Overview
Phishing attacks use social engineering in an attempt to lure victims to fake websites. The websites could allow the attacker to retrieve sensitive or private information such as usernames, passwords, and credit card details. Attacks of this kind have been around since 1995, evolving in sophistication in order to increase their success rate. Up until now, phishing attacks were generally viewed as isolated events that were dealt with on a case-by-case basis. The dawn of big data analysis in computer security allows us to store data indefinitely and watch the changes and growth of attacks over long periods of time. In 2012, we began tracking a sophisticated phishing campaign that is still going strong.
The Target
Google, one of the largest players in the cloud business, offers dozens of free cloud services: Google Email, Google Drive, Google Docs, Google Analytics, YouTube, etc. To enable easy access across all of these properties, Google built what they call, “One account. All of Google.” Thus, with one set of authentication credentials, the user is granted access to all these services. Google Mail is just one example of a highly sensitive data store. Our email holds enough information to allow an attacker to gain access to plenty of other derivative accounts, such as our shopping or financial service accounts (with the exception of services that utilize two-factor authentication). Hence, Google accounts have been a popular phishing target due to this potential data treasure trove.
Anatomy of the Attack
The phishing attack dissected here starts like every phish, with a malicious email:
The e-mails are very plain and kept simple. Over the years they have barely changed basic structure. A short notification about a Google document followed by the link to the page is the usual payload with plenty of variations to frustrate detection.
Example subject line variants used by Google Drive Phishing Attack from mid 2014
Documents for you
Documents
Important Document
See document I uploaded for you on Google docs
You Have 1 Google Docs Message
Example URLs used by Google Drive Phishing Attack from mid 2014
www.friendsforever.ro/google/paydayadvance1.co.uk/wealth/
fullhdfilmci.net/Google/
mekansmo.com/google/
wealthdoc.x10.mx/googlefiles/
taec.com.au/newgoog/googledocs/
www.lavibroartistica.com/google/
newdoc.faa.mabushost.com/googledocs/
urbanshoes.ro/google.doc/
www.gumuskasik.com/google/
silviza.cl/Keji/googledocs/googledocs
altogradimento.it/catalogo/googledocs/googledocpheedo
www.pnteas.com/modules/googledocs/googledocs
www.pnteas.com/images/googledocs/googledocs/index.htm
extratour.by/clefty/googleDocs
mygenesisthemes.com/googledocs/index.html
www.garantipc.org/googleDocs/index.htm
promozo.com/googlefile/googleDocs
americasalud.cl/googledocs/index.htm
www.pnteas.com/images/googledocs/googledocs
pti-co.com/googleDocs
www.conexdist.ro/corporate/images/stories/steaguri/europe/newgoog2/newgoog/googledocs/in
www.mikebosch.net/wp-includes/googledocs/index.htm
ecommerce9.com/wp-includes/googledocs/index.html
casino.nsw.au/Ani/googledocs/googledocs/index.htm
energywaste.gr/images/googledocs/index.html
www.pnteas.com/googledocs/googledocs
extratour.by/escape_yesterday/googleDocs/index.html
pti-co.com/googleDocs/index.htm
mednicklabs.com/googledocs
newdoc.faa.mabushost.com/googledocs
hw.wp1teacher.blueprintcreatives.com/rowth/googledocs/googledocs/googledocs/googledocs
3seasonsplace.com/Googledocs/4191daf61189d124ad34c25f4aedd167
www.mikebosch.net/wp-includes/googledocs
plangen.cl/prince/googledocs/googledocs
creativeprograms.org/forms/googledocs/sss
3seasonsplace.com/Googledocs/e7785e27a353084f9ebbe1efb7806c46
www.pnteas.com/components/googledocs/googledocs
googledocs.quittner.nl/googledocs
amanda.ac1.com.au/Doc/Googledocs/index.htm
www.oceanrags.com/googledocs/index.htm
plangen.cl/prince/googledocs/googledocs/index.htm
casasnogeres.com/GoogleDocs/Googledrive/google/index.htm
www.pnteas.com/components/googledocs/googledocs/index.htm
eventsetcfla.com/GoogleDocs/41e1a8b5812be4cb3c01efed4dafe464
www.hydeparkmainstreets.com/newgoog/newgoog/newgoog/newgoog/googledocs/index.html
3seasonsplace.com/Googledocs/1d94f2635d85d1a8bee0bfaa5d784d7b
mygenesisthemes.com/ggledocs/ggledocs/googledocs/googledocs/index.htm
schmottlachphotography.com/templates/business3/images/ggledocs/ggledocs/ggledocs/googled
casino.nsw.au/Ani/googledocs/googledocs
rey10.com/newgoog/googledocs
extratour.by/tpl./googleDocs
www.pnteas.com/googledocs/googledocs/index.htm
www.bargain247sms.com/images/googledocs/index.htm
3seasonsplace.com/Googledocs/f1a12fc9afa84cf3382102803d0bbb4a
www.conexdist.ro/corporate/images/stories/a/src/newgoog1/newgoog/googledocs
Hacking Thousands of Servers to Host Malicious Landing Pages
The URLs lead the phishing victim to a compromised host on which the phishing attack landing-page is located. This page then collects the user credentials and emails them to an email account. Examples of these pages can be found later in this article.
But how did the bad guys get to host the malicious landing pages, especially since the rapid detection of anti-phishing and malicious websites would end the effectiveness of a few rented websites very quickly? The minds behind this steadily evolving phishing attack are, however, a little bit smarter than that; the attackers hacked a vast amount of different hosts that are hosting their malicious pages. Hosting malicious websites on known-good sites is a very effective way to bypass many reputation-based security scanners and thus very helpful for the attackers to deliver their payload to a user. Luckily our cloud web security products utilize several different detection technologies in order to successfully detect such attempts.
Our data shows at least 2000 servers that have been hacked since 2012. A quick, random sample of the compromised machines suggests that they are running Linux. However, access to the logs of the compromised servers is needed to determinate exactly how the penetration occurred.
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1”
Banner: “9.3.6-P1-RedHat-9.3.6-16.P1.el5”
Banner: “9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6”
Changes Throughout the Years
The first attack from these actors was observed on April 3, 2012, and targeted real-estate firm RE/MAX. But aren’t we talking about phishing attacks on Google? Yes, the interesting part is that the attackers use the same image and code for this very early attack. The RE/MAX phishing continued for months until, in 2013, we see the same image files and same source code being used for early Google Docs attacks. This could mean that the same threat actor is responsible for the attack or that another evil doer has simply copied the image source and appropriated it.
The website design is very simple and easy to distinguish from the actual Google Docs website. However, the designs improved and lately we are observing a slightly improved, version of the same attack. See below how the design slowly became closer to the authentic Google Docs website.
Scale and Timeline of the Phishing
Even though the attack has been around since April 2012 and is well understood by the security community, it does not stop the attackers from using this “old-fashioned” phishing strategy. On the contrary, more and more attacks are being blocked with record volumes being observed in February and May 2014, 2 years after first being discovered.
Conclusion
Why this phishing attack from 2012 is still alive is the elephant in the room. You would expect that once detected, the attack’s days are numbered. Not so for this one. Every month the faked email and malicious landing pages become better imitations of the real Google Docs emails and websites. The volume of this attack is steadily increasing, and these attackers hacked over 2000 servers during the course of these campaigns. Through clever randomization of their URLs and phishing emails, as well as continuously using new compromised servers, they make it hard for traditional anti-spam and web-security solutions to stop this attack. As long as many vendors and free security software can’t successfully identify and stop this phishing scheme, we probably will see even more campaigns like this in the near future. Big-data-backed machine-learning algorithms and human investigators, however, can easily catch such malicious campaigns and observe them through the years. Instead of seeing attacks as single events, we connect the dots to see the whole picture of an attack.
I am surprised that such an in-depth discussion of a phisihng campaign doesn’t mention DMARC as a solution for domain owners to stop abuse of their domain and brand. The answer to “how could a phishing campaign last so long” is quite simply: beacuse it works! DMARC is fast becoming the solution to this problem and can stop the problem at the core, as you have correctly pointed out, the email that starts it all. Please take a look at DMARC.org and Agari as we help eliminate malicious email and brand abuse from the Internet.