Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.
Take a look at the email example below, posing as an email from Woolworths, an Australian supermarket. It states the recipient won a $2,000 Gift Card. Although it did not clearly state which specific country, it was clearly intended for the people of Australia since it was addressed to the .au top-level-domain. There is a sense of urgency where the author wants the victim to act before the gift expires. The URL link provided leads to the legitimate site of Woolworths Australia. Noticeably the attachment is named “$2000.html” wherein lies the culprit.
Below is an overview of how the phishing routine was carried out from winning a $2000 Gift Card to stealing email credentials and telephone numbers.
Figure 2. How Phishing was executed
During our analysis, we opened the HTML attachment with a text editor and found out that it has javascript code and by the looks of it, it was URL Encoded. A way to make it human-readable is to decode it using CyberChef’s URL Decode function.
Figure 3. URL Decoding the script to make readable
Opening the email attachment locally with a browser shows the webpage below, with all of the instructions to get a $2000 Gift Card. To get the E-Gift Card, all the victim needs to do is select an email provider and key in their credentials. Simple!
Figure 4. Yes, I wanted a gift card! Show me how?
Clicking each email provider button pops up a different window with each respective email provider logo. Clearly, the bad guys aim to steal email credentials from Outlook, Office365, and Yahoo users. Should you have no account with these email providers, you may opt to click on the Others button. It is a two-step process in keying in information. At the first form, an email address and password is entered, then “Continue” is clicked, then a second form provides a place to key in a telephone number, and “Sign-in”. The hyperlinks below the button do nothing.
Digging deeper into the decoded HTML script, we find an interesting technique. The HTML incorporates JavaScript hosted at a remote location at “yourjavascript.com”. As of this writing, we were able to download the hosted script. The script contains two important validation functions.
Figure 6. JS Script hosted at a remote website
We looked into the hosting site of the file JavaScript referenced in the decoded HTML file. Around late 2017, this blog about Spider Ransomware mentions that the same site hosted one of its Base64 encoded payloads. But still, they are offering free hosting for the time being. Optional if you donate for their service.
One way to find where the stolen information goes is to look for anything with http or to look for the name or id submit button. In the script below, the Continue button triggers ValidateField() function, which is referenced on the hosted script. The ValidateField() function checks the email address and password entries of the victim using Regular Expressions. Entries that fail the validation yields specific errors: incorrect format, or can’t be empty.
Figure 7. Validation for Email and Password
The Sign in button triggers the second function ValidateTel() in the hosted file JavaScript. The ValidateTel() function checks the telephone number entry of the victim using Regular Expressions to validate if it is empty or blank.
All entered information: email address, password, telephone number, and the selected email provider in the webpage are validated. This stolen information from the victim will be used as parameters in a site hosted at a free web hosting provider (000webhostapp.com).
Figure 8. The free web hosting site
At the time of this writing, the free web hosting site is still accessible, we used dummy information to replicate how stolen info was sent.
Figure 9. Using dummy information to POST to PHP
Finally, the user will be redirected to a legitimate website, as illustrated below.
Figure 12. And they got away with your credentials.
It was interesting to figure out that malware authors are again abusing free hosting sites once more to carry out their malicious activities, which is almost becoming the norm. In this case, the phishing attempt used an encoded HTML attachment, that incorporated JavaScript code hosted at a third party free JavaScript hosting site, along with another site hosted on a free web hosting site.
Trustwave Secure Email Gateway (SEG) detects these phishing messages.
URLs:
hxxp://yourjavascript[.]com/72261021022/script[.]js
hxxps://wltv[.]000webhostapp.com/wvoucher/web-form[.]php
Files:
Filename: $2000.html
MD5: 2149f65f1e13e680fc35b05c70dd600e
SHA1: 24e5fdfa1488698ca72bc130074d8f12dbbc8c79
Filename: script.js
MD5: 5096b6c04a5b8f4c9e7188d276d4e69a
SHA1: ca30238bd610adbbd3902a5a29391a93ca20bb03