Phishing in a Nutshell: January – March 2018

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email


Phishing remains one of the most dangerous threat vectors of cyberattacks. Even though Exploit Kits are on the decline overall, as we outlined in our posting Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers, phishing itself is not on the decline. Unit 42 recently has done research on phishing attacks and phishing URLs. In this blog, we will show some statistical phishing results from the first quarter of 2018, January through March, especially for HTTPS phishing URLs.

Phishing URLs Statistics

In the first quarter of 2018, we found 4,213 URLs from 262 unique domains used in phishing attacks. On average, we found one domain serving 16 different phishing URLs. The heat map below shows the geographic distribution of these 262 domains.


Figure 1 Phishing domains geographic heat map

Over half of these phishing domains were hosted in the United States. There was then sharp drop to the two next highest countries: Germany with 28 domains and Poland with 13, as shown below in Figure 2.


Figure 2 Phishing domains countries/zones and numbers


We also found several phishing domains hosted in Africa and South America.

Among the 4,213 phishing URLs, there are 2,066 using a generic phishing template which can target multiple different companies or organizations; for example, attackers used “next1.php” with the name and id “chalbhai” in a form to target Bank of America customers as shown in Figure 2. We also observed that this similar template targeted DropBox customers and was used for IRS tax fraud schemes.



Figure 3. chalbhai phishing page source code example


In addition to the generic phishing templates, there were 1404 URLs with phishing spoof pages targeting Adobe customers, 155 URLs targeting DropBox customers, 18 URLs targeting Facebook users, 442 URLs targeting Google Doc users, 108 URLs targeting Google Drive users and 20 URLs targeting Office 365 customers. There is a histogram below in Figure 4 showing the phishing URL distribution by targets. From the histogram, we can see the generic phishing URLs account for almost 50% of the total 4213 URLs, followed by the URLs targeting Adobe and Google accounts, accounting for 33% and 13% respectively. In addition to the top 3, there are also a few URLs targeting Office 365 and Facebook accounts..


Figure 4. Phishing spoof page distribution

HTTPS Phishing URLs

HTTPS phishing URLs are more difficult to identify. Therefore, we put additional effort into identifying and analyzing them. Of the 4,213 phishing URLs, 1,010 are for HTTPS URLs from 46 unique domains. On average, one domain served 21 different phishing URLs. Figure 5 shows the comparison between HTTP and HTTPS phishing URLs and domains.


Figure 5. HTTP and HTTPS comparison

We also investigated the certificate issuers of the 46 domains. We found “cPanel” issued certs for 31 phishing domains, “COMODO” and “Let’s Encrypt” each respectively issued certs for 6 different phishing domains, “Go Daddy Secure” issued one, and also there are 2 domains no longer in use as shown in Figure 6.


Figure 6. Cert Issuer Distribution

Unit 42 has contacted all hosters and issuers. The “Comodo” certs have been distrusted by Google and there is only one from “Go Daddy Secure”. A complete list of domains and certs are included below. We highly recommend they be added into suspicious certificate lists.


Figure 7. Phishing domains’ cert issuers

Phishing Kits

To make phishing attacks more effective, attackers usually clone and pack the modified files of one website (intended to be used in a phishing campaign) into a zip file and upload it to multiple hacked websites. This zip file can be considered a part of phishing kit. After unpacking the zip files and deploying the phishing site, some attackers fail to remove the zip file leaving it openly accessible to researchers to analyze its contents. During our research, we collected phishing zip file samples. Below is a phishing example meant to target Outlook/Office365 accounts as shown in Figure 8 and Figure 9.


Figure 8. Directories of a phishing kit


Figure 9. Contents of CSS directory in a phishing kit


In this blog we showed some phishing statistics from the first quarter of 2018 that demonstrates phishing targets distribution, general phishing templates and phishing kits. In particular, we showed HTTPS phishing URLs and the distribution of certificate issuers with certs being used maliciously. HTTPS phishing URLs are worth noting, because HTTPS is thought by many to be more trustworthy and malicious links are harder to detect.  Palo Alto Networks has the ability to deal with HTTPS phishing URLs and will continue to ensure that our customers can be protected from HTTPS phishing attacks. We also have IPS signatures to detect phishing kits. All Palo Alto Networks customers with a valid threat prevention subscription are protected from all phishing attacks mentioned in this blog.



Carrentalahmedabad[.]info (dead) (dead)
Sdlfkjttq[.]tk (dead) (dead)
ana-ero[.]bid COMODO ECC Domain Validation Secure Server CA 2  sni50732.cloudflaressl[.]com
www.discoverdiva[.]com COMODO ECC Domain Validation Secure Server CA 2  sni222615.cloudflaressl[.]com
biomedics.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
clements.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
offiicceeeedrop.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
re-fb.000webhostapp[.]com COMODO RSA Domain Validation Secure Server CA  *.000webhostapp[.]com
Allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu
Allamericantrade[.]pl cPanel, Inc. Certification Authority  Allamericantrade[.]pl
Azadtehsil[.]ml cPanel, Inc. Certification Authority  Azadtehsil[.]ml
Bectronix[.]tech cPanel, Inc. Certification Authority  Bectronix[.]tech
Clearwaterfiles[.]ml cPanel, Inc. Certification Authority  Clearwaterfiles[.]ml
Clearwaterfiles[.]tk cPanel, Inc. Certification Authority  Clearwaterfiles[.]tk
Cloudhsh[.]com cPanel, Inc. Certification Authority  Cloudhsh[.]com
Cristaleriags[.]es cPanel, Inc. Certification Authority  Cristaleriags[.]es[.]pl cPanel, Inc. Certification Authority[.]pl
cuh-dubai[.]com cPanel, Inc. Certification Authority  cuh-dubai[.]comcom[.]br cPanel, Inc. Certification Authority[.]br
Dunkelbergerz[.]ga cPanel, Inc. Certification Authority  Dunkelbergerz[.]ga
ea23travel[.]com cPanel, Inc. Certification Authority  ea23travel[.]com
Filtrao[.]org cPanel, Inc. Certification Authority  Filtrao[.]org
Footworkapp[.]ga cPanel, Inc. Certification Authority  Footworkapp[.]ga
Hentoshphotography[.]com cPanel, Inc. Certification Authority  Hentoshphotography[.]com
mail.allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu[.]pl cPanel, Inc. Certification Authority[.]pl[.]ve cPanel, Inc. Certification Authority[.]ve
mic-office[.]cf cPanel, Inc. Certification Authority  mic-office[.]cf
mic-office[.]ga cPanel, Inc. Certification Authority  mic-office[.]ga
richbtc4u[.]com cPanel, Inc. Certification Authority  richbtc4u[.]com
Servicenterelectronic[.]com cPanel, Inc. Certification Authority  Servicenterelectronic[.]com
Theaafiz[.]com cPanel, Inc. Certification Authority  Theaafiz[.]com
vweds.usa[.]cc cPanel, Inc. Certification Authority  vweds.usa[.]cccc
www.allamericantrade[.]eu cPanel, Inc. Certification Authority  Allamericantrade[.]eu[.]pl cPanel, Inc. Certification Authority[.]pl
www.manglammilk[.]com cPanel, Inc. Certification Authority  Manglammilk[.]com
www.servicenterelectronic[.]com cPanel, Inc. Certification Authority  Servicenterelectronic[.]com
www.upperdelawarescenicbyway[.]org cPanel, Inc. Certification Authority  Upperdelawarescenicbyway[.]org
Zyaviv[.]com cPanel, Inc. Certification Authority  Zyaviv[.]com
Getwealthi[.]com Go Daddy Secure Certificate Authority – G2  Chasethepaper[.]com
Farmking[.]in Let’s Encrypt Authority X3  Farmking[.]in
Cabinetdetectivi[.]ro Let’s Encrypt Authority X3  Cabinetdetectivi[.]ro
Stiesdal[.]com Let’s Encrypt Authority X3  Stiesdal[.]com
Stingereincendiu[.]ro Let’s Encrypt Authority X3  Stingereincendiu[.]ro[.]ke Let’s Encrypt Authority X3[.]ke[.]vn Let’s Encrypt Authority X3[.]vn

The post Phishing in a Nutshell: January – March 2018 appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?