All security companies and researchers spend a massive amount of time documenting and alerting about phishing scams, malware attacks and delivery methods. It is a constant game of catch-up in which the “good guys” are one or two steps behind the “bad guys”, and unlike the movies, the guy in the white hat doesn’t always come out the winner.
The bad actors always find a way to stay one step ahead. This is especially true of phishing: they continually innovate and find new methods to deliver their “product” to you.
A phishing attack needs an initial approach to the victim, normally an email saying something like “update your bank or PayPal account”, like these examples:
That email will lead to a website set up by the phisher, that is designed to steal your information.
Until now that has required the phisher either to compromise an existing website (through exploits, or using access gained in a previous phishing attack) and add his web page to that site, or to set up a website of his own. Both of these are relatively easy for law enforcement, a security company, a researcher or an affected company like PayPal, Apple, Microsoft or a bank to report to the web hosting company or domain name registrar and get blocked or taken down. Antivirus companies can also block access via their firewalls or other web filtering software, as can anti-phishing organisations like Netcraft.
It has been a constant cat-and-mouse game as the phishers try to find new ways to disguise the route and steer the victim to the website. A typical method is to use a URL shortening service like https://goo.gl/ or bit.ly or any one of the thousands of similar services. Many phishers use a URL shortener to redirect to an innocent compromised site with no visible content, which in turn redirects to the phishing site, frequently passing through 3 or 4 redirects en route.
Then we have the abuse of the open redirect that Google allows, which lets a phisher or malware spreader use Google Search or many other Google services to mask the eventual site. This blog post on Stop Malvertising explains that.
All of these are relatively easy to block or take down, because they all end up on an actual website that a researcher, security company, law enforcement body or affected company can identify and report, or have access blocked via a firewall, web filtering service or antivirus on a company network or on the victim’s computer, phone or tablet.
Over the last couple of days we have seen a new and novel approach that allows a phisher to host the phishing site on his or her own computer rather than on a hosted website. This abuses the very useful service from https://forwardhq.com/, who run an SSL tunnelling service intended for testing websites and associated services on a developer’s computer and letting external users try them out. The service is frequently used by web developers to show a client work in progress so the client can ask for changes or point out faults.
Their help pages say:
Forward allows you to easily make a webserver running on any port on your computer accessible to anyone you’d like. When you run Forward, you get a unique URL, viewable over the internet from anywhere with just a web browser. All requests to that URL are tunneled to the webserver running on your computer.
A few common uses:
- Share your Forward URL with clients or coworkers to get quick feedback on your local development site
- Test your locally-run development server with a real SSL certificate (great for pesky IE SSL bugs)
- Develop and test against APIs that require callback URLs that are accessible on the public Internet
- Develop and test mobile applications against locally run servers
To encourage clients and new users, https://forwardhq.com/ offer a free 7 day trial without asking for credit card or other billing details. This is the service that is open to abuse and is being actively abused, with a PayPal phishing scam currently running on it.
The only way to block this sort of attack is for the web filtering software to block the entire fwd.wf domain (which is totally impractical and would be like blocking the entire Microsoft, Google or Amazon domains because one user is abusing their services), unlike other redirect services, where blocking the domain at the end of the redirect chain is possible, as well as every redirect en route.
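To make the difference concrete, here is a small added example (my own illustration, not code from the post or from Forward) that walks a redirect chain of the kind described above and reports which hops a defender could report or block. The redirect table is constructed for the example, and the hosts in it are placeholders; the only real names are the shortener domains and the fwd.wf domain mentioned in this post. It follows `Location`-style redirects offline, stops on loops or runaway chains, and flags a chain whose final hop lands on a tunnel domain, where there is no hosting company to report to and blocking the whole domain is impractical.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample chain: each URL maps to the Location header it would return.
# Hosts ending in .test are placeholders; only goo.gl and fwd.wf come from the post.
SAMPLE_REDIRECTS = {
    "https://goo.gl/abc123": "http://compromised-site.test/x.php",
    "http://compromised-site.test/x.php": "/go?to=next",          # relative Location
    "http://compromised-site.test/go?to=next": "http://second-hop.test/r",
    "http://second-hop.test/r": "https://some-tunnel.fwd.wf/paypal/login",
}

SHORTENER_DOMAINS = {"goo.gl", "bit.ly"}   # shorteners named in the post
TUNNEL_DOMAINS = {"fwd.wf"}                 # dev-tunnel domain named in the post


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def follow_chain(start, redirects, max_hops=10):
    """Follow redirects from start, resolving relative targets; stop on loop or cap."""
    chain, seen = [start], {start}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in seen:        # redirect loop: stop rather than spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def analyse(start, redirects):
    """Summarise the chain: hops, hosts to report, and whether it ends on a tunnel."""
    chain = follow_chain(start, redirects)
    hosts = [urlparse(u).hostname or "" for u in chain]
    final = hosts[-1]
    return {
        "hops": len(chain) - 1,
        "uses_shortener": any(host_in(h, SHORTENER_DOMAINS) for h in hosts),
        # Intermediate sites with a real host/registrar that can be reported:
        "reportable_hosts": sorted({h for h in hosts if not host_in(h, SHORTENER_DOMAINS)
                                    and not host_in(h, TUNNEL_DOMAINS)}),
        "final_host": final,
        "terminates_on_tunnel": host_in(final, TUNNEL_DOMAINS),
    }


if __name__ == "__main__":
    print(analyse("https://goo.gl/abc123", SAMPLE_REDIRECTS))
```

A chain flagged with `terminates_on_tunnel` still yields the intermediate compromised hosts for takedown, but the landing page itself only exists while the phisher’s own machine keeps the tunnel open.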
As soon as a new and valuable service comes online, the bad guys will find a way to abuse it to perform phishing attacks and spread malware. Let’s all keep our ears and eyes open and do our utmost to help victims and spread the word.