Phishing can come in a couple different forms. It can be an email campaign where the sender spoofs the from address to look like that of a company’s CEO. The unsuspecting administrative staff receives an urgent request to go to the nearest Apple store and purchase thousands of dollars worth of iTunes gift cards for a prospective new client.  They are then instructed to send the iTunes codes to the fake CEO via email. The executive is in a meeting with the prospective client and quickly need gifts to entice the potential new business partners.  This is an act I’ve seen happen first hand and is, of course, fraudulent.

Another way of getting a user’s login information is to set up a fake website that looks identical to a real website. The difference here being that the fake website is operated by a no-goodnik. The user is tricked into logging in to the fake site via an email link and the malicious actor now has the login credentials for the user’s bank, email account, Facebook or whatever site has been emulated.

Many SOCs will rely on intrusion detection signatures as a form of alerting on when something is amiss in the network. At ElevatedPrompt our Blue Team doesn’t just rely on IDS. We conduct daily advanced threat hunts to monitor networks and safeguard our clients.  It was during one of these hunts that I located this phishing website:

After ensuring that the site never made it across the user’s screen I started to investigate further. The site is meant to emulate the Bank Of Montreal’s website except it won’t log you in to your bank account. Far from it. It’ll take your credentials and pass them on to the phishing site creator.  You’ll then, most likely have your bank account drained. Let’s have a look at how it works.

After downloading the site contents we see some files of interest.

Index.html is the site we see when the page is loaded. The only live button that does anything is the Continue button. The intention is for the victim to enter their card number and password and click Continue. Reviewing the index.html file we see that the card number field is called formtext1 and the password field is called formtext2:

These form field names will come into play when the form is submitted. Once the user enters their information into the fake website they would click Continue at which point we see another script called:

Email1.php will complete when the user clicks Continue.

The ‘Created BY’ line and helpful Change Your Email comment line are obvious indicators that this fake site was created using a phishing kit. After the user clicks Continue the supplied credentials (formtext1 is the card number and formtext2 is the password as we saw above) are sent to the attacker’s email addresses listed.  The email sent to the criminal will display the user’s credentials, IP address that the user was accessing the fake site from and the geolocation of the victim.  All very handy information for the attacker.

There are some ways that you can prevent yourself from being phished. Be very careful when reviewing emails. If you’re not familiar with a sending address be wary of any links within the message. Even if you are familiar with the sender it doesn’t hurt to be extra cautious by asking them if they purposefully sent a link. Get in the habit of always checking the URL of the site being visited. In this case that would be a very red flag as BMO does not operate using ubarce(.)gq/BMO as one of their website addresses.