superwu" in the German incident and "mole" in the UK incident). Captured attacker keystrokes from the UK incident are shown below, illustrating the types of mass scanning activity attempted from compromised honeypots. Note that due to the honeynet configuration, hostile outbound traffic was blocked and these attacks did not succeed.

Attacker extracts scanner and attempts to scan class B network blocks:

[2004-07-18 15:23:31 bash 0]tar zxvf mole.tgz
[2004-07-18 15:23:33 bash 0]cd mole
[2004-07-18 15:23:38 bash 0]./mazz 63.2
[2004-07-18 15:24:04 bash 0]./mazz 207.55
[2004-07-18 15:25:13 bash 0]./scan 80.82

Attacker attempts to exploit potentially vulnerable servers:

[2004-07-19 11:56:46 bash 0]cd mole
[2004-07-19 11:56:50 bash 0]./root -b 0 -v
[2004-07-19 11:57:26 bash 0]./root -b 0 -v 66.90.NNN.NNN

Attacker returns later to check list of successfully compromised servers (the list was empty, due to the honeynet configuration):

[2004-07-23 08:13:18 bash 0]cd mole
[2004-07-23 08:13:20 bash 0]ls
[2004-07-23 08:13:25 bash 0]cat hacked.servers

Attacker attempts to scan multiple class B network blocks and then test an exploit against a selection of targets:

[2004-07-24 10:24:17 bash 0]cd mole
[2004-07-24 10:24:19 bash 0]./scan 140.130
[2004-07-24 10:24:27 bash 0]./scan 166.80
[2004-07-24 10:25:36 bash 0]./scan 166.4
[2004-07-24 10:26:23 bash 0]./scan 139.93
[2004-07-24 10:27:18 bash 0]./scan 133.200
[2004-07-24 10:36:37 bash 0]./try 202.98.XXX.XXX
[2004-07-24 10:38:17 bash 0]./try 202.98.YYY.YYY
[2004-07-24 10:38:27 bash 0]./try 202.98.YYY.YYY

In the final example above, note that the hosts that the attacker attempts to compromise are not part of the IP address ranges scanned from this honeypot, which again provides evidence of well coordinated and parallel mass scanning activity.
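The check made in the paragraph above (exploit targets that fall outside the blocks scanned from this host) can be automated over a keystroke capture in the format quoted above. This is an added example, not a tool from the original paper; the toolkit program names are taken from the capture, and the sample lines are copied from it with the masked octets as printed.

```python
import re

# Layout of the captured keystroke lines quoted above: "[date time shell uid]command".
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (\d+)\](.*)$")
# Programs from the recovered "mole" toolkit, grouped by the role the capture shows them in.
SCANNERS = {"./scan", "./mazz"}
EXPLOITS = {"./root", "./try"}
# A bare two-octet argument such as "63.2" selects an entire class B (/16) block.
CLASS_B_RE = re.compile(r"^\d{1,3}\.\d{1,3}$")

# Sample lines copied from the UK capture above (masked octets kept as printed there).
SAMPLE_LOG = """
[2004-07-18 15:23:31 bash 0]tar zxvf mole.tgz
[2004-07-18 15:23:38 bash 0]./mazz 63.2
[2004-07-18 15:25:13 bash 0]./scan 80.82
[2004-07-19 11:57:26 bash 0]./root -b 0 -v 66.90.NNN.NNN
[2004-07-24 10:24:19 bash 0]./scan 140.130
[2004-07-24 10:36:37 bash 0]./try 202.98.XXX.XXX
[2004-07-24 10:38:17 bash 0]./try 202.98.YYY.YYY
""".strip().splitlines()

def parse_line(line):
    """Split one keystroke line into timestamp, uid and argv; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, _shell, uid, cmd = m.groups()
    return {"ts": ts, "uid": int(uid), "argv": cmd.split()}

def summarise(lines):
    """Collect class B blocks scanned, hosts an exploit was run against, and archives unpacked."""
    report = {"scanned_blocks": [], "exploit_targets": [], "unpacked": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["argv"]:
            continue
        prog, args = ev["argv"][0], ev["argv"][1:]
        if prog in SCANNERS:
            report["scanned_blocks"] += [a for a in args if CLASS_B_RE.match(a)]
        elif prog in EXPLOITS:
            # skip option flags and their numeric values; keep dotted host arguments
            report["exploit_targets"] += [a for a in args if not a.startswith("-") and "." in a]
        elif prog == "tar":
            report["unpacked"] += [a for a in args if a.endswith((".tgz", ".tar.gz"))]
    return report

def targets_outside_scanned_blocks(report):
    """Exploit targets whose /16 was never scanned from this host: evidence of parallel scanning elsewhere."""
    scanned = set(report["scanned_blocks"])
    return [t for t in report["exploit_targets"] if ".".join(t.split(".")[:2]) not in scanned]
```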

Further investigation of the mole.tgz file downloaded by the UK attackers revealed a number of text files in the root directory of the unpacked autorooter toolkit. These files included scan configurations and logs of previous scanning activity for the "grabbb2.x and samba2.2.8 vulnerability". 42 cases of attacks against other hosts were present in these files, along with evidence of mass scanning of many class B network blocks, confirming that the observed incident was part of a larger and more organised attack against similar systems. An example of the output from the mole scanning tool, viewed from an attacker's perspective, can be found here.

Finally, some of the mass scanning tools recovered from compromised honeypots do not appear to be in popular circulation, which suggests that the attackers had some level of development and toolsmith capability beyond basic script kiddy activity, or were part of a closed community that did not share their tools in public forums. Again, this suggests more organised attackers.

Combination Attacks

In our research, we also observed that phishers frequently combine the three attack techniques we have observed and documented in this white paper, sometimes using multiple methods together to provide redundancy and to protect their phishing infrastructure through a two-stage networking configuration. The following diagram depicts a possible phishing network topology:

[image:images/phishing-setup.png size=full]

In this example a central web server hosts the physical phishing content, often serving more than one web site (e.g. an eBay phishing site in /ebay and a PayPal phishing site in /paypal). Several compromised remote computers redirect incoming HTTP traffic on TCP port 80 to the central web server with the help of the redir port redirector. This has several advantages from an attacker's point of view when compared to a single phishing web site:

  • If the compromise of one of the remote redir hosts is detected, the victim will probably take the system offline and re-install it. This does not represent a major loss for the phisher because the main phishing web site is still online and several other redir hosts continue to deliver HTTP traffic to the central web server.
  • If the compromise of the central phishing server is detected, this system will also be taken offline. Now the phisher can simply set up a new phishing site on a freshly compromised system and then re-adjust the existing network of redir hosts to redirect traffic to the replacement central host. Using this technique, the whole network can be made available very quickly and the phishing attacks can soon recommence.
  • A redir host is very flexible, since it can be easily reconfigured to point to another phishing web site. This decreases the time between initial system compromise and phishing web site availability, and increases the length of the attack window in which the phishing attacks can be performed.
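A redir host in this topology leaves a distinctive trace on the compromised machine itself: nearly every connection it accepts on TCP port 80 is followed almost immediately by a connection it opens to port 80 on one fixed upstream host. The heuristic below, an added example and not part of the original paper, flags that pattern from per-host connection records and names the suspected central server. The flow-record layout, the documentation-range IP addresses and the thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed connection records as seen from one monitored host (not data from the paper).
# dir: "in" = connection accepted by this host, "out" = connection this host opened.
SAMPLE_FLOWS = [
    {"ts": 100.0, "dir": "in",  "rip": "198.51.100.10", "rport": 51000, "lport": 80},
    {"ts": 100.2, "dir": "out", "rip": "203.0.113.7",   "rport": 80,    "lport": 40001},
    {"ts": 101.0, "dir": "in",  "rip": "198.51.100.11", "rport": 51001, "lport": 80},
    {"ts": 101.3, "dir": "out", "rip": "203.0.113.7",   "rport": 80,    "lport": 40002},
    {"ts": 102.0, "dir": "in",  "rip": "198.51.100.12", "rport": 51002, "lport": 80},
    {"ts": 102.1, "dir": "out", "rip": "203.0.113.7",   "rport": 80,    "lport": 40003},
    {"ts": 103.0, "dir": "in",  "rip": "198.51.100.13", "rport": 51003, "lport": 80},
    {"ts": 103.2, "dir": "out", "rip": "203.0.113.7",   "rport": 80,    "lport": 40004},
    {"ts": 104.0, "dir": "in",  "rip": "198.51.100.14", "rport": 51004, "lport": 80},
    {"ts": 104.4, "dir": "out", "rip": "203.0.113.7",   "rport": 80,    "lport": 40005},
    {"ts": 150.0, "dir": "out", "rip": "192.0.2.50",    "rport": 80,    "lport": 40006},  # unrelated fetch
    {"ts": 160.0, "dir": "in",  "rip": "198.51.100.15", "rport": 51005, "lport": 22},     # unrelated SSH
]

def find_relay(flows, window=1.0, min_ratio=0.9, min_conns=5):
    """Return the suspected upstream (central) host if most inbound :80 connections are
    each followed within `window` seconds by an outbound :80 connection to the same host."""
    inbound = [f for f in flows if f["dir"] == "in" and f["lport"] == 80]
    outbound = sorted((f for f in flows if f["dir"] == "out" and f["rport"] == 80),
                      key=lambda f: f["ts"])
    if len(inbound) < min_conns:          # too little traffic to judge
        return None
    upstream, used = Counter(), set()
    for i in inbound:
        # pair each inbound connection with the first unused outbound :80 flow in the window
        for idx, o in enumerate(outbound):
            if idx not in used and i["ts"] <= o["ts"] <= i["ts"] + window:
                upstream[o["rip"]] += 1
                used.add(idx)
                break
    if not upstream:                      # a normal web server: inbound :80 with no relayed flows
        return None
    host, n = upstream.most_common(1)[0]
    if n / len(inbound) < min_ratio:
        return None
    return {"central_host": host, "relayed": n, "inbound": len(inbound)}
```

On a genuine web server the inbound :80 connections have no paired outbound :80 flows, so the function returns None; on a redir host it returns the upstream address that the rest of the redir network is pointing at.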

The use of such techniques again suggests more organised and capable attackers, rather than the work of simple script kiddies. Similar operational models are often used by major web hosting companies and high volume content providers.