Protecting Phishing Pages via .htaccess

Labs Note

Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, if they are targeting a specific type of service (online banking for instance) attackers may allow only a set of visitors from a specific country to see that phishing page.

Though  attacker’s skillset may vary, some will just try to customize third-party scripts they find online and it’s not uncommon when they do it poorly. For example, one phishing campaign uses a bot blocking .htaccess file that can be easily found on the Internet. It really protects sites from unwanted bots, but has very little to do with search engines, security companies, and geographic regions (although it blocks some of them) – it just saves bandwidth.

deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net

Along with the .htaccess file, there may be other files within the phishing structure, such as:

  • Image directories (img/images) – These directories may contain logo, header/footer images & others related to phishing (Paypal, Banks, etc.).
You May Also Like