Phishing the Holiday Season

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

Take a look at the email example below, posing as an email from Woolworths, an Australian supermarket. It states the recipient won a $2,000 Gift Card. Although it did not clearly state a specific country, it was clearly intended for the people of Australia since it was addressed to the .au top-level domain. There is a sense of urgency: the author wants the victim to act before the gift expires. The URL link provided leads to the legitimate site of Woolworths Australia. Notably, the attachment is named “$2000.html”, and that is where the culprit lies.

Figure 1. Who doesn’t want $2000 this holiday season

 

Below is an overview of how the phishing routine was carried out from winning a $2000 Gift Card to stealing email credentials and telephone numbers.

Figure 2. How Phishing was executed

 

During our analysis, we opened the HTML attachment in a text editor and found that it contains JavaScript code that, by the looks of it, is URL-encoded. One way to make it human-readable is to decode it using CyberChef’s URL Decode function.

Figure 3. URL Decoding the script to make readable

 

Opening the email attachment locally with a browser shows the webpage below, with all of the instructions to get a $2000 Gift Card. To get the E-Gift Card, all the victim needs to do is select an email provider and key in their credentials. Simple!

Figure 4. Yes, I wanted a gift card! Show me how?

 

Clicking each email provider button pops up a different window with the respective email provider's logo. Clearly, the bad guys aim to steal email credentials from Outlook, Office365, and Yahoo users. Should you have no account with these email providers, you may opt to click on the Others button. Keying in the information is a two-step process. In the first form, an email address and password are entered and “Continue” is clicked; a second form then provides a place to key in a telephone number and click “Sign-in”. The hyperlinks below the button do nothing.

Digging deeper into the decoded HTML script, we find an interesting technique. The HTML incorporates JavaScript hosted at a remote location at “yourjavascript.com”. As of this writing, we were able to download the hosted script. The script contains two important validation functions.

Figure 6. JS Script hosted at a remote website

 

We looked into the site hosting the JavaScript file referenced in the decoded HTML file. Around late 2017, this blog about Spider Ransomware mentioned that the same site hosted one of its Base64-encoded payloads. Still, the site is offering free hosting for the time being, and donating for the service is optional.

One way to find where the stolen information goes is to look for anything with http, or to look for the name or id of the submit button. In the script below, the Continue button triggers the ValidateField() function, which is defined in the hosted script. The ValidateField() function checks the victim's email address and password entries using regular expressions. Entries that fail the validation yield specific errors: incorrect format, or can’t be empty.

Figure 7. Validation for Email and Password
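The two analysis steps described above (URL-decoding the attachment, then looking for `http` strings and the form target) can be scripted as a static triage pass. This is an added example, not code from the original post; the sample attachment, its URLs and the `unescape()` wrapper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlsplit

FREE_HOSTS = ("yourjavascript.com", "000webhostapp.com")  # named in the article
# A quote-free token with 8+ %XX escapes is treated as an encoded payload.
BLOB = re.compile(r"""(?:[^'"\s<>%]*%[0-9A-Fa-f]{2}){8,}[^'"\s<>]*""")
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

def decode_layers(blob, max_rounds=5):
    """Percent-decode a bounded number of rounds; extra rounds are no-ops."""
    for _ in range(max_rounds):
        blob = unquote(blob)
    return blob

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.actions, self.password_fields = [], [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])      # externally hosted JavaScript
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])   # where the form submits
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1

def on_free_host(url):
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in FREE_HOSTS)

def triage(html):
    """Static inspection only: nothing is rendered, executed or fetched."""
    layers = [html] + [decode_layers(b) for b in BLOB.findall(html)]
    col = Collector()
    for layer in layers:
        col.feed(layer)
        col.reset()  # drop parser state between layers; collected hits persist
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    return {"decoded_layers": len(layers) - 1, "remote_scripts": col.scripts,
            "form_actions": col.actions, "password_fields": col.password_fields,
            "urls": urls, "free_hosted": [u for u in urls if on_free_host(u)]}

# Constructed sample, not the real attachment; the unescape() wrapper is assumed.
SAMPLE_INNER = ('<script src="http://yourjavascript.com/constructed/example.js"></script>'
                '<form action="https://constructed-example.000webhostapp.com/form.php">'
                '<input type="password" name="p"></form><a href="https://www.example.org/">x</a>')
SAMPLE = "<script>document.write(unescape('%s'))</script>" % quote(SAMPLE_INNER, safe="")
```

An HTML attachment that hides a password field behind an encoded layer and points its script source or form target at a free hosting service is a strong candidate for quarantine and manual review.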

 

The Sign in button triggers the second function, ValidateTel(), in the hosted JavaScript file. The ValidateTel() function checks the victim's telephone number entry using regular expressions to validate if it is empty or blank.

All of the information entered in the webpage is validated: email address, password, telephone number, and the selected email provider. This stolen information from the victim is then used as parameters to a site hosted at a free web hosting provider (000webhostapp.com).

Figure 8. The free web hosting site

 

At the time of this writing, the free web hosting site is still accessible, so we used dummy information to replicate how the stolen info was sent.

Figure 9. Using dummy information to POST to PHP

 

Finally, the user will be redirected to a legitimate website, as illustrated below.

Figure 12. And they got away with your credentials.

 

It was interesting to find that malware authors are once again abusing free hosting sites to carry out their malicious activities, which is almost becoming the norm. In this case, the phishing attempt used an encoded HTML attachment that incorporated JavaScript code hosted at a third-party free JavaScript hosting site, along with another site hosted at a free web hosting provider.

Trustwave Secure Email Gateway (SEG) detects these phishing messages.

IOCs:

URLs:

hxxp://yourjavascript[.]com/72261021022/script[.]js
hxxps://wltv[.]000webhostapp.com/wvoucher/web-form[.]php

Files:

Filename: $2000.html
MD5: 2149f65f1e13e680fc35b05c70dd600e
SHA1: 24e5fdfa1488698ca72bc130074d8f12dbbc8c79

Filename: script.js
MD5: 5096b6c04a5b8f4c9e7188d276d4e69a
SHA1: ca30238bd610adbbd3902a5a29391a93ca20bb03
