So, I got sent yet another phishing email to look into to. Let's just say everything about this one had me laughing. Here is the email as it appeared:
 |
| The world's least obvious phishing email |
Of course, me, being the curious guy I am, decide to click on it. I was presented with a "[redacted]redirect.php" page, which took me to a new page that did all of the "phishing".
 |
| Boy, that's sure not obvious |
|
Right off the bat, it's pretty obvious we are dealing with an "Advanced Persistent Threat". This is not your normal script kiddie, they even included a tiled and watermarked map of the world! Impressive. In all seriousness, this was uploaded to a WordPress server under the wp-admin page, indicating that the server was compromised. The comprised server is riddled with vulnerabilities due to having an outdated version of WordPress (3.4.2) and a number of vulnerable plugins.
Clicking one of the services brings up the following:
 |
| Foolproof! |
If you notice the url, the page is running under xxxxxxxxx.com/wp-admin/css/sw/. So, if you go back a folder, you are able to list the contents of the /css directory.
 |
| Did someone say "source code"? |
|
|
MFW:
Yep, download the zip and voila, source code of everything relating to the attack page.
Open up one of the $webmail_service.php pages and we are greeted by comedy gold.
MFW:
Plug the email or name into Google and you get his twitter page. Which includes the city our ub3r1337 hacker lives in:
 |
| Everything seems to match up |
Alright, so now we have a twitter, full name, email, and city... I stopped at this point because it was getting pretty ridiculous, but you can easily see where some one could have gone with this.
Let this serve as an open letter to aspiring phishermen out there:
1. Don't do it. It's not worth it.
2. If you compromise a web server, don't be stupid enough to send emails from it to your personal email address.
3. Don't put your name in your source code.
4. Don't let people access your source code.
5. Don't do it. It's not worth it.
This goes to show that if you do not keep your WordPress server updated and patched, you are opening the gates to all kind of persons with malicious intent. Including (highly skilled) hackers like this...
