They say it’s a dog-eat-dog world out there, but in cybercrime terms, perhaps it should be called a “phish-eat-phish” situation. Researchers recently discovered that several widely used phishing kits harbor vulnerabilities that can be exploited by other criminals to hijack operations – and commandeer any freshly stolen data.
Worse, compromised kits can be used as a pivot point to infiltrate legitimate websites that have been compromised to host the kits in the first place.
Researchers at Akamai have found holes in the installation stage of some phishing kits that would allow a second attacker to infiltrate and upload additional files, including any sort of executable code – as well as simply take over the operations of the kit.
“The kits included basic vulnerabilities due to flimsy construction or reliance on outdated open-source code …and web application vulnerabilities,” wrote Larry Cashdollar, Akamai researcher, in a posting on Wednesday, adding that criminals can scan for and discover vulnerable kits, which are often uploaded to a compromised WordPress or Joomla blog.
Unfortunately, these buggy kits are also a perfect entry point for a hacker to gain access to the back end of an unwitting, legitimate web server.
“The real risk and concern in this situation goes to the victims – the server administrators, bloggers and small-business owners whose websites are where phishing kits like these are uploaded,” Cashdollar explained, noting that it’s a bit of double jeopardy situation; site owners may get in trouble for hosting a phishing site (even if inadvertently), and then may find their entire server infrastructure compromised on top of that.
“They’re getting hit twice and are completely unaware of the serious risk these phishing kits represent,” Cashdollar said. “Attackers compromising these kits using these vulnerabilities could gain additional footholds on the web server. One PHP shell and an improperly secured script ran by CRON is all an attacker needs to take over the whole server.”
Code Reuse Plagues the Criminal World Too
The main source of the problem is the slapdash way many of these kits are constructed, according to the firm’s research. Many of the phishing kits that Akamai looked at were found to come pre-packaged with the same types of file-upload vulnerabilities – a direct result of code-sharing.
“The common thread between each kit is the usage of class.uploader.php, ajax_upload_file.php, and ajax_remove_file.php, in a number of different naming conventions,” Cashdollar said. “The code used in these files comes from a GitHub repository that was last updated in 2017, and the project is just a collection of file upload scripts for PHP. The file names themselves are not important. The risk is the code being copied from GitHub and pasted between kits.”
The vulnerability lies in the fact that code for the uploader script and the uploader class file common across the kits don’t check for file type. So, a user could upload executable code to the web root, and if the upload path doesn’t already exist, the uploader class file will create it.
Also, “the code in the file remove script doesn’t sanitize user input from ‘..’ allowing directory traversal, enabling a user to delete arbitrary files from the system if they’re owned by HTTPd,” explained Cashdollar.
Code reuse is of course a normal part of development in both the legitimate and the cybercrime worlds, with open-source components widely adopted in an effort to not reinvent the wheel when it comes to basic functions.
The difference is that in the legitimate arena, “when problems are discovered, they’re usually quickly addressed and corrected,” Cashdollar said. “Criminals do not care, nor do they actually control their code once released, so there is no real fix for vulnerabilities like these.”
Is there no honor among phishing thieves?