Hacktivists Turn to Phishing to Fund Their Causes

By and on

At McAfee we recently observed a phishing campaign targeting Apple account holders.

1403_od001

The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page.

1403_od043

Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following images we have highlighted some indicators that the site is not legitimate.

e1403_od063

Users are then redirected to the official Apple page.

1403_od073

The phishers usually create a local .zip file that contains all of their scripts to create the phishing page. They upload this file to a compromised server, extract it, and delete the file. On this occasion, the phisher appears to have forgotten to perform this last step.

1403_od003

This oversight enabled us to see how the website code worked; we found some interesting comments.

The .zip file contained a readme that states the results would be stored locally, although this was not the case.

1403_od005

We also found some .htaccess files. These are used to block access to the site by checking the originating IP of the connection. This is done to prevent the site’s being accessed and analyzed by robot scrapers.

1403_od004

Depending on the page a user lands on—credit card, Apple login, or address change—a .php script generates an email and sends it to bayremking0@gmail.com.

1403_od006

In one of the .php files we found a reference a hacktivist group. We did some investigating and found this name had been associated with several website defacings. The group’s activities promote a set of political views, so we suspect that the group was funding its operations through this new phishing scam.

We received another phishing email that was identical to the original one apart from the URL it linked to. It served the same fake Apple page but this time it did not contain the .zip file. We went to the homepage of the compromised site and found it had also been defaced.

This confirmed our view that the original phishing site was hacked by the hacktivist group. It seems that political hackers are now using their skills to generate income to aid their causes.

McAfee customers are protected from this campaign through heuristic definitions and McAfee Global Threat Intelligence reputation.

Leave a Comment

Similar articles

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security ...
Read Blog
Many of us use social media to keep our family and friends up-to-date on our everyday lives. We don’t typically expect social media companies to keep their partners updated on our every move as well. But for some Twitter users, this is exactly the situation they’ve found themselves in. On Monday afternoon, the social media ...
Read Blog