Ports for RDP
A recent wave of phishing attacks reveal that attackers are now installing web server software on home computers and uploading numerous phishing pages that they link to in spam emails targeting financial institutions and payment services.
But why? According to extensive research by Phishlabs, when phishing sites are identified, the hosting providers are often contacted to quickly take them down. With direct control over their servers and the power to shut them down over a breach of their terms of contract, hosts can curtail a phisher’s attempts at stealing credentials.
So by finding unsuspecting PC hosts, attackers can easily prolong the lifespan of their phishing operations. That’s called working smarter!
So how do they even go about finding random home computers to install their software on? By scanning residential service IP addresses for open Microsoft RDP (Remote Desktop Protocol) ports, attackers are able to brute-force passwords to get remote access to their computers. Typically, the passwords are either defaults, commonly used or otherwise weak passwords, as Phishlabs reports.
What kind of software enables these spoofed sites? Attackers install PHP Triad, a free Windows-based open-source software stack that allows them to host/serve web pages on the default port 80/tcp, or another port if blocked by the ISP. As a complete development and server environment, PHP Triad sets up and installs PHP, Apache, MySQL, and PHPMyAdmin on the computer, in addition to giving attackers an administration panel to control each component.
While hosting providers are bound by contract to terminate phishing sites, ISPs (Internet Service Providers) don’t have much control over the personal computers of their customers, making it difficult for them to eradicate phishing sites and malicious web server software. While ISPs can threaten to cut off their service if they don’t get rid of the software, there’s not much else they can do to ensure their customers are taking action.
According to PhishLabs’ Director of Threat Intelligence Don Jackson as interviewed by DarkReading.com, phishers had been scanning at least 1.5 million computers on affected networks each month. Of the 180k hosts examined by PhishLab researchers, approximately 1.5 percent of them had their RDP port open to the Internet. While only 1-2 percent of users actually have RDP turned on, attackers are still readily exploiting that fact for fraudulent means.
Getting hacked via RDP isn’t particularly new, as Brian Krebs reported in an article from December 2013. In the article, he describes how Makost[dot]net sold access to hacked RDPs that have been configured to accept connections from the Internet. These RDPs were found by scanning blocks of Internet addresses and waiting for hosts that responded to queries on one of these ports. Then they’d have to find a valid username and password to match, which often was actually one in the same.
As Krebs puts it at the end of his article:
If you’ve read this far, I hope it’s clear by now that the easiest way to get your systems hacked using RDP is to pick crappy credentials. Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security.
And disturbingly enough, about 25 percent of the hacked RDPs belonged to businesses while the other 75 percent were residential. Those businesses spanned many different industries, from healthcare to education to government agencies, but the highest rates of open RDP ports were found primarily in the manufacturing and retail services industries.
For personal PC users and potentially business users as well, securing user accounts on remote access systems like RDP can be made more secure with two-factor authentication, protecting against phishers attempting to access and install software.
To find out more about how two-factor can be integrated to protect Microsoft remote access points, read Two-factor Authentication for Microsoft Products and Duo Security’s documentation for Remote Desktop Protocol (RDP) integration.
And for those of us trying to protect against a successful phishing attempt, employing two-factor authentication for your logins to your company’s network can stop an attacker in his/her tracks. To get tips on RDP security, administrators can read this great resource linked by Krebs, a best practice document on, which, incidentally, also recommends using two-factor authentication on ‘highly sensitive systems.’