Phishing Page Branded with Your Corporate Website
Here is another perfect example that shows how attackers abuse free services...
Phishing campaigns are often combined with a layer of social engineering to make the victim more confident to click on a link or to open the attached file. I spotted an interesting phishing email redirecting you to a classic login page.
The page asks you to provide your credentials to “unlock” access to a PDF document, but the attacker implemented a nice trick. The background of the fake login page is… a screenshot of your corporate website!
Here is an example with my own company:
I changed the targeted email address, and here is an example with the sans.org website:
I deobfuscated the JavaScript, and here is how they implemented this:
```html
<script>
// The targeted address is hard-coded in the page (mine was replaced by a sans.org one for the test)
let emailzz = "test@sans.org";
// Obfuscation helper: reverse the string it is given
function jpgvbqitfwqpnhjgqktfqwpwoufrhtbrkktpjfizjuqjvxjjkperhumw(fscigkwyepzcytekcylktcjcpcurjwwebroblbnfyewnlqtqzgtwaa) {
  return fscigkwyepzcytekcylktcjcpcurjwwebroblbnfyewnlqtqzgtwaa.split("").reverse().join("");
}
// The reversed Base64 payload (elided here) is un-reversed, decoded and written into the document
var dtisejcxzuvjbshjmgaewqkxryjqdxcqfykqczkhbwtdmytbtwgliiqerzem = document.write(atob(jpgvbqitfwqpnhjgqktfqwpwoufrhtbrkktpjfizjuqjvxjjkperhumw(...)));
</script>
```
This function decodes a stream of Base64 data that has been reversed. Pretty simple obfuscation. To make the script more difficult to read, this technique has been implemented ten (yes, you read properly) times! I wrote a CyberChef recipe to decode it:
```
Label('Loop0')
Regular_expression('User defined','[a-zA-Z0-9+=]{200,}',true,true,false,false,false,false,'List matches')
Reverse('Character')
From_Base64('A-Za-z0-9+/=',true)
Conditional_Jump('[a-zA-Z0-9+=]{200,}',false,'Loop0',8)
Regular_expression('User defined','[a-zA-Z0-9+=]{200,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
```
By the way, this is a good example to demonstrate how CyberChef recipes may contain conditional jumps and labels to implement loops! Pretty handy in this case.
Now, here is the interesting piece of code found in the deobfuscated script:
```html
<script>
// Split the hard-coded address into user and domain parts
const emailarr = emailzz.split("@");
let webzz = emailarr["1"];               // e.g. "sans.org"
const webzzarr = webzz.split(".");
let webnamezz = webzzarr["0"];           // e.g. "sans"
// Third-party services used to brand the page with the victim's own company
let googlezz = "https://www.google.com/s2/favicons?domain=" + webzz;
let weblogozz = "https://logo.clearbit.com/" + webzz;
var bkimage = "url('https://image.thum.io/get/https://www." + webzz + "')";
</script>
...
<script>
// The screenshot of the victim's corporate website becomes the page background
document.body.style.backgroundImage = bkimage;
</script>
```
The variable 'emailzz' has been defined in the original HTML page (see above), and the domain is extracted from it. How does the attacker get the background?
It’s a free service provided by thum.io[1], the free website screenshot generator:
hxxps://image[.]thum[.]io/get/https://www.<domain>
The same domain name is also used to fetch interesting data:
- The company logo is fetched via hxxps://logo[.]clearbit[.]com/<domain>
- The favicon is fetched via hxxps://www[.]google[.]com/s2/favicons?domain=<domain>
These graphical elements help to build the fake page that looks familiar to potential victims!
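To tie the two pieces together, here is an added example (my own code, not the phishing kit's and not the CyberChef recipe): it peels the nested reverse-then-Base64 layers the way the recipe loop does, then lists the thum.io, Clearbit and Google favicon endpoints the recovered page references. The `INNER_PAGE` sample and the `wrap()` builder are constructed for the test; `rev` stands in for the attacker's long-named reverse function.

```python
import base64
import re

# Constructed sample of the deobfuscated page's branding script (not the diary's exact HTML).
INNER_PAGE = """<script>
let emailzz = "user@example.com";
const webzz = emailzz.split("@")[1];
var bkimage = "url('https://image.thum.io/get/https://www." + webzz + "')";
let weblogozz = "https://logo.clearbit.com/" + webzz;
let googlezz = "https://www.google.com/s2/favicons?domain=" + webzz;
</script>
<script>document.body.style.backgroundImage = bkimage;</script>"""

# Same idea as the recipe's regex: a long run of Base64 characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
# The three free services the diary shows being used to brand the page.
SERVICE_RE = re.compile(
    r"https?://(?:image\.thum\.io|logo\.clearbit\.com|www\.google\.com/s2/favicons)[^\s'\"]*")

def wrap(text: str, layers: int) -> str:
    """Build a test sample: Base64-encode, reverse, and wrap in a document.write()
    stage, `layers` times. `rev` stands in for the attacker's reverse function."""
    for _ in range(layers):
        blob = base64.b64encode(text.encode()).decode()[::-1]
        text = f'<script>document.write(atob(rev("{blob}")));</script>'
    return text

def peel(page: str, max_layers: int = 20) -> tuple[str, int]:
    """Reverse and Base64-decode the embedded blob until no blob remains.
    Returns (final plaintext, number of layers removed)."""
    layers = 0
    while layers < max_layers:
        match = B64_RUN.search(page)
        if match is None:
            break
        try:
            page = base64.b64decode(match.group(0)[::-1], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not a real layer: stop instead of looping on garbage
        layers += 1
    return page, layers

def abused_services(html: str) -> list[str]:
    """List the third-party screenshot/logo/favicon endpoints a page references."""
    return sorted(set(SERVICE_RE.findall(html)))

if __name__ == "__main__":
    plain, n = peel(wrap(INNER_PAGE, 10))
    print(f"removed {n} layers; services: {abused_services(plain)}")
```

The same `abused_services()` check run over proxy logs or captured landing pages is a cheap way to flag a login page that pulls its branding from these services rather than from your own domain.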
[1] https://thum.io/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant