The market for pre-made phishing kits is thriving. Think of a financial institution, email provider, or e-commerce site and someone somewhere has undoubtedly created a pre-packaged collection of the files necessary to create a fictitious site designed to obtain personal and financial information from unsuspecting victims. These kits are often sold in Dark Web marketplaces or underground hacking forums, but they are also commonly distributed for free on various social media sites.

Because the ultimate motive for the creators of these kits is financial gain, many of these phishers insert hidden backdoors in their kits which, in addition to sending information to the kit’s users, forward the compromised data to other email accounts controlled by the kit creator. This is how they make their money. By freely distributing their kits with hidden backdoors, they greatly increase the amount of compromised information they can collect by essentially getting others to do the work for them.

The idea of backdoors in phishing kits is not a new one. Kit creators often obfuscate their backdoors to keep them from being removed by the phishers who use their kits. Phish kit creators are always looking for innovative ways to disguise their backdoors and protect their financial gain.

Recently, while analyzing a collection of kits, I discovered two new ways phishers are hiding their backdoors. I call these techniques the Dufresne Backdoor and the Vizzini Backdoor.

The Dufresne Backdoor

If you’ve ever watched The Shawshank Redemption, you probably remember how wrongly-convicted prisoner Andy Dufresne slowly dug his way to freedom using a small geologist’s tool called a rock hammer. He concealed this rock hammer in a bible, which was a gift from the sanctimonious (and hypocritical) warden. In the wake of his escape from Shawshank State Prison, Andy leaves the bible for the warden. A hammer-shaped cut-out was in the bible along with a note that said, “Dear Warden, you were right. Salvation lay within.”

In the Dufresne backdoor technique, the phish kit creator takes a similar approach by hiding the backdoor code in the middle of a copy of the legitimate open source jQuery library. The phishing kit author inserts a PHP file into the kit whose name and contents suggest to unsophisticated scammers that it simply holds JavaScript the kit needs in order to function. In some kits, the kit author even socially engineers the kit’s user by claiming that the file helps protect the scam.

When you look at the PHP file more closely, though, you can see that things are not what they appear to be.

The script begins with what looks like a copy of the legitimate open source jQuery library, which, on its own, is benign. However, why would someone copy this library into a PHP file? Why wouldn’t it simply live in an actual JavaScript file? The reason is that, hidden within the thousands of lines of library code, lies the kit’s backdoor, which requires PHP to execute.

At this point, we can see that what actually executes is an obfuscated PHP script. After deobfuscating the script, the kit’s backdoor becomes readable:

As you can see, the kit’s backdoor sends all of the information submitted to phishing sites that use the kit to a webmail account controlled by the kit creator. This includes:

Emails
Passwords
IP addresses and geolocation
Card data (numbers, expiration dates, CVV)
PII (Social Security numbers, addresses, birthdays)

The Vizzini Backdoor

In another classic movie, The Princess Bride, Princess Buttercup is kidnapped by a trio of outlaws being led by a Sicilian named Vizzini. Shortly after kidnapping the princess, they are pursued by a man who turns out to be Westley, Buttercup’s long lost love. As Westley overcomes numerous obstacles during the pursuit, Vizzini repeatedly exclaims, “INCONCEIVABLE!” which leads a confused Inigo Montoya to eventually respond, in one of the most memorable quotes in the movie, “You keep using that word. I do not think it means what you think it means.”

In the Vizzini backdoor technique, the phishing kit author attempts to cause the same type of confusion by disguising the backdoor code in a file that isn’t what it seems. Instead of inserting the obfuscated backdoor within the contents of a misleading jQuery library, the author adds an additional layer of deception and inserts the backdoor into what would look like a PNG image file to a passive observer.

This technique of embedding PHP scripts within PNG files was previously seen in the CryptoPHP malware, which compromised webservers beginning in 2013 using a malicious PHP script hidden in a file named “social.png.”

Upon opening the PNG file, you can see that its contents have been obfuscated with FOPO (a free PHP obfuscation tool).

After decoding the contents, you find that the script has been obfuscated yet again.

One more round of de-obfuscation reveals the plaintext of the backdoor. Like the backdoor hidden in the fake JavaScript file, it sends information stolen by phishing sites that use the kit back to a webmail account controlled by the kit creator.
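As an added defensive example (this is not code from the original post or from any kit), the following Python scanner flags both hiding techniques described above in a kit's files: a PHP open tag buried inside a .php file that opens like the jQuery library, and PHP code inside a file carrying a .png or other non-PHP extension (including a .png that lacks the PNG magic bytes). The sample kit contents are constructed for the example.

```python
import os
import re

# Constructed sample kit files (not real kit contents): a jQuery-looking PHP
# file with a PHP block buried after 200 lines of JavaScript, a "PNG" that is
# really PHP, a genuine PNG header, and a plain JavaScript file.
SAMPLE_KIT = {
    "js/jquery.php": (
        b"/*! jQuery v3.x | (c) jQuery Foundation */\n"
        + b"(function(a,b){...})(window);\n" * 200
        + b"<?php eval(base64_decode('aGVsbG8=')); ?>\n"
        + b"$.fn.ready=function(){};\n"
    ),
    # base64 'bWFpbA==' decodes to the string "mail", hiding the call name
    "img/social.png": b"<?php $h=base64_decode('bWFpbA=='); $h($to,$s,$m); ?>",
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "js/app.js": b"document.getElementById('f').onsubmit=function(){};",
}

PHP_TAG = re.compile(rb"<\?(php|=)")
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|mail)\s*\(")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
NON_PHP_EXT = (".js", ".png", ".jpg", ".gif", ".css", ".ico")


def scan_file(name, data):
    """Return a list of finding strings for one kit file (empty if clean)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    tag = PHP_TAG.search(data)
    if ext in NON_PHP_EXT and tag:
        findings.append(f"php tag in {ext} file at offset {tag.start()}")
    if ext == ".png" and not data.startswith(PNG_MAGIC):
        findings.append("png extension but no PNG magic bytes")
    if ext == ".php" and data.lstrip().startswith(b"/*! jQuery") and tag:
        findings.append(f"php tag buried in jQuery-looking file at offset {tag.start()}")
    if tag:
        # Only look for dangerous calls after the first PHP open tag, where they can run.
        for call in SUSPICIOUS.finditer(data[tag.start():]):
            findings.append(f"suspicious call {call.group(1).decode()}()")
    return findings


def scan_kit(files):
    """Map each file name in a kit to its findings, omitting clean files."""
    results = {name: scan_file(name, data) for name, data in files.items()}
    return {name: f for name, f in results.items() if f}
```

Running `scan_kit(SAMPLE_KIT)` reports only `js/jquery.php` and `img/social.png`; the real PNG header and the plain JavaScript file produce no findings.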

Evolving Phish Kits

In conclusion, one of the most interesting aspects of these backdoor techniques is that they demonstrate the way phish kits evolve over time. Apart from the variation in backdoor methods, the remaining contents of the two kits in which these backdoors were recovered were the same. This is a novel aspect of freely distributed phish kits: phish kit authors can easily take a kit developed by others and modify its contents to enhance functionality. In this instance, a phish kit author took the concept of a misleading JavaScript file and added another layer of obfuscation (the fake PNG) to better protect their backdoor.

From a researcher’s perspective, being able to observe this evolution in kits allows us to analyze the lineage of a kit to determine its ultimate source and original creator. Using this type of genealogical analysis, researchers can identify the primary and most reputable distributors in the phishing kit industry.