Phishing Campaigns Use Free Online Resources

Published: 2022-09-21. Last Updated: 2022-09-21 05:59:53 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

A phishing campaign needs some resources: bandwidth, CPU, storage, … For a very long time, a lot of phishing kits have been hosted on compromised servers. The most popular are CMS with weak configurations or outdated. I think that Wordpress is the number one in this category. By careful, it does not mean that Wordpress is a bad CMS. Most vulnerabilities are introduced through plugins. Once compromised, the phishing kit files are copied on the server and usually are reachable via the /wp-content/ or /wp-plugin/ directories.

I’m receiving daily a lot of phishing emails, via my own platform or submitted by readers and I see that there is slightly move to leave compromised servers to free online services. Internet is full of “*aaS” websites, "Something as a Service" (Forms, Storage, …). Many platforms offer a free subscription to attract customers. Most of the time, these free accounts allow attackers to upload malicious content.

Compromised CMS have issues:

  1. You need to search and compromise new servers constantly
  2. Those servers IP addresses or domains are quickly indexed in block lists
  3. If a server has been compromised once, it may be compromised again by a competitor
  4. Servers might be limited in resources (bandwidth, CPU, …)
  5. The server might be cleaned by the owner or admin (or not ;-)

At the opposite, free services have huge advantages:

  1. They can’t be easily blocked (IP & domains can be added to block lists)
  2. They offer plenty of resources, are reliable
  3. Malicious traffic might remain below the radar for a while

Let review some examples. If you need to host files (logos, scripts, ...), files.catbox.moe will be helpful:

If you search to host a form and get data delivered straight in your mailbox, formsubmit.co will be helpful:

Other services look more "technical" but can be also abused by attackers lile ipfs.io:

Here is an example of link found in the wild:

https://ipfs.io/ipfs/bafkreialspsmcfrukiforbhy4onop7yasjotzehubagyuxhw5rpcafsxmm#xavier@<domain>

(The link is gone now)

The web is full of motivated people that offer some resources for free (I remember when I was offering free Linux shells in the years 2000). Be careful, if you offer a free service, they are chances that it will be discovered and abused by attackers!

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

1 comment(s)
ISC Stormcast For Wednesday, September 21st, 2022 https://isc.sans.edu/podcastdetail.html?id=8182

Comments


Diary Archives