Diverting the Analysts
If we have used the steps in the previous sections to create a unique link for each user, we can divert the analysts' attention.
To prevent any suspicious analysts from seeing our site and blowing our cover, we will add a small diversion: bootstrap code that follows some basic logic to decide whether or not to display the phishing page.
Each user who gets the phishing email, by design, gets a unique URL to our secret page thanks to the encrypted name incorporated in the utm_term parameter, so each URL should be viewed only once, by the user it was sent to.
To carry off this ruse, we first create a SQL table with four columns: a row ID; the utm_term token's value, which is the encrypted target name; a counter to track visits; and finally the date of the first visit.
Here is the SQL code to create the table schema and load the encrypted tokens:
root@Phishing:~# mysql -u root -p
mysql> CREATE TABLE tokens (
id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
utmterm VARCHAR(100) NOT NULL,
counter smallint,
updated_at datetime
);
mysql> INSERT into tokens values (null, "FAgUHRNXNjo6FjtM", 0, null);
mysql> INSERT into tokens values (null, "AwgQFR9XITw7AyBdIQ==", 0, null);
--snip--
Next, we need some bootstrap PHP code.
If the page has already been visited by this user (counter > 0), it loads dummy content that has exactly the same length as the password-grabbing form. If the user hasn't yet visited the page, it serves the actual phishing page.
Avoid using redirections. An analyst looking at proxy data could potentially spot the discrepancy between users successfully loading the page the first time (HTTP code 200) and those same users failing to revisit it again (HTTP code 302).
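The proxy-side discrepancy just described, seen from the analyst's chair: an added example (not code from the original page) that walks constructed proxy log lines and flags utm_term tokens whose first request returned 200 while a later request did not, plus pages where every token was served to exactly one client. The hostnames, client IPs and log format are assumptions; the two token values are the ones from the table above.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (assumed format): timestamp client method url status bytes
PROXY_LOG = """\
2024-03-01T09:00:01Z 10.1.2.3 GET https://example-phish.test/login?utm_term=FAgUHRNXNjo6FjtM 200 4312
2024-03-01T09:00:05Z 10.1.2.9 GET https://example-phish.test/login?utm_term=AwgQFR9XITw7AyBdIQ== 200 4312
2024-03-01T09:12:44Z 10.1.2.3 GET https://example-phish.test/login?utm_term=FAgUHRNXNjo6FjtM 302 0
2024-03-01T09:13:10Z 10.1.2.50 GET https://example-phish.test/login?utm_term=FAgUHRNXNjo6FjtM 302 0
2024-03-01T10:00:00Z 10.1.2.7 GET https://news.example.test/article?utm_term=spring_sale 200 8800
2024-03-01T10:05:00Z 10.1.2.8 GET https://news.example.test/article?utm_term=spring_sale 200 8800
"""


def parse_log(text):
    """Turn each log line into a dict; utm_term is pulled out of the query string."""
    records = []
    for line in text.splitlines():
        ts, client, _method, url, status, size = line.split()
        u = urlparse(url)
        token = parse_qs(u.query).get("utm_term", [None])[0]
        records.append({"ts": ts, "client": client, "host": u.netloc, "path": u.path,
                        "token": token, "status": int(status), "size": int(size)})
    return records


def find_first_view_only(records):
    """Tokens whose first request got a 200 but a later request got something else.
    Response size is deliberately ignored: a dummy page padded to the same length
    as the real one defeats size comparison, but status-code changes still show."""
    by_token = defaultdict(list)
    for r in records:
        if r["token"]:
            by_token[(r["host"], r["path"], r["token"])].append(r)
    hits = []
    for key, reqs in by_token.items():
        reqs.sort(key=lambda r: r["ts"])
        if reqs[0]["status"] == 200 and any(r["status"] != 200 for r in reqs[1:]):
            hits.append(key)
    return hits


def find_per_user_tokens(records, min_tokens=2):
    """Pages where each utm_term token was successfully served to exactly one client,
    the signature of one-URL-per-recipient links rather than a shared campaign tag."""
    clients = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["token"] and r["status"] == 200:
            clients[(r["host"], r["path"])][r["token"]].add(r["client"])
    return [page for page, toks in clients.items()
            if len(toks) >= min_tokens and all(len(c) == 1 for c in toks.values())]
```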
PHP code to determine whether a user should be served the phishing page or redirected to the home page: