Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit
Absolutely criminal behavior – unrestricted file upload, really?
Exclusive: Phishing kits – used by miscreants to build webpages that steal victims' personal information and money by masquerading as legit websites – harbor vulnerabilities that can be exploited by other miscreants to pilfer freshly stolen data.
It's not far off burglars breaking into a mafia den to steal loot swiped just hours earlier from a jewelry store.
And while it's not unknown for software developed by criminals for criminals to be buggy and exploitable, proof of such bungling comes this week from researchers at Akamai who have been studying crimeware for vulnerabilities. They've found holes in installations of phishing kits that allow other hackers to sneak in and commandeer operations.
Phishing kits are typically bought or otherwise obtained by criminals to build webpages that are designed to look and function exactly like a legit website, such as a bank, in order to fool marks into typing in their usernames and passwords to login or hand over personal information, such as driving license or passport scans.
These bogus webpages collect this cyber-booty and pass it along to its masters, and are usually installed on hacked websites for a while, with links spammed out to victims as phishing emails. The key thing, for the crooks, is that the emails and webpages look as genuine as possible.
Akamai senior security researcher Larry Cashdollar, with the help of colleague and researcher Steve Ragan, has found a bunch of phishing kits – particularly those that invite victims to upload files – with classic security vulnerabilities that can be exploited by hackers to take over the installation. That means sites belonging to small businesses, government departments, and so on, that have been compromised to host these phishing pages can wind up being hacked a second time by opportunist thieves seeking to swipe victims' information for themselves once all the luring emails have been sent out.
"The real risk and concern in this situation goes to the victims: the server administrators, bloggers, and small business owners whose websites are where phishing kits like these are uploaded," said Cashdollar in a research memo shared with The Register ahead of publication.
"They're getting hit twice and completely unaware of the serious risk these phishing kits represent.
"While Akamai hasn't determined if there have been successful secondary attacks due to these vulnerabilities, it's a real possibility. Many phishing kit developers have a background in application security, and chase bugs like these for money and notoriety. The idea that they would search for, discover, and exploit such flaws for their own gain isn't a stretch."
Ragan told El Reg the vulnerable kits studied were observed being used by miscreants to impersonate "two known commercial banks, a file storage and sharing service, and one online company that deals with payments," with at least one of them promoted via phishing emails.
These kits used insecure 2017-era source code lifted from a GitHub repository to implement file uploads: people would be enticed into handing over to fraudsters scans of sensitive documents and similar data via these web forms. However, the code behind the forms performed no security checks or input sanitization, meaning it is possible to upload code to the web server hosting the phishing kit via these forms, such as a PHP webshell, and then open it in your browser to start running it. To open it, you'll need to figure out the resulting URL for the uploaded file, which shouldn't be too hard.
At that point, you now, hopefully, have code execution within the phishing site's environment, with no authentication or passwords needed, and you can launch whatever commands and cron-scheduled scripts you like as the web server process. From there, you can try to elevate your privileges, or simply snoop on victims hitting the phishing site. Most sites hacked to host phishing pages have lax security, making all of this possible.
"These vulnerabilities are exploitable during the upload process, which is where the kit will ask the victim to upload pictures of their IDs, bank card, etc," Ragan explained. "So if you're on a domain, find one of these kits, and get to the upload stage, you can instead send a shell as there are no checks with regard to file type."
Specifically, the kits featured insecure PHP scripts named class.uploader.php, ajax_upload_file.php, and ajax_remove_file.php.
"A user could upload executable code to the web root. If the upload path doesn't already exist, the uploader class file will create it," as Cashdollar put it in his research note.
"The code in the file remove script doesn't sanitize user input from '..' allowing directory traversal, enabling a user to delete arbitrary files from the system if they're owned by HTTPd. Code cloning and copying is as common in the criminal world as it is in traditional, legitimate application development.
"Server security configuration is rarely hardened, and often file permissions are left wide open allowing full read and write access to directories. Attackers compromising these kits using this vulnerability could gain additional footholds on the web server. One PHP shell and an improperly secured script run by cron is all an attacker needs to take over the whole server."
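For comparison, here is what the missing checks look like in practice. This is an added example, not code from the phishing kits, the GitHub repository they copied, or Akamai's research: it shows a file-type allowlist with magic-byte verification (the check the uploader lacked), a containment check that defeats the '..' traversal in the remove script, and an unguessable stored filename. The base directory and sample inputs are constructed for illustration.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Allowlist of scan types an upload form for ID documents would plausibly accept,
# keyed by extension and paired with the magic bytes the content must start with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}


def upload_is_acceptable(filename: str, content: bytes) -> bool:
    """Accept only allowlisted extensions whose content matches the expected magic bytes.

    A 'shell.php' upload fails the extension check; a PHP file renamed to
    'shell.jpg' fails the magic-byte check. Path separators are rejected outright.
    """
    if any(sep in filename for sep in ("/", "\\")) or ".." in filename:
        return False
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False
    return content.startswith(ALLOWED_TYPES[ext])


def stored_name(filename: str) -> str:
    """Store under a random name so the resulting URL cannot be guessed from the upload."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def resolve_within(base: Path, user_path: str) -> Optional[Path]:
    """Resolve a user-supplied relative path and return it only if it stays inside base.

    This is the check a remove script needs: '../../etc/passwd' resolves outside
    base and is refused, as is the base directory itself. The path need not exist.
    """
    base = base.resolve()
    candidate = (base / user_path).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate
```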
By the time you read this, Akamai should have more details up online over here. ®