Localhost tunnellers give low-skilled attackers a bad way to set up phishing infrastructure

Phishing is the number one threat for internet users. A phishing attack aims to lure a victim to insert their login credentials or other sensitive information to a malicious site. The motivation can also be to convince the victim to download malware. A phishing message may arrive to the victim over email, SMS, social media comments or direct messages. 

Conducting phishing attacks is not difficult at all. As of August 2023, a search for free and easy to use phishing toolkits in GitHub results in over 11,000 results.  

The GitHub repositories host varying quality of scripts and tools that can be used to setup phishing infrastructure in a matter of seconds. The phishing toolkits are shared for educational purposes, and they typically have a disclaimer against illegal.  

But it is not difficult to repurpose them for malicious use. Especially when the toolkits have a selection of login pages, imitating well-known social media, email providers or gaming platforms.  

Over the past few years, an interesting new feature has been implemented in the phishing toolkits: localhost tunnellers. 

Localhost tunnellers, for good and for bad 

One key ingredient that had been missing from phishing toolkits was ease-of-use access to Internet.  

This meant an attacker would typically need a server with public or publicly routable IP-addresses. Because displaying only IP-address on the URL bar is really suspicious, a domain (or a cloud hosting provider under whose domain a subdomain cane be set up) would have to be used.  

Localhost tunnellers are familiar to developers with benign intentions. They can be used to forward the localhost of your machine to the internet directly. This means no domain names, networking configurations, nor specific cloud or firewall configuration are needed. This is very handy for debugging or demo purposes. 

 Some examples of these non-malicious services are ngrok.com, cloudflared  and beyondco.de. These services can be used for free, but some features may have an extra cost.

But as with any handy tool, there are those who are willing and eager to abuse it. 

Many of modern phishing toolkits come readily configured to do localhost tunnelling. Threat actors without much technical background can set this up relatively easily, using guided command-line setup combined with README.txt instructions. 

No knowledge of networking, or even access to a server and a domain is required. 

Example of a phishing site setup done as an experiment by F-Secure Labs using a localhost tunneller

In the example above, one of the most popular toolkits was used to deploy Facebook login credential harvesting phishing site. It automatically uses localhost tunneller to make the website available to the public internet under trycloudflare.com domain.  

In short, it is trivial to find a phishing toolkit and serve it from your own computer or a server to the internet. The site is routed to the internet under a legitimate subdomain, belonging to the localhost tunneller service.  

Furthermore, localhost tunnellers are ephemeral and require little to no monetary commitment. In contrast, obtaining a domain is typically an investment, except if the domain is registered using one of the free top-level domains (TLDs). Examples of such TLDs are .ml, .ga, .cf, .gq and .tk. 

Bad OpSec

 OpSec is short for “Operational Security”. This means tactics employed by both defenders and attackers to hide their true identity. 

Leveraging localhost tunnellers is bad OpSec for multiple reasons. However, threat actors with lower level of sophistication may not know how their identity could be compromised, or they simply may not care.   

What is most concerning is that the ease of use may encourage the less tech-savvy threat actors, who are testing the waters or may not understand the gravity of their actions.  

In such a case, better OpSec is not the answer, as that could lead to a life of crime. Instead, spreading awareness of the possible consequences of cybercrime may be far more useful. 

Phishing attempts

F-Secure has identified localhost tunnellers that have been used for phishing attacks. These include attempts at stealing login credentials to online gaming platforms such as Roblox. 

 F-Secure’s Browsing Protection automatically detects sites using localhost tunnellers. It also immediately prevents and alerts users if they are about to open a site using a localhost tunneller.