Phish Bait - The discovery of a massive multi-bank Phishing as a Service platform

A CC ND image by Bankenverband - Bundesverband deutscher Banken
The investigation
On the 26th of October 2016, the Schuberg Philis CSIRT team received three consecutive phishing alerts. We have configured our security monitoring systems to alert us when certain hits on the websites of our customers, especially the online banks we manage, exhibit signs of potential phishing.
 
Getting three alerts within 10 minutes is not unusual, certainly not if the URL of the potentially malicious site and the client are the same. However, in this case the first alert originated from the logs of an Australian online bank, while the second and third alerts were generated from the logs of an online bank in New Zealand. We found this very odd: usually a phishing campaign only targets a single bank, or it targets different banks for different users. Getting hits for banks in two different countries from the same malicious site and the same client is just weird.
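The kind of correlation that produced these alerts, written out as an added example (not the monitoring the team actually runs): parse access logs from several banks, keep hits whose Referer is not the bank itself, and report any (referer host, client) pair that shows up against more than one bank. The log lines, bank hostnames and the 198.51.100.228 phishing host are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log lines for two banks monitored by one
# CSIRT. Hosts, client IPs and the phishing host (RFC 5737 test range) are made up.
BANK_LOGS = {
    "bank-au.example": [
        '203.0.113.7 - - [26/Oct/2016:09:01:10 +0200] "GET /css/login.css HTTP/1.1" 200 812 '
        '"https://198.51.100.228:12000/services_group_list?server=cashpro1ssl&group=11" "Mozilla/5.0"',
        '198.51.100.40 - - [26/Oct/2016:09:02:00 +0200] "GET /login HTTP/1.1" 200 5120 '
        '"https://bank-au.example/" "Mozilla/5.0"',
    ],
    "bank-nz.example": [
        '203.0.113.7 - - [26/Oct/2016:09:05:42 +0200] "GET /img/logo.png HTTP/1.1" 200 4096 '
        '"https://198.51.100.228:12000/services_group_list?server=cashpro1ssl&group=12" "Mozilla/5.0"',
        '203.0.113.9 - - [26/Oct/2016:09:06:00 +0200] "GET /login HTTP/1.1" 200 5120 '
        '"https://www.google.com/" "Mozilla/5.0"',
    ],
}

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"$')

def external_referers(bank_host, lines):
    """Yield (client, referer) for hits whose Referer is not the bank itself:
    a third-party page pulling the bank's assets or sending users to it."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        host = urlsplit(m.group("referer")).hostname
        if host and host != bank_host and not host.endswith("." + bank_host):
            yield m.group("client"), m.group("referer")

def correlate(bank_logs):
    """Map each (referer host, client) pair to the sorted list of banks it hit."""
    seen = defaultdict(set)
    for bank, lines in bank_logs.items():
        for client, referer in external_referers(bank, lines):
            seen[(urlsplit(referer).hostname, client)].add(bank)
    return {pair: sorted(banks) for pair, banks in seen.items()}

def multi_bank_hits(bank_logs):
    """Only the pairs seen against more than one bank: the oddity in the post."""
    return {p: b for p, b in correlate(bank_logs).items() if len(b) > 1}

def group_id(referer):
    """The kit's 'group' query parameter, which the post found selects the target bank."""
    return parse_qs(urlsplit(referer).query).get("group", [None])[0]
```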
 
The alerts in question looked like this:

 
Since security people are curious by nature, we decided to take a peek and found this login screen.
 
 
To avoid legal complications, and in order not to tip off the owner of the site, we did not attempt to break this login screen. However, when we looked into the source code of this login screen we found an embedded JavaScript fragment that made us do a double take. This JavaScript code contained over 1200 URLs of online banks.
 
var URLS = {
      "12081": "https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces",
      "12181": "https://businessaccess.citibank.citigroup.com/cbusol/signon.do",
      "12281": "https://www.bankline.natwest.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P\u0026domain=.bankline.natwest.com\u0026ct-web-server-id=Internet\u0026CT_ORIG_URL=%2Fbankline%2Fnatwest%2Fdefault.jsp\u0026ct_orig_uri=https%3A%2F%2Fwww.bankline.natwest.com%3A443%2Fbankline%2Fnatwest%2Fdefault.jsp",
      "12381": "https://www.bankline.rbs.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P\u0026domain=.bankline.rbs.com\u0026ct-web-server-id=Internet\u0026CT_ORIG_URL=%2Fbankline%2Frbs%2Fdefault.jsp\u0026ct_orig_uri=https%3A%2F%2Fwww.bankline.rbs.com%3A443%2Fbankline%2Frbs%2Fdefault.jsp",
      "12481": "https://www.bankline.ulsterbank.ie/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P\u0026domain=.bankline.ulsterbank.ie\u0026ct-web-server-id=Internet\u0026CT_ORIG_URL=%2Fbankline%2Fubr%2Fdefault.jsp\u0026ct_orig_uri=https%3A%2F%2Fwww.bankline.ulsterbank.ie%3A443%2Fbankline%2Fubr%2Fdefault.jsp",
      "12581": "https://www.business.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR2LKuyHkgbotDB1dDZyDDTwMzM0sDTy93B1dnXz8DN0tTCC6nd0dPUzMfYCqwzxdDTxNnEwMTH3dDA08jQnoLsgNDQUAO-nOhw!!/?IDV_URL=B2G_CAM40_PERSONAL_PAGE\u0026CANCEL_CUN=hsbc.business.home_home_noMenu",
      "12681": "https://www.nwolb.com/default.aspx",
      "12781": "https://www6.rbc.com/webapp/ukv0/signin/logon.xhtml",
 
And not only that, but also matching messages for ‘login failed’:
var INCORRECT_LOGIN_ERRORS = {
      "12081": "Logon unsuccessful because Company ID, User ID, and/or Password was incorrect. If you believe your account is locked, please use the \u003ca href id=\"login.forgotPassword.link.error\" class=\"cm-slink cm-txtB11Bl\"\u003eReset my Password\u003c/a\u003e process to verify your identity or contact your admin for further assistance.",
      "12181": "You cannot sign on using the data you entered.\u003cbr\u003ePlease make corrections and try again.\u003cbr\u003eIf you need assistance call customer service at (800) 285 1709.\u003cbr\u003eFor hearing impaired call 1 (800) 788 0002.",
      "12281": "You have entered incorrect credentials, please try again",
      "12381": "You have entered incorrect credentials, please try again",
      "12481": "You have entered incorrect credentials, please try again",
      "12581": "Your Username is invalid. Please try again. (LOG_0002)",
      "12681": "Customer advice, please address the following issues:\u003cul\u003e\u003cli\u003eYour Customer Number is made up of your date of birth (ddmmyy) and up to 4 other numbers as advised when you joined the service.\u003c/li\u003e\u003c/ul\u003e",
 
For ‘please wait’:
var COUNTDOWN_MESSAGES = {
      "12081": null,
      "12181": null,
      "12281": null,
      "12381": null,
      "12481": null,
      "12581": null,
      "12681": null,
      "30081": "Connexion en cours, merci de patienter.",
      "48481": "\u003cspan class=\"plwt\"\u003eOperazione in corso.\u003c/span\u003e\u003cbr\u003eLa preghiamo di attendere...",
      "38582": "Vennligst vent...",
      "38682": "Olkaa hyvä ja odottakaa...",
      "31083": "Παρακαλώ περιμένετε...",
      "31883": "請稍候...",
      "31983": "系統處理中...",
 
And for ‘sorry this site is unavailable’:
var BLOCK_MESSAGES = {
      "12081": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12181": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12281": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12381": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12481": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12581": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "12681": "Service temporarily unavailable due to maintenance. We apologize for any inconvenience this may cause you.",
      "24381": "Serviciul temporar unavailable",
      "22881": "Sorry we cannot action your request at the moment. Please try again later.",
      "24181": "Serviciu temporar indisponibil din cauza unor lucrări de întreținere. Ne cerem scuze pentru orice neplăcere acest lucru poate provoca.",
      "24281": "Serviciul temporar unavailable",
      "36081": "\u003ch3 style=\"color:rgb(173, 172, 144)\"\u003eAccess Denied\u003c/h3\u003e\u003cp\u003eYour access to this service has been denied.\u003c/p\u003e\u003cp\u003ePlease contact your Administrator for assistance.\u003c/p\u003e",
      "30883": "The code you have entered is incorrect. Please check your Digipass and try again",
      "54482": "- Sorry, we cannot verify the account information you have entered. Should you have any queries, please contact our Customer Service department on 02 518 0000. ",
      "60581": "서비스 유지 보수로 인해 일시적으로 사용할 수 없습니다. 우리는이 불편을 끼쳐 드려 죄송합니다.",
      "64081": "Vanwege onderhoud of storing is de website niet beschikbaar. Onze excuses voor het ongemak dat kan ertoe leiden dat aan u en dank u voor uw understanding.",
      "55082": "ขออภัยค่ะ ท่านไม่สามารถเข้าสู่บริการได้เนื่องจากระบุข้อมูลการเข้าสู่ระบบไม่ถูกต้อง กรุณาระบุใหม่อีกครั้ง ถ้าต้องการสอบถามเพิ่มเติม โปรดติดต่อเจ้าหน้าที่บัวหลวงโฟน โทร. 1333 หรือ 0-2645-5555 (-30)",
 
This really made us wonder what we had found. We had a hard time thinking of a legitimate use for such a collection. The only other explanation we could think of is phishing, especially since there are no strings for a successful login.
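For a bank that wants to answer "are we on this list?", here is an added example (not from the post or the kit) that pulls the JS object literals above out of a saved copy of the page source and matches their hostnames against the bank's own domains. The PAGE_SOURCE excerpt is constructed: two URLs are the ones quoted above, while ID "99981" and bank-nz.example are made up.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed excerpt of page source in the shape the post describes: JS object
# literals keyed by the kit's numeric IDs. "99981" / bank-nz.example are made up.
PAGE_SOURCE = r'''
<script>
var URLS = {
      "12081": "https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces",
      "12181": "https://businessaccess.citibank.citigroup.com/cbusol/signon.do",
      "99981": "https://secure.bank-nz.example/ib/login?lang=en\u0026x=1"
};
var COUNTDOWN_MESSAGES = {
      "12081": null,
      "12181": null,
      "99981": "Please wait..."
};
</script>
'''

def extract_object(source, name):
    """Pull `var NAME = {...};` out of page source and decode it as JSON.

    The kit's literals are JSON-compatible (double-quoted keys, \\u escapes, null),
    so json.loads suffices; a hand-written JS literal would need a real JS parser."""
    m = re.search(r'var\s+' + re.escape(name) + r'\s*=\s*(\{.*?\})\s*;', source, re.S)
    if not m:
        raise ValueError(f"object {name} not found")
    return json.loads(m.group(1))

def targeted_entries(urls, my_domains):
    """Return {kit_id: url} for entries whose host is one of my_domains or a
    subdomain of one: the 'is our bank on this kit's list?' check."""
    hits = {}
    for kit_id, url in urls.items():
        host = (urlsplit(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in my_domains):
            hits[kit_id] = url
    return hits

def kit_profile(source, kit_id):
    """Collect what the kit stores for one ID across the objects on the page."""
    return {name: extract_object(source, name).get(kit_id)
            for name in ("URLS", "COUNTDOWN_MESSAGES")}
```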

About the site

When we look at the malicious url we see that it takes two parameters:
https://xx.xx.237.228:12000/services_group_list?server=cashpro1ssl&group=12
 
The parameter group seems to control which banking URL is the target. The alert that originated in the Australian bank’s logs has the url with group set to 11, and the url with group set to 12 triggered alerts based on the logs of the bank in New Zealand.
 
The other parameter required some Googling. Once we discovered that cashpro appears to be the name of the online banking software used by Bank of America, it became very likely that this parameter drives the ‘skin’ that is applied to the fake login page. ‘cashpro1ssl’ might mean something like Cashpro skin version 1 over SSL.
 
We believe that the alerts we received were triggered by a coder/administrator testing an early version of a ‘Phishing as a Service’ platform, intended to give anyone willing to pay an easy way of mimicking the login page of one or more banks of their choosing.
 
Since this discovery we have worked with the Dutch National Cyber Security Center, the Dutch Police and one of our clients to see what else we could learn about this site. Unfortunately, given the complexities of an international investigation and the legal limits we are bound to, we have not been able to obtain the source code of the site. When we ran out of options to get more information, a Notice and Takedown (NTD) process was started and the site was taken offline on the 1st of November.
 
What does this mean?
 
To us it looks like the phishing industry is coming of age. Like many other things on the internet, phishing is moving from something you have to do yourself to something you can consume as a service. While the site we found is still of low quality (e.g. some Dutch strings seem to be bad machine translations of English sentences), it is only a matter of time until this service becomes good enough to cause an increased flood of phishing emails. Many banks do not make their own software but rely on commercially made banking software, which more or less looks alike. While we have seen cases before where phishing sites contained fake login screens for multiple banks, seeing a site that seems to target approximately 1200 URLs is new to us.
 
What is next?
 
We have published an advisory here. We are working with the NCSC to get it to all Dutch banks and are still investigating how to get it to the other banks that appear in the URL list; hence the public release of this advisory. The site is offline as of the evening of the 1st of November.
 
FAQ
 
Why was it decided not to initiate a Notice and Takedown procedure immediately?
After discussions with NCSC, the Police and our customer we decided that there was no immediate threat from this phishing site and that it was more important to learn as much as possible from it.
 
Why did you call this one Phish Bait?
We deem it highly likely that this is a Phishing as a Service (Phishing aaS) platform. ‘Aas’ is the Dutch word for bait.
 
Why did you mask the ip address of the malicious site?
The provider hosting this page is likely not to blame, and since the notice and takedown process is in progress the actual address is not relevant.
 
Were you able to hack into the phishing site?
For legal reasons, and in order not to raise suspicion with the owner of the site, the analysis was limited to the main page and to open-source intelligence (OSINT) collected without direct access to the platform.
 
Can I get the full URL list?
It is in the advisory.
 
Can I get more information?
Contact our Security Officer: Frank Breedijk. Phone: +31 20 750 6500 Email: fbreedijk@schubergphilis.com

1 Comments

Mike Wilkes
Thanks for the write up. This is an interesting development to document and follow.
