
Campaign Leverages RFI Attacks to Deploy Phishing Kits

A recently detected series of targeted attacks is attempting to exploit Remote File Inclusion (RFI) vulnerabilities to deploy phishing kits, Akamai has discovered. 

RFI attacks attempt to exploit unchecked or improperly validated inclusion functions within vulnerable applications or websites. Most of these attacks target PHP, but these vulnerabilities can also be found in Java, ASP, and elsewhere.

Once an RFI attack succeeds, the server delivers the content of the attacker-controlled, externally referenced file, and this is what was happening in the recently discovered attacks as well, Akamai’s Larry Cashdollar reveals.

RFI attacks, the security researcher explains, could also lead to code execution, Cross Site Scripting (XSS), Denial of Service (DoS), or sensitive information disclosure.

The security researcher observed the attack on his own website, where server logs revealed GET requests linking to a text file, along with requests attempting to include a remote shell into the application running on the website. 

The code in the text file was designed to check whether the server was vulnerable to RFI. If so, the contents of the $SERVER_ADMIN variable would be sent back to the attacker.

The file also included a call to another external txt file, which contained some information about the attacker, such as their email address, the fact that they favor Portuguese for variable names ($assunto), and confirmation that they are profiling servers (it gathers information on which user the HTTP server is running as, such as Apache or Root).

The researcher also noticed a request to a different text file from the same domain, which contained the necessary code to generate a phishing website targeting a well-known bank in the European Union.


“The reason for [using] text files is due to their ease of use. The text files can be remotely included into vulnerable PHP web pages via RFI and executed. However, they’re also easy to edit and manage, which gives the attacker a bit of flexibility,” the researcher notes. 

If the phishing kit is successfully deployed and users fall victim to it, harvested credentials are sent back to the attacker via email, as revealed by a configuration file that also included code for basic logging (counting the number of successful attacks vs. the number of page visits).

The investigation also led to the discovery of an html file used as a landing page, to initiate the final step in the phishing campaign and redirect the victim to a secondary domain where the phishing kit targeting the EU bank is hosted.

“The RFI attempts recorded in my logs were tailored to the page being tested. If the website being targeted uses form_id= for example, then the requests will match that instead of the generic (and commonly used) page_id= or page=. This tells us the attacker is likely parsing the HTML, and examining the variables being sent via form to the backend,” Cashdollar notes.

The use of RFI allows the attacker to remain undetected, as there are tools to scan for websites that could be vulnerable, record them to a list, and then work through that list at a slow pace. Unless the server admin is watching the logs, a successful attack could remain undetected for a long time. The attacker could also install a crypto miner or other means of monetizing their access to the system, instead of a phishing kit.
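Since the article notes that these attempts only surface to an admin who is watching the logs, and that the injected parameter name varies per site (page=, page_id=, form_id=), the following added Python example (not Akamai's or the researcher's code) scans Apache combined-format access log lines for any query parameter whose value is a remote URL, regardless of the parameter's name. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format); not from the article.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=http://example.invalid/r.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /form.php?form_id=https://example.invalid/kit.txt HTTP/1.1" 200 90 "-" "curl/7.88"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.88"',
]

# Enough of the combined log format to recover client IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A parameter value that starts with a URL scheme is what an RFI attempt looks like in the log.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_candidates(line):
    """Return (client_ip, param_name, value) for each query parameter carrying a remote URL."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group('target')).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            hits.append((m.group('ip'), name, value))
    return hits


def scan(lines):
    """Run rfi_candidates over every line and collect the findings."""
    findings = []
    for line in lines:
        findings.extend(rfi_candidates(line))
    return findings


def summarize_by_ip(findings):
    """Map each client IP to the set of parameter names it tried; several names hint at tailored probing."""
    by_ip = {}
    for ip, name, _ in findings:
        by_ip.setdefault(ip, set()).add(name)
    return by_ip


if __name__ == '__main__':
    for ip, name, value in scan(SAMPLE_LOGS):
        print(f'{ip} tried to include {value} via parameter {name}')
```

Run this over a real log to get the attempts the article describes without having to guess which parameter name the attacker picked for your site.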

Related: Cybercriminals Using GitHub to Host Phishing Kits

Related: Phishers Serve Fake Login Pages via Google Translate

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
