The problem with phishing, and therefore the reason so many people have trouble with it, is that the code is fairly benign and can be very difficult to spot. This is because it usually looks almost exactly like legitimate code. Oftentimes, a website owner won’t know their site is hacked with a phishing scam until visitors inform them, which is why finding phishing pages can feel like searching for a needle in a haystack.
That’s what makes the following story so instructive.
Many thanks to our own Ben Martin for walking us through the scam (and for cleaning the client’s website).
Recently, we cleared malware from a client’s website and our malware removal expert, Ben, found some interesting phishing pages.
Where Was the Injection Located?
It’s in the hacker’s best interest to hide their phishing pages and they’re often able to do so because the code is so benign. They don’t need to run malicious scripts or inject iframes. In this case, the page doesn’t contain any suspicious functions nor calls to Russian domains. It just consists of text input fields like normal code you’d see on any website. The key then is to know what you’re looking for, and to do that you have to think like a hacker.
What Are Phishing Scams Attempting?
This is where it becomes important to remember what a phishing scam is normally attempting to do. In many cases, they’re looking for bank records like credit card or debit card numbers, so we kept it simple and searched for “bank” and look what we found:
See it? The title_netbank.jpg looked suspicious and, interestingly enough, all it took was that one reference in index.htm to the JPG file to lead us to the phishing pages. We didn’t stop there though. We also dug a little deeper and found an .htaccess file in the directory.
What you’re seeing here are IP addresses that are allowed to view the phishing page. In this case, only those with Danish IP addresses are being redirected to view the page. In this way, the hackers are able to to narrow the scope of their attacks to those who are most likely to enter their bank numbers, while not showing a suspicious page to extra people who may alert the bank or our client to the scam.
Here’s what this specific page looked like. It was being used to redirect customers to something that looked like a Nordea Bank AB user page (Nordea Bank is a financial group operating in Northern Europe). Even if you’ve never heard of Nordea, potential customers based in Northern Europe would have heard of the bank and would have been put at risk.
What Did We Learn?
The hack we cleaned here isn’t extravagant. It wasn’t obfuscated behind layers and layers of code. In fact, it was relatively simple, which is instructive. Malicious code can affect your website even when its relatively easy to spot. The lesson as always is, if you have a feeling that your site has been compromised, then it probably has been.
Torben B. Sørensen
The page is indeed in Danish, but with a few grammatical errors and typos. They probably copied some of the other information directly from the official Nordea web site – Nordea is the second largest bank in Denmark. The dropdown box for selecting expiration date contains words in Dutch rather than Danish. Hopefully, this might alert some Danish users to the fraud.
Did the web server log files show whether the page had been seen by users from Denmark?