Friday, March 22, 2013

You Just Won A MEGA DISCOUNT!!!! (no you didn't)


You are an infosec geek when you receive a call that you know is a scam but you pick it up anyway to hear the recording. You then do some internet recon on the domain they tell you to go to and find that it was registered very recently. Next you pull up your sandbox system, load up BurpSuite and proceed to visit the very obvious phishing site to see what happens.
Fake AT&T Phishing Site

So, a random pre-recorded call from a bogus 800 number.
"You just won the AT&T Mega Discount for $555 dollars off your next AT&T bill. You just need to visit att555.com to claim your discount."
So you go to this site and say "Hey this looks legit, all the logos are there and such. Let me just log in and get my reward!"

Real AT&T Account Site
And now you just gave some guy in Germany your AT&T account creds and the last 4 digits of your Social Security number. Notice the attached images? The first is the phishing site; it has all the logos and looks very similar to the real AT&T account site (next image). But the bogus site has an extra field for "Last 4 of SSN." In most cases AT&T will never ask for this unless you forgot your password or they need to verify your account when you call them.

With BurpSuite running in intercept mode, you can watch the activity as you enter fake information into the site. It took whatever I submitted with no validation (another sign it is a bogus site). When I hit "log in", a ton of stuff happens in the background. It sends the data you entered to a web address in Germany:
hxxp://85.25.17[.]164/kingpin/deduct2.php
This happens in clear text as well, with no SSL anywhere to be seen. This is just one more thing to add to the list of suspicious activity. If the phisher was more creative, they would have at least used a bogus SSL cert to add more realism to the ruse.
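The same indicators can be checked mechanically once you have the intercepted requests in front of you. The script below is an added example, not code from the original post: it scores a captured form submission on the four things the post observed (sensitive fields over plain HTTP, a POST target that is a raw IP address, credentials leaving for a host other than the login page, and an SSN field on a login form). The captured requests, the `att555.example` page, the `203.0.113.10` destination and the `collect.php` path are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what an intercepting proxy shows for two form
# submissions: one from a phishing page, one from a legitimate login.
# Hostnames, IP (documentation range) and paths are hypothetical.
CAPTURED = [
    {
        "page": "http://att555.example/login.html",
        "method": "POST",
        "url": "http://203.0.113.10/kingpin/collect.php",
        "body": "user=someone%40example.com&password=hunter2&ssn4=1234",
    },
    {
        "page": "https://account.example-carrier.com/login",
        "method": "POST",
        "url": "https://account.example-carrier.com/auth",
        "body": "user=someone%40example.com&password=hunter2",
    },
]

# Field names that should never travel in the clear or to a stranger's host.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "ssn", "ssn4", "last4ssn", "pin"}
SSN_FIELDS = {"ssn", "ssn4", "last4ssn"}


def _is_ip_host(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_submission(req):
    """Return (score, reasons) for one captured form submission.

    Each reason mirrors one observation from the post: cleartext transport,
    a raw IP as the destination, credentials posted to a host other than the
    page that rendered the form, and an SSN-style field on a login form.
    """
    reasons = []
    target = urlsplit(req["url"])
    page = urlsplit(req["page"])
    fields = {k.lower() for k in parse_qs(req["body"])}
    sensitive = fields & SENSITIVE_FIELDS

    if target.scheme == "http" and sensitive:
        reasons.append("sensitive fields sent over cleartext HTTP")
    if _is_ip_host(target.hostname or ""):
        reasons.append("form posts to a raw IP address")
    if sensitive and target.hostname != page.hostname:
        reasons.append("credentials leave for a different host than the login page")
    if fields & SSN_FIELDS:
        reasons.append("login form asks for SSN digits")
    return len(reasons), reasons


def triage(captures):
    """Score every capture; higher scores are the ones worth a closer look."""
    return [(c["url"], *score_submission(c)) for c in captures]


if __name__ == "__main__":
    for url, score, reasons in triage(CAPTURED):
        print(f"{score} {url}")
        for reason in reasons:
            print("   -", reason)
```

Run it as-is and the constructed phishing capture scores 4 out of 4 while the legitimate login scores 0. Feeding it real proxy history is a matter of converting each request into the same `page` / `url` / `body` shape.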

So, moral of the story: think before you click! Be aware of your surroundings. If something is too good to be true... it probably is.