Whatsapp Web Phishing

(Screenshot: 2016-08-02 09.59.28)

Recently we received a message from Webmaster notifying us that malicious content had been detected on our website. The flagged link was a WhatsApp phishing page under a folder that appeared to exist on our hosting.

(Screenshot: 2016-08-02 10.56.40)

Malicious code within the page could not be isolated.

Sample URLs:
http://www.mygadgets.my/~service/Web/WhatsApp/2016/
http://www.mygadgets.my/~service/Web/WhatsApp/2016/index.php
http://www.mygadgets.my/~service/Web/WhatsApp/2016/process.php

The code confirms that this is a WhatsApp phishing kit designed to trick unsuspecting users into entering their credit card numbers.

<?php
/*
WhatsApp Phisher
File : index.php
Coded by x256
Ask for updates premiumers(at)gmail.com 😉
*/

@include("send.php");
@include("geo.php");
$Title = "Payment";
$SubTitle = "PURCHASE EXTENSION FOR";
$Year = "YEAR";
$Years = "YEARS";
$Price1 = "0.99"; $Price2 = "2.67"; $Price3 = "3.71"; $curr = "US$";
$CardHolder = "Card Holder";

At first glance it seemed highly likely that our web hosting account had been compromised. After checking repeatedly, however, our engineer could not find any such URL or file location in our account.

http://www.mygadgets.my/~service/Web/WhatsApp/2016/index.php

The URL looked a little suspicious. Using a reverse IP lookup, we found that every domain on the same shared hosting server serves the same phishing URL. This led us to believe that the hosting server, rather than our account, had been compromised.

(Screenshot: 2016-08-02 11.21.31)

This confirms that the phishing web directory exists on the server. On further investigation we noticed something odd about the URL: the "/~service/" segment confirmed our suspicion.

What is a temporary URL?

Every web hosting company allocates a temporary URL to each user so that a site can be tested before going live. This temporary URL usually takes the form http://ip-address/~username/directory. The key part is the ~username. It seems my hosting company (and probably many others) does not properly restrict access to these temporary URLs: once a temporary URL exists, it can be reached through every domain hosted on the same server.

(Image: whatsapp-phising)

How does the attack work?

The attacker simply buys a shared hosting account. He then exploits the weakness of shared hosting by using mod_rewrite to redirect requests for "~service/Web/WhatsApp/2016/index.php" to his own hosting account, which holds the malicious code. In this way the attacker can use every domain name hosted on the same server for his phishing campaign without compromising any of them individually. Finding those domain names is easy using reverse-IP-to-domain lookup websites. The attacker is also smart enough to pick "service" or a similarly innocuous username, such as "web" or "webmin", so that the URL looks legitimate.
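As an added example (not part of the original post), here is a small Python check a site owner can run over their own domain's Apache access log to spot requests for /~username/ paths that the server answered through the domain: any served hit under a ~user the owner never published is exactly the symptom described above. The combined log format, the usernames and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; matches typical cPanel raw access logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# A request path of the form /~username[/...] is a mod_userdir "temporary URL".
USERDIR_RE = re.compile(r'^/~(?P<user>[A-Za-z0-9_.-]+)(?P<rest>/.*)?$')

def find_userdir_requests(lines, own_users=frozenset()):
    """Return every parsable request for a /~user/ path whose user is not in own_users.

    own_users holds usernames whose ~user directory legitimately belongs to this
    account (e.g. your own hosting username); anything else is foreign.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        u = USERDIR_RE.match(m['path'].split('?', 1)[0])
        if not u or u['user'] in own_users:
            continue
        hits.append({
            'ip': m['ip'], 'time': m['ts'], 'method': m['method'],
            'user': u['user'], 'path': m['path'], 'status': int(m['status']),
        })
    return hits

def summarize(hits):
    """Count requests per foreign ~user that the server actually answered (status < 400)."""
    return dict(Counter(h['user'] for h in hits if h['status'] < 400))

# Constructed sample lines modelled on the incident above; not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Aug/2016:09:58:11 +0800] "GET /~service/Web/WhatsApp/2016/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Aug/2016:09:58:40 +0800] "POST /~service/Web/WhatsApp/2016/process.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Aug/2016:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Aug/2016:10:05:13 +0800] "GET /~mygadget/test/ HTTP/1.1" 200 1200 "-" "curl/7.47"',
    '192.0.2.33 - - [02/Aug/2016:10:07:55 +0800] "GET /~webmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    found = find_userdir_requests(SAMPLE_LOG, own_users={'mygadget'})
    for h in found:
        print(h['time'], h['ip'], h['method'], h['status'], h['path'])
    print('served requests per foreign ~user:', summarize(found))
```

A non-empty summary is the evidence to hand to the hosting company, since the requests were served by your domain even though the files are not in your account.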

How to prevent it?

Unfortunately, there is no real way to prevent this from your side. Adding a redirect in .htaccess does not work in this case, presumably because the web server resolves the temporary URL before your .htaccess rules are applied.

Your only option is to raise the issue with your hosting company so that they can delete the malicious account. You should also ask your hosting company to close the weakness that makes this kind of attack possible. This is one of the disadvantages of shared hosting.
