Microsoft recently warned of custom 404 pages being used in phishing attempts. Its security researchers discovered a phishing campaign that uses custom 404 error pages to trick victims into handing over their Microsoft credentials.
The hackers do this by registering an entire domain, as you would for a normal website. Normally, phishing attackers create a single landing page that they redirect their unsuspecting victims to. In this case, they configure a fake 404 page which shows the fake Microsoft login form.
What’s unfortunately clever about this technique is that it gives phishers an infinite number of landing page URLs, all generated with the help of a single domain.
A 404 page serves the purpose of telling a user that they have hit a broken or dead link. For example, if you go to http://www.cloudgate.co.za/fxcvt you will get our standard 404 error, as the page does not exist. Anything after the last “/” in the URL that is not a page on our website will serve the user this “404 error”. This can be customised to be quite fun; this website has a great one.
The problem with the customisation ability is that you can make it anything, and that’s exactly what the phishing attackers have done. Even scarier is the fact that any string of digits after the URL of the domain will probably guide you to the fake site that is attempting to get your details.
The phishers are targeting Microsoft users and have an incredibly uncanny ability to duplicate the look and feel of Microsoft to the point that the fake site looks legitimate, down to the smallest details. Example below:
All the links on the phishing page, including the ones at the bottom and the ones used to access one’s Microsoft account and to create a new one, point straight to official Microsoft login forms to make targets less suspicious.
“Because the malformed 404 page is served to any non-existent URL in an attacker-controlled domain, the phishers can use random URLs for their campaigns,” adds Microsoft. “We also found that the attackers randomize domains, exponentially increasing the number of phishing URLs.”
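For defenders, the two traits described above (a 404 response that carries a login form, and links that point to official Microsoft pages from a page hosted elsewhere) can be checked in a mail gateway or proxy. The sketch below is an added example, not code from Microsoft or from this site; the brand host list, the function names and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this example treats as official Microsoft sign-in hosts.
BRAND_HOSTS = ("microsoft.com", "live.com", "microsoftonline.com")


class _PageScan(HTMLParser):
    """Counts password inputs and collects the hosts that links point to."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.link_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "a" and a.get("href"):
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.add(host.lower())


def _is_brand(host):
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)


def assess_response(url, status, body):
    """Return the reasons a fetched page looks like a 404-hosted login lure."""
    scan = _PageScan()
    scan.feed(body)
    page_host = (urlparse(url).hostname or "").lower()
    reasons = []
    # A genuine "not found" page has no reason to ask for a password.
    if status == 404 and scan.password_fields:
        reasons.append("404 response contains a password field")
    # Credentials requested off-brand while the links go to the real brand.
    if (scan.password_fields and not _is_brand(page_host)
            and any(_is_brand(h) for h in scan.link_hosts)):
        reasons.append("password field on non-brand host linking to brand hosts")
    return reasons


# Constructed sample pages (not captured from the campaign).
LURE = ('<form action="/post"><input type="email" name="u">'
        '<input type="password" name="p"></form>'
        '<a href="https://login.live.com/">Sign-in options</a>')
PLAIN_404 = '<h1>Page not found</h1><a href="/">Home</a>'

if __name__ == "__main__":
    print(assess_response("http://lure.example/x7f3q", 404, LURE))
    print(assess_response("http://shop.example/fxcvt", 404, PLAIN_404))
```

Because every path on such a domain returns the same page, a single hit is grounds for blocking the whole domain rather than the individual URL.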