Tuesday, October 24, 2017

Cleaning and Gutting Phish for Beginners

To start with, beginners don’t usually clean phish but anyone can help to get the cleaning process started. Admitting that someone else has a problem is the first step toward fixing the problem! If it is your own website that is hosting a phish then it is up to you to clean it, or get help cleaning it.

Phishing links can be dangerous to click on as they may take you to a site with exploits. If you have a safe environment, such as a virtual machine or sandbox, then it is typically ok to follow the link, but be sure to replace the VM with a pristine copy or delete the contents of the sandbox afterward.

When you receive an email that you suspect or know is a phish, share it with PhishTank before you delete it. The easiest way to get it to PhishTank is to forward the email to phish@phishtank.com. PhishTank makes phish available for people to validate. Security companies can also pull the information so they can block phishing attacks more quickly. It is a great idea to sign up for an account at PhishTank. If you have the know-how to tell a phish from spam you can help by logging into PhishTank and evaluating some phish.


If the phish is attacking customers of a financial institution you might be able to contact the institution, but frequently it is hard to find somewhere to report the phish. Sometimes you can message the affected company on social media and find out where they would like the phish forwarded.
Sometimes you can let website owners know when their websites are being used to host the phishing pictures and kits.

Now let’s move along to gutting a phish. We will start with the small phish.




We’ve all seen these before. I particularly like the professional touches on this one such as To: Undisclosed-Recipients and “This message was sent to “”.” I right-clicked on the email so I could view the source text. On the lower right you can see the context menu. Here are the entire contents of the body (guts) of the phish.

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<p><a href="http://bit.ly/2QKGRFNGDBF"><img alt="Mountain View" src="http://bit.ly/TGFDCYTHGRFDHGF" style="width: 592px; height: 473px;" /></a></p>
</body>
</html>

There are two significant things going on here. src="hxxp://bit.ly/TGFDCYTHGRFDHGF" is where the picture in the email is coming from. This is the second link above. The first link is the smelly part of the phish. hxxp://bit.ly/TGFDCYTHGRFDHGF is where the phishing kit used to be located. It was replaced with a 404.
These links happen to be bit.ly shortened URLs, but there are many sites that provide URL shortening services. You really want to know where you are going before you go there, so expand the URL back to the full version before you decide to click. The JoshMeister has some great tips for decoding links that have been shortened by using a variety of services.

Since this URL is shortened by bit.ly we just add a + sign to the end of the link and hit enter. This takes us to the bit.ly site where we are shown the full URL. In this case hxxp://bit.ly/TGFDCYTHGRFDHGF+


hxxps://s1.postimg.org/1smpducc3j/boaaaaaaaaaaa_NEW.png is not the link that matters. That one has advertising that would give the phish away. The one you want is the smaller one in orange. hxxp://bitly.com/TGFDCYTHGRFDHGF leads us to the plain picture shown at the beginning of the gutting section of this blog.
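
The same triage can be scripted so that nobody has to click anything. The following is an added example, not code from the original post: it pulls the click target and the remote image out of the email body shown above, flags shortened links, and builds the bit.ly "+" preview address in defanged form. The function names and the list of shortener domains are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative shortener list (an assumption, not from the post); extend as needed.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "ow.ly", "goo.gl"}
BITLY_HOSTS = {"bit.ly", "bitly.com"}  # hosts where the "+" preview trick applies

# Body of the phish exactly as shown earlier in the post.
SAMPLE_BODY = (
    '<p><a href="http://bit.ly/2QKGRFNGDBF"><img alt="Mountain View" '
    'src="http://bit.ly/TGFDCYTHGRFDHGF" style="width: 592px; height: 473px;" />'
    '</a></p>'
)

def defang(url):
    """Rewrite http/https as hxxp/hxxps so the URL is not clickable in a report."""
    return "hxxp" + url[4:] if url.lower().startswith("http") else url

class LinkExtractor(HTMLParser):
    """Collect click targets (a href) and remotely loaded images (img src)."""
    def __init__(self):
        super().__init__()
        self.links = []  # (role, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(("click-target", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.links.append(("remote-image", attrs["src"]))

def triage(html_body):
    """Return one record per link: role, defanged URL, shortener flag, preview URL."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    report = []
    for role, url in parser.links:
        host = (urlsplit(url).hostname or "").lower()
        # bit.ly shows the destination when "+" is appended to the short link.
        bare = url.split("#")[0].split("?")[0]
        preview = defang(bare) + "+" if host in BITLY_HOSTS else None
        report.append({"role": role, "url": defang(url),
                       "shortened": host in SHORTENERS, "preview": preview})
    return report

if __name__ == "__main__":
    for rec in triage(SAMPLE_BODY):
        print(rec)
```

The script only parses text and never contacts any of the URLs; the preview address still has to be opened by hand from a safe environment.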

If you had clicked on the picture in the phishing email you would have been taken to the phishing kit, which asked for your login information and many other details. It even asked you to create 5 challenge questions that are commonly used. I liked the one that asked “What is your father’s middle name?” I answered “The one between his first name and his last name.” I do not suggest that you visit the phishing sites though. I was using my wife’s computer so I was never at risk.

So how did I help to clean this phish? First I admitted that someone else had a problem and then I let them know that there was a problem.

I wrote up more about this specific incident in a blog titled “Phishing for a Gold Medal” at Quttera. I am now a Senior Security Analyst at Quttera. I included a couple more shots of this particular phish and a tiny bit of biographical information about the gold-medal-winning Olympic athlete.
In addition to my personal blogs here, I hope you will follow me at Quttera as well!

Randy Abrams
Independent Security Analyst by night and
Senior Security Analyst at Quttera Labs
