It’s easy to believe that phishing only happens to people who aren’t smart enough to detect it. This simply isn’t true. As the tech-savvy developers at software company a9t9 have indicated in their statement about a phishing incident last week, even smart developers can be fooled with a phish.
As reported by Tripwire, a Chrome plugin developer fell for a phishing attack that allowed the threat actor to take control of a9t9’s account in the Chrome Store. This means that the Copyfish plugin built by a9t9 was no longer under its control. Meanwhile, the plugin has already been used to “insert ads/spam into websites” according to the statement by a9t9.
The original phishing message that lured the developer carried a link on the URL shortening service called Bit.ly. As Tripwire explained, the victim did not notice the odd link because he was viewing the message in webmail. However, in the screenshot of the message in its text format, the Bit.ly link is clearly-visible. One of the great features of Bit.ly for those creating “bitlinks” is that you can view statistics about the locations and user agents of who clicks on your link. Others can also see a few stats by appending a plus (+) sign to the end of the URL. Below is what we saw when we did this:
The stats tell us that the bitlink was created on July 28th and leads to a URL on rdr11.top, a domain first registered on that same day via NameCheap but under privacy protection. Once the victim clicked on the link, he was redirected to the rdr11.top URL which itself then redirected to a URL on chrome-extensions.top, to the page seen below:
The domain chrome-extensions.top was also registered via NameCheap using privacy protection on July 28th.
The rdr11.top and chrome-extensions.top hosts resolve to Saint Petersburg, Russia, IP address 220.127.116.11, part of a /23 net block owned by Moscow Selectel Service.
Also known to resolve to have resolved to 18.104.22.168 is the domain chrome-extensions.pro, registered July 21st with NameCheap, using privacy protection.
A third resolution to the same IP, 22.214.171.124, was the phishy-sounding domain cloudflaresupport.site, also registered via NameCheap under privacy protection, on July 18th. A similar domain, cloudflaresupport.info, was registered with NameCheap on June 21st and even used the Cloudflare service for phishing Cloudflare accounts, but it is now under Cloudflare’s control. See the tweet below that included screenshots of the phishing message and spoofed Cloudflare login page:
— Lawrence Abrams (@LawrenceAbrams) June 21, 2017
In the Comments of that tweet are screenshots showing further redirection to a Google login phishing page on webstoresupport.top, registered with NameCheap using privacy protection on June 20th. Other comments reveal that on June 21st CloudFlare actively engaged the customer support software ticketing service being used by the threat actor to send the phishing messages, FreshDesk. However, a9t9’s statement mentions that FreshDesk was still being used on July 28th when the a9t9 developer was lured in by a phishing email message.
There are some lessons that can be learned about two factor authentication for such important accounts as your Chrome Store or Cloudflare logins; however, the main issue here is that the victim was not even thinking about the possibility of phishing while responding to his email messages. Phishing, now commonly used against all types of accounts and for increasingly-creative purposes, is known to be the number one way that attackers breach our critical processes, steal our intellectual property, and bring businesses to a screeching halt. We can also thank a9t9 for owning up to its mistakes so that we can all learn from them. Their share helps us to connect the dots and discover more about the phisher and his methods and infrastructure.
You can use PhishMe to make sure your employees know how to recognize, report, and respond to these growing threats.