Around July 2020 the UK saw a rise in smishing (SMS phishing) scams impersonating HMRC. The messages suggested victims were entitled to a tax refund and directed them to a website to process the claim. What made these kits a little different from the rest I had seen was the adoption of a geofencing technique used to evade detection and redirect any visitors that didn’t meet certain criteria. That’s not to say this technique is unusual in phish kits, it just had not previously been observed on the HMRC pages.
Curious to know exactly what was going on under the hood, I obtained one of these kits for further analysis.
At the root of the kit I have the above three files: Admin_Panel, which is an SQL file; covidBankLeadsUC, which is the main scam site configuration; and the README. Taking a look at the README file, the site creator has left some initial instructions on how to set up the page. The creator identifies themselves as DYNAMO00 on Telegram, with HOODRICH being his brand for the kits.
I also see a list of features available to the kit user: bank leads, email access and enough details to apply for Universal Credit in the name of the victim.
The Scam Page
This kit is normally observed being delivered via SMS. When the victim clicks the link they are taken to a landing page mimicking gov.co.uk on the pretence of a Covid support grant. Once the victim reads through this and clicks start, they are presented with two further pages: the first asks for general details such as name, address, NI number, DOB etc., and the second asks the victim to provide financial details. At this stage they are shown a fake bank check page (in reality it’s just a gif, set to run for a few seconds, and does nothing). On the last page of the scam they are presented with a random reference number, presumably to add legitimacy in the eyes of the victim. There’s then a 7 second timeout before they are forwarded to the official gov.uk site.
The Admin Panel
The next part I wanted to investigate was the admin panel. The admin panel interacts with a local MySQL DB and has a straightforward login screen found at the root of the domain under /admin.
Once logged in, there is a range of different data points available to the user of the kit: Fullz, Leads and Universal Credit signup details, all exportable into a .txt file.
Another option I have is to edit and configure the layout of the victim information via the edit design button.
All really straightforward and designed to be simple for anyone to use.
Anti Detection Techniques
Taking a deeper look into the back end of the site, I observed a number of anti-detection techniques being used. None of these techniques are exactly new and all have been observed in many other phish kits; however, I feel it is important to go through the findings on this kit, as this combination of them has not previously been observed in many kits targeting UK organisations.
The first one observed is the blacklist.dat file. This is a standard file I see in almost all kits. It’s essentially a list of IP ranges belonging to known security organisations such as McAfee, Netcraft, Microsoft etc. In this one I also have a list of IPs for Completed Users. These IPs belong to anyone that has already entered details into the site and reached the final page. This is used to minimize the risk of researchers being able to revisit the site to investigate.
I then took a look at a file called my_email.php. This file is interesting as, alongside the common configuration settings, I observe an anti-detection technique called geofencing. This further reduces the ability of researchers to investigate and of scanning solutions to detect the suspicious page, since if you do not meet certain criteria you are redirected to another site, in this specific case The Sun newspaper site. Here I can see it is checking not only that the visitor IP is listed as belonging to specific UK ISPs, but also that the browser user agent is in fact a mobile phone user agent.
At the end of the my_email.php file I see that if these criteria are not met, the visitor is redirected to another page.
Next is a file called antibot.php. This one is pulled directly from the page of another phish kit creator going by the name of Kr3pto. Rather than reinvent the wheel and go on about Kr3pto, the threat intel team at WMCGlobal have already done a fantastic blog post on them that you can find here.
The antibot script is yet another anti-detection technique, used to identify and block automated tools from visiting the site by matching keywords and IP addresses and presenting them with a 404 Not Found page.
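From the defender’s side, the three techniques above (IP blacklist, ISP/user-agent geofence, antibot 404) all show up the same way: the page answers differently depending on who asks. The example below is added here and is not code from the kit; it compares constructed responses recorded by several probe profiles for one suspect URL and flags the URL as cloaked when one profile gets the form while others get an off-site redirect or a block. Probe labels, the target URL and the decoy host are all made-up placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Probe:
    label: str     # how the page was fetched (user agent / source network)
    status: int    # HTTP status returned
    location: str  # Location header if redirected, else ""
    body: str      # response body


def final_host(url: str) -> str:
    return urlparse(url).hostname or ""


def classify(p: Probe) -> str:
    """Bucket one response: content served, off-site redirect, or blocked."""
    if p.status in (301, 302, 303, 307, 308) and p.location:
        return "redirect-offsite"
    if p.status in (403, 404):
        return "blocked"
    if p.status == 200 and "<form" in p.body.lower():
        return "content"
    return "other"


def detect_cloaking(target: str, probes: List[Probe]) -> Dict[str, object]:
    """Cloaking = the same URL serves a form to some probes and hides it from others."""
    buckets = {p.label: classify(p) for p in probes}
    served = [l for l, b in buckets.items() if b == "content"]
    hidden = [l for l, b in buckets.items() if b in ("redirect-offsite", "blocked")]
    decoys = sorted({final_host(p.location) for p in probes
                     if classify(p) == "redirect-offsite"
                     and final_host(p.location) != final_host(target)})
    return {"cloaked": bool(served) and bool(hidden),
            "served_to": served, "hidden_from": hidden, "decoy_hosts": decoys}


# Constructed sample: what a scanner might record for one suspect URL (placeholders).
SAMPLE_TARGET = "https://refund-page.invalid/claim/index.php"
SAMPLE_PROBES = [
    Probe("uk-mobile-ua", 200, "", "<html><form action='step1.php'>...</form></html>"),
    Probe("datacentre-desktop-ua", 302, "https://news-decoy.example/", ""),
    Probe("security-vendor-range", 404, "", "404 Not Found"),
]

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_TARGET, SAMPLE_PROBES))
```

A real scanner would populate the probes from live fetches; the divergence itself, not any single response, is the indicator worth alerting on.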
The HOODRICH kit is specifically designed to be easy to use for the scam site owner, with many anti-detection techniques built in for the purpose of increasing the uptime of the sites. None of the techniques are new, but they are put together in a way that specifically targets the UK public via smishing, as the anti-detection techniques employed show. Much of the kit setup is copied from other sources; however, a large proportion of the code is unique, meaning this is more of a tailored new kit creator rather than someone that has simply changed a couple of details of existing kits and called them their own. By using the current Covid crisis as the main hook for this kit, they have shown there is really no limit to how low they are willing to go in order to obtain the financial details of innocent members of the public. More often than not, these are the most vulnerable in society.