• A recent RFI attack campaign that deployed phishing kits has targeted a bank in the European Union.
  • The attackers abused RFI flaws to upload phishing landing pages in order to steal credentials from victims.

A campaign that leverages Remote File Inclusion (RFI) vulnerabilities for deploying phishing kits has been identified. The campaign was identified by security researcher Larry Cashdollar of Akamai. According to Cashdollar, a server was reported to output a file crafted by the attackers in this attack.

RFI attacks are carried out by exploiting faulty inclusion functions within a website or an application. These can also lead to other attacks such as cross-site scripting (XSS), denial-of-service (DoS) or information disclosure.

The big picture

  • Cashdollar came across the attack through his website when he analyzed server logs that had RFI attempts. These were GET requests that were linked to a text file.
  • The GET requests tried to inject a remote shell on his site, which could subsequently take over the site.
  • After examining the text file, Cashdollar indicates that it was used to check servers vulnerable to RFI. If found, a variable ‘$SERVER_ADMIN’ would be sent to the attacker.
  • The file also included the attacker’s email address, variable names in Portuguese and information about server profiling.
  • Two more text files encountered by the researcher contained code for generating phishing sites for a bank in the European Union. This is possibly used in creating phishing landing pages.

Tailored attacks

Cashdollar mentions that the RFI attempts were modified according to the target.

“The RFI attempts recorded in my logs were tailored to the page being tested. If the website being targeted uses form_id= for example, then the requests will match that instead of the generic (and commonly used) page_id= or page=. This tells us the attacker is likely parsing the HTML, and examining the variables being sent to via form to the backend,” said Cashdollar.

Cyware Publisher