Threat actors use a wide range of techniques to keep researchers and automated crawlers from discovering their hosted phishing websites. The earlier a phishing website is discovered and flagged as malicious by scan engines such as VirusTotal and Google Safe Browsing, the sooner that website goes down.
A phishing website is rendered virtually ineffective as soon as browsers begin displaying the malicious-website warning before visiting it. To prevent early detection and keep their cover from being blown, threat actors use a wide variety of TTPs (Tactics, Techniques, and Procedures), from geo-restricting users based on the browser time zone to filtering specific IP ranges and User-Agents.
Different TTPs Used by Threat Actors to Restrict Access to Their Phishing Pages
- Filtering User-Agents: The User-Agent is a string sent in the request headers to tell the server which browser and operating system the request is coming from, so that the server can serve content accordingly. Phishing kit developers abuse this feature to allow access to their phishing pages only when the user's browser has a particular User-Agent string. For example, a phishing kit might show the phishing page only when the browser is Chrome running on Android; otherwise the user is shown a random benign page.
- Filtering IPs and IP ranges: Threat actors commonly block IPs or entire IP ranges belonging to specific data centers, organizations, threat intelligence providers, or ISPs to avoid their phishing websites being discovered. They use various methods to block these ranges, the most common being to list the IPs and IP ranges explicitly in the .htaccess file's deny list.
What is an .htaccess File
The .htaccess file is a configuration file used on Apache servers that lets you set up access rules at the directory level. It is commonly used on websites hosted on shared hosting servers, where the global server configuration cannot be accessed. Shared hosting providers are also very commonly used by phishing threat actors.
The simplest way to discover the IPs and IP ranges blocked by phishing kits is to scan the deny list in the kit's .htaccess file.
Bolster Phishing Kit Collection
At Bolster, we actively scan for and collect phishing kits from threat actor-owned infrastructure.
For this analysis, we took the 19,000 most recently collected phishing kits and scanned their .htaccess files for denied IPs and IP ranges. A total of 3,926 of the collected phishing kits used .htaccess files with deny rules to filter visitors. In total, 74,257 unique IPs and IP ranges were found on the deny lists across all scanned .htaccess files.
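As an added example (not part of the original post or of Bolster's tooling), the scan described above can be reduced to a small parser: it extracts `deny from` and `Require not ip` entries from a kit's .htaccess, normalizes Apache's partial-address ("104.16.") and dotted-netmask forms to CIDR, de-duplicates them, and checks whether a given scanner IP would be refused. The .htaccess content below is constructed for illustration, not taken from any real kit.

```python
import ipaddress
import re

# Constructed sample .htaccess in the style phishing kits commonly ship
# (Apache 2.2 deny list plus one Apache 2.4 "Require not ip" line).
SAMPLE_HTACCESS = """\
Order Allow,Deny
Allow from all
deny from 52.95.0.0/16
deny from 13.64.0.0/255.224.0.0
Deny from 104.16.
deny from 66.249.
deny from 8.8.8.8
deny from 52.95.0.0/16
Require not ip 203.0.113.0/24
"""

# Matches both the 2.2 and 2.4 directive forms, case-insensitively.
DENY_RE = re.compile(r"^\s*(?:deny\s+from|require\s+not\s+ip)\s+(.+?)\s*$", re.I)


def to_network(token):
    """Normalize one deny token to an ip_network, or None if it is not an IP.

    Apache accepts full IPs, CIDR, IP/netmask, and trailing-dot partial
    addresses such as '104.16.' (meaning 104.16.0.0/16).
    """
    token = token.strip()
    if token.endswith("."):  # partial address: each given octet adds 8 bits
        octets = token.rstrip(".").split(".")
        if not (1 <= len(octets) <= 3) or not all(o.isdigit() for o in octets):
            return None
        prefix = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        token = ".".join(octets) + f"/{prefix}"
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:  # 'all', 'env=...', hostnames, garbage
        return None


def parse_deny_list(text):
    """Return the set of unique networks blocked by an .htaccess body."""
    nets = set()
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            # 'deny from a b c' may list several hosts on one line.
            nets.update(n for n in map(to_network, m.group(1).split()) if n)
    return nets


def is_blocked(ip, nets):
    """Would a scanner at this IP be refused by the kit's deny rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)
```

Running `parse_deny_list` over every .htaccess in a kit collection and counting the resulting networks is the aggregation behind the figures above.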
Blocked Organizations & ISPs
In our dataset, the most commonly blocked IPs/IP ranges belonged to Amazon AWS, followed by Microsoft data center IP ranges.
For the complete list, see the raw data in the GitHub repo.
- As mentioned before, using .htaccess is not the only method threat actors use for geo-blocking visitors. There are other, more effective and stealthier methods as well, which are harder to detect and scan for.
- Each phishing kit has a different target audience, so threat actors use block lists accordingly. For example, if threat actors are targeting banking customers in the US, they would try to block access to the site from IPs outside the US. But if they are targeting customers of a bank in Malaysia, they would whitelist only Malaysian IPs.
At Bolster, we are aware of such blocking TTPs used by threat actors, and we use residential IP scanners and offer scanning with the User-Agents of various browsers and devices to avoid such blockers.
Get your free trial for Bolster Platform here
This blog is published by Bolster Research Labs. We are also the creators of https://checkphish.ai, a free URL scanner to detect phishing and scam sites in real time.
*** This is a Security Bloggers Network syndicated blog from Bolster Blog authored by Nikhil Panwar. Read the original post at: https://bolster.ai/blog/phishing-kits-htaccess-deny-list-analysis/