Loading...
Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Phishing the Holiday Season

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

Take a look at the email example below, posing as an email from Woolworths, an Australian supermarket. It states the recipient won a $2,000 Gift Card. Although it did not clearly state which specific country, it was clearly intended for the people of Australia since it was addressed to the .au top-level-domain. There is a sense of urgency where the author wants the victim to act before the gift expires. The URL link provided leads to the legitimate site of Woolworths Australia. Noticeably the attachment is named “$2000.html” wherein lies the culprit.

FIG01
Figure 1. Who doesn’t want $2000 this holiday season

 

Below is an overview of how the phishing routine was carried out from winning a $2000 Gift Card to stealing email credentials and telephone numbers.

FIG02

Figure 2. How Phishing was executed

 

During our analysis, we opened the HTML attachment with a text editor and found out that it has javascript code and by the looks of it, it was URL Encoded. A way to make it human-readable is to decode it using CyberChef’s URL Decode function.

FIG03

Figure 3. URL Decoding the script to make readable

 

Opening the email attachment locally with a browser shows the webpage below, with all of the instructions to get a $2000 Gift Card. To get the E-Gift Card, all the victim needs to do is select an email provider and key in their credentials. Simple!

FIG04

Figure 4. Yes, I wanted a gift card! Show me how?

 

Clicking each email provider button pops up a different window with each respective email provider logo. Clearly, the bad guys aim to steal email credentials from Outlook, Office365, and Yahoo users. Should you have no account with these email providers, you may opt to click on the Others button. It is a two-step process in keying in information. At the first form, an email address and password is entered, then “Continue” is clicked, then a second form provides a place to key in a telephone number, and  “Sign-in”. The hyperlinks below the button do nothing.

FIG05

Figure 5. All you need are email address, password and telephone number? That’s easy!

 

 

Digging deeper into the decoded HTML script, we find an interesting technique. The HTML incorporates JavaScript hosted at a remote location at “yourjavascript.com”. As of this writing, we were able to download the hosted script. The script contains two important validation functions.

FIG06

Figure 6. JS Script hosted at a remote  website

 

We looked into the hosting site of the file JavaScript referenced in the decoded HTML file. Around late 2017, this blog about Spider Ransomware mentions that the same site hosted one of its Base64 encoded payloads. But still, they are offering free hosting for the time being. Optional if you donate for their service.

FIG07

Figure 7. The website that hosted the JS Script

 

One way to find where the stolen information goes is to look for anything with http or to look for the name or id submit button. In the script below, the Continue button triggers ValidateField() function, which is referenced on the hosted script. The ValidateField() function checks the email address and password entries of the victim using Regular Expressions. Entries that fail the validation yields specific errors: incorrect format, or can’t be empty.

FIG08

Figure 8. Validation for Email and Password

 

The Sign in button triggers the second function ValidateTel() in the hosted file JavaScript. The ValidateTel() function checks the telephone number entry of the victim using Regular Expressions to validate if it is empty or blank.

FIG09

Figure 9. Validation for Telephone Number

 

All entered information: email address, password, telephone number, and the selected email provider in the webpage are validated. This stolen information from the victim will be used as parameters in a site hosted at a free web hosting provider (000webhostapp.com).

FIG10

Figure 10. The free web hosting site

 

At the time of this writing, the free web hosting site is still accessible, we used dummy information to replicate how stolen info was sent.

Param02

Figure 11. Using dummy information to POST to PHP

 

Finally, the user will be redirected to a legitimate website, as illustrated below.

FIG12

Figure 12. And they got away with your credentials.

 

It was interesting to figure out that malware authors are again abusing free hosting sites once more to carry out their malicious activities, which is almost becoming the norm. In this case, the phishing attempt used an encoded HTML attachment, that incorporated JavaScript code hosted at a third party free JavaScript hosting site, along with another site hosted on a free web hosting site.

Trustwave Secure Email Gateway (SEG) detects these phishing messages.

IOCs:

URLs:

hxxp://yourjavascript[.]com/72261021022/script[.]js
hxxps://wltv[.]000webhostapp.com/wvoucher/web-form[.]php

Files:

                Filename:            $2000.html    
                MD5:                     2149f65f1e13e680fc35b05c70dd600e
                SHA1:                    24e5fdfa1488698ca72bc130074d8f12dbbc8c79

 

                Filename:            script.js
                MD5:                     5096b6c04a5b8f4c9e7188d276d4e69a
                SHA1:                    ca30238bd610adbbd3902a5a29391a93ca20bb03