Phishing & Malspam with Leaf PHPMailer
2021-01-27 04:36:34 Author: blog.sucuri.net(查看原文) 阅读量:560 收藏

It’s common knowledge that attackers often use email as a delivery mechanism for their malicious activity — which can range from enticing victims to click a phishing URL or download a malicious attachment.

To support these activities, attackers seek out tools that assist in the mass sending of malspam (malicious spam) emails from a compromised website. PHP scripts like Leaf PHPMailer are well suited for this task.

Leaf PHPMailer UI

Hacktool Analysis: Leaf PHPMailer

Leaf PHPMailer is a PHP mailer hacktool that lets an attacker send out large amounts of malspam emails from a compromised website’s web server.

When the tool is loaded, it leverages the LeafPHP mailer library to distribute the spam. It contains various text fields that allow the attacker to input custom data for important email fields:

Email = The email address that will be forged as the “From:” address
Sender Name = The name of the forged sender Email address – for example, this fake Amazon Support name in this screenshot:

Fake Sender Name in Phishing

Reply-to = The email address that will receive any replies to the sent email, may be left blank if no reply expected
Subject = String of text used to capture attention
Message Letter = Body content of the email
Email List = A list of recipient email addresses

These fields make it easy for the attacker to forge email headers to manipulate the appearance of the sender and deceive recipients, masking the true source of the email.

UI Analysis for PHP Mailer

Malspam Transmission

After inputting the desired values for the text fields, the attacker hits Send to dispatch the emails to the recipients. If the email successfully reaches their inbox, the email contents look similar to the following:

Fake Amazon Phishing

Leaf PHPMailer also has a Blacklist Checker feature that is used to query common blacklists for the hosting server’s IP address, allowing an attacker to determine whether it is listed or not:

Blacklist Checker

This feature makes it easy for a bad actor to identify the viability of their campaign and pinpoint issues with mail deliverability.

Conclusion & Mitigation Steps

Email phishing and malspam campaigns are commonly used by bad actors because they make it incredibly easy to harvest personal data, banking, and other sensitive account information.

Attackers simply need to invest a bit of time into designing or emulating a convincing message from a known brand before sending to a stolen or purchased list of email addresses — if even only 1% of users actually fall for the campaign, the results can still be rewarding.

What’s more, an infection of this variety can have serious repercussions for website owners. If your site is compromised and begins to send out email spam, your hosting provider may suspend your account for spam. Any legitimate emails that are sent from your web server may be redirected to spam folders. Your domain may also be blacklisted by Google or other notable authorities.

In general, the best solutions to mitigate risk is to harden your website’s environment, keep your software and plugins updated with the latest security patches, and use a web application firewall to protect your site from bad actors.

If you think your website has already been compromised is sending malspam, we can help clean up the malware infection and remove your site from blacklists.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions


文章来源: https://blog.sucuri.net/2021/01/phishing-malspam-with-leaf-phpmailer.html
如有侵权请联系:admin#unsafe.sh