Sophos Cloud Optix
Phishing is often regarded as old hat. From a technical perspective, it’s a case of ‘been there, done that’.
Sometimes however, we come across attacks that are just a little bit more interesting (or at least different) from the norm. In this post I am going to take a quick look at one of the techniques used in some phishing attacks we have seen in recent months.
Most phishing attacks that we see fall into one of two camps:
- Spam email containing a link to the phish site within the email message body. In some cases, the link in the message body may point to an initial web page (normally hosted on a compromised web site), which redirects the user to the phish site. Either way, clicking on the link results in the user ending up at the phish page.
- Spam email containing a HTML attachment which itself is the phish page. Sophos products block these attachments as Mal/Phish-A.
For the second type, to create the HTML attachments most attacks use the same technique:
- Take a copy of the HTML source for the web page that is being faked (e.g. bank login page).
- Optionally, obfuscate this code (perhaps deliver via some obfuscated JavaScript).
- Modify the relevant HTML form such that submitted data is sent to the attacker’s web server.
The other week I was alerted to a PayPal login page that was being spammed as an HTML attachment (nothing new there). However, in this case the HTML forms within the page all referenced legitimate PayPal servers.
Odd. So how is harvested data sent back to the attacker?
Closer inspection revealed quite a cunning way of ex-filtrating the user data.
The spam message itself was what you expect – social engineering being used in an attempt to trick the recipient into opening the attachment.
If the user opens the attachment, they are presented with what looks to be a PayPal login page. Inspection of the HTML source confirmed that the various forms within the page referenced legitimate PayPal resources.
The page did load suspicious JavaScript content from a non-PayPal server however. Furthermore, there was a suspicious (or at least unexpected) empty iframe within the page.
The remote JavaScript revealed the key to how the attack worked. The script was being used to validate user input entered into the various PayPal forms.
Data from the customer signup form was serialized and stored in the variable cus_data.
Then, data from the subsequent billing form was also serialized, and stored in the variable cc_data.
These variables were then sent back to the attackers by dynamically populating the empty iframe element (see above).
Cunning! So by hooking the form submission process, and then dynamically populating the iframe, the attackers are able to send the form data back to their server. This included all of the following:
- Password
- First name
- Last name
- Date of birth
- Citizenship
- Address
- Telephone number
- Credit card number
- Cvv number
- Expiry date
- Sort code
- Social security number
- Customer id
So why bother with all this? Why not stick to the basics and just edit the target of the HTML form?
There are probably 2 advantages to the technique used in this attack:
- The spammed web page will raise less suspicion. Seeing forms pointing to unexpected remote servers is a giveaway sign of the page being a phish.
- The mechanism enables them to include data from multiple forms. Ideal for complex sites where customers may enter data in different steps.
I guess the moral of the story is not to entirely dismiss ‘old hat’ attacks. They can still throw up surprises from time to time!
Feeding fish, net and phishing text images from Shutterstock.
a few simple cautions about grammar and style would see one recognise this
quality of attack without falling for the actual scam
The best thing to do is ignore the email completely. If one is to receive anything from Paypall etc the first thing you also note is the senders email address. If you are not sure delete the email and contact paypal directly from their legit website. I have received many an email claming to be from paypal but on further inspection I have noticed that the senders email does not click and honestly Paypal would not send any email with attatchments re your account. Any verification is done within the site. If you use an account like Yahoo as soon as your mouse passes over the senders name it will give you the email address.
Don't under estimate the old hat..We should look at how the email message been written,scan the attachment or html link,use security software that can monitor email..
The technique is indeed clever and interesting, but surely any forms-based HTML file sent as an attachment to an email should be considered suspicious, no?
These types of email messages usually have a common theme to them so that one can recognize the generic pattern, ie…bad grammar, off design/style