Incident Response, TDR

Massive phishing campaign targets hundreds of online dating websites

Online daters beware: credentials for dating websites – including Match.com, Christian Mingle, PlentyOfFish, eHarmony, Zoosk, Lavalife and SeniorPeopleMeet – are being targeted in a massive campaign that makes use of a phishing kit featuring hundreds of fraudulent PHP scripts.

Although the operation ultimately involves attackers using established online dating accounts to build trust with other users – who are later hit up for money and even extorted – it all begins with attaining credentials via phishing emails, Paul Mutton, a security analyst with Netcraft, told SCMagazine.com on Monday.

Most recently, the attackers were observed using a single compromised website to host 862 fraudulent PHP scripts, according to a Wednesday post by Mutton, who added that eight of the scripts targeted banking credentials, some targeted webmail accounts, and others targeted Photobucket users.

“The dropsite scripts are hosted on compromised web servers,” Mutton said. “Victims would typically receive a phishing email [that] contains an HTML file as an attachment, which asks them to enter their username [and] password before submitting them to one of the dropsite scripts.”

For those that fall victim to the phish, the stolen credentials are sent to at least two of more than 300 email addresses – the majority are Yahoo addresses, with several others being Gmail accounts – and the victim is redirected to the legitimate target website, according to the post.

“It is unusual to see a single phishing kit targeting so many different sites, and it is equally interesting that most of the targets are online dating sites,” Mutton said.

Using a phishing kit with a large number of PHP scripts offers numerous benefits, Ronnie Tokazowski, a senior researcher with PhishMe, told SCMagazine.com on Friday. He said the method enables obfuscation, as well as makes the kit harder to clean from the infected system.

“Metasploit, one of the best-known exploitation frameworks, uses the Social Engineering Toolkit for sending weaponized emails; mostly for penetration testing purposes[, but] both can be used with malicious intent,” Tokazowski said. “With the collection of PHP scripts and the correct exploit, an attacker could massively infect websites and use them to serve malware or steal credentials.”

These types of attacks serve as a reminder to never open unsolicited email attachments, Mutton said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.