Phishing, an old and traditional attack, is still a thing. Hundreds of phishing website are launched every day and it threats people around the world. Anti-Phishing Working Group (APWG) says that APWG detected 150,000+ phishing websites for the 3rd quarter of 2018. Sometimes phishing actors make OPSEC failures and, thanks to that, researchers can obtain a phishing kit (a kit to deploy a phishing website). We have collected 18,000+ phishing kits based on OSINT and analyzed mechanisms of phishing websites and phishing actors themselves. In this presentation, we will show the following findings. - How to collect phishing kits based on OSINT data. - Analysis of phishing actors: - Who develops a phishing kit, How to distribute it, etc. - Including a methodology to find out a phishing actor based on information (email, username and signature) inside a phishing kit. - We will show an analysis of Indonesian phishing actors who target Asian countries. - Especially focusing on an actor named DevilScream/Z1Coder who develops an infamous phishing kit“16shop”. Finally, we will show countermeasures we have taken against phishing websites and actors.

1. Copyright©2019 NTT corp. All Rights Reserved.
Catch Phish If You Can
A Case Study of Phishing Website and Actor
2019.05.15
Hirokazu Kodera & Manabu Niseki
Copyright(c)2019 NTT Corp. All Rights Reserved.

2. 2Copyright©2019 NTT corp. All Rights Reserved.
• Manabu Niseki:
• Researcher, NTT Secure Platform Laboratories
• NTT-CERT
• FIRST TC Bali 2018 & Internet Week 2018 speaker
• Hirokazu Kodera:
• Researcher, NTT Secure Platform Laboratories
Who Are We?

3. 3Copyright©2019 NTT corp. All Rights Reserved.
THE STATE OF PHISHING

4. 4Copyright©2019 NTT corp. All Rights Reserved.
The State of Phishing
Source: http://docs.apwg.org/reports/apwg_trends_report_q4_2018.pdf/
APWG stats: 785,920 phishing sites in 2018

5. 5Copyright©2019 NTT corp. All Rights Reserved.
How can we take
countermeasures?

6. 6Copyright©2019 NTT corp. All Rights Reserved.
知己知彼
Know yourself,
know your enemy
孫子兵法 / The Art of War

7. 7Copyright©2019 NTT corp. All Rights Reserved.
HOW TO CATCH PHISHES

8. 8Copyright©2019 NTT corp. All Rights Reserved.
• Phishing kit:
• A kit to deploy a phishing website.
• It is possible to analyze a phishing website by
obtaining a phishing kit.
How to Catch Phishes

9. 9Copyright©2019 NTT corp. All Rights Reserved.
Phishing actors make an OPSEC fail.
• e.g. paypal-support.big[.]com[.]my
How to Catch Phishes

10. 10Copyright©2019 NTT corp. All Rights Reserved.
Phishing kit collecting methods:
1. Subscribing & generating feeds
2. Enumerating phishy URLs
3. Crawling the phishy URLs
• An open directory website enables to download a
phishing kit.
How to Catch Phishes
Phishing Kits
Subscribe feeds
• OpenPhish
• PhishTank
Generate feeds
• CT logs
• New domains
Phishy URLs

11. 11Copyright©2019 NTT corp. All Rights Reserved.
INSIDE PHISHING KITS:
HOW TO STEAL CREDENTIALS

12. 12Copyright©2019 NTT corp. All Rights Reserved.
How phishing kits steal credentials?
• Two major ways:
• Writing credentials to a local file.
• Sending credentials to an actor’s email address.
Inside Phishing Kits

13. 13Copyright©2019 NTT corp. All Rights Reserved.
Inside Phishing Kits
Writing credentials to lolo.txt

14. 14Copyright©2019 NTT corp. All Rights Reserved.
Inside Phishing Kits
Sending credentials to myloginbox@protonmail.com

15. 15Copyright©2019 NTT corp. All Rights Reserved.
Stats of email providers abused by actors
Inside Phishing Kits
0 500 1000 1500 2000 2500 3000 3500 4000
mail.ru
aol.com
zoho.com
protonmail.com
mail.com
outlook.com
hotmail.com
yandex.com
yahoo.com
gmail.com
count

16. 16Copyright©2019 NTT corp. All Rights Reserved.
INSIDE PHISHING KITS:
HOW TO CLOAK

17. 17Copyright©2019 NTT corp. All Rights Reserved.
• Some of phishing sites include a cloaking
function.
• Implemented with .htaccess and PHP
• Cloaking targets:
• IP address
• User-Agent
• HTTP Referer
Cloaking Function of Phishing Kits
Phishing site
User Crawler
A Normal user can access to the phishing site, while a crawler can’t access to it.

18. 18Copyright©2019 NTT corp. All Rights Reserved.
• Implementation example with .htaccess and
PHP
Cloaking Function of Phishing Kits
RewriteEngine on
RewriteCond %{HTTP_REFERER} example¥.com [NC,OR]
RewriteCond %{HTTP_REFERER} www¥.example¥.com
RewriteRule ^.* - [F,L]
RewriteEngine on
order allow,deny
deny from 192.0.2.0/24
deny from 198.51.100.0/24
deny from example.com
deny from env=stealthed
allow from all
Implementation example with .htaccess
Access with Referer example.com or www.example.com,
then the access will be denied.
<?php
if(strops(_$SERVER[‘HTTP_USER_AGENT’],’crawler’) or
strops(_$SERVER[‘HTTP_USER_AGENT’],’bot’) ){
header(‘HTTP/1.0 404 Not Found’);
exit;
}
?>
Implementation example with PHP
Accessed with User-Agent crawler or bot,
then the access will be denied.

19. 19Copyright©2019 NTT corp. All Rights Reserved.
• How to analyze a cloaking function in a phishing
kit?
1. Deploy a phishing kit on the Web server in the closed
environment.
2. Send HTTP requests with multiple conditions of HTTP
header to a phishing kit.
• User-Agent and Referer
3. Observe HTTP responses from a phishing kit.
Dynamic Analysis Against Phishing Kits
Analysis tool
Phishing kit deployed
on Web server
User-Agent: testbot
User-Agent: Bot
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
User-Agent Referer
Closed environment

20. 20Copyright©2019 NTT corp. All Rights Reserved.
• About 12.9% of phishing kits have a cloaking
function against User-Agent or Referer.
• Analyzed phishing kits: 4,917
• Include cloaking function: 636
• Not include cloaking function: 4,281
• Respond “403 Forbidden”, “404 Not Found”.
• Redirect to a legitimate site or a search engine.
Dynamic Analysis Against Phishing Kits
12.9
%
87.1
%
No Cloaking Function
Cloaking Fucntion
Redirect to Phishing Target
google.com Dropbox, Apple
yahoo.com PayPal
www.linkedin.com LinkedIn
www.paypal.com PayPal
www.gov.uk UK Revenue
Customs Agency
www.asb.co.nz ASB Bank
Summary of redirection to legitimate sites.Ratio of cloaking function
Redirect to
search engines
Redirect to
legitimate sites

21. 21Copyright©2019 NTT corp. All Rights Reserved.
• It is identifiable whether a phishing kit has a cloaking
function or not by sending 13 patterns of HTTP
request.
• Analyzed 636 phishing kits which includes cloaking function.
• 86.6% of phishing kits block a HTTP request with "Surfbot"
User-Agent.
• The result indicates a connection of phishing actors. The
cloaking techniques may be shared with phishing actors.
Dynamic Analysis Against Phishing Kits
HTTP
Header
Parameter
User-Agent Surfbot
Referer spamcop.net
User-Agent imo-google-robot-intelink
User-Agent AdsBot-Google
Referer http://http://safebrowsing-
cache.google.com/
User-Agent ASPSeek
User-Agent HSFT - LVU Scanner
HTTP
Header
Parameter
Referer altavista.com
Referer google.com.ar
User-Agent CoolBot
User-Agent DISCo Pump 3.2
User-Agent NetZip Downloader
User-Agent tor-exit

22. 22Copyright©2019 NTT corp. All Rights Reserved.
• How to check whether a phishing site has a
cloaking function?
1. Access to a phishing site with HTTP header patterns
analyzed in the previous step.
2. Observe HTTP response from a phishing site.
Phishing Sites Including Cloaking Function
Analysis Tool Phishing Site A
GET http://example.jp/phishing.php
User-Agent: Surfbot
GET http://example.com/fake.php
User-Agent: Surfbot
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
1. User-Agent: Surfbot
2. Referer: spamcop.net
13. User-Agent: tor-exit
HTTP Header Patterns
GET http://example.com/fake.php
Referer: spamcop.net
HTTP/1.1 200 OK
GET http://example.com/fake.php
User-Agent: tor-exit
HTTP/1.1 200 OK
Phishing Site B
Phishing Site A has
cloaking function
Phishing Site B doesn’t have
cloaking function

23. 23Copyright©2019 NTT corp. All Rights Reserved.
• 10.4% of phishing sites have a cloaking
function.
• The number of accessed phishing site URLs: 4,901
• Some phishing sites may be not enable access control
implemented with .htaccess.
Phishing Sites Including Cloaking Function
10.4
%
89.6
%
No Cloaking Function
Cloaking Fucntion
Ratio of cloaking function
Analysis Tool
Phishing Kit which
have cloaking func.
User-Agent: testbot
User-Agent: testbot
HTTP/1.1 403 Forbidden
HTTP/1.1 200 OK
Closed Environment
Phishing Site
Phishing site doesn’t deny access
though same phishing kit has cloaking function
Download Kit

24. 24Copyright©2019 NTT corp. All Rights Reserved.
• Some phishing kits have a cloaking function
which makes analysis more difficult
• IP address which connected to a phishing site is added
to .htaccess file dynamically.
• Access to the same phishing site again, the second access
is redirected to legitimate site.
Characteristic Cloaking Function
Redirect the second
connection to PayPal.
• We need to care the cloaking function when
researching phishing sites.

25. 25Copyright©2019 NTT corp. All Rights Reserved.
WHO DID IT?

26. 26Copyright©2019 NTT corp. All Rights Reserved.
Signature / Credits Analysis
Th3 Exploiter

27. 27Copyright©2019 NTT corp. All Rights Reserved.
Signature / Credits Analysis
Ak47-VbV

28. 28Copyright©2019 NTT corp. All Rights Reserved.
Signature / Credits Analysis
Shadow Z118

29. 29Copyright©2019 NTT corp. All Rights Reserved.
• Signature / credits analysis makes possible
to trace out phishing actors.
• OSINT techniques:
• Username check:
• Check User Names, Knowem, Pipl
• Domain and IP research:
• RiskIQ, SecurityTrails, VirusTotal
• Googling
Signature / Credits Analysis

30. 30Copyright©2019 NTT corp. All Rights Reserved.
• Indonesian phishing actors:
• RSJKINGDOM (a.k.a DarkLight)
• DevilScream (a.k.a Z1coder)
• Spammer ID
• Others:
• Hijaiyh(a.k.a justalinko), IDHAAM69, Indonesian Darknet
and more.
Chasing Indonesian Actors

31. 31Copyright©2019 NTT corp. All Rights Reserved.
CHASING INDONESIAN ACTORS:
RSJKINGDOM

32. 32Copyright©2019 NTT corp. All Rights Reserved.
• RSJKINGDOM:
• A developer of phishing kits targeting PayPal & Apple
RSJKINGDOM

33. 33Copyright©2019 NTT corp. All Rights Reserved.
RSJKINGDOM
RSJKINGDOM
DarkLight

34. 34Copyright©2019 NTT corp. All Rights Reserved.
RSJKINGDOM

35. 35Copyright©2019 NTT corp. All Rights Reserved.
RSJKINGDOM

36. 36Copyright©2019 NTT corp. All Rights Reserved.
RSJKINGDOM

37. 37Copyright©2019 NTT corp. All Rights Reserved.
CHASING INDONESIAN ACTORS:
DEVILSCREAM

38. 38Copyright©2019 NTT corp. All Rights Reserved.
• DevilScream:
• A developer of an infamous phishing kit “16shop”.
DevilScream

39. 39Copyright©2019 NTT corp. All Rights Reserved.
DevilScream
Riswanda
devilscream
Z1coder

40. 40Copyright©2019 NTT corp. All Rights Reserved.
DevilScream
Total: 768 domains (2019/03)

41. 41Copyright©2019 NTT corp. All Rights Reserved.
• GitHub as a C2 (since 16shop v2)
DevilScream

42. 42Copyright©2019 NTT corp. All Rights Reserved.
• Attribution by Phishing AI:
DevilScream
Source: https://twitter.com/PhishingAi/status/1011688773610979328/

43. 43Copyright©2019 NTT corp. All Rights Reserved.
CHASING INDONESIAN ACTORS:
SPAMMER ID

44. 44Copyright©2019 NTT corp. All Rights Reserved.
Spammer ID
RSJKINGDOM’s profile picture on Kongknow

45. 45Copyright©2019 NTT corp. All Rights Reserved.
Spammer ID

46. 46Copyright©2019 NTT corp. All Rights Reserved.
• Spammer ID runs various services:
• arakatestore[.]com
• HTML to PDF Converter
• Encrypt text with HTML Hidden Characters
• carder[.]io
• BIN checker
• spmr[.]us
• URL shortener
• spammer[.]me
• OCR reader, Priv8 tools and etc.
Spammer ID

47. 47Copyright©2019 NTT corp. All Rights Reserved.
COUNTERMEASURES WE’VE TAKEN

48. 48Copyright©2019 NTT corp. All Rights Reserved.
• Reporting phishing websites:
• To Google Safe Browsing
• To hosting providers
• Sharing a repot with LEAs & CSIRT/CERTs.
Countermeasures We’ve Taken

49. 49Copyright©2019 NTT corp. All Rights Reserved.
CONCLUSIONS

50. 50Copyright©2019 NTT corp. All Rights Reserved.
• You can get phishing kits by leveraging
OSINT.
• The cloaking function in phishing kits makes
it difficult to analyze.
• But you can bypass it by knowing how it works.
• You can take practical countermeasures
against phishing attacks by analyzing
phishing kits.
Conclusions

51. 51Copyright©2019 NTT corp. All Rights Reserved.
ANY QUESTIONS?

52. 52Copyright©2019 NTT corp. All Rights Reserved.
• References:
• DeepEnd Research: Indonesian Spam Communities
• http://www.deependresearch.org/2018/09/indonesian-
spam-communities.html
• NetSecOps: Analysis of Phishing mail. Drone bought
from Apple
• http://netsecops.info/bought-a-drone-from-apple-really/
References