Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.
Take a look at the email example below, posing as an email from Woolworths, an Australian supermarket. It states the recipient won a $2,000 Gift Card. Although it did not clearly state which specific country, it was clearly intended for the people of Australia since it was addressed to the .au top-level-domain. There is a sense of urgency where the author wants the victim to act before the gift expires. The URL link provided leads to the legitimate site of Woolworths Australia. Noticeably the attachment is named “$2000.html” wherein lies the culprit.
Below is an overview of how the phishing routine was carried out from winning a $2000 Gift Card to stealing email credentials and telephone numbers.
Figure 2. How Phishing was executed
Figure 3. URL Decoding the script to make readable
Opening the email attachment locally with a browser shows the webpage below, with all of the instructions to get a $2000 Gift Card. To get the E-Gift Card, all the victim needs to do is select an email provider and key in their credentials. Simple!
Figure 4. Yes, I wanted a gift card! Show me how?
Clicking each email provider button pops up a different window with each respective email provider logo. Clearly, the bad guys aim to steal email credentials from Outlook, Office365, and Yahoo users. Should you have no account with these email providers, you may opt to click on the Others button. It is a two-step process in keying in information. At the first form, an email address and password is entered, then “Continue” is clicked, then a second form provides a place to key in a telephone number, and “Sign-in”. The hyperlinks below the button do nothing.
Figure 5. All you need are email address, password and telephone number? That’s easy!
Figure 6. JS Script hosted at a remote website
Figure 7. The website that hosted the JS Script
One way to find where the stolen information goes is to look for anything with http or to look for the name or id submit button. In the script below, the Continue button triggers ValidateField() function, which is referenced on the hosted script. The ValidateField() function checks the email address and password entries of the victim using Regular Expressions. Entries that fail the validation yields specific errors: incorrect format, or can’t be empty.
Figure 8. Validation for Email and Password
Figure 9. Validation for Telephone Number
All entered information: email address, password, telephone number, and the selected email provider in the webpage are validated. This stolen information from the victim will be used as parameters in a site hosted at a free web hosting provider (000webhostapp.com).
Figure 10. The free web hosting site
At the time of this writing, the free web hosting site is still accessible, we used dummy information to replicate how stolen info was sent.
Figure 11. Using dummy information to POST to PHP
Finally, the user will be redirected to a legitimate website, as illustrated below.
Figure 12. And they got away with your credentials.
Trustwave Secure Email Gateway (SEG) detects these phishing messages.