Phishing for OTP

Introduction

Analysis of a recently detected phishing kit, targeting a retail bank based in the Philippines and submitted to VirusTotal, led to the identification of a low-sophistication method used by threat actors in an effort to phish for usable one-time passwords (OTP) along with account credentials.

One-time passwords, as implemented by many banks within the Philippines, enhance the security of customer accounts and address common insecurities associated with passwords by requiring the customer to be in possession of a secondary factor, be that a hardware token or a mobile device upon which an OTP can be received via SMS or generated through an application.

Typical phishing sites utilize PHP-based pages that send the results to an email account and, as such, the efficacy of many campaigns would have decreased with the introduction of OTP due to them expiring in the time between submission and receipt by the threat actor

Whilst some threat actors may have ‘worked around’ this issue, such as utilizing other social engineering attempts to acquire a valid OTP through an SMS or telephone call, others may have simply resorted to abusing stolen credentials in other ways, for example, credential stuffing attacks against third-party services.

Seemingly to resolve this issue, albeit in a simplistic and somewhat labor-intensive way, this phishing kit, along with others likely associated with the same threat actor or group, have resorted to logging phished details to a ‘control panel’ page that would provide the ability for them to be viewing in near real-time.

Phishing Kit

Demonstrating that many phishing kits remain in circulation for long periods of time, often with the only modification being the email address used to collect stolen credentials, analysis of timestamps within the kit provide an indication of its initial creation as well as highlighting when a brand’s website was cloned.

In this instance, timestamps associated with core files (Figure 1), those being scripts or content providing basic functionality that remains consistent from site to site, suggest that this kit may have been originally created on 19 April 2019.

Figure 1 – Core file timestamps indicating initial creation (19 April 2019)

As is common with phishing kits of this nature, the targeted brand website will be cloned and, in doing so, many applications will add a HTML comment to the cloned pages that identify both the original source and the time at which it was downloaded.

Typically, low-sophistication threat actors will fail to remove these tell-tale signs, such as in this case, and therefore it is possible to determine that the popular free tool ‘HTTrack Website Copier’ [1] was used to clone a Philippine Retail Bank’s login page on 4 September 2019 (Figure 2).

Figure 2 – HTML comment indicating brand clone (4 September 2019)

Notably, the use of tools such as HTTrack will, in their default state, be identifiable by consistent user-agent strings and therefore offer an opportunity for defenders to block, limit or redirect access attempts, for example:

• *Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)*
• *Mozilla/5.0 (compatible; HTTrack 3.0x; Windows 98)*

Disparity between the initial creation date and the date at which their login pages were cloned, in this case around five months, may be indicative of the kit being updated with new branding or an existing kit being modified to target a new brand.

Although many threat actors will lack the expertise to craft their own kits from ‘scratch’, modifications often only require basic web development knowledge and, as such, many kits will retain artefacts or references related to other brands, or even threat actors, as superficial changes are made without a full understanding of the kit’s structure.

Furthermore, organizations with well established branding may not update their login pages on a regular basis and, as such, negate the need for threat actors to continually update their phishing kits. Whilst this results in many phishing kits remaining useful for long periods of time, some may be distinguishable from the legitimate site due to the presence of out-dated copyright notices or content.

Finally, timestamps associated with configuration files, such as those used to define where phished credentials are sent, are typically the most recent change performed by the threat actor responsible for deploying the kit (Figure 3).

Figure 3 – Credential handling indicating most recent update

Attack Process

Figure 4 – Process/page flow

Potential victims arriving at the phishing site, likely after receiving a lure message via email or SMS to encourage them to login, are first presented with a webpage mimicking the legitimate login of a retail bank based in the Philippines as well as having their IP address logged to zerion.php, a ‘control panel’ page that can be accessed by the threat actor.

Should they fall for the ruse, entering their credentials into the fake login page, they will then have prompted for their one-time password (OTP) on a page that mimics the legitimate brand but does not appear to have been cloned from the original site.

Typically, at this point in the process, the credentials and OTP would be sent via email to a predefined threat actor email address, using the PHP mail function, before being redirected to the legitimate website, and, based on modifications observed within this phishing kit, this information is also saved to the zerion.php file.

Interestingly, and likely due to modifications being made by a threat actor that does not fully understand the phishing kit code, emails sent from this kit only include the OTP and the victim will find themselves in a loop that repeatedly prompts them for another OTP alongside an ‘error’ message.

Whilst this functionality may be somewhat intentional, in that it is beneficial to acquire multiple OTPs, it may cause the victim to become suspicious and/or contact their bank due to an apparent login failure.

Threat Actor Control Panel

Those falling victim to this phishing campaign will find that their credentials are saved to a file, zerion.php, that can be accessed by the threat actor and prompts for a password (Figure 5).

Figure 5 – Phished credentials ‘panel’ page login

Having entered the correct password, compared against a hardcoded value within the PHP source, access to this ‘panel’ is gained and any phished credentials and OTPs are displayed (Figure 6).

Figure 6 – Phished credentials ‘panel’ (top) and source code excerpt (bottom)

Demonstrating the simplicity of this page, rather than using dynamic content perhaps obtained from a database, the page is written to whenever a victim submits their details to a form and is therefore static in nature. Given this, the page automatically refreshes every five seconds to allow the threat actor to view the results of their campaign in a pseudo-real-time fashion.

Unlike receiving phished credentials via email, this simple method somewhat alleviates the problem of an OTP expiring before a threat actor has the opportunity to abuse it although this does require them to be actively monitoring the page.

Given this active monitoring requirement, the initial lure would likely include language to encourage victims to logon ‘urgently’, proving the threat actor with a window of potential activity following the delivery of their lure emails or SMS.

Recommendations

• The provision of regular security advice to customers helps them to distinguish the good from the bad, especially with examples of nefarious campaigns or websites, as well as reminding them to only make use of official sites and contact methods.
• Customers should be reminded to never divulge one-time passwords (OTP), especially in response to an unsolicited SMS or telephone call.
• OTP solutions should be configured with a short validity timespan to reduce the effectiveness of any phishing campaign that seeks to obtain these alongside a victim’s credentials.
• The use of take-down services should be considered to remove offending phishing content as well as gathering threat intelligence that can help to identify those conducting campaigns.
• In the event of perpetrators being identified, prosecutions should be sought, wherever possible, to disrupt the ongoing threat and act as a deterrent to others.