Analysis of a phishing attack

I spotted and reported a Twitter phishing attack on 14th of July. It was quite similar to many previous ones, but the attackers did one mistake. The collected usernames and passwords were visible to public. I was able to see all data collected by the attackers. End result: a text file with 21943 possible usernames and passwords.

Attack tools and estimated cost

  • Thousand compromised Twitter accounts for spreading links (2 USD)
  • Phishing website(s) hosted by Google App Engine (0 USD)
  • Phishing script and data storage on a separate website: mkson.s-z1.com (0 USD)

Attack details

Compromised Twitter accounts spread links to the phishing site using keywords such as “this entry by you is crazy”, “this blog by you is so funny” and “lol this was used by you?”. Many accounts posted diet spam links during the attack, too:

Example tweets

Attackers used Google App Engine as the phishing front-end. Example domains: session-timedout.appsot.com and validation-915.appspot.com. Attackers used one appspot website at a time: when Twitter blocked one site as malicious, another one was taken into use. Example phishing site:

Twitter phishing site

If user entered data using this form, it was sent to a script in mkson.s-sz1.com. The directory listing of this domain was visible most likely by mistake. User data was collected into a text file called twit.txt:

Phishing data collector

I tested this functionality by entering fake credentials into the phishing site. They appeared in the text file immediately.

Aftermath

The attack lasted about 36-48 hours. Attackers collected most of the data during the first 24 hours.

Analysis of the collected data reveals that the attackers managed to get about 12000 Twitter credentials. Note that this is a rough estimate: I didn’t test any usernames or passwords. I only checked if the given email address or username was technically correct.

The text file contains almost 22000 lines so why only 12000 valid credentials? Top three reasons:

  • Duplicates: many users entered the data multiple times (2-9 times)
  • Username vs e-mail: many users tried to login with both username and e-mail address
  • Typos: some users entered wrongly formatted email addresses or usernames

Why would anyone return to the phishing site and re-enter his username and password? If user trusts the site, he will act as it if was a real login. Not all users know about phishing threats. Checking the browser address-bar can be difficult. This is why phishing attacks are often successful.

How to avoid getting hacked on Twitter?

Rule of thumb:

 if any link takes you to a Twitter login site, don’t enter your username or password. Just close the browser or browser window.

Read about Safe Tweeting: https://support.twitter.com/articles/76036-safety-keeping-your-account-secure#

If your account has been compromised: https://support.twitter.com/articles/31796-my-account-has-been-compromised#

 

One thought on “Analysis of a phishing attack

  1. Pingback: A Week in Security (Jul 13 – 19) | Malwarebytes Unpacked

Leave a Reply

Your email address will not be published. Required fields are marked *