
Hello everybody, my name is Amira and I'm going to present to you 16Shop. It is a unique phishing kit that I actually reverse engineered. It's quite interesting because we don't hear things like that on phishing, and in this case I did the reverse engineering; I'll explain about it later. So first of all, nice to meet you. I've been very passionate about computers since a very early age. I learned web development, and since then I've been trying to tackle several websites, and I succeeded. I was in the cyber security center at the 800 unit, I recently finished my work at Akamai as a security data analyst, and today I'm in Exile Ventress, which is an entrepreneurship program; I'm trying to start my own venture. So today the clicker doesn't work. Alright, yeah.

Today we are going to talk about phishing, and I have some questions for you. How many of you have seen phishing lately? Raise your hand. A phishing page, simply. Great. How many of you clicked view source when you saw the phishing page? Right. And how many of you actually saw the PHP code behind the phishing page? Great, it's just a few. Great. So today I want to talk about phishing. Sometimes I'll explain basic terms, but don't let it fool you, I'll go into deeper things; the lecture is aimed at all of the audience, also the part that didn't handle phishing, so be patient with the basic things that I'll explain.

So what are we going to do? We'll start with understanding what phishing kits are, how we get them, how we can explore them. We will go through the features of the 16Shop phishing kit, which is very fascinating, and eventually we are going to do a demo, kind of a walkthrough, of how we explore phishing kits when we get one, and together we will reveal a hidden feature.

Most of us think about phishing kits as a simple HTML page with maybe a little bit of JavaScript, but nothing behind them. But today we are more aware of complex phishing kits. They look like that: they have a well-defined structure, they are organized, and probably they have some organization behind them. I'm not sure about it, but it can be.

So what is a phishing kit? Let's explain it. Basically it's a convenient way for the attacker to deploy phishing pages on a server. It means that it's a zip file that contains all the server-side code behind the phishing page, and once it's extracted on the dedicated, or compromised, server, the phishing starts to run. So if we have an attacker and he gets some sort of access to some server, he puts a zip file, this zip file is extracted on the server, and afterwards we're getting a live phishing page.

Now most of the researchers, as I think, investigate the phishing kit from this side, from the front end; that's what we usually see. But sometimes the code is being changed, the front end is being changed all the time, and sometimes you won't be able to see this page as it is. So I'm suggesting to explore this phishing kit from this side, from the zip file. So let me explain this basic technique to understand how we can get a phishing kit. Basically, the phishing is hiding in a nested directory within the website. It means that if we have a long URL and a nested path, the phishing kit is here. Sometimes the attacker that put the phishing page on the server forgets to delete the zip file, and yeah, it's pretty embarrassing, and the server enables directory listing, because if it's a hacked server in the first place, the server wasn't that well configured, right? So if the server enables directory listing, we're actually able to see the phishing kit, the zip file, alongside the phishing page itself, and we actually can download it. Simple, very simple.

So 16Shop, the phishing kit we are going to talk about, is very interesting. Basically it's a new one; it was published one month ago on the Akamai blog. It targets Apple users, it supports both mobile and desktop together, and it's probably written by this guy; we'll get into it and we'll see. And by the way, this is the appearance of this phishing page.

So when I started to get this phishing kit, I had more than 500 files in one zip, and there was a big challenge to understand in which direction the investigation should go. So basically I looked for the entry point. Most of the time the entry point will be index.html or main.php, things like that. Afterwards we try to understand the flow, figure out how things go. It means that usually we're going to do it using the form tag, the HTML form tag. If we have, for example, an HTML form tag with an action and a method and maybe some hidden input, we try to follow all that on the server side. In this case this is the PHP code with the GET and view equals yahoo login, and this form sends the information to the server in this way. This is the generic process in which we actually do the reverse engineering.

So in this case the 16Shop flow is like that: the user, or the victim, gets an email link. Afterwards he needs to fill in his login information, his Apple credentials, and after he's filling in his Apple credentials, if he's using Yahoo Japan, for example, he will get a Yahoo Japan phishing page. Yeah, those two things are in the same phishing kit. Afterwards he will be required to fill out more details about himself, like an address, ID, and even his mother's name. Pretty impressive. After that he's getting Verified by Visa; it's kind of a two-step authentication for Visa that mainly applies in Asia, we're not familiar with it here in Israel. And eventually he requests uploading a photo of him holding his credit card. I'm not sure who is going to do it, but that's what the attacker did, and probably succeeded in some way.

So this phishing kit is highly configurable. It has three different domains, as you can see over here, that the attacker can configure for this phishing campaign. He also can configure many things, such as the evasion techniques, and all the flow that we saw before is actually configurable: the attacker can choose which page we will be able to see and which page we won't be able to see within the process. I'm not assuming that you can see all the chart and the words, but I assume that you can see the colors. The blue squares are the decision points, the points where the attacker can actually decide. This is the flow of the whole phishing kit. There are eight blue points where the attacker can decide what to do and what not, there are 11 phishing pages, and five points where mail is being sent to the attacker; in this way he's getting the information about his victims. Let's go on. So now we have a video. Okay, wait a moment.

Yeah. So actually this is the configuration file of this phishing kit; you see there are three different domains. The user actually fills out these details, in this case it's a Yahoo Japan mail and this password, and afterwards we can see that he will be redirected from an Apple page into a Yahoo login page. Let's see. That's it. And this is still in the phishing page, right, with his mail over here. Yeah.

So in this phishing kit there are several evasion techniques. First of all, let's try to understand what an evasion technique is. Basically, it's an access control mechanism for the phishing kit: it decides who will be able to see the phishing page and who won't be able to see it. The phishing kit is trying to defend itself from unwanted visitors. Who are unwanted visitors? Search engines like Google, automatic scanners like crawlers, and also security researchers like us. So it's pretty problematic to try to detect those phishing kits. It's not a new thing, it's not a new concept, trying to evade security researchers and Google search, but in this specific phishing kit we're getting several new evasion techniques and we have a lot of variety of them. That's why we are going to talk about it.

Great. So there are several common evasion techniques; maybe some of us are familiar with them, I'll go through them anyhow. Based on the user agent, the phishing kit can understand if the user is coming from a mobile or a desktop, from Windows or Mac, from Chrome or Safari. That's why he can target his victims very, very carefully, to understand who is going to see this and who not. He can also block using specific IPs; we can see within his list brands like Norton and Kaspersky and others, so he did a really good job about it. And also he can block specific IP ranges, not only a specific IP. Another common evasion technique is the .htaccess file. For those of us who didn't live with Apache, it's the access control configuration file for the Apache server, and within this phishing kit we're going to see it block requests from different sites; for example, he can block people that come in from Google search in that way, and they actually do it. He also blocks user agents that contain specific words, which means that if you're trying to access this phishing kit using curl, you won't be able to do it.

Great. There are new evasion techniques within this phishing kit, and the first evasion technique is quite interesting: this phishing kit can block replay attacks between the sessions. Between each stage it's sending a POST parameter with the MD5 of the IP of the victim. It means that if someone is trying to sniff the traffic, he won't be able to replay it to the same server; he won't be able to see the same things. And also he's trying to block because it doesn't have a specific GET parameter; the attacker can easily configure which GET parameter it will be. And he can also mark finished victims with a session variable, to understand that they shouldn't do this phishing again. It's quite weird, right?

Another new evasion technique: this phishing kit, in a very surprising way, is using third-party APIs to understand more about the victim. It's actually querying an ISP API and checking which ISP the user came from; it can be Bezeq International and things like that, and he can block it. He's also using a proxy check, and he's using a third-party API to do that. And he can also allow only one visit per IP, which is not that complicated, but I've never seen it before; it means that he's logging already visited IPs, right? And also he can identify the HTTP X-Forwarded-For header, which means that when you're using a proxy this header has been added, and you won't be able to see this phishing kit.

Great. So as we said, he's using an ISP check and a proxy check; if you need to, take a photo of the slide, they're great, very easy-to-use APIs. But also he uses geolocation to customize his audience, and he's presenting a different default language for each one of the origin countries. He's also checking the first six digits of the credit card, and by that he understands who the vendor of the credit card is: if you enter a Visa, you will get a Visa logo on the screen after that; if you enter a MasterCard, you will get a MasterCard logo on the screen after that. So it's pretty impressive.

Let's go on. This phishing kit is also available for purchase; it costs around $50, if you want to buy it, and don't do it. But within each access he's doing a license check to another server; it's kind of a license mechanism, and the server also allows remote configuration. It's quite interesting, and for a long time this server has still been alive, so it's quite impressive. If you won't buy this phishing kit, then the license will be expired, and you will see this logo of 16Shop, expired, with a link to buy 16Shop. This phishing kit also has several admin panels. One of them is a remote configuration panel, basically used to configure the flow and the evasion techniques, and it also has a local admin panel, which seems to be more for the phishing statistics and deleting the logs on the local machine. It looks like that.

What's interesting here is that the author has left several leftovers, and we can understand that he is Indonesian, because he's using Indonesian. Within this function we can see "kirim", remember this function, kirim mail; "kirim" is actually "send" in Indonesian. And also "jeonggi", I mean "jeonggi" is a scam page, which is a scam page. This is the log function, the things that they log. And you remember the "buy me" link? So yes, it's actually a link to his Facebook account. Yeah, it's impressive. And if you go to this Facebook account we actually get a picture of him, and also a picture of him with his mother. I'm not sure if his mother will be very proud of her son, probably. If we are talking about social media, this person also has a Twitter account and a YouTube channel. The YouTube channel is interesting: he published nine videos to his YouTube channel. Now you won't be able to see it, because Akamai has published it, and all he's doing is publishing videos explaining himself, trying to advertise himself, and it was actually alive several weeks ago.

As I said, it's highly customized for his victims. It supports ten different languages, quite impressive, and it changes by the victim's country, as we said. So it looks like that: actually 10 different languages, all configured by the victim's country. Also the attacker has configured several logs within this phishing kit, mainly to understand if the phishing is working well or not. He has nine logs; we won't go through all the logs now, but you can see that he is trying to be as tight as possible about his victims.

Great. So we finished the first part; now we are going to the hidden feature, and together we will reveal a very cool idea within this phishing kit. It's the process that I've done, trying to understand things in this phishing kit, so I hope you enjoy. As I said, we try to understand the entry point. So this is the index.php page, and within the index.php page we can see an include of main.php. I can see it in several places in the code; it's something that developers usually do, nothing new, but here I tried to dive down into main.php.

So here is the main.php page, and if you enter it we will see several weird lines. The first one is a $image that equals something like 'substr'; it's a really weird way to write it. Also there's a $value that equals 'gzinflate'. Try to understand what this is: inflate. Afterwards it reads the content of a file called amex kecil; I'll help you, it's Indonesian, "kecil" means tiny, and AMEX stands for American Express. So it's some picture, and that's very weird. And now I have this function, this is the last weird function, called validate, with $src. Let's try to understand what it is doing: we are actually creating a temp file, we add a PHP tag to this file, write the source code over here, you see, write the source code with the PHP tag, close it, include the temp file, and then delete it. What this function does is actually return the defined variables within the scope. It's pretty much not clear why it's doing that in that way; it's doing a kind of eval, an evaluation function converting a string into code, and it's a very weird way to do it.

Afterwards all those things that we see here come together in this line, and this line is not that understandable, but if you try to understand it, here is the more readable text. So it says that we're taking the amex kecil PNG file, looking at byte number 5,126, doing gzinflate, then the evaluate function that we saw earlier, and then extract. It's not that understandable how it works, and it took me a while to understand why a phishing kit, most of the time written in very readable text, puts these things here. So I took the picture, tried to, I don't know, print it, understand what's inside. As you see it's binary code, there were no special things. So I tried to do the gzinflate and actually got readable text, which was very nice. We can see here there is some comment called "validate result", and afterwards some function declarations. What's coming after the function declarations is a whole bunch of base64; before that it's unreadable. So probably something very special is happening here; let's try to understand it. It's kind of steganography, right?

So let's copy it into a running machine. If you try to run the code and print the variables within the code in this way, and I'm not assuming that you see all the other lines, we run it in a sandbox, we will get this readable text. Basically we will get a lot of unreadable text, but we'll get also this file_get_contents, urlencode, and some message, and at this point I understand that he's trying to do something with maybe a file or a URL, right? There's a urlencode, code in a picture, in the PNG, that has some code that accesses... well, let's try to print what's inside this file_get_contents. I get this thing, which, I was shocked when I saw it: it's a Telegram bot. He's doing something with a Telegram bot. I tried to check this Telegram bot and I understand that it's actually alive, it's a live Telegram bot. Cool.

And I tried to understand what he sends after the text. Yeah, text equals this; this is the message that is being sent to the attacker, or to someone. And so I looked for the message that is being sent, and I understand it's $a. Let's try to understand what $a is. We've seen in this code that $a equals a $message variable, and the $message variable is defined as global, which means in each place that we have $message defined it will be equal to $a, and this will be sent to the attacker, or to someone, probably. So remember the function from earlier, kirim mail: one of its parameters is $message, and kirim mail is the function that sends the mail to the attacker, the original attacker. So each time we have, and this is the example of how the message looks: the user, the password and other information that may be crucial for the attacker, like the city, region and time zone. And every time that this $message is being defined in the code, there's also a validate function being run; you see it over here, yeah. So this is the validate, it's the same validate function that runs from the picture. Cool.

So now we understand what happens; let's try to figure it out all together. It means that if we have a phishing kit that sends mail to an attacker, we have another direction, another channel, that is actually hidden in the code, and it's being sent to another attacker within a Telegram bot. It's quite impressive. Think about this person: he actually bought it, probably for $50, yes, and there was another person, maybe the author of the phishing kit, that actually steals his stolen information. Yes, legal, right? So as I said, I was quite shocked, and it's very fascinating, and that's it.

So what we have gone through today: I've explained some things about phishing kits, how we can get them, how we can look at them. I've explained all the features of 16Shop: we said it's a highly configurable phishing kit, it has several stages and a variety of evasion techniques, this phishing kit also uses third-party APIs, and it is a sellable one, you can buy it for $50. As I said, the author has left several leftovers, and also he has a YouTube channel with nine tutorial videos, two admin panels, local and remote, and also he supports ten languages, he has nine logs to try to figure out whether it works or not, and the special thing: he has a really nice, hidden Telegram bot. So that's it. Again the same thing with the presentation, nothing, but it works, yeah. The next slide was thank you, and if you have any questions I'd be happy to answer; we have an additional five minutes.

One moment, one moment. [inaudible question] Yeah, that guy over there. When I saw the purchase option, it was using cryptocurrency, of course; I'm not sure if it was Bitcoin or another cryptocurrency. [inaudible question] No, actually I didn't do it, because at the time I was working at Akamai, so it's not allowed. I didn't do that. Someone else? Yes. This is the thank-you slide. [inaudible question] Around a month to understand it, and then nights, nights, yeah; I figured out the Telegram bot at 10 p.m. or something. Can you raise your voice please?

So he asked how we can make sure that this person in the picture is actually the person that stands behind the phishing kit. To be honest, I'm not 100% sure about that, but the same name is applied and it's been viewed in several places and social networks; it can also be his nickname, right, and they used some pictures, but the variety of the pictures, we have a picture of him riding a bike, yeah, so the variety of the pictures may point out that it's a real guy and not a fake one. But we're not sure about it. I think the last question, maybe, anyone? Yeah.
Go ahead.
Excuse me, yeah.
Okay, so I need to cut you off, excuse me. Okay, so that was me, and this was the 16Shop phishing kit. I hope you enjoyed it. [Applause]
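As an added example for the defender's side (not code from the talk or from the 16Shop kit), the loader the talk reverse engineers can be both carved and flagged with a few lines of Python: the image-at-offset-5126 carving does what substr plus gzinflate do in PHP, and the static indicators match the main.php shape the talk describes (function names kept in strings, an image read as data, a temp-file include, get_defined_vars() as a makeshift eval). The image bytes, the PHP sample and the api.telegram.org indicator are constructed or assumed for the demo.

```python
"""Added analyst helper (not code from the talk or the 16Shop kit): carve the
gzinflate'd text hidden in an image at a byte offset, and flag PHP source that
shows the loader pattern the talk describes. Sample data below is constructed."""
import re
import zlib

RAW_DEFLATE = -zlib.MAX_WBITS  # PHP gzinflate() = raw DEFLATE, no zlib/gzip header

# Constructed stand-in for amex_kecil.png: PNG signature plus padding, so the
# hidden stream starts at the same byte offset (5126) the talk names.
PAYLOAD_OFFSET = 5126
FAKE_IMAGE = b"\x89PNG\r\n\x1a\n" + bytes(PAYLOAD_OFFSET - 8)


def hide_payload(image: bytes, text: str) -> bytes:
    """Append a raw-deflated blob to an image (test-fixture builder only)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    return image + comp.compress(text.encode()) + comp.flush()


def carve_hidden_payload(image: bytes, offset: int):
    """Do what $val($img($pic, offset)) does: substr, then gzinflate.
    Returns the text, or None if no complete DEFLATE stream starts at offset."""
    inflater = zlib.decompressobj(RAW_DEFLATE)
    try:
        data = inflater.decompress(image[offset:])
    except zlib.error:
        return None
    return data.decode("utf-8", "replace") if inflater.eof else None


# Static indicators of the loader: function names kept in string variables, an
# image read as data, a PHP tag written to a temp file that is then included,
# get_defined_vars() as a makeshift eval, and the Telegram Bot API host (general
# knowledge; the talk only says "Telegram bot").
INDICATORS = {
    "function_name_in_string": re.compile(r"\$\w+\s*=\s*['\"](gzinflate|substr|base64_decode)['\"]"),
    "image_read_as_data": re.compile(r"file_get_contents\s*\(\s*['\"][^'\"]+\.(?:png|jpe?g|gif)['\"]"),
    "php_tag_written_to_file": re.compile(r"file_put_contents\s*\([^;]*<\?php"),
    "temp_file_included": re.compile(r"include(?:_once)?\s*\(?\s*\$\w*(?:tmp|temp)", re.I),
    "scope_used_as_eval": re.compile(r"get_defined_vars\s*\("),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
}


def find_loader_indicators(php_source: str) -> list:
    """Return the indicator names present; three or more is a strong loader signal."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]


# Constructed PHP in the shape the talk describes for main.php (not the kit's code).
SAMPLE_MAIN_PHP = r"""<?php
$img = 'substr';
$val = 'gzinflate';
$pic = file_get_contents('amex_kecil.png');
function validate($src) {
    $tmp = tempnam(sys_get_temp_dir(), 'v');
    file_put_contents($tmp, "<?php " . $src);
    include($tmp);
    unlink($tmp);
    return get_defined_vars();
}
extract(validate($val($img($pic, 5126))));
"""
```

Run the scanner over every .php file in a kit and carve any image it references with an offset; a wrong offset returns None rather than garbage, which is how you tell a real picture from a carrier.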