A recently detected series of targeted attacks is attempting to exploit Remote File Inclusion (RFI) vulnerabilities to deploy phishing kits, Akamai has discovered.
RFI attacks attempt to exploit unchecked or improperly validated inclusion functions within vulnerable applications or websites. Most of these attacks target PHP, but these vulnerabilities can also be found in Java, ASP, and elsewhere.
Once an RFI attack is successful, the server would deliver the content of the attacker-controlled externally-called file, and this is what was happening as part of the recently discovered attacks as well, Akamai’s Larry Cashdollar reveals.
RFI attacks, the security researcher explains, could also lead to code execution, Cross Site Scripting (XSS), Denial of Service (DoS), or sensitive information disclosure.
The security researcher observed the attack on his own website, where server logs revealed GET requests linking to a text file, along with requests attempting to include a remote shell into the application running on the website.
The code in the text file was designed to check whether the server was vulnerable to RFI. If so, the context of the $SERVER_ADMIN variable would be sent back to the attacker.
The file also included a call to another external txt file, which included some information about the attacker, such as their email address, the fact they favor Portuguese for variable names ($assunto), and confirmation that they are profiling servers (it would gather information on what user HTTP is running under on the server, such as Apache or Root).
The researcher also noticed a request to a different text file from the same domain, which contained the necessary code to generate a phishing website targeting a well-known bank in the European Union.
“The reason for [using] text files is due to their ease of use. The text files can be remotely included into vulnerable PHP web pages via RFI and executed. However, they’re also easy to edit and manage, which gives the attacker a bit of flexibility,” the researcher notes.
If the phishing kit is successfully deployed and users fall victim to it, harvested credentials are sent back to the attacker via email, as revealed by a configuration file that also included code for basic logging (counting the number of successful attacks vs. the number of page visits).
The investigation also led to the discovery of an html file used as a landing page, to initiate the final step in the phishing campaign and redirect the victim to a secondary domain where the phishing kit targeting the EU bank is hosted.
“The RFI attempts recorded in my logs were tailored to the page being tested. If the website being targeted uses form_id= for example, then the requests will match that instead of the generic (and commonly used) page_id= or page=. This tells us the attacker is likely parsing the HTML, and examining the variables being sent to via form to the backend,” Cashdollar notes.
The use of RFI allows the attacker to remain undetected, as there are tools to scan for websites that could be vulnerable, record them to a list, and then work off that list, at a slow pace. Unless the server admin is watching logs, a successful attack could remain undetected for long. The attacker could also install a crypto miner or other means to monetize their access to the system, instead of a phishing kit.
Related: Cybercriminals Using GitHub to Host Phishing Kits
Related: Phishers Serve Fake Login Pages via Google Translate