Phishing in a Nutshell: January – March 2018

This post is also available in: 日本語 (Japanese)

Summary
Phishing remains one of the most dangerous threat vectors of cyberattacks. Even though Exploit Kits are on the decline overall, as we outlined in our posting Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers, phishing itself is not on the decline. Unit 42 recently has done research on phishing attacks and phishing URLs. In this blog, we will show some statistical phishing results from the first quarter of 2018, January through March, especially for HTTPS phishing URLs.

Phishing URLs Statistics
In the first quarter of 2018, we found 4,213 URLs from 262 unique domains used in phishing attacks. On average, we found one domain serving 16 different phishing URLs. The heat map below shows the geographic distribution of these 262 domains.

Figure 1 Phishing domains geographic heat map

Over half of these phishing domains were hosted in the United States. There was then sharp drop to the two next highest countries: Germany with 28 domains and Poland with 13, as shown below in Figure 2.

Figure 2 Phishing domains countries/zones and numbers

We also found several phishing domains hosted in Africa and South America.
Among the 4,213 phishing URLs, there are 2,066 using a generic phishing template which can target multiple different companies or organizations; for example, attackers used “next1.php” with the name and id “chalbhai” in a form to target Bank of America customers as shown in Figure 2. We also observed that this similar template targeted DropBox customers and was used for IRS tax fraud schemes.

Figure 3. chalbhai phishing page source code example

[subscribe]

In addition to the generic phishing templates, there were 1404 URLs with phishing spoof pages targeting Adobe customers, 155 URLs targeting DropBox customers, 18 URLs targeting Facebook users, 442 URLs targeting Google Doc users, 108 URLs targeting Google Drive users and 20 URLs targeting Office 365 customers. There is a histogram below in Figure 4 showing the phishing URL distribution by targets. From the histogram, we can see the generic phishing URLs account for almost 50% of the total 4213 URLs, followed by the URLs targeting Adobe and Google accounts, accounting for 33% and 13% respectively. In addition to the top 3, there are also a few URLs targeting Office 365 and Facebook accounts..

Figure 4. Phishing spoof page distribution

HTTPS Phishing URLs
HTTPS phishing URLs are more difficult to identify. Therefore, we put additional effort into identifying and analyzing them. Of the 4,213 phishing URLs, 1,010 are for HTTPS URLs from 46 unique domains. On average, one domain served 21 different phishing URLs. Figure 5 shows the comparison between HTTP and HTTPS phishing URLs and domains.

Figure 5. HTTP and HTTPS comparison

We also investigated the certificate issuers of the 46 domains. We found “cPanel” issued certs for 31 phishing domains, “COMODO” and “Let’s Encrypt” each respectively issued certs for 6 different phishing domains, “Go Daddy Secure” issued one, and also there are 2 domains no longer in use as shown in Figure 6.

Figure 6. Cert Issuer Distribution

Unit 42 has contacted all hosters and issuers. The “Comodo” certs have been distrusted by Google and there is only one from “Go Daddy Secure”. A complete list of domains and certs are included below. We highly recommend they be added into suspicious certificate lists.

Figure 7. Phishing domains’ cert issuers

Phishing Kits
To make phishing attacks more effective, attackers usually clone and pack the modified files of one website (intended to be used in a phishing campaign) into a zip file and upload it to multiple hacked websites. This zip file can be considered a part of phishing kit. After unpacking the zip files and deploying the phishing site, some attackers fail to remove the zip file leaving it openly accessible to researchers to analyze its contents. During our research, we collected phishing zip file samples. Below is a phishing example meant to target Outlook/Office365 accounts as shown in Figure 8 and Figure 9.

Figure 8. Directories of a phishing kit

Figure 9. Contents of CSS directory in a phishing kit

Summary
In this blog we showed some phishing statistics from the first quarter of 2018 that demonstrates phishing targets distribution, general phishing templates and phishing kits. In particular, we showed HTTPS phishing URLs and the distribution of certificate issuers with certs being used maliciously. HTTPS phishing URLs are worth noting, because HTTPS is thought by many to be more trustworthy and malicious links are harder to detect.  Palo Alto Networks has the ability to deal with HTTPS phishing URLs and will continue to ensure that our customers can be protected from HTTPS phishing attacks. We also have IPS signatures to detect phishing kits. All Palo Alto Networks customers with a valid threat prevention subscription are protected from all phishing attacks mentioned in this blog.

IOCs