
Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, for instance when they are targeting a specific type of service such as online banking, attackers may allow only a set of visitors from a specific country to see the phishing page.


Though attackers’ skill sets vary, some will just try to customize third-party scripts they find online, and it’s not uncommon for them to do it poorly. For example, one phishing campaign uses a bot-blocking .htaccess file that can be easily found on the Internet. It does protect sites from unwanted bots, but it has very little to do with search engines, security companies, and geographic regions (although it blocks some of them); it just saves bandwidth.

deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net

Along with the .htaccess file, there may be other files within the phishing structure, such as:  

  • Image directories (img/images) - These directories may contain logos, header/footer images and other images related to the phishing target (PayPal, banks, etc.).
  • JavaScript directories (js/scripts) - These scripts reproduce the behavior of the real website (email validation and other functionality).
  • PHP/ASP mailer scripts - Depending on your environment (PHP/ASP), attackers will use a mailer script to send all the sensitive information victims provide to one of their email accounts.
  • HTML pages - These HTML pages tie everything together with the files/directories above in order to create the false look and feel of a real page and trick the user.

Knowing your site’s structure and actively monitoring it (being alerted whenever a file is changed or added to your site) helps you identify whether your site is being used as part of a phishing campaign or whether any other malware has been uploaded to it. If you find a similar structure on your website, or suspicious images and content that don’t seem to belong there, feel free to check your website with our scanner at https://sitecheck.sucuri.net/.
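A site owner can check for the structure described above with a short script. The following is an added example, not part of the original note and not Sucuri's code: it walks a web root and flags, for manual review, any directory that combines several of the listed traits (a long "deny from" list in .htaccess, image/script subdirectories, a PHP/ASP mailer, HTML pages). The trait names, thresholds and mailer patterns are assumptions chosen for illustration.

```python
import os
import re
import sys

# All thresholds and patterns below are assumptions for this example; tune them.
DENY_RE = re.compile(r"^\s*deny\s+from\s+\S+", re.I | re.M)
MAILER_RE = re.compile(rb"\bmail\s*\(|CDO\.Message", re.I)  # PHP mail() / ASP CDO
ASSET_DIRS = {"img", "images", "js", "scripts"}
MIN_DENY_RULES = 5  # a handful of deny lines is normal; a long list is a trait


def indicators(dirpath, dirnames, filenames):
    """Return the set of phishing-kit traits seen directly in one directory."""
    found = set()
    if ".htaccess" in filenames:
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            if len(DENY_RE.findall(fh.read())) >= MIN_DENY_RULES:
                found.add("htaccess-deny-list")
    if ASSET_DIRS & {d.lower() for d in dirnames}:
        found.add("asset-dirs")
    for name in filenames:
        ext = os.path.splitext(name)[1].lower()
        if ext in (".html", ".htm"):
            found.add("html-pages")
        elif ext in (".php", ".asp"):
            # Read at most 1 MiB per script; mailers are small files.
            with open(os.path.join(dirpath, name), "rb") as fh:
                if MAILER_RE.search(fh.read(1 << 20)):
                    found.add("mailer-script")
    return found


def scan(webroot, threshold=3):
    """Map each directory showing >= threshold traits to its sorted trait list."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(webroot):
        found = indicators(dirpath, dirnames, filenames)
        if len(found) >= threshold:
            hits[dirpath] = sorted(found)
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, traits in scan(root).items():
        print(f"{path}: {', '.join(traits)}")
```

A hit is only a prompt to compare the directory against what you know you deployed; legitimate directories with a contact form and static assets can match as well.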
