Today I received an interesting phishing email.
I did some research and found that it is actually a good learning opportunity, since the attacker's infrastructure shows some solid defensive practice.
Today's goal is to walk through the phishing chain by mimicking a victim.
TITLE: RE: Wrn ,protect your sensitive data from unauthorized access
As you can see, the email body is nothing more than an image that mimics an Amazon notification.
By clicking 'log in', the victim is sent to "http://karet1nagut4zinat2a.myvnc.com/Lzmvejr9/9VRl0.email@example.com&A3zj864z4g4h=Yku8nhrrI24". Note that an e-mail address is embedded in the path, so each link identifies the recipient it was sent to.
P.S. Before doing this, we need to set up proxies in Chrome and Postman, since the attacker's server blocks clients by IP address. Do this from a disposable VM on a network you do not mind being burned.
This process seems redundant. Why does the server need an extra redirect hop?
Once you look at the redirect URL, you notice that both hostnames in the chain (myvnc.com and dynu.net) belong to free dynamic DNS providers, with random-looking labels.
Such a beautiful design!!
The attacker uses the hop to avoid direct attack on the landing page: the link in the email never exposes the final host, so I guess the hostname is switched from time to time, whenever one gets blocklisted.
After making a GET request to the redirect server, I received an empty response body, but the response headers contained a 'Set-Cookie' header.
OK, I guess this is a typical security practice. Good job, attacker.
We need to send this cookie back in the later requests to impersonate the victim; it ties the rest of the chain to this first visit.
Using the 'Link Redirect Trace' Chrome extension, I found that there should be one more redirect.
One GET request to
And then the response was
<meta HTTP-EQUIV='REFRESH' content='0; url=/XIUKBYXj/6bdP07fjlZU/slsE7oEhpngamqHFQpNhvh7HJSAASj/do.html?id=FVtbYxvrAkxwH8DUr4b5ml5gCTccpJkrP6NlJxDo'>
Hmmm... a meta refresh tag is used to redirect to the target URL instead of an HTTP Location header, so a tool that only follows HTTP redirects stops here.
After the redirect, I got
<title>Amazon</title> <link rel="shortcut icon" href="files-aws/favicon.ico" type="image/x-icon"> <frameset> <frame src="/2VC1vaJC/6bdP07fjlZU/F7QCiIcGJe85mphq3T0hQb2gETrByt/iframe.php"> </frameset>
The frame src is relative, so it resolves against the same host. Making one more GET request to 'http://lertamer1iutyvab3kibratec2.hindusa7lozqebc4orbc.dynu.net/2VC1vaJC/6bdP07fjlZU/F7QCiIcGJe85mphq3T0hQb2gETrByt/iframe.php'
and I got
I was thrilled by this result. It is about to make the login request.
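The chain above (HTTP redirect with Set-Cookie, then a meta refresh, then a frameset pointing at iframe.php) is exactly the kind of thing a plain redirect tracer misses. The script below is an added example, not code from the original post or from the phishing kit; it walks such a chain offline against a constructed stand-in for the attacker's servers (the hostnames, paths, cookie name and the rule that the landing host refuses requests without the cookie are all assumptions), carrying the cookie forward and resolving meta-refresh and frame targets relative to the current URL. Swap fake_fetch for a real GET through your proxy to run it against a live chain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the attacker's infrastructure (hostnames, paths and
# the cookie name are made up). Each entry is url -> (status, headers, body).
FAKE_SERVERS = {
    "http://redirect.example/go?id=abc": (
        302,
        {"Set-Cookie": "kit=SESSION123; Path=/",
         "Location": "http://landing.example/entry.html"},
        "",
    ),
    "http://landing.example/entry.html": (
        200, {}, "<meta HTTP-EQUIV='REFRESH' content='0; url=/x/do.html?id=abc'>",
    ),
    "http://landing.example/x/do.html?id=abc": (
        200, {}, "<title>Amazon</title><frameset><frame src=\"/y/iframe.php\"></frameset>",
    ),
    "http://landing.example/y/iframe.php": (
        200, {}, "<form action='/y/post.php'><input name='email'></form>",
    ),
}


def fake_fetch(url, cookies):
    """Stand-in for an HTTP GET. Assumed gating rule: the landing host refuses
    any request that does not carry the cookie issued by the redirect hop."""
    if urlsplit(url).hostname == "landing.example" and "kit" not in cookies:
        return 403, {}, "blocked"
    return FAKE_SERVERS.get(url, (404, {}, ""))


class HopParser(HTMLParser):
    """Pull the next hop out of an HTML body: a meta-refresh target or a frame src."""

    def __init__(self):
        super().__init__()
        self.refresh = None
        self.frame = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh = m.group(1)
        elif tag in ("frame", "iframe") and a.get("src") and self.frame is None:
            self.frame = a["src"]


def next_hop(base_url, status, headers, body):
    """Return the absolute URL of the next hop, or None when the chain ends."""
    if status in (301, 302, 303, 307, 308) and headers.get("Location"):
        return urljoin(base_url, headers["Location"])
    p = HopParser()
    p.feed(body)
    target = p.refresh or p.frame
    return urljoin(base_url, target) if target else None


def store_cookies(jar, headers):
    """Record the name=value pair of a Set-Cookie header (attributes ignored)."""
    raw = headers.get("Set-Cookie")
    if raw:
        name, _, value = raw.split(";", 1)[0].partition("=")
        jar[name.strip()] = value.strip()


def follow_chain(start, fetch=fake_fetch, max_hops=10):
    """Walk redirects, meta refreshes and frames, carrying cookies forward.
    Returns (visited [(url, status)], cookie jar, final body)."""
    jar, visited, url, body = {}, [], start, ""
    for _ in range(max_hops):
        status, headers, body = fetch(url, jar)
        visited.append((url, status))
        store_cookies(jar, headers)
        if status >= 400:
            break
        url = next_hop(url, status, headers, body)
        if url is None:
            break
    return visited, jar, body


if __name__ == "__main__":
    for u, s in follow_chain("http://redirect.example/go?id=abc")[0]:
        print(s, u)
```

The loop stops on the first 4xx/5xx, which is what you want to see when the kit decides your cookie, IP or User-Agent is not a victim's; a real fetch function should also pin the proxy and send a browser-like User-Agent.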
CPP is one type of protocol that fights DDoS/DoS attacks.
I stopped at this point, since I didn't want to spend more time on this puzzle script. I saw a function called 'AES', and it could possibly be a proof-of-work kind of puzzle, in which the client has to hash a challenge with new nonces again and again until the output matches a target.
From this research I found that I have more to learn, and I somehow respect those hackers who send phishing mails and set up these security layers to protect themselves from other hackers.
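As an added illustration of the proof-of-work idea guessed at above (this is not the kit's script and uses SHA-256, not AES; the challenge bytes are constructed): the client burns CPU searching for a nonce whose hash has enough leading zero bits, while the server verifies with a single hash. That asymmetry is what makes it useful against automated clients hammering a page.

```python
import hashlib


def hash_meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest starts with at least difficulty_bits zero bits."""
    value = int.from_bytes(digest, "big")
    return value >> (len(digest) * 8 - difficulty_bits) == 0


def pow_hash(challenge: bytes, nonce: int) -> bytes:
    """Hash the server challenge together with a fixed-width client nonce."""
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty_bits: int, max_iter: int = 1 << 24):
    """Client side: try nonces in order until one meets the target.
    Expected work is about 2**difficulty_bits hashes."""
    for nonce in range(max_iter):
        if hash_meets_target(pow_hash(challenge, nonce), difficulty_bits):
            return nonce
    return None  # gave up; caller should treat as failure


def verify(challenge: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Server side: one hash checks the client's work."""
    return hash_meets_target(pow_hash(challenge, nonce), difficulty_bits)


if __name__ == "__main__":
    challenge = b"constructed-challenge-1"  # a server would send a fresh random value
    nonce = solve(challenge, 12)
    print(nonce, verify(challenge, nonce, 12))
```

A server issuing such puzzles must bind the challenge to the session and expire it, otherwise one solved nonce can be replayed across requests.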