SpiderLabs Blog

Dissecting a Phishing Campaign with a Captcha-based URL

In today's environment, much of the population does its banking and financial transactions online, and online banking and wire transfers have become a necessity. Recently, we received a phishing email targeting PayPal accounts that uses a captcha to avoid detection.

The email header contains an alarming subject, and the From: address is a spoofed PayPal-lookalike domain.

The Message-Id is also highly suspicious: it references the web hosting site DreamHost, which is not related to PayPal.
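The two header inconsistencies described above (a brand-lookalike From: domain and a Message-Id issued by an unrelated hosting provider) can be checked mechanically. The following is an added example, not code from the original post; the sample headers, the lookalike domain and the hosting-domain list are constructed for illustration.

```python
# Added example (not from the original post): flag the header inconsistencies
# described in the analysis. The sample email, the lookalike domain and the
# hosting-domain list below are constructed placeholders, not real campaign data.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the campaign described above.
SAMPLE_EMAIL = """\
From: PayPal Service <service@paypal-account-secure.example>
To: victim@example.org
Subject: Your PayPal account is temporarily limited
Message-Id: <20230201123456.ABCDEF@dreamhost.example>

Your account has been limited. Please log in to restore access.
"""

LEGIT_DOMAINS = {"paypal.com"}           # domains the real brand sends from
HOSTING_DOMAINS = {"dreamhost.example"}  # placeholder list of generic web hosts

def header_domain(value: str) -> str:
    """Return the lower-cased domain part of an address-like header value."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        # Message-Id is <local@domain>; parseaddr normally copes, but fall back.
        addr = (value or "").strip("<> ")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze_headers(raw: str) -> dict:
    msg = message_from_string(raw)
    from_dom = header_domain(msg.get("From", ""))
    msgid_dom = header_domain(msg.get("Message-Id", ""))
    findings = []
    # Brand name inside a From: domain that is not one of the brand's own domains.
    if "paypal" in from_dom and from_dom not in LEGIT_DOMAINS:
        findings.append("lookalike sender domain: " + from_dom)
    # Message-Id minted by a host that is neither the From: domain nor a subdomain of it.
    if msgid_dom and msgid_dom != from_dom and not msgid_dom.endswith("." + from_dom):
        findings.append("message-id domain mismatch: " + msgid_dom)
    if msgid_dom in HOSTING_DOMAINS:
        findings.append("message-id from generic web host: " + msgid_dom)
    return {"from_domain": from_dom, "messageid_domain": msgid_dom, "findings": findings}

if __name__ == "__main__":
    for finding in analyze_headers(SAMPLE_EMAIL)["findings"]:
        print("[!]", finding)
```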


The body of the email explains that there is a report of an unauthorized activity linked to the PayPal account that has caused PayPal to limit use of the account.


At the end of the email body, it asks the victim to log in to their PayPal account via a clickable link that leads to the phishing site hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/

Upon clicking the link in the email, the browser is redirected to an initial page that uses a captcha before proceeding to the final phishing page.


Looking at the source code of the phishing captcha page, we see it has been padded with text from the French folktale 'Bluebeard' to make the code longer and harder to detect.


Moreover, the captcha check on the phishing page is performed by the script 'signin.js'.


This JavaScript file contains several functions dedicated to captcha checking, including the use of built-in Math methods to check the length of the string and match the characters of the captcha, and even to generate a new captcha.


Finally, there is a malicious ‘xscex.js’ that is responsible for the captcha submission.


Clicking the button element with id 'xyssubmitsecx' triggers the execution of 'xscex.js', which eventually redirects to the actual PayPal phishing page. The button's value contains the German words "Ich bin kein Roboter", which translate to "I am not a robot".
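The page traits described above (filler prose padding the source, the German "not a robot" button, and the captcha scripts named in the analysis) can be turned into a triage score for saved page copies. This is an added example, not code from the original post or from the phishing kit; the HTML below is constructed, and the word-count threshold is an assumed heuristic.

```python
# Added example (not from the original post): score a saved copy of a page for
# the traits described in the analysis. SAMPLE_PAGE is constructed; the script
# file names are those named in the post; the 40-word threshold is an assumption.
import re
from html.parser import HTMLParser

SAMPLE_PAGE = """<html><head><script src="signin.js"></script>
<script src="xscex.js"></script></head><body>
<p>There was once a man who had fine houses, both in town and country, a deal of
silver and gold plate, embroidered furniture, and coaches gilded all over with gold.
But this man was so unlucky as to have a blue beard, which made him so frightfully
ugly that all the women and girls ran away from him.</p>
<form><input id="captcha"><button id="xyssubmitsecx" value="Ich bin kein Roboter">
Ich bin kein Roboter</button></form></body></html>"""

KIT_SCRIPTS = {"signin.js", "xscex.js"}  # script names reported in the analysis

class PageCollector(HTMLParser):
    """Collect script sources, button values and visible text from the page."""
    def __init__(self):
        super().__init__()
        self.scripts, self.button_values, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"].rsplit("/", 1)[-1].lower())
        if tag == "button" and a.get("value"):
            self.button_values.append(a["value"])
    def handle_data(self, data):
        self.text.append(data)

def score_page(html: str) -> dict:
    p = PageCollector()
    p.feed(html)
    words = re.findall(r"[A-Za-z]+", " ".join(p.text))
    reasons = []
    hits = sorted(set(p.scripts) & KIT_SCRIPTS)
    if hits:
        reasons.append("known kit scripts: " + ", ".join(hits))
    if any("kein roboter" in v.lower() for v in p.button_values):
        reasons.append("German 'not a robot' button value")
    # A captcha/login step normally carries little prose; a long block is filler.
    if len(words) > 40:
        reasons.append(f"filler text: {len(words)} words on a captcha page")
    return {"script_count": len(p.scripts), "word_count": len(words), "reasons": reasons}

if __name__ == "__main__":
    for reason in score_page(SAMPLE_PAGE)["reasons"]:
        print("[!]", reason)
```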


Using the Fiddler tool, we can also see the exact resource URL of the malicious js file.


Once the correct captcha has been entered, it will proceed to the final phishing URL redirection that uses the same domain, yet a different path:

hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/app/signin


Looking closer at the source code of the actual "log-in" page of the PayPal phishing site, we see that it also contains filler word salad. Interestingly, the code names an author, 'morpheous'. We can also see a hex value at the very top of the source code of the redirected page.


Upon further analysis, we found another file, 'xappx.css', that checks for a hex value in the content of a file; this value serves as an indicator of whether the credential input (the log-in attempt) succeeded or failed.


Complete infection chain:

hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/
  -> hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/index
    -> hxxps://mbj[.]unimap[.]edu[.]my/wp-content/ppllll/app/captcha
      -> hxxps://mbj[.]unimap[.]edu[.]my/wp-includes/css/dist/ppllll/app/signin

Upon investigating the domain hxxps://mbj[.]unimap[.]edu[.]my/, we found that it is a compromised blog site. Hosting phishing pages on compromised sites is a common technique in phishing attacks.

At the time of analysis, we saw about a dozen samples of the PayPal phishing email with the same subject, "Your PayPal account is temporarily limited", each containing links to the captcha-based phishing pages. A large number of samples were seen in January, and one more sample was spotted in February.


To wrap up, this analysis outlines an example of captcha-based phishing. While using captcha in phishing is not new, there has been a recent uptick in its use. The phishers are gravitating towards captchas to avoid automated phishing page discovery tools. While Trustwave MailMarshal defends against this phishing campaign, this type of obfuscation and evasion to prevent detection has a long tradition among cybercriminals. This is why “defense in depth” and layered security controls are essential.

In the end, our last line of defense is often the user behind the keyboard, which is why ongoing Security Awareness training that includes phishing identification is an essential component for any information security program.
