Contact
Trust Amongst Thieves - Talion

A story of paranoia, poor code knowledge and DROP TABLES

It was a standard day of projects and calls when I was passed a phishing URL from our Chief Operating Officer which he had received via SMS.

“Ahh you’ve registered a new PAYE, click below to verify”.

My first thoughts were, of course this is just a standard SMS phishing scam – we see these all the time, but there was a small compelling feeling that it is not every day that the COO sends you a link to evaluate, so I humored the request and got on with trying to dig out more information about what was going on.

Phishing

The domain attached the phishing link was: hXXps://secure-remove-payee.com and it was simulating a HSBC login page. Phishing kit templates are pretty good these days, so it was no surprise it handled both mobile and desktop browsers with ease. As I was trawling the site, however, I noticed there were some similar named files, “idv.Log.php”, “idv.Process.php”, and I wanted to know if these files are seen anywhere else in the wild. A quick glance around VirusTotal led me to the hash which was linked with a multitude of different domains all following similar naming conventions:

hXXps://resolve-newpayee.co.uk
hXXps://cancel-myhsbc-payees.com

The list goes on. It was the related files which caught my eye.

A zip folder named HSBC – surely not. Has someone uploaded the entire source code for the panel? It seems that people who purchase these panels for use are quite paranoid about anything which could be “malicious” hidden within – so what better way than to upload the full source set to our friendly neighbourhood VirusTotal to make sure the operators selling the panel have not stuck anything untoward in the source code.
The full source code which was uploaded also included configuration settings which looked to have been previously used in a phishing panel, alongside database credentials.

It’s at this point, I was laughing, had lockdown finally got to me, was I finding config files a source of humour? Or, was it that I was pre-empting what I found in the source code next?
I continued to evaluate the source code, I broke up my day and it was at the point that I was quite happy with what I had already found that I noticed a file – “installerdb.php”. Amateur operators of panels typically leave installation artifacts lying around mainly because they do not like removing things they don’t understand. Installerdb.php was the Ronseal of files:

It’s the first step which drew my attention.

If the table exists, delete it, and make a fresh table.

Now the coder behind this script has made a very fatal flaw. Although the script resides in the admin folder on the website – it does not have session checks to ensure that the person who is running it – is meant to.

Theoretically – Every website setup with this phishing kit could have all the victims’ entries removed from the database and replaced with a blank slate- by anyone. Nullifying attempts at retrieving banking information from victims.
This served a very inciteful message for me – it may not have been APT “sexy” malware, but it was indeed an interesting journey of discovery, giving a glimpse into the world of Phishing panels.

Indicators of Compromise

Below is a list of the domains I found while investigating, which can be blocked at proxy level, and hashes of files I found to be related to the phishing panel.

Domain:
hXXps://resolve-newpayee.co.uk
hXXps://cancel-myhsbc-payees.com
hXXps://secure-remove-payee.com
hXXps://verifymy-payees-issues.live
hXXps://security.hs-paymreview.com
hXXps://cancel-myhsbc-payees.com
hXXps://hs-securityauth-verify.com
hXXps://secured-onlinebanking.com
hXXps://hsbc.payee-reviews.com
SHA256: f8a2abc587fc2c04bd2adef6c9b0e4f4227c7b0ca87756e6c4c629d83c87e91c
177ffa1d35bbd3b93aa60a41cf5f0d28c50d8f933fd008490b368a2812815849

 
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Talion
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Talion
24x7x365 UK-based Security Operations Centre
Talion
Service underpinned by market leading threat intelligence team
Talion
Continually developed threat relevant content, backed by SLAs
Talion
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Talion
Experts in SIEM and SOAR technology
Talion
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.

CISO Cyber Dinner – Register Your Interest!

Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.