SpiderLabs Blog

The Attack of the Chameleon Phishing Page

Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials.

The example below shows an email containing the “initial” URLs:

Figure 1. The raw phishing email showing the URLs, purporting to be a fax message that needs to be accessed.

There are three URLs in the email. The second and third URLs are identical, which we will discuss later. To see what would happen, we placed the first URL in a web browser, which is what the email instructs the target to do in order to access the “fax document.” Doing so brought us to the phishing site shown below. The webpage is fabricated: the victim’s email address is already filled in, and the site only asks for the victim’s password.

Figure 2. Obviously a phishing website, but wait, there’s more.

As previously noted, the second and third URLs are identical. This is where things get interesting. When we checked out these URLs in a browser, the page looked just like another run-of-the-mill phishing site. The phishing URL carries the victim’s email address in its fragment part (the text after the #), and the page uses that fragment to auto-populate the email address field. This link contains a further explanation of URL fragments. By removing the fragment part of the URL containing the victim’s email address, most of the web graphics disappear, making the login page look rather bland.
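A defender-side triage helper for the lure described above, added here as an example and not code from the original post: it refangs a message body, pulls out every URL, and flags links that carry an email address in the fragment or point at a public IPFS gateway path. The sample email, the CID and the hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# CIDv0 content hashes start with "Qm" and are 46 base58 characters long.
IPFS_PATH_RE = re.compile(r"^/ipfs/Qm[1-9A-HJ-NP-Za-km-z]{44}")

def refang(text):
    """Undo the usual de-fanging (hxxp, [.], [:]) so IoC lists parse as real URLs."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def analyse_urls(text):
    """One finding per URL: is an email address riding in the fragment, and is the
    link served from a public IPFS gateway path?"""
    findings = []
    for url in URL_RE.findall(refang(text)):
        parsed = urlparse(url)
        frag_is_email = bool(EMAIL_RE.match(parsed.fragment))
        findings.append({
            "url": url,
            "email_in_fragment": frag_is_email,
            "victim_email": parsed.fragment if frag_is_email else None,
            "ipfs_gateway": bool(IPFS_PATH_RE.match(parsed.path)),
        })
    return findings

def is_chameleon_lure(text):
    """True when any link carries an email address in its fragment, the trait the
    kit relies on to pre-fill the login form with the victim's address."""
    return any(f["email_in_fragment"] for f in analyse_urls(text))

# Constructed sample modelled on the fax lure; the CID and hosts are placeholders.
FAKE_CID = "Qm" + "Z" * 44
SAMPLE_EMAIL = f"""You have received a new fax document.
View: hxxps://gateway[.]example-ipfs[.]test/ipfs/{FAKE_CID}#victim@example.com
Or: hxxps://ipfs[.]example[.]test/ipfs/{FAKE_CID}#victim@example.com
Unsubscribe: https://www.example.com/unsubscribe
"""
```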

Figure 3. Wait, what? Another phishing page? The original, fully dressed up, and a second, vanilla-flavored one.

Instead of using the email address of the intended recipient, we played around with the URL. We crafted a dummy username and email address using common email provider domains such as gmail.com and outlook.com. The results were interesting.

Figure 4. Crafted gmail.com and outlook.com email address domain names and the results.

This custom phishing site acts like a chameleon, changing and blending its images to camouflage itself. Four noticeable web elements changed whenever we tested a crafted email address in the browser:

  • The page’s background
  • A blurred logo
  • The title tab
  • The capitalized text of the domain from the email address provider.

We can dive deeper into how these changes happen on the website by viewing the page source. The site blocks the right-click context menu, but Google Chrome’s keyboard shortcut CTRL + U opens a new tab containing the source code.

We checked out the scripts in the source code and discovered how the threat actors created their behind-the-scenes trickery. In the JavaScript code, the declared string variable my_slice is used throughout. The supplied email address is validated with a regular expression and then parsed to extract the domain name.

Figure 5. One variable that rules them all: my_slice.

The Page Background

The source attribute of the iframe with ID mainPage is built by concatenating the string https:// with the variable my_slice. This pulls in content from the domain in the email address, which helps make the webpage believable so the victim won’t notice that an incorrect webpage is being accessed.

Figure 6. The iframe code of the unclickable background.

The Blurred Logo

The code sourced the logo from the Google favicon API. The my_slice variable was used in the API query to find the matching logo and make the phishing webpage look realistic. The sourced logo is small and was stretched, which is why it looks blurry on the webpage.

Figure 7. The stolen logo’s code.

The Tab Title and the Capitalized Text Beside the Logo

The parsed domain name variable, my_slice, then undergoes another round of parsing that discards the TLD and extracts the brand name, which is stored in the global variable logoname.

Figure 8. The parsed domain’s code.

The code also included various input text field validators to check the text of the email address and password.

Figure 9. The text validators on the textbox fields.


As the victim keys in their password, a notification appears: “Invalid Details, Please try again.” The submit button’s text shifts from Continue to Sign in. Unbeknownst to the user, each time the button is clicked, the email and password data are forwarded to the attacker’s server. After three tries, the page finally redirects the victim to the legitimate website. Once more, the variable my_slice is used, concatenated with “http://www.” to form the final landing page destination.
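A source-level detector for the kit traits walked through above (my_slice, the mainPage iframe sourced from the email domain, the favicon lookup, the logoname brand string, the retry message and the http://www. redirect), added here as an example and not code from the original post. The Google favicon endpoint path www.google.com/s2/favicons, the indicator weights and the threshold are my own assumptions; SAMPLE_HTML is a constructed stand-in, not the real page.

```python
import re

# Each indicator: (name, pattern, weight). Weights are an assumption for this example.
KIT_INDICATORS = [
    ("my_slice variable", re.compile(r"\bmy_slice\b"), 3),
    ("logoname variable", re.compile(r"\blogoname\b"), 2),
    ("iframe id mainPage", re.compile(r"<iframe[^>]*\bid\s*=\s*[\"']mainPage[\"']", re.I), 3),
    ("iframe src built from email domain", re.compile(r"[\"']https://[\"']\s*\+\s*my_slice"), 3),
    ("Google favicon lookup", re.compile(r"google\.com/s2/favicons\?domain=", re.I), 2),
    ("retry lure text", re.compile(r"Invalid Details,? Please try again", re.I), 2),
    ("redirect to http://www. + domain", re.compile(r"[\"']http://www\.[\"']\s*\+\s*my_slice"), 2),
]

def score_page(html):
    """Return (score, matched indicator names) for a fetched page's source."""
    hits = [name for name, rx, _ in KIT_INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in KIT_INDICATORS if name in hits)
    return score, hits

def looks_like_chameleon_kit(html, threshold=6):
    """Flag the page when enough weighted kit traits co-occur (threshold is assumed)."""
    return score_page(html)[0] >= threshold

# Constructed stand-in containing only the traits the detector looks for.
SAMPLE_HTML = """<html><head><title>Sign in</title></head><body>
<iframe id="mainPage" src=""></iframe>
<img id="logo" src="">
<script>
var my_slice = location.hash.substring(1).split('@')[1];
var logoname = my_slice.split('.')[0];
document.getElementById('mainPage').src = 'https://' + my_slice;
document.getElementById('logo').src =
  'https://www.google.com/s2/favicons?domain=' + my_slice;
document.title = logoname.toUpperCase();
// after the third attempt: alert('Invalid Details, Please try again');
// location.href = 'http://www.' + my_slice;
</script></body></html>"""
```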

Figure 10. This is where the target’s credentials are taken and the victim is sent to the final landing page.

We tried sending a dummy email address and password via POST while monitoring the traffic with Fiddler; unfortunately, the server was inaccessible.

Figure 11. The attacker’s server is currently offline, for now.

Phishing webpages are often taken down in a matter of minutes, or become unavailable as soon as information security companies detect them as malicious. These templated, or so-called chameleon, phishing sites are reused repeatedly by malware authors, relying on the clever tricks we just detailed to fool the user into thinking the pages are real. Phishers can easily customize the template and host the scripts on other domains, allowing attackers to prey on unsuspecting users over and over again.

Trustwave MailMarshal defends against this phishing campaign.
IOCs:

URLs

  • hxxps://ipfs[.]io/ipfs/QmWzESuyrcihoEvCZYrzLpYoZjbeH2b9YdhnkhQWYGVJdX#[emailAddress]
  • hxxps://gateway[.]pinata[.]cloud/ipfs/QmbGkfWJDuhgF7PNYTpeqLqSyvmX8yupDbS1CZXWM7Jz4i#[emailAddress]
  • https://info[.]hyundai-inidan[.]ro/cgi/apc[.]php
