SpiderLabs Blog

The Attack of the Chameleon Phishing Page

Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials.

We see an email with the “initial” URLs in the example below:

Figure 1. The raw phishing email showing the URLs, purporting to be a fax message that needs to be accessed.

There are three URLs in the email. The second and third URLs are identical, which we will discuss later. To see what would happen, we placed the first URL in a web browser, following the email's instruction that the target click the provided link to access the "fax document." Doing so brought us to the phishing site shown below. The webpage is fabricated: the victim's email address is already filled in, and the site only asks for the victim's password.

Figure 2. Obviously a phishing website, but wait, there's more.

As previously noted, the second and third URLs are identical. This is where things get interesting. When we checked out these URLs in a browser, they appeared to be just another run-of-the-mill phishing site. The phishing URL carries the victim's email address in the fragment part (after the #), and that fragment was used to auto-populate the email address field on the webpage. This link contains a further explanation of URL fragments. By removing the fragment containing the victim's email address from the URL, most of the web graphics disappear, making the login page look rather bland.
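One way a mail gateway or an analyst can triage links of this shape, as an added example that is not part of the original post and not the phishing kit's code: parse the link, check whether the fragment is an email address, and record which domain and brand the page would impersonate. The sample set is the post's two IPFS-gateway IOCs with the victim address replaced by a placeholder, plus a benign control URL; the gateway host list, the email regex and the "first label is the brand" rule are assumptions to tune against your own telemetry.

```python
import re
from urllib.parse import urlsplit

# Constructed sample set: the post's two defanged IPFS-gateway URLs with the victim
# address replaced by a placeholder, plus a benign control link.
SAMPLE_URLS = [
    "hxxps://ipfs[.]io/ipfs/QmWzESuyrcihoEvCZYrzLpYoZjbeH2b9YdhnkhQWYGVJdX#victim@example.com",
    "hxxps://gateway[.]pinata[.]cloud/ipfs/QmbGkfWJDuhgF7PNYTpeqLqSyvmX8yupDbS1CZXWM7Jz4i#victim@example.com",
    "https://www.example.org/docs/fax.pdf",
]

# Public IPFS gateways named in the post's IOCs (assumed list; extend from your own data).
IPFS_GATEWAY_HOSTS = {"ipfs.io", "gateway.pinata.cloud"}

# Simple email shape: local part, "@", then a domain with at least one dot and a TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def refang(url: str) -> str:
    """Undo the usual 'hxxp' / '[.]' defanging so urlsplit can parse the indicator."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def triage_url(url: str) -> dict:
    """Return the hosting facts and the impersonation target implied by the link."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    ipfs_hosted = host in IPFS_GATEWAY_HOSTS or parts.path.startswith("/ipfs/")

    # The fragment is the part after '#'; the kit reads it client-side via JavaScript.
    match = EMAIL_RE.match(parts.fragment)
    domain = match.group(1).lower() if match else None
    # Mirrors the kit's second parse described in the post: drop the TLD, keep the brand.
    # Here that is simply the first label, e.g. "outlook" from "outlook.com" (assumption).
    brand = domain.split(".")[0] if domain else None

    return {
        "host": host,
        "ipfs_gateway": ipfs_hosted,
        "email_in_fragment": match is not None,
        "impersonated_domain": domain,
        "impersonated_brand": brand,
        # An email address riding in the fragment of a static-hosting link is the
        # combination worth alerting on; neither half is suspicious on its own.
        "suspicious": match is not None and ipfs_hosted,
    }


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", triage_url(sample))
```

Note that browsers never send the fragment to the server, so a web proxy or URL-reputation lookup that only sees the HTTP request line will not see the victim's address or the impersonated domain; the check has to run on the link as it appears in the email or in the browser.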

Figure 3. Wait, what? Another phishing page? The original fully dressed up, and a second kind of vanilla flavored.

Instead of using the email of the intended recipient, we played around with the URL. We crafted a dummy email address and username and used common email provider domains like gmail.com and outlook.com. The results were interesting.

Figure 4. Crafted gmail.com and outlook.com email address domain names and the results.

This custom phishing site acts like a chameleon, changing and blending its images to camouflage itself. Four noticeable web elements changed whenever we tested a crafted email address in the browser:

  • The page’s background
  • A blurred logo
  • The title tab
  • The capitalized text of the domain from the email address provider.

We can dive deeper into how these changes happen on the website by viewing its source code. The site blocks the right-click context menu, but Google Chrome's keyboard shortcut CTRL + U still opens a new tab containing the page source.

We checked out the scripts in the source code and discovered how the threat actors created their behind-the-scenes trickery. In the JavaScript code, a declared string variable named my_slice is used throughout. The supplied email address was validated with a regular expression and then parsed to extract the domain name.

Figure 5. One variable that rules them all: my_slice

The Page Background

The iframe with ID mainPage gets its source attribute by concatenating the protocol text https:// with the variable my_slice. This pulls in content from the domain of the email address, which helps make the webpage believable so the victim won't notice that an incorrect webpage is being accessed.

Figure 6. The iframe code of the unclickable background.

The Blurred Logo

The code sourced the logo from the Google favicon API, using the my_slice variable in the API query to find the matching logo and make the phishing webpage look realistic. The sourced logo is small and was stretched, which is why it looks blurry on the webpage.

Figure 7. The stolen logo's code.

The Tab Title and the Capitalized Text Beside the Logo

The parsed domain name variable, my_slice, then undergoes another round of parsing that discards the TLD and extracts the brand name, which is stored in the global variable logoname.

Figure 8. The parsed domain's code.

The code also included various input text field validators to check the text of the email address and password.

Figure 9. The text validators on the textbox fields.

As the victim keys in their password, a notification appears: "Invalid Details, Please try again." The submit button's text shifts from Continue to Sign in. Unbeknownst to the user, each time the button is clicked, the email and password data are forwarded to the attacker's server. After three tries, the page finally redirects the victim to the legitimate website. Once more, the variable my_slice is used, concatenated with "http://www." to form the final landing page destination.
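The behaviours described in the last four sections (email taken from the fragment, background iframe and logo built from the email domain, tab title from the brand, redirect to the real site after the retries) are each a distinct, greppable pattern in page source. The scanner below is an added example, not the post's or the kit's code: it runs a set of indicator regexes over a script and reports which chameleon-template traits are present. The fixture is a constructed six-line script that mirrors only what the post describes (it is not a working page, and the favicon endpoint path is an assumption), and the hit-count threshold is an assumption to tune on your own sample corpus.

```python
import re

# Constructed fixture mirroring the traits the post describes; it is not the kit's
# code and is deliberately not a working page (no markup, no form, no submit handler).
SAMPLE_SCRIPT = """
var my_slice = window.location.hash.substring(1).split("@")[1];
document.getElementById("mainPage").src = "https://" + my_slice;
document.getElementById("logo").src = "https://www.google.com/s2/favicons?domain=" + my_slice;
var logoname = my_slice.split(".")[0];
document.title = logoname.toUpperCase() + " - Sign in";
if (attempts >= 3) { window.location = "http://www." + my_slice; }
"""

# Each indicator is (name, regex). They map one-to-one onto the behaviours in the post:
# email read from the URL fragment, a src built from "https://" + domain, a Google
# favicon lookup keyed on the domain, the tab title set at runtime, the TLD stripped
# to get the brand, and a redirect to "http://www." + domain after the retries.
INDICATORS = [
    ("email_from_fragment", re.compile(r"location\.hash[^\n;]*split\(\s*['\"]@['\"]\s*\)")),
    ("src_built_from_domain", re.compile(r"\.src\s*=\s*['\"]https?://['\"]\s*\+")),
    ("favicon_api_lookup", re.compile(r"google\.com/s2/favicons\?domain=")),
    ("title_set_at_runtime", re.compile(r"document\.title\s*=")),
    ("brand_from_tld_strip", re.compile(r"split\(\s*['\"]\.['\"]\s*\)\s*\[0\]")),
    ("redirect_to_real_site", re.compile(r"location\s*=\s*['\"]https?://www\.['\"]\s*\+")),
]


def scan_script(script: str) -> dict:
    """Return the indicator names that fire and a coarse verdict."""
    hits = [name for name, rx in INDICATORS if rx.search(script)]
    # Assumed thresholds: one trait (e.g. setting document.title) is everyday code;
    # two together deserve a look; three or more is a strong chameleon-template signal.
    if len(hits) >= 3:
        verdict = "chameleon_template"
    elif len(hits) == 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
```

The regexes match the readable form the post shows; a kit that has been minified or obfuscated needs to be deobfuscated (or evaluated in a sandboxed browser with the DOM mutations logged) before a scan like this is meaningful. The same indicators also translate directly into a mail-gateway or proxy content rule.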

Figure 10. This is where the target's credentials are taken away and the victim is sent to the final landing page.

We tried sending a dummy email and password via POST while monitoring the traffic with the network monitoring application Fiddler; unfortunately, the server was inaccessible.

Figure 11. The attacker's server is currently offline, for now.

Phishing webpages are often taken down in a matter of minutes or become unavailable as soon as information security companies detect them as malicious. These templated, or so-called chameleon, phishing sites are used repeatedly by malware authors, who rely on the clever tricks we just detailed to fool users into thinking the pages are real. The phishers can easily customize the template and host the scripts on other domains, allowing them to prey on unsuspecting users over and over again.

Trustwave MailMarshal defends against this phishing campaign.

IOCs:

URLs

  • hxxps://ipfs[.]io/ipfs/QmWzESuyrcihoEvCZYrzLpYoZjbeH2b9YdhnkhQWYGVJdX#[emailAddress]
  • hxxps://gateway[.]pinata[.]cloud/ipfs/QmbGkfWJDuhgF7PNYTpeqLqSyvmX8yupDbS1CZXWM7Jz4i#[emailAddress]
  • https://info[.]hyundai-inidan[.]ro/cgi/apc[.]php
