  • The attackers hosted two different phishing kits, one targeting Amazon users and one targeting PayPal users, although both use the same tactics and techniques.
  • The stolen credentials are sent to an email address using steganography, a popular method for hiding or embedding data inside an image.

A sophisticated multistage phishing campaign dubbed “Heatstroke” was recently identified by security researchers. Beyond classic techniques such as hiding malicious URLs inside what looks like a legitimate website address and using diverse social engineering lures, the campaign employs more sophisticated methods to evade detection. The threat actors behind it target PayPal credentials and credit card information.

The campaign was named “Heatstroke” after a variable found inside the phishing kit’s malicious code.

Who discovered this phishing campaign?

Security researchers from Trend Micro discovered this phishing campaign and published a detailed technical analysis report. The report also includes a deep dive into the methods the phishing kit uses to steal information from victims.

Heatstroke’s operators appear to have used these countermeasures to hide their trails:

  • Multistage phishing attack. To avoid suspicion, the attackers take their time and spread the attack over multiple screens/pages. Whereas a typical phishing attack uses a single landing page, Heatstroke’s multistage approach mimics what a legitimate website would do, lulling the potential victim into thinking nothing is amiss.
  • Obfuscated trails. The phishing kit’s content is forwarded from another location but masked to appear as if it were hosted on the landing page itself. The landing page also changes constantly to bypass content filters. The kit can block certain IP ranges, crawling services, and even security tools such as vulnerability scanners: if a visitor connects from a location, browser, IP address, or country that the attackers have blacklisted, the page either serves no content (an HTTP 404 error) or forwards content from somewhere else. The first page of the kit is generated by a PHP script encoded in Base64 to avoid or bypass firewalls and content inspection.
  • Phishing as a service. Trend Micro saw a different group purchase the kit for their own phishing attacks, and the kit’s developer assigned his own API key to that group. This suggests a division into customer, operator, and developer roles.
  • Self-aware phishing kit. The entire phishing page’s content is generated dynamically based on the visitor’s properties. The site’s source code also contains a fairy-tale story, which could be the developer signalling that he knows researchers read his source code.
  • Attempts to appear legitimate. The phishing page is served from a domain chosen according to the victim’s country of origin. In some of the cases analyzed, the domain used for the attack had belonged to a legitimate business and was later put up for sale.
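The Base64-encoded PHP first page and the visitor gating described above are the two things an analyst usually has to get past before the kit's real content can be read. The following Python script is an added example, not code from Trend Micro's report or from the Heatstroke kit: it peels nested `eval(base64_decode('...'))` layers off a stager and then pulls the blacklisted IP prefixes, user-agent tokens, remote content URL and 404 behaviour out of the decoded source. The PHP sample it operates on is constructed for the demo, and every IP range, user-agent string and hostname in it is hypothetical.

```python
"""Peel Base64-encoded PHP stagers and extract visitor-gating indicators.

Added example; not code from Trend Micro's Heatstroke report or the kit itself.
The PHP below is constructed to resemble the gating behaviour described in the
article (blacklisted IP ranges and crawler user agents get a 404, everyone else
gets content fetched from another host). Its values are hypothetical.
"""
import base64
import re
from typing import Dict, List, Tuple

# Constructed inner page logic (hypothetical IP prefixes, agents and host).
INNER_PHP = r"""<?php
$blocked_ranges = array('66.249.', '64.233.', '207.46.');
$blocked_agents = array('googlebot', 'bingbot', 'curl', 'python-requests', 'nessus');
$ip = $_SERVER['REMOTE_ADDR'];
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
foreach ($blocked_ranges as $r) { if (strpos($ip, $r) === 0) { header('HTTP/1.0 404 Not Found'); exit; } }
foreach ($blocked_agents as $a) { if (strpos($ua, $a) !== false) { header('HTTP/1.0 404 Not Found'); exit; } }
echo file_get_contents('http://content-host.example/step1.html');
?>"""


def wrap_in_stager(php: str, layers: int = 2) -> str:
    """Build a constructed multi-layer eval(base64_decode()) stager around php."""
    body = php
    for _ in range(layers):
        b64 = base64.b64encode(body.encode()).decode()
        body = f"<?php eval(base64_decode('{b64}')); ?>"
    return body


# Matches the literal argument of base64_decode('...') / base64_decode("...").
STAGER_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def peel(src: str, max_layers: int = 10) -> Tuple[str, int]:
    """Decode nested base64_decode() layers; return (plaintext, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = STAGER_RE.search(src)
        if not m:
            break
        try:
            src = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers += 1
    return src, layers


QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")
IP_PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}\.?$")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def extract_indicators(php: str) -> Dict[str, object]:
    """Classify quoted strings inside array(...) literals as IP prefixes or agent tokens."""
    ip_prefixes: List[str] = []
    agent_tokens: List[str] = []
    for arr in re.findall(r"array\((.*?)\)", php, re.S):
        for s in QUOTED_RE.findall(arr):
            (ip_prefixes if IP_PREFIX_RE.match(s) else agent_tokens).append(s)
    return {
        "ip_prefixes": ip_prefixes,
        "agent_tokens": agent_tokens,
        "remote_content": URL_RE.findall(php),  # where the real page is fetched from
        "serves_404": bool(re.search(r"\b404\b", php)),
    }


def analyze(stager: str) -> Dict[str, object]:
    """Peel the stager and report what it gates on."""
    plain, layers = peel(stager)
    report = extract_indicators(plain)
    report["layers_removed"] = layers
    return report


if __name__ == "__main__":
    sample = wrap_in_stager(INNER_PHP, layers=3)
    for key, value in analyze(sample).items():
        print(f"{key}: {value}")
```

When pointed at a real first page, the extracted IP prefixes and agent tokens are what to avoid when re-fetching the kit for analysis: connect from an address and user agent outside the blacklist, or the server will answer with the same 404 it gives crawlers and scanners.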

The stolen credentials are sent to an email address using steganography (hiding or embedding data inside an image). Over the course of its research, Trend Micro captured two similar phishing kits, one targeting Amazon users and the second stealing PayPal credentials. Its analysis focuses on the latter, as most of that kit’s components were recovered.
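The report says the credentials leave inside an image but does not describe the embedding method. The cheapest technique kits use is to append the record after the image's end-of-file marker, which viewers ignore. The Python below is an added example, not Trend Micro's code or the kit's: it assumes that appending technique, builds a minimal valid PNG, glues a constructed credential record onto it the way an exfiltration step would, and then detects the trailing payload by walking the PNG chunks to the IEND marker. The record contents and the image are constructed for the demo.

```python
"""Detect data appended after a PNG's IEND chunk (a common image-exfil trick).

Added example, not from Trend Micro's report. The report does not state how
Heatstroke embeds credentials in images; appending after end-of-image is an
assumption used here. The PNG and the credential record are constructed.
"""
import struct
import zlib
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Constructed credential record in the key=value form many kits post.
CONSTRUCTED_RECORD = b"email=victim@example.com&pass=hunter2&cc=4111111111111111"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """Smallest useful carrier: a 1x1 8-bit RGB PNG with a single red pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte 0 + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def build_carrier(payload: bytes) -> bytes:
    """Mimic the exfil step: a valid image with the record glued on the end."""
    return make_png_1x1() + payload


def png_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None  # ran off the end without IEND: truncated or not PNG


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image proper; empty for a clean image."""
    end = png_end_offset(data)
    return b"" if end is None else data[end:]


def scan_attachment(data: bytes) -> Dict[str, object]:
    """Triage one image attachment for an appended record."""
    payload = trailing_payload(data)
    return {
        "trailing_bytes": len(payload),
        # key=value&key=value is the shape a kit's POST body usually has
        "looks_like_form_data": b"=" in payload and b"&" in payload,
        "payload": payload,
    }


if __name__ == "__main__":
    carrier = build_carrier(CONSTRUCTED_RECORD)
    print(scan_attachment(carrier))
    print(scan_attachment(make_png_1x1()))
```

In a mail-gateway rule this reduces to one cheap check on image attachments: if bytes follow IEND (or, for JPEG, the final EOI marker), hold the message for review. A kit that instead hides the record in pixel values would pass this check, so it is a first filter, not a complete detection.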

The two kits’ tactics and techniques were similar, from the website hosting the phishing kit and the type of information stolen to the masking techniques used. Both kits also appear to end in the same user verification phase. These similarities could mean that they share an origin, a conclusion further supported by the timing and scope of the attacks that used them, as both were delivered to the same victim.

Multistage attack

  • Heatstroke uses a multistage approach, in contrast to typical phishing attacks that use a single landing page.
  • The attackers make every effort to hide their trails: masking the source location of the phishing kit, constantly changing the landing page to bypass content filters, and blocking certain IP ranges, crawling services, vulnerability scanners, and more.
  • The attackers appear to offer the kit as “phishing-as-a-service”, with distinct customer, operator, and developer roles.
  • The phishing page is generated based on the victim’s country of origin.

For more cyber security information, contact us at help@theweborion.com.