
Without further ado, Rick Ramgattie with Hook, Line, and Tinker.

I had prepared my own intro, so I'm just going to do it anyway, because I don't want to get off the normal vibe that I had with this. So welcome, everyone. This is Hook, Line, and Tinker: a dive into phishing sites, presented by me, Rick. First, the obligatory "who am I" slide. I'm an AppSec engineer and I work at Gemini Trust Company. I've been doing AppSec for about 8 years now. For the first four I was a security consultant at a place called Independent Security Evaluators, and since then I've been working at Gemini. One of the nice things about being able to work on an internal application security team is that I've been able to embed myself with some of the other security teams and departments, and that's the thing that ended up inspiring my threat hunting, which is now a hobby and hopefully also part of my career.

For today's agenda I've split the talk up into three different stories. It used to be four, so if you read the description, that's the difference there; I couldn't do the whole thing in 30 minutes. These were instances where I thought that looking at a phishing site and digging into how it works provided me with information that helped me improve security posture. While you're looking at all these adventures with me, the focus of the talk is going to be about what I did and how I analyzed these sites to extract information that helped me carry out some kind of security requirement.

Before we talk about any kind of security technical details, I wanted to give you a notice, so please play at your own risk. Remember that what I did here was interacting with adversary infrastructure, which is inherently dangerous and should be done carefully. In my case I may have naively done this in a very simple way: I have a Chromebook, and on that Chromebook I'm just running Burp Suite, Firefox and Mullvad. All of the instances that we're going to be looking at today involved a site, and it seemed like the best bet for me was Burp Suite, and I just wanted something isolated from my normal personal environment, so I bought a Chromebook for that.

So now that I've given you the warning and you know who I am and all that, let's talk about the first instance, which I called "proxy atos". I got into this because a friend hit me up and they said, hey, at our Zendesk instance we're getting a bunch of emails where users are saying that they got phished and their accounts got cleaned out. When they looked into that, they looked over all of the tickets and they said, hey, the majority of our users that have been phished over this time span have visited one of four phishing sites. They were all phished, and in this case they were worried not because there was a vulnerability in their platform, but because they thought that users losing money meant bad news for their company: the users wouldn't trust the brand anymore. They worried about their reputation.

They had, pretty normally, reported it to their brand protection vendor. For those of you who work in internal security teams, this is usually what you do: you engage with somebody like, I don't know, ZeroFox, and you say, hey, these are phishing sites, please take them down, and they just handle it for you; they talk to the registrars and all that jazz. In this case they had done that, but the registrar wasn't responsive. They had learned that the attacker bought a domain name at something called a bulletproof registrar, and that was enough to make this attack last a good while; it had lasted weeks at this point. The last thing was that they had reported everything to Safe Browsing, but it still hadn't kicked in. Safe Browsing is that red screen that you see sometimes when you go to a site that you shouldn't. They had reported everything to them, but it looked like Safe Browsing's automation hadn't kicked in and hadn't analyzed and identified these as phishing sites, and a couple of days had gone by.

So I signed an NDA with them, which is why I can't talk about their name, but they asked me to help them figure out how they can get ahead of this. These were the three questions that we started off with: how do we prevent these users from getting phished, how can we identify the victims more quickly, and how can we accelerate the takedown time to disrupt the campaign? Overall the goal was to reduce user losses, because again, it's a huge impact on your brand, and also if your brand depends on users having money with you and the money is gone, your users are not going to engage with you; you're not going to be able to make anything.

Those three questions resulted in another three questions. I asked them: do they understand how the phish works? Were there any commonalities with all the users that reported that they got phished? And do they understand the infrastructure of the phishing sites? The answer to all of these was no. When I asked myself these questions, I was trying to figure out how I could do that, and the answer to that seemed like I just needed to get phished. So I went ahead and did that. On the left-hand side I just have my little hobbyist setup, Burp Suite, and on the right-hand side I have the phishing site, and you can see that it's a phishing site: it has a little skull on the corner. When I went there and tried loading it up, the first thing I got was a 503. So the first time I tried to interact with the site I was like, I wonder how the users are doing it; why am I getting a 503? For those of you who typically engage with sites with Burp, you probably realize that it was because this was hosted behind a web application firewall, a WAF; in this case it happened to be Cloudflare. What that meant is that Cloudflare was fingerprinting my client somehow, and it knew that I was what appeared to be a malicious client. For those of you who have done this for a while as well, you probably know that it's because the built-in Chromium that comes with Burp Suite always gets flagged by Cloudflare, so the easiest thing to do is just set Firefox up to use Burp Suite as a proxy and you'll get a 200. But this highlights something: automation, in this case the brand protection vendor that they were engaging with, tried to identify the site but their automation failed. They also got a 503, which is why they didn't know about it.

So after I got the site to load, and I was using the Firefox setup now, the first thing that I got was "error: password incorrect". I put in credentials and I slid the little captcha slider thing, and when that happened they said "password incorrect", which seemed very odd to me. How do they know that my password is incorrect? This is some random phishing site. So then I went back to the real site, I registered an account and I tried again, and this time it said "success: password correct". My Spidey sense went off here, because how does the site know that the first set of credentials was incorrect but the second set of credentials that I just created was correct? Then, because I had fully set up the account and it already knew that, I put in my 2FA code and it went all the way through. So not only did this site know that the first set of credentials was incorrect, it knew that the second set was correct, and it knew what a valid 2FA code was. All of this together helped me realize that they must be forwarding my input to the real site somehow; the attacker's phishing site infrastructure somehow knew how to use the real site through some automation, which also seemed very odd to me.

Here's more or less what I pictured that looking like: my client hits the phishing site, the phishing site hits the real site, which has the cool emoji because it's the real one, and then that came back, and that went back to me as well. This is why I called it "proxy atos", because my input was being proxied by something that I didn't know about. I'll talk about that a little bit later. The thing that really stuck out to me was that the site that I was helping secure was using a captcha, and that seems weird, because I am claiming that they are using automation to interact with the site. How are they solving the captcha? The answer to that was pretty simple. If you just Google "captcha solving hacks", things like this come up; there are plenty of captcha solvers out there. I ended up trying some out for myself and they did in fact work. So in this case we were able to see that the attacker was sending my input to the real site, after using things like captcha solvers to get around their anti-automation controls, and the real site in this example is the site that I was trying to help secure.

I took all this information and I went back to the internal security team, where we started discussing it. Typically, if you work with a trust and safety team or something like that and there are users being attacked, you look at all the logs and you try to see what it is that's going on. Here are some simple questions that you probably ask yourself if you've looked at this in the past. The IP address for every user that I tried was different every time. I said that I tried some fake credentials; we took those fake credentials and we looked at their back end to see whether somebody attempted to log in with these credentials, and the answer was yes: their logs showed that somebody tried to log in with those credentials within seconds of when I put them into the phishing site. After looking at those IP addresses: there's really no way for you to know if these things are truly associated with a provider, but there are tons of telemetry services out there that get pretty close. We checked a couple of them and we learned that all the IP addresses that we had seen so far from these clients, where I had put in effectively a honeypot account, were all from ExpressVPN. The other one that you're probably asking yourself about, a very simple and common one, is the user agent, but the user agent was different with every request, so there's not much you can go on there. The problem here was that if you're working at a more sophisticated place, they might have more fingerprints and signal that they can use to identify these things; however, in this case it was a very small shop, and this is as much as they could do.

The last thing that I did with them was: let's review every request that the attacker issued when they got these credentials. I wanted to see everything that they did, and here's what we learned. Once the attacker had gotten past the 2FA screen, they would try to change the user's email address, withdraw their current balance, and transfer more money from the bank account that they had to the account. Looking at those, those are all security-critical actions, right? I'm going to assume that you all said "right". That made me think: well, what are the controls in place to prevent an attacker from taking these actions? What were the fraud controls? So let's look at those a little bit more closely. In order to change your email address, you needed to have 2FA'd within the last 10 minutes. But I just showed you that the attacker is proxying the whole setup, and they effectively have a session that was just 2FA'd within the last 10 minutes; when we were looking at the logs, it was within seconds that these things were happening, so of course it was within the last 10 minutes. In order to withdraw the victim's current balance, the attacker needed to have 2FA'd in the last 10 minutes, which, as we just discussed, is very easy; it already happened. But then something else came up: they needed to click on a magic link sent to the victim's email address. The last thing is that in order to transfer more money, again you just need to have 2FA'd within the last 10 minutes.

Reviewing all of these, this one kept on sticking out to me: how is the attacker clicking on a magic link sent to the victim's email address? Sometimes when you're talking about this with a group of people, you start throwing out answers like, oh, maybe the victim is using the same password for their email account, or maybe the attacker is calling them and getting this information, or something like that. In this case it was a lot simpler than that. A little bit more staring will help you understand that the attacker was changing the victim's email address first, so that the email address associated with the account was then one the attacker had control of. Thinking about that, it's like, all right, cool, that's why these things are always done in this order, and I learned that by looking at the logs for every single victim. So, you're probably asking yourself, what do we do to fix this? What if we just require the user to have access to the inbox before they change their email address? Again, the goal here is to reduce user losses: if they can't click on the magic link sent to the email address, they wouldn't be able to withdraw the money, and there would be no user losses. Believe it or not, that worked. Something as simple as looking at the logs every single time might sound tedious, but it's essential to understanding your attacker and understanding how you can secure your user accounts.

So that was pretty much it; they wanted me specifically for that, to prevent the user losses. But here were some of my takeaways. Review the fraud controls for every single security-critical action the attacker carried out, because that helps you understand how those are going to be met. I also learned that because their brand protection vendor hadn't detected any of these, they were having a hard time taking them down, so learning about things like Cloudflare and how attackers are using it to deter automation efforts really helped me build a better mental model of what I was dealing with. I also learned about how attackers are using features like captchas: if you remember, when I submitted the username and password I had to fill out one of those slide captchas, and that was again an effort by the attacker to hinder automated efforts leveraged against their phishing campaign. I also learned that simple things like captcha solvers and VPNs will likely be enough to prevent a small shop from understanding what it is, or prevent a small shop from being able to respond to these types of attacks. And the last thing I learned, because this was very interesting and I did a lot more reading, is that these are not called "proxy atos"; these are called adversary-in-the-middle attacks. I'll make the slides available at the end and you can just click on there and learn more about them.

Cool. So this was my first time doing this work, and I talked to my dear boss Dennis, who is sadly not here, but some of my co-workers are here, and I said, hey, I just did some really cool work for a company, I'd like to take this back to Gemini, where I work, and see what we can do there. I'm going to have to go back so that it has a little bit more impact. If you remember, here, when I put in the password incorrectly, it gave me an HTTP 301 and it redirected to the real site. That stuck with me for a while, because I was trying to figure out why it was that they were redirecting to the real site. It was again an effort to obfuscate the existence of the phishing site, but the thing about 301 redirects, or redirects in general, is that they often disclose the existence of the real site. So I'm going to go back here now. I started to look into that; Dennis, my boss, gave me a couple of days, and I started looking into all of the requests for our sign-in page, and I started seeing things like what you're seeing on the right-hand side here: the Referer header was disclosing the existence of the real phishing site, and that's a pretty common pattern. I spent some time trying to figure out why this was happening, and it was exclusively because many phishing sites will do this redirect pattern, and many of them don't know that they need to use the meta tag to not disclose the Referer header; they did not do that, which was good for me and provided an instance for a good project. So after I saw an example like what you see on the right-hand side here, app.gemini-web.one, which does not belong to Gemini, I decided to look a little bit more and see what else I could find.

After doing that, I found these within the first couple of hours of the first day. I've organized them in a way because I'd like to highlight that these are hosting providers; these are all hosting providers that were hosting content that was purporting to be Gemini. If you'd like to check these out for yourself, you can go to urlscan or whatever and they will show up there. Given that there were this many of them, I decided: hey, the first time, looking at a phishing site and interacting with the phishing site helped me better understand what the attacker was doing; maybe I should do that again. So I did that again. Here you can see, starting from the left, that I just had Burp and Firefox again, and this time I just cut straight to the chase, because there was an image hosted on Cloudflare on one of the phishing sites. The way that this worked was that all of these phishing sites, except the Azure Websites one, pointed to the Azure Websites site. All the ones that aren't the Azure one were just hosting a single image that, when clicked, would redirect to the real phishing site. This was again the attacker trying to obfuscate the real phishing site. After I learned that, I just did the "click here" thing, landed on the real page, and put in fake credentials to begin with. The first time I put in fake credentials I got this error code, which I'm not going to read out, and then I tried again with a real account and I got the same error code, and no matter how many times I tried it was always the same error code. So sadly, this time, I was really hoping for a similar adversary-in-the-middle example, because it was fun and cool, but the attacker wasn't doing that. Over a couple of days we looked at our logs and we never saw any of the accounts that I seeded on our back end.

But this made me think: well, what is it that the attacker's doing? Given that I have an AppSec background, I started to look at every single request issued by my browser to get a better understanding of what my interactions with the site were doing, and then I saw this, which thankfully looks great on this screen. On the top part you'll see that red arrow, and it's pointing to the Location header, because that was a redirect: whatever credentials I put in, it would always say error.html, and that's a Location header. If you look at the rest of this, it kind of just looks like nonsense, but if you look a little bit more closely, it probably looks like an SMTP log, doesn't it? I didn't hear any shock yet, but this was just a PHP web app, and what was happening was that the attacker, I guess, set it up very poorly, and every time somebody put their credentials into the real site, their back end was sending an email with the credentials to a collection of email addresses. So they were harvesting the credentials, and I was able to figure that out because they did a poor job of configuring their server. Over the two, or I think four, weeks that I spent analyzing these, the attacker was always sending from those two email addresses and they were always receiving at these three, and you can kind of see that in here. I can't walk away from the mic, but in red you can see the email addresses that are being sent from and sent to.

After I figured this out, I spent more time digging into them. Every single one, all of the phishing sites associated with this campaign, added up to over 200, so hundreds, I could say. The takedown times were often very slow, because the hosting providers weren't aware that their infrastructure was being used this way; however, they got a lot better over time, and I don't want to shame them, so good job. The other thing was that Safe Browsing can come in handy in situations where the registrars aren't being responsive; in this case the hosting providers weren't being responsive. The other thing that I wanted to highlight was that you're probably wondering: well, you knew that these were Gmail addresses, why didn't you try to work with Google on this? The thing is that we didn't really know that, did we? The HTTP response just says that they're sending from these email addresses and receiving at these other email addresses; there's nothing I can use to confirm that. I would have to engage with Google, and they said, hey, without the email headers that's not necessarily possible. However, something that you may have noticed was that there were hundreds of these and they were always sending from the same two email addresses, every single one. That made me think: well, if I want to check up on these every day and I want to put in a couple of accounts to every single one of these, and they were actually using Gmail, maybe I could just exhaust their ability to send emails that day. So every day, bright and early, I would wake up and I would seed these accounts while having some coffee, which was not necessarily malicious; I was just doing something, and that was more than enough to slow them down. Eventually, between the hosting providers responding more promptly and the attacker not being able to harvest any email addresses because they no longer had the ability to send emails, that was enough to stop this campaign.

Here were my takeaways from that. Use the HTTP Referer header; it's a very good way to figure out what phishing sites are pointing back to you. I learned as well that it's not only the sign-in page: oftentimes when attackers are mirroring your site, they won't do it for all of the links, so stuff like your registration page, which is often on the login page, might be a good place to look for these. The other thing was that, much like in the first example, WAFs and HTTP redirects are used to evade detection, and their anti-automation controls seem to be enough to slow down most vendors. And just look at every HTTP request and response; you might get lucky and your attacker might be silly enough to disclose their SMTP logs.

Sweet. So I think I have 9 minutes left. Are there any questions in the Slido so far? Cool, I'm just going to continue going along then. After I did this work at Gemini I became the phishing guy, for better or for worse, and there was an instance where we started to receive emails to our support email from people claiming that they're not even Gemini customers, so why are they getting emailed about a Gemini airdrop? The thing that was really hard was that, again, the registrars were unresponsive and did not seem to give a damn, but we knew that there were other ways to get around these things and improve the security posture of our users who were being impacted by this. So let's look a little bit into that.

This was the email that people were receiving. These two red arrows point to the fact that it is a domain that has nothing to do with us; we don't sell Eco Motors, not yet at least. The other thing that stood out to me was that there was that code, which I did not put an arrow on, and there is this "Proceed Now" button. Again, this is an email, and my specialty is things that do HTTP, not this, so I decided to click on that "Proceed Now" button and see where it would take me. It took me here, and you probably can't see it in the back because it's white on white, but it was asking me for a code, which was this code. That code was the same for every single person that emailed us; this was just the attacker trying, again, to hinder automated efforts, because if you don't know the code you can't get in. If you'd like to check this out for yourself, again, you can go to urlscan. After I put in that code, it just sent me to this page, which looked exactly like our landing page except for that withdraw button, and when I clicked on that, it unfolded into something that I had not seen before, which you'll see in this slide. To recap: you click on the link that says "click here for free crypto", then they redirect you to a new site that says "click here to withdraw your free crypto", and then it will prompt you, if you have this little fox head, which I don't know if many of you know what it is; this is just a web3 wallet, and I used MetaMask because it's the most popular one. It would ask you to connect your wallet, and after you connect it, it would collect some information, and if you approve the transfer it would clean you out. Many people tried to, and they just connected their wallets; in many cases they had nothing in there, thankfully, but it was a way for the attacker to exfiltrate all the credentials, just using our brand. So this isn't necessarily something in our infrastructure; it's not typical usernames and passwords or anything like that; it's just somebody leveraging our brand and using the ecosystem around us to try to extort people.

So again, we reported to Safe Browsing, the registrars and all that jazz. It had taken a couple of days, still, and I feel uneasy about that, so we wanted to figure out again how to improve this. The impact is on our brand; it's not our products, it's our brand. That made me think: well, if the attacker is always depending on the user connecting their wallet, maybe there's something there. Then I learned about this project, the eth-phishing-detect project. This is a project put together by MetaMask that allows you to report domains that are hosting phishing infrastructure, which would allow you to more actively hinder their efforts, and in the cases where registrars aren't answering and Safe Browsing hasn't flagged it, this is honestly your best bet. It went in within a couple of days. On the left-hand side I just created a PR; on the right-hand side you'll see what it looks like then: whenever you try to visit it with your wallet, it'll say this domain has been reported for phishing, please don't engage with them.

One thing that I wanted to highlight for you guys is that, when I mentioned that email at the beginning, there wasn't a domain associated with Gemini; it was just a random domain. As I looked through all the emails, there were six different brands used for it, and all of those were Brazilian companies; they all happened to be Brazilian media companies that apparently had gotten hacked. You're probably asking me, well, how do you know that? One of them responded to me and they confirmed that they had in fact been hacked by a previous employee who was leveraging their infrastructure to send out emails in this phishing campaign. So eventually we handed it over and the Lord took the wheel.

My takeaways for this: that PIN thing at the beginning, when I relayed that to some of my other friends that have started to do this work, they were like, oh yeah, that is also a very good tactic; not only anti-automation controls but PINs as well, because in order to brute-force them it would take some time. If you're working in the web3 space and Safe Browsing and registrars aren't responding to you, you should really consider sending domains over to MetaMask; I sent one over this morning while sitting there, while my co-worker was taking a picture of me. And lastly, remember to inform the impacted parties; in this case, some of the Brazilian marketing teams that were hacked found out about this because we told them. They didn't even know.

Now for the wrap-up. If there's anything that you take away from this, I'd like for you to consider that analyzing attacker infrastructure can really help you understand the impact that it has on your customers, your security controls, and how you can make the whole ecosystem better. To be honest, I have no idea if you should or not; I'm not a thought leader; I'm just doing some work that I think has improved the security posture of these companies that I've engaged with. And lastly, if this is the first time that you're hearing about this kind of work and you want to see other people doing it in the industry, I've included a Pastebin link here with a list of blogs that I've collected over the last couple of months that highlight this kind of work. I think I'm right on time, so thank you for coming. My information is here on the right-hand side, and I hope you enjoyed it.

Thank you so much, Rick. We do have one question on the Slido.

Hell yeah. One question on the Slido: have you tried to deploy phishing-resistant MFA like passkeys? We have. So, where I work... I can't speak of the first example; the company asked me to not mention them. But where I do work, at Gemini, we're using YubiKeys right now, or there's a plain WebAuthn setup and there's a passkey setup, and those work out great for instances where users are getting phished. But there's a large ecosystem of users who don't want to use a passkey, for whatever reasons, and fallbacks and stuff like that have also extended timelines for passkeys. The other thing is that those work out really well, but things like web3 wallets are in a very different part of this, where no amount of passkeys is going to prevent people from having their web3 wallet cleaned out.

All right, any more questions? I can't see if you're raising your hand because of the light, so just shout if you're raising your hand. You can shout in the next minute, or submit on Slido, or reach out to Rick after the session. All right, with that, thank you so much, Rick.
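The fraud-control review from the first story (email change, withdrawal and transfer each gated on a 2FA within 10 minutes, withdrawal also gated on a magic link, and the fix of requiring inbox access before an email change) can be checked with a small policy model. The following is an added example, not code from the talk, from Gemini or from the unnamed company; the action names, timestamps, email addresses and the two policy functions are constructed here to mirror what the speaker described.

```python
"""Added example (not part of the talk): a small model of the fraud controls
from the first story, used to check which steps of the observed attacker
sequence (change email, withdraw, transfer in) each policy lets through.
Timestamps, addresses and the policy functions are constructed for the example."""
from dataclasses import dataclass

RECENT_2FA_WINDOW = 10 * 60  # the "2FA'd within the last 10 minutes" control


@dataclass
class Session:
    account_email: str      # address currently on the account
    last_2fa_at: float      # seconds; an AitM proxy relays a fresh 2FA, so this is "now"
    inboxes_readable: set   # inboxes the party driving the session can read

    def recently_2fad(self, now):
        return 0 <= now - self.last_2fa_at <= RECENT_2FA_WINDOW

    def can_click_magic_link(self):
        # A magic link is sent to the address currently on the account.
        return self.account_email in self.inboxes_readable


def policy_before(session, action, now):
    """Controls as the talk describes them before the fix."""
    if action == "change_email":
        return session.recently_2fad(now)
    if action == "withdraw":
        return session.recently_2fad(now) and session.can_click_magic_link()
    if action == "transfer_in":
        return session.recently_2fad(now)
    raise ValueError(f"unknown action {action!r}")


def policy_after(session, action, now):
    """The fix: changing the address also requires a magic link to the current inbox."""
    if action == "change_email":
        return session.recently_2fad(now) and session.can_click_magic_link()
    return policy_before(session, action, now)


def run_sequence(policy, session, steps):
    """Apply each (offset_seconds, action, new_email) step; return [(action, allowed)]."""
    outcome = []
    for offset, action, new_email in steps:
        allowed = policy(session, action, offset)
        if allowed and action == "change_email":
            session.account_email = new_email  # the new address now receives the magic links
        outcome.append((action, allowed))
    return outcome


# Order the logs showed for every victim; offsets are seconds after the relayed 2FA.
ATTACKER_SEQUENCE = [
    (5, "change_email", "attacker@evil.test"),
    (12, "withdraw", None),
    (20, "transfer_in", None),
]


def simulate_attacker(policy):
    """Attacker drives a freshly 2FA'd session but can only read their own inbox."""
    session = Session("victim@example.test", 0.0, {"attacker@evil.test"})
    return run_sequence(policy, session, ATTACKER_SEQUENCE)


def simulate_owner(policy):
    """The real owner can read their own inbox, so the fix must not block them."""
    session = Session("victim@example.test", 0.0, {"victim@example.test", "new@example.test"})
    return run_sequence(policy, session, [(5, "change_email", "new@example.test")])


if __name__ == "__main__":
    for name, policy in (("before", policy_before), ("after", policy_after)):
        print(name, simulate_attacker(policy), simulate_owner(policy))
```

Under the original controls every step passes, because the email change happens first and the magic link then lands in an inbox the attacker reads. Under the fixed policy the email change and the withdrawal both fail while the legitimate owner's change still succeeds. Note that the model also shows the residual step: "transfer in" is still allowed after the fix, since it only checks the 2FA window, which is worth flagging when reviewing each security-critical action as the talk recommends.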
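The second story's takeaway, finding phishing sites through the Referer header on requests to your sign-in and registration pages, can be turned into a routine log check. The following is an added example, not code from the talk or from Gemini; it assumes Apache/nginx "combined" access log lines, a constructed allowlist of legitimate hosts (OWN_HOSTS), a constructed brand string, and made-up sample log lines.

```python
"""Added example (not part of the talk): spot phishing sites that redirect
victims to your sign-in page by reading the Referer header out of web server
access logs. Everything here is constructed for illustration: the legitimate
hosts in OWN_HOSTS, the brand string, and the sample log lines."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hosts that legitimately link to the sign-in page (assumed for the example).
OWN_HOSTS = {"example.com", "www.example.com", "app.example.com"}
BRAND = "example"  # substring that marks a lookalike domain (assumed)

# Pages a phishing kit typically bounces the victim to after capturing input;
# the talk notes the registration page is worth watching as well as sign-in.
WATCHED_PATHS = ("/signin", "/login", "/register")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:08:01:02 +0000] "GET /signin HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:08:01:30 +0000] "GET /signin HTTP/1.1" 200 512 "https://app.example-web.one/error.html" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:08:02:11 +0000] "GET /signin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:08:02:40 +0000] "GET /register HTTP/1.1" 200 512 "http://login-example.azurewebsites.test/index.php" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:08:03:05 +0000] "GET /signin HTTP/1.1" 200 512 "https://app.example-web.one/error.html" "Mozilla/5.0"
203.0.113.22 - - [10/Oct/2023:08:03:50 +0000] "GET /static/logo.png HTTP/1.1" 200 9000 "https://app.example-web.one/" "Mozilla/5.0"
198.51.100.30 - - [10/Oct/2023:08:04:12 +0000] "GET /signin HTTP/1.1" 200 512 "https://blog.othersite.test/post" "Mozilla/5.0"
"""


def referer_host(referer):
    """Lower-case host of a Referer value, or None when it is absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def suspicious_referers(log_text):
    """Group watched-page requests by referring host that is not one of our own.

    Returns {host: {"count": n, "paths": [...], "lookalike": bool}}.
    """
    counts = Counter()
    paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(WATCHED_PATHS):
            continue
        host = referer_host(m["referer"])
        if host is None or host in OWN_HOSTS:
            continue
        counts[host] += 1
        paths[host].add(m["path"])
    return {
        host: {"count": n, "paths": sorted(paths[host]), "lookalike": BRAND in host}
        for host, n in counts.items()
    }


def ranked_report(log_text):
    """Lookalike hosts first, then by hit count, as a list of (host, info)."""
    found = suspicious_referers(log_text)
    return sorted(found.items(), key=lambda kv: (not kv[1]["lookalike"], -kv[1]["count"], kv[0]))


if __name__ == "__main__":
    for host, info in ranked_report(SAMPLE_LOG):
        flag = "LOOKALIKE" if info["lookalike"] else "external"
        print(f"{flag:9} {host:40} hits={info['count']} paths={','.join(info['paths'])}")
```

Run daily over the previous day's logs, the ranked output is the list of domains to submit to the brand protection vendor, Safe Browsing, or the hosting provider. The brand-substring check is deliberately crude; a kit that uses a Referrer-Policy meta tag, as the talk mentions, produces an empty Referer and will not appear here at all, so this complements rather than replaces other sources such as urlscan.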