
Phishing at a new level: Cloudflare + Protonmail + Unvalidated Redirects, a young phisher's kit

"... you come and ask for something from me, but you ask without respect ..."
Vito Corleone

Phishing is still the most popular and most successful kind of attack. It is simple: what gets attacked is not the software, not the server and not the network, but the most vulnerable component of any information system, the users. I encounter phishing often, both single emails aimed at personal addresses and mass campaigns. In most cases these are clumsily written letters and sloppy phishing pages. Until recently most of these attacks fell apart at the user level: the emails were ignored immediately (the signs of phishing were too obvious) or, in the worst case, forwarded to the support desk with the question "Is it safe to enter my password on this page?". Of course some users still fell for them, but as a percentage it really was the minimum. But just last week I ran into a phishing attack whose level surprised me. I did a little analysis and found out exactly how it was organized and what tools were used.

I hope this will not read like a manual for preparing phishing attacks; the purpose of the article is to describe a specific case from practice. I will also share the results of a small analysis of the attackers' actions.

Phishing page
I will not follow the chronological order (as already said, this is not a how-to) and will begin with what surprised me most: the fake page the victims were sent to. It was an exact copy of the victim's ADFS sign-in page. Beyond the visual similarity, the page sat on a domain of the same level, and the URL differed in only one letter: the real address of the ADFS portal was
  https://login.contoso.ch/ 
and the address of the phishing page was
  https://login.contoso.cf/ 
(hereinafter the company name is replaced with contoso). And yes, the scheme was the same: the phishing page used HTTPS with a valid certificate from COMODO. Without Extended Validation, of course, but Chrome nevertheless showed the address bar "green".


"Investigation"

How can that be? Very stupid "hackers"! Second-level domains and COMODO certificates are not handed out to just anyone, so they will be easy to track down! But that is only at first glance...
Domain

Google suggested that .cf domains are given away for free. What matters here is not the price but the ability to obtain a domain without leaving a trace in the form of a credit card (or any other payment method). That is, an ordinary throwaway email address is more than enough. One of the registrars, Freenom, besides .cf also offers .tk, .ml and .ga. The only inconvenience is that some free email providers cannot be used at registration (mail.ru, yandex.ru, yahoo.com), but with most other addresses you can register a domain.

Email

We could not find out which email our phisher used to register the domain, since the whois server returned the following message: However, it can be assumed that it was protonmail, since the phishing messages themselves were sent through that service. That is not surprising: on protonmail you can register completely anonymously, and even if the relevant authorities are brought into an investigation, forcing protonmail to cooperate is not easy, as practice shows.

SSL certificate and hosting

Before this incident we naively thought it was impossible to stand up a web server with a valid TLS certificate from COMODO without leaving any traces. As it turned out, it is possible. In our case the attackers took advantage of Cloudflare. A quick look at the features of Cloudflare's free plan revealed a wealth of opportunities for phishing:
- Completely anonymous registration. An email address (from the same protonmail) is more than enough. In theory one could find out from which IP address the registration or login came, but I am more than confident that our attackers could easily hide their real address.
- A free certificate from COMODO. Not only free, but issued within minutes without any additional verification.
- Hiding the real IP address of the web server. All traffic passes through Cloudflare (it is first and foremost a CDN).
- TLS offloading. The real web server can serve plain HTTP; with Cloudflare in front, all client traffic goes over TLS. This matters because free hosting with HTTP is realistic to find, while hosting with TLS has to be paid for (leaving traces).

And one more fact: with rare exceptions, CAs do not sign certificates for .ga, .cf and .tk domains. Here (even if you are not a phisher) Cloudflare solves the problem: through them a certificate is issued without any trouble. The flip side, for a defender, is that a publicly trusted certificate obtained this way ends up in the Certificate Transparency logs, so the appearance of a certificate for a lookalike of your own domain is something you can watch for.

Unvalidated Redirects in the Service of Phishing

Now the fun part. The phishing letter, itself a masterpiece of social engineering, naturally contained a link, but not to the phishing page. The link pointed to the company's own website, to a page with an unvalidated redirect (open redirect) vulnerability. This may have been one of the reasons the letter passed all the anti-spam filters: the only URL in it belonged to the company's own domain. In the letter to user@contoso.ch there was a single link:
  http://contoso.ch/vulnerable.php?url=https://login.contoso.cf/ 
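The two ingredients above, the lookalike domain and the open redirect on the company's own site, can both be checked mechanically. What follows is an added example (mine, not code from the original post), written in Python rather than the page's PHP because the source of vulnerable.php is not reproduced on the page: vulnerable_redirect mirrors the unsafe pattern the page describes, validate_redirect is the hardened replacement that only lets same-site targets through, and triage_link is the mail-side check that would have flagged the emailed link as an open redirect landing on a lookalike host. The host inventory OWN_HOSTS and the sample links other than the emailed URL are assumptions constructed for the example; only contoso.ch, login.contoso.cf and the emailed URL come from the page.

```python
"""Open-redirect hardening and mail-link triage for the case on this page.

Added example, not the original post's code. vulnerable.php is not shown on
the page, so vulnerable_redirect() is an illustrative Python equivalent.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed inventory of hosts the company owns (the page names only contoso.ch
# and its ADFS portal login.contoso.ch).
OWN_HOSTS = {"contoso.ch", "login.contoso.ch"}


def vulnerable_redirect(url_param: str) -> str:
    """The pattern behind vulnerable.php?url=...: the Location header is
    whatever the link carried. Deliberately unsafe; kept to show the bug."""
    return url_param


def validate_redirect(url_param: str) -> Optional[str]:
    """Return a same-site redirect target, or None if the value must be refused.

    Refuses foreign hosts (exact match, so login.contoso.ch.evil.cf fails),
    userinfo tricks (login.contoso.ch@evil), scheme-relative //evil, backslash
    variants that browsers read as slashes, "https:evil" without slashes, and
    non-http schemes such as javascript:.
    """
    candidate = url_param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme not in ("", "http", "https"):
        return None
    if parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in OWN_HOSTS:
            return None
        # Rebuild the URL so userinfo, port and fragment from the input are dropped.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    if scheme:
        return None                       # "https:login.contoso.cf" style
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None                       # relative paths only, and never //
    return candidate


def safe_redirect(url_param: str, default: str = "/") -> str:
    """What the fixed vulnerable.php should send as Location."""
    return validate_redirect(url_param) or default


def is_lookalike(host: str) -> bool:
    """True when host equals an owned host in every label except the TLD,
    e.g. login.contoso.cf against login.contoso.ch."""
    labels = host.lower().split(".")
    for own in OWN_HOSTS:
        own_labels = own.split(".")
        if (len(labels) == len(own_labels)
                and labels[:-1] == own_labels[:-1]
                and labels[-1] != own_labels[-1]):
            return True
    return False


def triage_link(link: str) -> Tuple[str, str]:
    """Classify one URL found in a mail body: ('own' | 'external' |
    'lookalike' | 'open-redirect', host the user would actually land on)."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host not in OWN_HOSTS:
        return ("lookalike" if is_lookalike(host) else "external", host)
    # Link is to our own site: does any query value carry an absolute URL that
    # an unvalidated redirect would bounce the user to?
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value.replace("\\", "/"))
            if (target.scheme or target.netloc) and validate_redirect(value) is None:
                return ("open-redirect", (target.hostname or "").lower())
    return ("own", host)


if __name__ == "__main__":
    # Constructed sample: the emailed link from the page plus a few controls.
    sample_links = [
        "http://contoso.ch/vulnerable.php?url=https://login.contoso.cf/",
        "https://login.contoso.cf/",
        "https://login.contoso.ch/adfs/ls/?wa=wsignin1.0",
        "https://contoso.ch/vulnerable.php?url=/adfs/ls/",
    ]
    for link in sample_links:
        verdict, landing = triage_link(link)
        print(f"{verdict:14s} {landing:20s} {link}")
    print("vulnerable:", vulnerable_redirect("https://login.contoso.cf/"))
    print("hardened:  ", safe_redirect("https://login.contoso.cf/"))
```

The host check is an exact match against an inventory on purpose: suffix matching (`endswith("contoso.ch")`) is the classic mistake that lets `login.contoso.ch.evil.cf` or `evilcontoso.ch` through, and rebuilding the URL from the parsed host discards the `user@` part that makes `https://login.contoso.ch@login.contoso.cf/` look legitimate to a human.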


Is it possible to find them?

Without a doubt, we ourselves will not be able to find them. Could the authorities? One can try to request data from the registrar or from Cloudflare, and then go on to the same protonmail. If they cooperate, the most that can be obtained is an IP address. Is it possible to identify a criminal by IP address? I doubt it.

Summary

We do not know how many users fell for it; they will not admit it themselves. Just in case, we advised everyone to change their AD passwords. The company was strongly recommended to enable two-factor authentication on ADFS via a custom authentication method.

PS And still, I am not sure I would not have fallen for it myself: the level impressed me.

Source: https://habr.com/ru/post/306706/
