Phishing Campaigns Use Free Online Resources
A phishing campaign needs some resources: bandwidth, CPU, storage, … For a very long time, a lot of phishing kits have been hosted on compromised servers. The most popular targets are CMS installations that are outdated or weakly configured. I think that WordPress is the number one in this category. Be careful, it does not mean that WordPress is a bad CMS. Most vulnerabilities are introduced through plugins. Once the server is compromised, the phishing kit files are copied to it and are usually reachable via the /wp-content/ or /wp-plugin/ directories.
I receive a lot of phishing emails daily, via my own platform or submitted by readers, and I see that there is a slight move away from compromised servers toward free online services. The Internet is full of “*aaS” websites, "Something as a Service" (Forms, Storage, …). Many platforms offer a free subscription to attract customers. Most of the time, these free accounts allow attackers to upload malicious content.
Compromised CMS have issues:
- You need to search and compromise new servers constantly
- Those servers' IP addresses or domains are quickly indexed in block lists
- If a server has been compromised once, it may be compromised again by a competitor
- Servers might be limited in resources (bandwidth, CPU, …)
- The server might be cleaned by the owner or admin (or not ;-)
On the other hand, free services have huge advantages:
- They can’t be easily blocked (IP & domains can be added to block lists)
- They offer plenty of resources and are reliable
- Malicious traffic might remain below the radar for a while
Let's review some examples. If you need to host files (logos, scripts, ...), files.catbox.moe will be helpful:
If you are looking to host a form and get data delivered straight to your mailbox, formsubmit.co will be helpful:
Other services look more "technical" but can also be abused by attackers, like ipfs.io:
Here is an example of a link found in the wild:
https://ipfs.io/ipfs/bafkreialspsmcfrukiforbhy4onop7yasjotzehubagyuxhw5rpcafsxmm#xavier@<domain>
(The link is gone now)
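For defenders, the pattern in that link (a free-service host plus the recipient's address carried in the URL fragment) can be turned into a mail triage check. The following is an added example, not code from the diary: the watchlist holds only the three services named above, and the sample message and its `EXAMPLE-CID` path are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts named in the diary; extend with services seen in your own mail flow.
WATCHED_HOSTS = {"files.catbox.moe", "formsubmit.co", "ipfs.io"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample message body (not a real phishing email).
SAMPLE_BODY = (
    "Your mailbox is full, verify here: "
    "https://ipfs.io/ipfs/EXAMPLE-CID#alice@example.com\n"
    "Logo: https://files.catbox.moe/example.png\n"
    "Our site: https://www.example.org/contact?ref=newsletter."
)


def triage_url(url, recipient=None):
    """Return the reasons why a URL deserves analyst attention (may be empty)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in WATCHED_HOSTS or any(host.endswith("." + h) for h in WATCHED_HOSTS):
        reasons.append("free-service host: " + host)
    # An address in the fragment or query string suggests a per-recipient link;
    # decode %40 so encoded addresses are caught too.
    found = EMAIL_RE.search(unquote(parts.fragment + "&" + parts.query))
    if found:
        reasons.append("email address in URL: " + found.group(0))
        if recipient and found.group(0).lower() == recipient.lower():
            reasons.append("address matches message recipient")
    return reasons


def triage_message(body, recipient=None):
    """Extract URLs from a message body and return {url: reasons} for hits."""
    hits = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing sentence punctuation
        reasons = triage_url(url, recipient)
        if reasons:
            hits[url] = reasons
    return hits


if __name__ == "__main__":
    for url, why in triage_message(SAMPLE_BODY, "alice@example.com").items():
        print(url, why)
```

A host match alone is a weak signal because these services carry plenty of legitimate traffic; the combination with a recipient address in the URL is what makes a message worth a closer look.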
The web is full of motivated people who offer some resources for free (I remember when I was offering free Linux shells in the 2000s). Be careful: if you offer a free service, chances are that it will be discovered and abused by attackers!
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant