Expire Phishing Links with Apache RewriteMap

On more than a few occasions phishing recipients have forwarded my phish to IT. The first indication is usually when I’m watching the access logs like a hawk and see multiple GET requests with a user’s token, yet haven’t received any credentials or beacon sessions. Sometimes it turns out the user is being blocked by a technical control after the initial request, but other times we are told that the user did what their security training suggested and forwarded the email. Yay. I don’t like the thought of being one email forward away from IR having free reign to peruse my phishing site in a sandbox. For a while I’ve wanted to limit this ability, allowing users to navigate to the malicious website or payload... [Read More]

Combatting Incident Responders with Apache mod_rewrite

Any phishing campaign involving an active incident response element usually requires some evasive steps to prolong its longevity. This often includes being stealthier, performing anti-forensics actions, or avoiding certain tradecraft altogether. Phishing is no different, and is often the most ‘vulnerable’ part of a campaign from an active IR perspective. Using a distributed infrastructure built with independent components helps reduce the risk of the overall architecture being blocked, but individual phishing campaigns are likely to be caught and blocked throughout the duration. The longer we can stretch out the usability of each of those campaigns, the better our chances of gaining access. Using Apache mod_rewrite rules, we can rewrite potential incident responder or security appliance requests to an innocuous website or the target’s real... [Read More]

Operating System Based Redirection with Apache mod_rewrite

At times you may find yourself testing an environment comprised of a fair mix of operating systems. Maybe the marketing department is half Windows and half Mac OS X. In these cases, it may not be feasible to determine users’ operating systems via a preliminary phish. OS detection is nothing new. The goal of this method is to allow us to perform detection and proxying in one place while looking as legitimate as possible to the phish victim. No URL changing, no excessive page reloads and refreshes. This detection method is similar to my previous post about redirecting mobile users; however, leveraging JavaScript provides a more reliable method of operating system detection. OS Detector Page The HTML... [Read More]

Invalid URI Redirection with Apache mod_rewrite

There have been times when a curious phish recipient or a zealous help desk staff has loaded the phishing link in their browser and decided to take a peek at a higher directory or the root domain. Of course, most times there isn’t much else site to see. In those cases, the chances of being reported to IR went up significantly, sometimes leading to a phishing campaign being blocked. This is where invalid URI redirection comes in handy. We can whitelist resources the Apache server will proxy for the targets and redirect any other requests to the target’s real domain or another page of our choosing. In the demo below, the user navigates to and is served a page; however, when the user navigates... [Read More]

Strengthen Your Phishing with Apache mod_rewrite and Mobile User Redirection

Often times a corporate internal network is heavily locked down. Workstations are restricted with limited internet access. These controls are often less strict on mobile devices (or sometimes not present), especially with BYOD being implemented more and more. While phishing, Apache access logs often show mobile devices accessing the malicious page, yet no sessions are established. I investigated a number of ways to solve the problem and ultimately landed on using Apache’s Rewrite module. The more I learned about mod_rewrite’s abilities, the more benefit I saw in using Apache redirectors for phishing. This post is the first in a series of posts about solving common problems that plague phishing including users visiting a malicious website on their mobile device, users visiting non-existent resources on our... [Read More]