Hacktivists Turn to Phishing to Fund Their Causes

At Intel Security we recently observed a phishing campaign targeting Apple account holders.

1403_od001

The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page.

1403_od043

Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following images we have highlighted some indicators that the site is not legitimate.

e1403_od063

Users are then redirected to the official Apple page.

1403_od073

The phishers usually create a local .zip file that contains all of their scripts to create the phishing page. They upload this file to a compromised server, extract it, and delete the file. On this occasion, the phisher appears to have forgotten to perform this last step.

1403_od003

This oversight enabled us to see how the website code worked; we found some interesting comments.

The .zip file contained a readme that states the results would be stored locally, although this was not the case.

1403_od005

We also found some .htaccess files. These are used to block access to the site by checking the originating IP of the connection. This is done to prevent the site’s being accessed and analyzed by robot scrapers.

1403_od004

Depending on the page a user lands on—credit card, Apple login, or address change—a .php script generates an email and sends it to [email protected].

1403_od006

In one of the .php files we found a reference a hacktivist group. We did some investigating and found this name had been associated with several website defacings. The group’s activities promote a set of political views, so we suspect that the group was funding its operations through this new phishing scam.

We received another phishing email that was identical to the original one apart from the URL it linked to. It served the same fake Apple page but this time it did not contain the .zip file. We went to the homepage of the compromised site and found it had also been defaced.

This confirmed our view that the original phishing site was hacked by the hacktivist group. It seems that political hackers are now using their skills to generate income to aid their causes.

Intel Security customers are protected from this campaign through heuristic definitions and McAfee Global Threat Intelligence reputation.

The post Hacktivists Turn to Phishing to Fund Their Causes appeared first on McAfee.