Here's something I hear quite a bit when talking about security things:
Our site isn't a target, it doesn't have anything valuable on it
This is usually the retort that comes back in defence of some pretty shady practices and in the mind of the defendant, it's a perfectly reasonable position. They don't collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker?
Reputation. More specifically, a non-negative reputation because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax's website (every time we thought it couldn't get any worse...). This subheading within the piece describes precisely what the attraction is:
Spammers Crave Legitimate Domains
I'll come back to illustrating the value proposition of this a little later on but for now, I want to share a collection of examples I've been saving over the last few months. What follows are all phishing emails which made their way through Microsoft's Outlook.com filters and landed in my inbox. For example, this one suggesting that I needed to upgrade my account:
Looks legit, nice work on the "Microsof" spelling too guys! Ok, it actually looks terrible but the phishing page it then links to is pretty convincing:
Here's the real point of this post though: note the domain in the image above now look at the actual legitimate website it sits within:
It's a normal, garden variety website. Pretty rudimentary, running on WordPress and very possibly using any number of plugins which have had serious security risks in the past. It's the sort of site people think doesn't pose any upside to an attacker, yet here we are.
Another phish for Microsoft credentials which again, made it directly into my inbox was this one:
It displays many of the hallmarks of a phishing attack including establishing a sense of urgency, providing a call to action and attempting to create an air of authenticity. The text "This message is from a trusted sender" you see in the header is the name of the recipient and that same text in the body of the email is nothing more than stylised HTML.
It links through to a similarly convincing phishing page:
This page happily loaded through my ISP and through Chrome's anti-phishing protection because the site was yet to be flagged as malicious. Once I stripped off the path, here's what was on the site:
Nobody ever suspects daffodils! Chrome certainly didn't but if you try going to that site now, you'll have a very different experience. Now I doubt the Daffodil Excursion website ever had much going on for it traffic wise, but it's value proposition was that it didn't have a negative reputation!
Another Microsoft phish came through which looked particularly convincing:
And once again, served up a pretty slick looking phishing page:
Which, per the theme of this post, is actually a perfectly legitimate website for a club in Northern Ireland:
For a change of pace from Microsoft phishes, a Netflix one came through:
This eventually bounced me over to this page:
You'll see this is on the domain awpaugp250.siterubix.com which is now disabled and would originally have been provisioned as a site built on the SiteRubix service. That's not the interesting bit here, it's that the original email click went through to customers.easy.net.gr/xad/:
Which did a 302 to 2no.co/3YR3B3 which then did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/ which then did a 302 to the 1931f0840cfa5b56436809863fc47c2d path which did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/1931f0840cfa5b56436809863fc47c2d/ which was the final destination. It bounced through multiple legitimate hosts before arriving at the destination. But that was just the beginning...
That final page then contained the following script which uses this implementation of AES in JavaScript to decrypt an encrypted payload:
Once decrypted, it's written out to the page like this:
And there's your phishing page which all began with that one little hop through a compromised site.
Now compare the experience in the images above - namely the fact that I could load the sites without warning - to the following experiences. For example, if I attempt to load the aforementioned daffodil site in Chrome today:
This is simply a matter of sufficient time having passed that Google has now classified the site as malicious and placed a rather unmissable warning on it.
Here's what happens if I try and hit a site that Freedome VPN recognises as malicious:
Turn the VPN off and that same site is flagged my ISP:
Then there's Microsoft's safe links implementation which intervenes when accessing a malicious URL sent by email:
So, you see the pattern: domains with non-negative reputations are valuable - that's the attraction here and it's just as attractive whether a site is collecting valuable user credentials or posting photos of daffodils! Every site has something valuable they need to protect and that's their reputation. Let that go, and the only thing you're left with is those last 4 screen shots above.